The National Cyber Security Centre is rolling out Cyber Essentials v3.3 in April 2026, and it’s tightening controls. With a huge shift towards cloud-first working, identity-based security and phishing‑resistant authentication, this update changes how organisations need to approach compliance.
What to expect in the Cyber Essentials v3.3 update and why it matters
Cloud-first working…
🔍 Scope rules are getting tighter
Cyber Essentials v3.3 makes scoping far stricter, closing loopholes by clearly defining what must be included and requiring robust justification for any exclusions. Anything that connects to the internet or processes organisational data, especially cloud services, is now automatically in scope unless you can technically prove otherwise, making “creative scoping” a thing of the past.
🌐 “Untrusted connections” is gone
Cyber Essentials v3.3 replaces the old “untrusted connections” concept with a simpler rule: if a device connects to the internet, it’s in scope. This removes ambiguity and makes scoping far more consistent across organisations.
🔒 Stricter rules for network segmentation
Segmentation is now tightly controlled, with only firewalls or VLANs allowed to create valid sub‑sets. Software‑based barriers no longer qualify, meaning fewer areas can be excluded and scoping must reflect real, enforceable network separation.
☁️ Cloud services officially everywhere — and fully in scope
Cloud platforms are now firmly treated as in scope, with v3.3 stating that any service storing or processing organisational data must be assessed, even social media accounts! From SaaS to IaaS, if your data touches it, it’s in scope with no exceptions or opt‑outs.
Identity-based security…
👉 MFA is now mandatory
MFA must be enabled for all cloud users and admins wherever it’s available, making password‑only access an automatic fail and impacting almost every organisation.
🔑 Passwordless gets an upgrade
Guidance now emphasises modern, phishing‑resistant authentication like FIDO2 Passkeys, signalling that passwordless methods are the expected direction for future standards.
🧑‍💻 New software development expectations
The Software Security Code of Practice is now part of Cyber Essentials, raising requirements for any organisation that builds, customises or maintains software.
Cyber Essentials v3.3 reflects the changing IT landscape: cloud‑heavy environments, identity-led security and modern authentication.
If your organisation hasn’t revisited its scope, cloud configurations or MFA strategy recently, now is the time.
👉 Need help aligning with v3.3 or getting Cyber Essentials certified?
Get in touch — we’ll guide you through the changes and make sure you’re ready.