What the Cyber Essentials Requirements for IT Infrastructure v3.3 Changes Mean for Your Business

Cyber Essentials continues to evolve to reflect the realities of modern cyber security. From 27 April 2026, all new Cyber Essentials assessments are assessed against Requirements for IT Infrastructure v3.3, which introduces more rigorous expectations around cloud security, authentication and resilience.

This update is more than a routine refresh. It reflects how organisations now operate, with cloud‑first services, remote working and increasingly sophisticated threats firmly in scope. For businesses planning certification or renewal after May 2026, understanding these changes early is essential.

This guide breaks down what has changed and, more importantly, what practical steps organisations should take to remain compliant and resilient.



Why Is Multi‑Factor Authentication Now Mandatory Under Cyber Essentials v3.3?

One of the most significant changes in v3.3 is the mandatory enforcement of Multi‑Factor Authentication.

Where MFA is supported, whether it is free, bundled or paid for, it must be enabled for all users. Failure to do so will now result in an automatic fail.

What this means in practice

Organisations must:

  • Audit all user accounts across email, cloud platforms and administrative portals
  • Enable MFA consistently, including for privileged and administrative users
  • Remove legacy authentication methods that bypass MFA

This change improves accountability and dramatically reduces the risk of credential‑based attacks, which remain one of the most common causes of breaches.


How Are Cloud Services Treated Under the Updated Cyber Essentials Requirements?

Under v3.3, any cloud service that stores or processes organisational data is now in scope. This removes previous ambiguity around excluding Software‑as‑a‑Service platforms.

Practical considerations for business

You should now:

  • Maintain a complete inventory of cloud services in use
  • Apply Cyber Essentials controls consistently across Microsoft 365, Google Workspace, CRM platforms and file‑sharing tools
  • Ensure access controls, MFA and patching responsibilities are clearly defined with suppliers

This change reflects how critical cloud services have become to day‑to‑day operations and ensures security controls keep pace.


What Do the New Cyber Essentials Scoping Rules Mean for Devices and Services?

The previous concepts of “untrusted” or “user‑initiated” devices have been removed.

The new rule is straightforward: if a device or service connects to the internet, or manages internet‑connected data, it is in scope.

Why this matters

This clarity reduces misinterpretation during assessments and ensures organisations take a more holistic view of their environment. Laptops, mobile devices, servers and cloud platforms should all be considered equally when applying controls.


How Have Application Development Requirements Changed in Cyber Essentials v3.3?

The scope formerly referred to as “Web Applications” has now evolved into Application Development.

This aligns Cyber Essentials with the UK Government’s Software Security Code of Practice, increasing focus on:

  • Secure coding principles
  • Timely patching of applications and frameworks
  • Managing vulnerabilities throughout the development lifecycle

Guidance for development teams

Organisations involved in application development should:

  • Document secure development practices
  • Keep third‑party libraries up to date
  • Demonstrate how vulnerabilities are identified and remediated

This change reinforces that security must be built in, not bolted on.


Why Is Passwordless Authentication Being Encouraged by Cyber Essentials?

While not yet mandatory, v3.3 actively promotes passwordless authentication such as passkeys and FIDO2 authenticators.

Why organisations should take notice

Passwordless authentication:

  • Reduces reliance on weak or reused passwords
  • Improves user experience without sacrificing security
  • Aligns with the long‑term direction of secure identity management

Adopting passwordless methods now can simplify future compliance and strengthen overall security posture.


What Are the New Backup and Recovery Expectations Under Cyber Essentials v3.3?

Backup and recovery have received increased emphasis under the updated requirements.

Organisations must demonstrate that backups are:

  • Robust and documented
  • Protected from unauthorised access
  • Regularly tested to ensure recovery is achievable

Practical steps to take

Businesses should review:

  • Backup frequency and retention policies
  • Offline or immutable backup options
  • Evidence of routine restore testing

This ensures organisations are better prepared to recover from ransomware or other disruptive incidents.


When Do the Cyber Essentials v3.3 Changes Take Effect and What Is the Deadline?

There is a critical timing consideration for organisations planning certification.

  • Assessments set up before 27 April 2026 will follow the previous standard
  • Assessments initiated on or after this date must comply with v3.3

For some organisations, this presents a short‑term opportunity. For most, however, preparing for the new requirements is the more sustainable approach.


How Can Organisations Prepare for Cyber Essentials Certification After May 2026?

The v3.3 update raises the bar, but it also brings clarity. Organisations that take a proactive approach will find that these changes not only support compliance but meaningfully improve resilience.

Key preparation steps include:

  • Reviewing MFA coverage across all systems
  • Bringing all cloud services into scope
  • Updating asset inventories and scoping assumptions
  • Strengthening backup and recovery processes
  • Aligning development practices with secure coding standards

How Can CyberLab Support Your Cyber Essentials Journey Post‑May 2026?

Navigating updated Cyber Essentials requirements can be complex, particularly for organisations with growing cloud environments.

CyberLab supports businesses through:

  • Cyber Essentials readiness assessments
  • Practical remediation guidance
  • Ongoing Cyber Security strategy aligned to evolving standards

If you are planning Cyber Essentials certification or renewal after May 2026, now is the right time to act.
