Getting the basics right with the April 2026 Cyber Essentials Plus Update

Cyber Essentials Plus now demands firmer proof of cyber hygiene. Jon Abott, CEO and Co-Founder of ThreatAware, explains how v3.3 tightens scope, MFA, and patching requirements as organisations face stricter evidence standards.


The latest annual update to Cyber Essentials Plus came into effect on 27 April, marking a shift towards a more disciplined, evidence-driven version of the scheme.

Cyber Essentials has long been the benchmark for sound cyber hygiene. For organisations, certification demonstrates a commitment to good security practice that gives clients and partners confidence. More broadly, the scheme strengthens the UK’s overall cyber resilience by advocating controls that counter the most common attacks.

The changes in Version 3.3 do not rewrite the scheme’s five core controls; they tighten how compliance is verified. The focus is on raising the bar for what secure looks like and closing long-standing loopholes, so that organisations can no longer skirt the more demanding requirements.

Clarity around the scope of assessments

One of the most significant updates is tightening up what’s in scope for a Cyber Essentials assessment. Under the updated v3.3 standard, organisations will need to provide a comprehensive overview of the systems, locations, and services covered, as well as all legal entities involved.

The aim is to give assessors a complete picture of the environment being certified: when organisations are explicit about what is covered, nothing can quietly sit outside the boundary. For the companies themselves, the change is designed to ensure they are not merely compliant on paper but genuinely secure across everything they rely on.

MFA will become mandatory

Multi-factor authentication has also become non-negotiable rather than a best practice. From 27 April, organisations must ensure that every cloud service which offers MFA has it enabled. If an MFA option exists and is not enforced, the organisation automatically fails its certification.

This directly addresses threat actors’ growing focus on credentials. Rather than using complex techniques to break into networks, they increasingly target identities and the individuals behind them. By making MFA mandatory, Cyber Essentials aims to protect against this and the devastating consequences a compromised account can have, such as ransomware.

Patches must be actioned within 14 days

A third major part of the v3.3 update is the strict 14-day patching requirement for high-risk and critical vulnerabilities. Instead of running patch cycles monthly or quarterly, firms must remediate such issues across operating systems, applications and network devices such as routers and firewalls within two weeks of a fix becoming available.

With threat actors exploiting newly disclosed CVEs faster than ever, something that will only accelerate as agentic AI is weaponised, patching at speed is critical.

The fundamentals matter more than ever

These changes apply to assessment accounts created after 26 April 2026. Assessments that started before that date have six months to certify under the previous version of the scheme. Either way, the 2026 update signals a clear shift in focus that all firms should prioritise.

The latest set of v3.3 changes signal that the fundamentals of cybersecurity matter more than ever. Rarely do threat actors need advanced techniques to succeed. Often, they target simple blind spots like missing patches or unenforced MFA policies.

That makes visibility imperative. 

Most organisations believe they are compliant – their policies say so. Yet policies describe intent, not reality. In practice, organisations regularly discover gaps when they look more closely, whether it’s a device that’s drifted outside the patch window or a cloud service that was onboarded without IT involvement.

These issues may not show up in a policy spreadsheet, but they do in a v3.3 Cyber Essentials assessment. Equally, with the introduction of auto-fails, you can no longer pass by covering most of the bases and papering over the rest: a single cloud service with an unenforced MFA option fails the whole certification.
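As an added example (not part of the article and not ThreatAware’s own tooling), the following Python turns a constructed asset inventory into the kind of evidence the MFA and patching controls above call for: it flags critical and high fixes applied, or still outstanding, beyond the 14-day window; cloud services where MFA is offered but not enforced; and services in use that are missing from the scope statement. The inventory records, the scanner references such as FIND-001 and the assessment date are all constructed for illustration. Treating every out-of-window critical/high item as a finding that counts against the organisation is this script’s assumption, not a quotation of the scheme’s wording; the MFA auto-fail is as the article describes it.

```python
"""Evidence-style check of two Cyber Essentials v3.3 criteria over a constructed
asset inventory: the 14-day patch window for critical/high fixes, and MFA
enforcement on every cloud service that offers it. Example code, not the scheme's."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

PATCH_WINDOW = timedelta(days=14)          # critical/high fixes must be applied within 14 days
FAST_TRACK_SEVERITIES = {"critical", "high"}


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    ref: str                      # scanner reference; the FIND-* values below are constructed
    severity: str                 # "critical", "high", "medium" or "low"
    fix_released: date            # date the vendor fix became available
    patched_on: Optional[date]    # None while the fix has still not been applied


@dataclass(frozen=True)
class CloudService:
    name: str
    mfa_available: bool           # the provider offers an MFA option
    mfa_enforced: bool            # MFA is actually enforced for all users
    declared_in_scope: bool       # listed in the organisation's scope statement


def patch_findings(vulns: List[Vulnerability], as_of: date):
    """Return (asset, ref, days, status) for critical/high fixes outside the 14-day window.

    status is "late" when the fix was applied after the window closed and "overdue"
    when it is still unapplied on `as_of` and the window has passed. Lower severities
    and in-window items (patched, or still pending inside the window) are not findings.
    """
    out = []
    for v in vulns:
        if v.severity not in FAST_TRACK_SEVERITIES:
            continue
        end = v.patched_on if v.patched_on is not None else as_of
        elapsed = end - v.fix_released
        if elapsed <= PATCH_WINDOW:
            continue
        status = "late" if v.patched_on is not None else "overdue"
        out.append((v.asset, v.ref, elapsed.days, status))
    return out


def mfa_findings(services: List[CloudService]):
    """Services where MFA is offered but not enforced: each one is an automatic fail."""
    return [s.name for s in services if s.mfa_available and not s.mfa_enforced]


def undeclared_services(services: List[CloudService]):
    """Services in use but absent from the scope statement (e.g. onboarded without IT)."""
    return [s.name for s in services if not s.declared_in_scope]


def assess(vulns, services, as_of):
    """Summarise the evidence the way an assessor would read it."""
    patches = patch_findings(vulns, as_of)
    mfa = mfa_findings(services)
    return {
        "auto_fail": bool(mfa),                       # unenforced MFA option = automatic fail
        "passes": not mfa and not patches,            # assumption: any patch finding counts against you
        "patch_findings": patches,
        "mfa_findings": mfa,
        "undeclared_services": undeclared_services(services),
    }


# Constructed sample inventory; the assessment date is also made up.
AS_OF = date(2026, 5, 8)
SAMPLE_VULNS = [
    Vulnerability("laptop-01", "FIND-001", "critical", date(2026, 4, 1), date(2026, 4, 10)),   # 9 days: fine
    Vulnerability("fw-edge", "FIND-002", "high", date(2026, 4, 2), date(2026, 4, 25)),         # 23 days: late
    Vulnerability("srv-db", "FIND-003", "critical", date(2026, 4, 20), None),                  # 18 days open: overdue
    Vulnerability("laptop-02", "FIND-004", "medium", date(2026, 3, 1), None),                  # not fast-track
    Vulnerability("srv-web", "FIND-005", "high", date(2026, 5, 1), None),                      # 7 days open: still in window
]
SAMPLE_SERVICES = [
    CloudService("mail-suite", mfa_available=True, mfa_enforced=True, declared_in_scope=True),
    CloudService("crm-saas", mfa_available=True, mfa_enforced=False, declared_in_scope=True),
    CloudService("file-share-trial", mfa_available=True, mfa_enforced=False, declared_in_scope=False),
    CloudService("legacy-ticketing", mfa_available=False, mfa_enforced=False, declared_in_scope=True),
]


def demo():
    return assess(SAMPLE_VULNS, SAMPLE_SERVICES, AS_OF)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it and the two unenforced MFA services trigger the auto-fail, while the firewall patched on day 23 and the database server still open on day 18 surface as patch findings; the trial file-share also appears as a service the scope statement never declared. Replace the constructed lists with exports from your patch and identity tooling and the same functions give you a defensible answer before the assessor asks.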

This update reflects the reality of modern threats, pushing organisations to address the critical gaps that attackers commonly exploit.

It only takes one compromised device or identity to expose an entire network. Therefore, every device and every account matters. To be compliant, organisations need to provide proof that critical controls are applied consistently across their digital estate. 

The fundamentals haven’t changed, but the expectations around them have. Firms that can meet those expectations by demonstrating disciplined patching, strong identity protection and the rigorous application of core controls will be well placed to ensure their compliance and security for years to come.