
Cyber Essentials v3.3 took effect on 27 April 2026. All new assessment accounts created after that date use the updated requirements and the new Danzell question set. If your certification is due for renewal or you are certifying for the first time, v3.3 now applies to your assessment.
The core scheme has not changed. It still tests the same five control themes: firewalls, secure configuration, user access control, malware protection, and security update management. The updated version marks certain areas more strictly, changes how cloud services are scoped, and introduces clearer automatic failure triggers. The businesses that understand these changes pass first time. The ones that assume last year’s answers still work are the ones that fail. It is crucial to keep up to date with Cyber Essentials v3.3 compliance requirements.
The Three Changes That Matter Most
1. MFA is now a hard fail. Cyber Essentials has included multi-factor authentication for several years, but v3.3 now marks it more strictly. If a cloud service supports MFA and you have not enabled it for all users, you automatically fail. No discussion, no mitigation, no partial credit.
This applies regardless of whether MFA is free, bundled with the service, or only available as a paid add-on. If the option exists and you have not switched it on, the assessment stops there. Cyber Essentials v3.3 no longer accepts IP allowlisting as a form of multi-factor authentication.
The practical impact is significant. Most businesses have MFA enforced on their main platforms (Microsoft 365, for example) but have not enabled it on every cloud service they use. Project management tools, accounting software, CRM platforms, HR systems, social media accounts used for business, and even free-tier SaaS tools all count. Being thorough is now an integral part of the Cyber Essentials v3.3 requirements.
2. Cloud services cannot be excluded from scope. For the first time, v3.3 includes a formal definition of a cloud service: an on-demand, scalable service hosted on shared infrastructure, accessible via the internet, accessed via an account, and used to store or process organisational data. This update is outlined clearly in the Cyber Essentials v3.3 documentation.
If your business uses it and company data flows through it, it is in scope. Microsoft 365, Google Workspace, your CRM, your accounting platform, your file sharing tools, your HR system. Previous versions allowed some ambiguity that let businesses argue certain services were out of scope. That argument no longer holds. The new v3.3 definition closes these gaps.
What This Means in Practice
The practical step is to build a cloud service inventory before your assessment. List every service accessed with a business email or company account. For each one, confirm that MFA is enabled, that access controls are appropriate, and that the service is included in your scope statement as required by Cyber Essentials v3.3, ensuring no service is missed.
3. The 14-day patching rule is now an auto-fail. High-risk and critical security updates, those with a CVSS v3 base score of 7 or above, must be applied within 14 days of release. Two new auto-fail questions, A6.4 and A6.5, mean that failure to meet this requirement results in an automatic assessment failure. These specifics stem from the new Cyber Essentials v3.3 guidance.
This applies across all devices and software in scope: operating systems, firmware, browsers, plugins and applications. If your patching process is informal or relies on users accepting update prompts, you need a structured approach before your assessment. A managed IT provider with centralised patch management can enforce this consistently. Maintaining Cyber Essentials v3.3 patching standards gives your organisation the best chance at passing.
What Catches Businesses Out
Beyond the three headline changes, several areas consistently trip up businesses. Many common issues stem from misinterpreting Cyber Essentials v3.3 scope and requirements.
Scope that excludes end-user devices. A scope that does not include laptops, desktops, tablets or phones used to access organisational data is not acceptable under v3.3. If your staff use devices to access business email, files or cloud services, those devices are in scope. This includes BYOD arrangements where personal devices access company systems; leaving them out of scope is a non-compliance with Cyber Essentials v3.3.
Social media accounts. Cyber Essentials v3.3 treats business social media accounts, including LinkedIn, Facebook and X, as cloud services. If your marketing team logs into these accounts with a business email, you must enable MFA to protect your assessment. The rules were clarified in Cyber Essentials v3.3, so businesses must review every account accordingly.
Unsupported operating systems. Devices running operating systems past end of support, including Windows 10 without ESU, fail the secure configuration and patching requirements. If your estate includes machines that you cannot patch, you need to upgrade them, replace them, or formally exclude them from scope with documented network segregation. Cyber Essentials v3.3 helps you handle these systems properly.
Admin account hygiene. Assessors check whether you enforce MFA on administrator accounts, limit admin privileges to the people who need them, and use separate admin and standard accounts. Shared admin accounts without MFA are a common failure point. These rules are specifically included in the Cyber Essentials v3.3 assessment process.
Incomplete evidence. Even when the right controls are in place, businesses can struggle to prove it during assessment. Screenshots, policy records, patch reports, MFA settings and scope details all need to be clear, current and consistent. If the evidence does not match the answers given in the assessment, it can delay certification or lead to follow-up questions.
How to Prepare for a v3.3 Assessment
Start with three exercises. First, build your cloud service inventory and confirm MFA status on every service. Second, run a patching audit to confirm you can evidence 14-day compliance for critical updates. Third, review your scope statement to ensure it covers all devices and cloud services that handle organisational data. These actions are vital for Cyber Essentials v3.3 readiness.
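The first two exercises can be scripted over exported records. The sketch below is an added example, not part of the original article or of the scheme's own tooling; the record layout, field names and sample data are constructed for illustration, and counting day 14 as on time is an assumption about how "within 14 days" is read.

```python
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)  # page: within 14 days of release (day 14 on time: assumption)
CVSS_THRESHOLD = 7.0               # page: CVSS v3 base score of 7 or above
# Constructed sample records; the field names are assumptions for this example.
SERVICES = [
    {"name": "Microsoft 365", "mfa_available": True, "users": 25, "mfa_users": 25, "in_scope": True},
    {"name": "Accounting SaaS", "mfa_available": True, "users": 4, "mfa_users": 3, "in_scope": True},
    {"name": "LinkedIn (company page)", "mfa_available": True, "users": 2, "mfa_users": 2, "in_scope": False},
]
UPDATES = [
    {"device": "LAPTOP-01", "update": "os-update-a", "cvss": 9.8,
     "released": date(2026, 5, 1), "installed": date(2026, 5, 15)},  # day 14: on time
    {"device": "LAPTOP-02", "update": "os-update-a", "cvss": 9.8,
     "released": date(2026, 5, 1), "installed": date(2026, 5, 16)},  # day 15: late
    {"device": "FW-01", "update": "firmware-b", "cvss": 7.0,
     "released": date(2026, 5, 1), "installed": None},               # never applied
    {"device": "LAPTOP-01", "update": "browser-c", "cvss": 8.1,
     "released": date(2026, 5, 20), "installed": None},              # still inside window
    {"device": "LAPTOP-01", "update": "app-d", "cvss": 5.3,
     "released": date(2026, 4, 1), "installed": None},               # below threshold
]

def cloud_findings(services):
    """Flag services with MFA available but not on for every user, or missing from scope."""
    out = []
    for s in services:
        if s["mfa_available"] and s["mfa_users"] < s["users"]:
            out.append((s["name"], f"MFA off for {s['users'] - s['mfa_users']} user(s)"))
        if not s["in_scope"]:
            out.append((s["name"], "not listed in scope statement"))
    return out

def patch_findings(updates, today):
    """Classify high-risk/critical updates as 'late', 'overdue' or 'pending'."""
    out = []
    for u in updates:
        deadline = u["released"] + PATCH_WINDOW
        if u["installed"] is None:
            status = "overdue" if today > deadline else "pending"
        else:
            status = "late" if u["installed"] > deadline else None
        if status and u["cvss"] >= CVSS_THRESHOLD:
            out.append((u["device"], u["update"], status, deadline))
    return out

if __name__ == "__main__":
    print(*cloud_findings(SERVICES), *patch_findings(UPDATES, date(2026, 5, 25)), sep="\n")
```

The "pending" status separates updates that are still inside the 14-day window from ones already overdue, which is the list to work through before the assessment date.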
If you hold Cyber Essentials certification through Unite, we review your environment against v3.3 requirements before your assessment begins. If you are certifying for the first time, we run a readiness check that identifies gaps and helps you close them before your assessment account is created. This process is central to a successful Cyber Essentials version 3.3 certification journey.
As an IASME certification body, The Unite Group assesses businesses against the Cyber Essentials scheme directly. We understand how assessors interpret the requirements because we are the assessors. If your renewal is coming up or you want to certify for the first time under v3.3, contact us for a readiness review. Make sure you are fully prepared for Cyber Essentials v3.3 assessment changes.
