What are the key changes in Cyber Essentials v3.3?

Cloud services are now fully in scope
Businesses can no longer remove platforms like Microsoft 365, Google Workspace, or key SaaS tools from assessment. If the service holds your data, it is included. This will be a major shift for organisations that have historically “excluded the cloud” to simplify certification.

Identity and access becomes a serious requirement
Multi-factor authentication is now expected across cloud services and administrative roles. There’s also formal recognition of modern passwordless methods such as passkeys and FIDO2. The direction of travel is clear. Identity security is no longer optional.

Patching and update discipline gets sharper
High-risk vulnerabilities must be patched within 14 days. This alone will expose whether your business has a reliable process for managing updates. Poor patching has always been one of the most common weaknesses. v3.3 forces this to improve.

BYOD and remote working rules are clarified
Any device that accesses organisational data is in scope, whether the company owns it or not. That includes home workers, and their routers where the business supplies them. This is where many organisations get caught out without realising it.

Shared responsibility for the cloud becomes explicit
v3.3 makes it clear that responsibility doesn’t stop when a business adopts cloud services. Providers take care of some controls, but configuration, identity, access, and ongoing management remain your job. This is a major blind spot for many SMEs.

Asset management finally gets the spotlight
Although asset management is not a formal control, v3.3 positions it as a foundational requirement. Businesses need a clear, accurate understanding of their devices, software, users, and access paths if they expect to achieve meaningful security.

Why this matters for UK SMEs
Cyber Essentials is no longer a simple certification exercise. The 2026 update moves it closer to a practical security baseline that sits at the core of operational resilience. For many SMEs, this will be the first time they’ve looked deeply at how their cloud services, devices, people, and providers are working together.
Customers and supply chain partners increasingly expect to see Cyber Essentials as a condition for doing business. Insurers now use it when assessing risk. Boards want clearer evidence that IT systems are protected. Most importantly, the modern SME operates in a more distributed environment than ever before. The traditional security perimeter no longer exists. v3.3 reflects that shift directly.
This is a moment for businesses to tidy up legacy practices, modernise their security posture, and move confidently into 2026 with systems that are properly aligned to how people work today.
