Cyber Essentials May 2026 Update: What Businesses Need to Do to Pass v3.3

What the Cyber Essentials Requirements for IT Infrastructure v3.3 Changes Mean for Your Business

Cyber Essentials continues to evolve to reflect the realities of modern Cyber Security. From 27 April 2026, all new Cyber Essentials assessments are assessed against Requirements for IT Infrastructure v3.3, which introduces more rigorous expectations around cloud security, authentication and resilience.

This update is more than a routine refresh. It reflects how organisations now operate, with cloud‑first services, remote working and increasingly sophisticated threats firmly in scope. For businesses planning certification or renewal after May 2026, understanding these changes early is essential.

This guide breaks down what has changed and, more importantly, what practical steps organisations should take to remain compliant and resilient.



Why Is Multi‑Factor Authentication Now Mandatory Under Cyber Essentials v3.3?

One of the most significant changes in v3.3 is the mandatory enforcement of Multi‑Factor Authentication.

Where MFA is supported, whether it is free, bundled or paid for, it must be enabled for all users. Failure to do so will now result in an automatic fail.

What this means in practice

Organisations must:

  • Audit all user accounts across email, cloud platforms and administrative portals
  • Enable MFA consistently, including for privileged and administrative users
  • Remove legacy authentication methods that bypass MFA

This change improves accountability and dramatically reduces the risk of credential‑based attacks, which remain one of the most common causes of breaches.


How Are Cloud Services Treated Under the Updated Cyber Essentials Requirements?

Under v3.3, any cloud service that stores or processes organisational data is now in scope. This removes previous ambiguity around excluding Software‑as‑a‑Service platforms.

Practical considerations for business

You should now:

  • Maintain a complete inventory of cloud services in use
  • Apply Cyber Essentials controls consistently across Microsoft 365, Google Workspace, CRM platforms and file‑sharing tools
  • Ensure access controls, MFA and patching responsibilities are clearly defined with suppliers

This change reflects how critical cloud services have become to day‑to‑day operations and ensures security controls keep pace.


What Do the New Cyber Essentials Scoping Rules Mean for Devices and Services?

The previous concepts of “untrusted” or “user‑initiated” devices have been removed.

The new rule is straightforward: If a device or service connects to the internet, or manages internet‑connected data, it is in scope.

Why this matters

This clarity reduces misinterpretation during assessments and ensures organisations take a more holistic view of their environment. Laptops, mobile devices, servers and cloud platforms should all be considered equally when applying controls.


How Have Application Development Requirements Changed in Cyber Essentials v3.3?

The scope formerly referred to as “Web Applications” has now evolved into Application Development.

This aligns Cyber Essentials with the UK Government’s Software Security Code of Practice, increasing focus on:

  • Secure coding principles
  • Timely patching of applications and frameworks
  • Managing vulnerabilities throughout the development lifecycle

Guidance for development teams

Organisations involved in application development should:

  • Document secure development practices
  • Keep third‑party libraries up to date
  • Demonstrate how vulnerabilities are identified and remediated

This change reinforces that security must be built in, not bolted on.


Why Is Passwordless Authentication Being Encouraged by Cyber Essentials?

While not yet mandatory, v3.3 actively promotes passwordless authentication such as passkeys and FIDO2 authenticators.

Why organisations should take notice

Passwordless authentication:

  • Reduces reliance on weak or reused passwords
  • Improves user experience without sacrificing security
  • Aligns with the long‑term direction of secure identity management

Adopting passwordless methods now can simplify future compliance and strengthen overall security posture.


What Are the New Backup and Recovery Expectations Under Cyber Essentials v3.3?

Backup and recovery have received increased emphasis under the updated requirements.

Organisations must demonstrate that backups are:

  • Robust and documented
  • Protected from unauthorised access
  • Regularly tested to ensure recovery is achievable

Practical steps to take

Businesses should review:

  • Backup frequency and retention policies
  • Offline or immutable backup options
  • Evidence of routine restore testing

This ensures organisations are better prepared to recover from ransomware or other disruptive incidents.


When Do the Cyber Essentials v3.3 Changes Take Effect and What is the Deadline?

There is a critical timing consideration for organisations planning certification.

  • Assessments set up before 27 April 2026 will follow the previous standard
  • Assessments initiated on or after this date must comply with v3.3

For some organisations, this presents a short‑term opportunity. For most, however, preparing for the new requirements is the more sustainable approach.


How Can Organisations Prepare for Cyber Essentials Certification After May 2026?

The v3.3 update raises the bar, but it also brings clarity. Organisations that take a proactive approach will find that these changes not only support compliance but meaningfully improve resilience.

Key preparation steps include:

  • Reviewing MFA coverage across all systems
  • Bringing all cloud services into scope
  • Updating asset inventories and scoping assumptions
  • Strengthening backup and recovery processes
  • Aligning development practices with secure coding standards


How Can CyberLab Support Your Cyber Essentials Journey Post‑May 2026?

Navigating updated Cyber Essentials requirements can be complex, particularly for organisations with growing cloud environments.

CyberLab supports businesses through:

  • Cyber Essentials readiness assessments
  • Practical remediation guidance
  • Ongoing Cyber Security strategy aligned to evolving standards

If you are planning Cyber Essentials certification or renewal after May 2026, now is the right time to act.

Get Cyber Essentials Certified

Show your commitment to cyber security and reduce risk by gaining Cyber Essentials certification – the UK government-backed standard for defending against common threats.

As an IASME-approved assessor for Cyber Essentials and Cyber Essentials Plus, we make the process simple with tailored options to suit your technical capability and business needs.

Join over 120,000 organisations already certified and take the first step towards stronger security today.



Cyber Essentials Willow Update 2025: Everything You Need To Know

What You Need to Know

The latest Cyber Essentials update, ‘Willow’, was released in May 2025, marking a significant evolution in the UK government’s flagship cyber security certification scheme. Replacing the ‘Montpellier’ question set, Willow reflects updated guidance from the National Cyber Security Centre (NCSC) and responds to emerging threats that businesses face today.

Whether you’re renewing your certification or applying for the first time, here’s a clear breakdown of what’s changed – and what your business needs to do next.


Key Changes in the 2025 Willow Update

The Willow update builds on the previous Montpellier release, revising definitions, terminology, and processes to keep Cyber Essentials aligned with current cyber security best practice.

Some of the headline changes include:

1. Expanded Scope: Firmware is Now In-Scope

The term ‘software’ now explicitly includes firmware, such as that found on firewalls and routers. This means organisations must ensure these critical systems are updated regularly — and are no longer exempt from compliance checks.

Why it matters: Unpatched firmware is increasingly targeted by attackers and often overlooked in patch management strategies.

2. Mandatory Asset Management Practices

Organisations must now maintain an accurate, up-to-date inventory of all devices and software within scope. This includes:

  • Company-issued and personal (BYOD) devices

  • Cloud services

  • Networking equipment

  • Installed applications

Why it matters: Asset visibility is a fundamental control for identifying vulnerabilities and reducing risk.

3. Tighter Controls for BYOD (Bring Your Own Device)

The update introduces stricter rules for personal devices used for work, referencing the latest NCSC guidance. Organisations must:

  • Define clear BYOD policies

  • Enforce controls like device encryption and screen locks

  • Ensure staff understand their responsibilities

Why it matters: Personal devices are often a weak link, especially in remote or hybrid environments.

4. Cloud Services: MFA Now Mandatory

Multi-factor authentication must now be enforced across all cloud platforms, for all users.


What’s Changed in Cyber Essentials?

1. Vulnerability Fixes

The term “high and critical patches” has been replaced with “vulnerability fixes.” This now includes a broader range of remediation actions such as scripts, registry edits, or vendor-prescribed methods. Any vulnerability with a CVSS score of 7.0 or higher (based on CVSS v3.1) must now be addressed.

2. Remote Working Terminology

“Home Workers” has been updated to “Home working and remote working” to better reflect the variety of modern work arrangements.

3. Supported Software

The term “plugins” has been replaced with “frameworks and extensions” to align with current software structures.

4. Passwordless Authentication

Now permitted in specific scenarios, including access to firewall configurations, externally hosted services, and internal infrastructure. Accepted methods include biometrics, physical devices, one-time codes, QR codes, and push notifications.


What’s Changed in Cyber Essentials Plus?

1. Technical Scope Verification

Auditors must now technically verify the scope of in-scope assets, including servers, end-user devices, mobile devices, and networks. Any excluded networks must also be verified.

2. Asset Sampling Notification

Applicants will be notified of the sampled assets three working days before the audit – but not earlier. This ensures a fair and unbiased selection process.

3. Admin Device Sampling

If applicable, an admin user’s device must be included in the audit sample.


What Your Business Needs to Do

Whether you’re looking to achieve certification for the first time or renew under Willow, you’ll need to ensure that your policies, tools, and documentation reflect these new expectations.

Here’s how to stay compliant:

✅ Review the full Willow requirements on the NCSC website.

✅ Audit and update your asset management processes.

✅ Apply firmware patching to all in-scope devices.

✅ Enforce MFA across all cloud platforms, for all users.

✅ Review and formalise your BYOD policies and training.


Need Help Navigating the Willow Update?

As an IASME-approved certification body, CyberLab has already helped hundreds of organisations achieve Cyber Essentials and Cyber Essentials Plus — and we’re ready to guide you through the Willow update too.

Whether it’s a full audit or a quick compliance health check, we can support you every step of the way.

Contact us today to get started with Willow.



Cyber Essentials Funded Programme: Government Support for UK SMEs

Helping UK SMEs Strengthen Cyber Defences with Government Support

In today’s digital-first world, cyber threats are no longer a distant concern – they’re a daily reality. The UK government’s Cyber Essentials scheme offers a practical, affordable way for organisations to defend against the most common attacks.

Whether you’re a small business or a growing tech innovator, this funded programme helps you build a strong security foundation, earn customer trust, and unlock new opportunities – including eligibility for government contracts. And with CyberLab’s expert guidance, getting certified is simpler than ever.


What is Cyber Essentials?

Cyber Essentials is a government-backed initiative to help businesses protect against the most common cyber threats. Originally launched in 2014, over 120,000 certificates have since been awarded to businesses of all sizes across the country.

According to the UK government, obtaining Cyber Essentials certification protects your organisation from approximately 80% of cyber-attacks, demonstrating a strong commitment to cyber security and data protection to customers and stakeholders. This certification enhances your organisation’s reputation, increases the likelihood of securing new business, and enables you to bid for and win UK government contracts. By ensuring that robust cyber security measures are in place, Cyber Essentials provides the peace of mind needed to focus on your core business objectives.

Cyber Essentials Plus

Cyber Essentials Plus is the next step in your cyber security journey – an advanced government-backed initiative for businesses looking to take extra measures to protect against common cyber threats.

Around a quarter of businesses who take the Cyber Essentials certification go on to achieve Cyber Essentials Plus.


What is the funded Cyber Essentials Programme?

Every business today faces the risk of a cyber attack, but some organisations are particularly vulnerable. This could be because they handle sensitive information about the people they work with or are seen as easier targets by cyber criminals.

To help those most at risk, the NCSC is rolling out a Funded Cyber Essentials Programme. This programme is aimed at supporting vulnerable organisations by helping them implement basic security measures to protect against the most common types of cyber attacks.

How Does it Work?

The programme offers practical support from an Advisor to help your organisation achieve Cyber Essentials Plus, at no cost to the organisation. However, if the Advisor recommends any extra software or hardware, those costs won’t be covered.

If you qualify, you’ll get around 20 hours of remote support with an Advisor. They’ll spend this time working with you to identify and implement improvements that suit your organisation’s size and needs, guiding you through the five Cyber Essentials technical controls. After that, there will be a hands-on technical check to make sure everything is in place.

If it turns out that achieving Cyber Essentials Plus isn’t possible, the Advisor will help you implement as many of the controls as you can and provide a clear list of what else needs to be done to get compliant. This scheme is designed to walk you through the technical controls required for Cyber Essentials certification, leading up to the Cyber Essentials Plus audit. No previous cybersecurity certification or experience is needed.

Who is Eligible for Support?

To qualify for this scheme, a company must be a micro or small business (1 to 49 employees) registered in the UK and working on one of the following:

  • The development of fundamental Artificial Intelligence (AI) technologies, OR the innovative application of Artificial Intelligence technologies in the following sectors: Public safety and health, Defence and security.
  • The development of novel Quantum technologies.
  • The design, development or manufacturing of semiconductors / semiconductor IP blocks.
  • The development of Engineering Biology or Synthetic Biology.

AND meet the following criteria:

  • Has not previously participated in the NCSC Funded Cyber Essentials Programme
  • Does not currently hold Cyber Essentials Plus (CE+) certification, has not been awarded CE+ certification since January 2023 and is not currently in the process of applying for CE+ certification


How CyberLab Can Help

As an IASME-approved assessor, CyberLab is not only authorised to assess against the scheme but also able to support your organisation in achieving certification.

Not only are we authorised Cyber Essentials assessors, we are also able to provide bespoke consultancy services to assist your team in meeting and maintaining the high standard of security required.

With our expert advice, you’ll pass first time.

Free Posture Assessment

Understand your security risks and how to fix them.

Take the first step to improving your cyber security posture, looking at ten key areas you and your organisation should focus on, backed by NCSC guidance.

Claim your free 30-minute guided posture assessment with a CyberLab expert.



Why Windows 10’s End of Life Matters for Cyber Essentials Plus

Navigating Compliance After Microsoft Ends Support for Windows 10

Microsoft officially ended support for Windows 10 on 14 October 2025, marking a major shift for organisations working toward Cyber Essentials Plus (CE+) certification. Without free security updates or patches, Windows 10 devices now pose a compliance risk – unless covered by Microsoft’s Extended Security Updates (ESU) programme.

For CE+ applicants, this change is more than a technical footnote. It directly affects your certification status. Devices running Windows 10 are no longer considered secure by default. To remain compliant, organisations must upgrade to Windows 11 version 23H2 or newer (ideally 24H2 or 25H2).

If your CE+ audit is scheduled within the 90-day window following your Cyber Essentials certification, any Windows 10 devices must be upgraded or removed from scope before submitting your asset list to the auditor.


“With Windows 10 now out of support, organisations pursuing Cyber Essentials Plus must act quickly. Upgrading to Windows 11 isn’t just best practice – it’s essential for compliance. At CyberLab, we’re here to make that transition smooth, secure, and audit-ready.”

– Ryan Bradbury, CTO at CyberLab


Why It Matters

Auditors will now perform technical verification during CE+ assessments.

If Windows 10 devices are detected:

  • They must be excluded from scope.
  • Failure to do so could result in audit failure or the need to restart both Cyber Essentials and CE+ assessments.


What You Need to Do Now

To stay secure and compliant, here are your next steps:

  • Audit your device inventory: Identify any machines still running Windows 10.
  • Upgrade to Windows 11: Preferably version 24H2 or 25H2. Note that 23H2 reaches end of life on 11 November 2025, so plan accordingly.
  • Consider ESU: If upgrading isn’t feasible, explore Microsoft’s Extended Security Updates programme.
  • Communicate with your auditor: Be transparent about your upgrade plans and ensure your asset list reflects only compliant devices.

This transition is a critical moment for organisations aiming to maintain Cyber Essentials Plus certification. By acting now, you’ll avoid last-minute surprises and ensure your systems meet the latest security standards.

Need help navigating the upgrade or preparing for your CE+ audit? CyberLab’s team is here to support you.

