Cyber Essentials v3.3

/ Cyber Security / By

Cyber Essentials v3.3

Introduction

As cyber threats evolve in scale and sophistication, achieving and maintaining a Cyber Essentials certification has never been more helpful for UK organisations. At Walker & Munns, we work closely with businesses to help them build strong, practical foundations for cyber resilience.

For those who already have a CE certificate, the upcoming Cyber Essentials v3.3 update, launching on 27 April 2026, brings meaningful changes every organisation should prepare for.

Benefits to your business:

  • The National Cyber Security Centre (NCSC) and IASME have clarified and strengthened the framework to ensure it remains fit for purpose in a cloud‑first, hybrid‑work world.
  • Cyber Essentials remains one of the UK’s most effective baseline frameworks.
  • Demonstrates to customers that you take cybersecurity seriously.
  • Helps win public‑sector contracts.
  • Provides a clear roadmap for essential controls

Why Cyber Essentials Matters

Cyber Essentials helps organisations defend against the most common attacks by focusing on five core security controls:

  • Firewalls
  • Secure configuration
  • User access control
  • Malware protection
  • Patch management

These controls address the everyday vulnerabilities cybercriminals continue to target.

What’s Changing in Cyber Essentials v3.3 (April 2026)

The v3.3 update, launching on 27 April 2026, is not a complete overhaul, but it does introduce major clarifications and requirements that businesses must take seriously.

 

1. Multi‑Factor Authentication (MFA) Becomes Mandatory

The biggest change: MFA is now non‑negotiable. If a system supports MFA but you haven’t enabled it, your organisation will automatically fail Cyber Essentials.

This applies to all cloud and internet facing users.

 

2. Cloud Services Fully in Scope

Whether Microsoft 365, AWS, Google Workspace or any other cloud service, your cloud tools are now clearly and fully included in the assessment. Organisations must show they’ve configured cloud environments securely, not simply relied on provider defaults.

This includes:

  • User access

  • Admin roles

  • MFA

  • Backup strategy

  • Security configurations

3. Tighter Access Controls & Faster Remediation

Version 3.3 further tightens expectations around security hygiene:

  • Separate admin accounts are mandatory and must use MFA.

  • You must patch high‑risk vulnerabilities within 14 days.

  • Scoping is stricter. Any internet‑connected device or system is in scope unless technically justified.

4. Clearer Standards for Remote & Hybrid Work

The update introduces enhanced clarity for home workers, BYOD (bring your own device), wireless devices and remote endpoints. Organisations must demonstrate that remote working does not weaken the security perimeter.

Final Thoughts

Cyber Essentials 2026 reflects the realities of how organisations work today; virtual and cloud‑first, remote‑enabled operations, and increasingly targeted by attackers. The April 2026 changes mean organisations should begin preparations now.

At Walker & Munns, we see these changes as an opportunity for organisations to raise their cybersecurity maturity and demonstrate trustworthiness to customers, partners, and insurers.

 

If you’d like tailored guidance on preparing for Cyber Essentials v3.3 or improving your organisation’s cyber resilience, we are here to help.

Related Articles

Scroll to Top