Cyber Essentials Plus v3.3 takes effect on the 27th April 2026, and with it comes a tighter focus on identity, multi-factor authentication (MFA), and cloud services. These changes are designed to ensure concrete enforcement rather than policy alone. 

Here’s what’s changing, why it matters and why it’s crucial to review your setup to avoid any unexpected disruption. 

Why it matters 

Cyber Essentials and Cyber Essentials Plus are not just certificates; they are proof your organisation can manage cyber risk effectively. 

Delaying preparation could have serious consequences: 

  • Failed certification
  • Delays in contract opportunities or supplier approvals
  • Breach of cyber insurance conditions

Understanding these risks now allows your organisation to align compliance with operational priorities and avoid disruption. 

What are the changes? 

  1. Mandatory MFA
    MFA has long been required under Cyber Essentials, but expectations have tightened: if a cloud service offers MFA in any form and it is not enabled, this will now result in automatic failure, reflecting MFA’s critical role in protecting systems from modern cyber threats. 
  2. Strengthened identity enforcement
    Businesses that once met the minimum standard may now fall short if controls aren’t applied consistently across users, devices and cloud services. This ensures a more robust standard of security. 
  3. No shared accounts
    Each user must have a unique account and appropriate access rights. Shared or generic accounts are no longer acceptable.
  4. CE+ verification
    At Cyber Essentials Plus level, controls must be proven to work in practice, not just outlined in policy. You must demonstrate consistent compliance.
  5. Cloud services are fully in scope
    All cloud services your organisation relies on must now be covered, from email and collaboration tools to SaaS tools. If your team can access it, it falls within scope.

Actions to take now

Organisations should start planning for Cyber Essentials well before renewal rather than leaving it until the last minute. Many businesses will need time to implement multi-factor authentication, update legacy systems and streamline processes. Priority should be given to areas most at risk, including systems without MFA, older servers and cloud applications assumed out of scope. Reviewing these areas proactively helps avoid last-minute surprises and reduces the risk of noncompliance.

By acting early, organisations not only meet Cyber Essentials requirements but also embed lasting, practical security improvements that align with operational priorities. 

What does this mean for your business?

With these changes, the expectations are clearer, making it easier for businesses to keep pace with today’s cyber threats.

Rather than just ticking boxes, the updates provide a practical way to spot risks, put strong practices in place and close security gaps, helping your organisation stay more secure. 

How we can help 

Navigating Cyber Essentials doesn’t have to be daunting. We help you review your systems, identify gaps and implement key controls, including multi-factor authentication, and we manage your certification from start to finish. We also assess your cloud services and legacy systems, ensuring your most valuable data is protected and aligned with operational priorities. 

With our support, compliance becomes practical and achievable. We make compliance simple, turning cybersecurity into a strength that protects your business and builds lasting trust. Get in touch with our team here.