Netitude Blog | News & Insights

What the April 2026 Cyber Essentials Update Means for Your Business

Written by David West | 02-Apr-2026 12:45:00

Cyber threats aren’t slowing down, and neither are the standards designed to defend against them.

On 27 April 2026, Cyber Essentials (CE) v3.3, codenamed Danzell, comes into force. For UK organisations that rely on Cyber Essentials certification for contracts, supply chain compliance or cyber insurance, this update introduces stricter identity controls, tighter cloud scoping and firmer technical requirements.

In this guide, we break down what’s changing under Cyber Essentials v3.3 and what decision-makers need to address now to achieve or maintain certification.

The main shift with 3.3 is a change in language to make it clearer for organisations what they can and cannot do. Previous versions of the Cyber Essentials framework used language that was open to interpretation, leading businesses to sometimes not follow best practices while still achieving self-certification status.

The Big Shift: Identity is Now Key for CE Certified Businesses

Multi-Factor Authentication is Now Mandatory

Once upon a time, multi-factor authentication (MFA) was more of a nice-to-have. Cyber Essentials has expected MFA for users and administrators of cloud services for several versions now, but the wording left room for interpretation. The guidance is now much clearer to avoid doubt: if you access any cloud-based service as either a user or an administrator, you MUST use multi-factor authentication every time.

Identity - meaning who a user is and how they authenticate - has become the centrepiece of business security. With most systems now cloud-hosted, traditional network firewalls offer far less protection. This is why Cyber Essentials v3.3 places such strong emphasis on securing usernames, passwords, and MFA as the front line.

In previous versions of CE, MFA for users was only expected where the service made it available, which in practice allowed organisations to “comply or explain”. If a service didn’t support MFA, or only offered it as a paid add-on, you could justify its absence and still pass. That is no longer the case for cloud software, or Software-as-a-Service. If you use a cloud-based solution – perhaps an HR app – and the plan you pay for doesn’t include MFA but a more expensive plan does, you must upgrade in order to add MFA and maintain compliance.

This applies to any cloud platform holding company data, including:

  • Microsoft 365
  • Google Workspace
  • CRM platforms (HubSpot, Salesforce, Dynamics)
  • Finance tools (Xero, QuickBooks, Sage)
  • HR systems
  • Project management tools (Jira, Monday.com, Asana)

What the New MFA Rules Mean in Practice

Under the updated scheme, any admin account without MFA is treated as an instant failure, no exceptions. The same applies to any user account with access to company data that has MFA available but isn’t enabled.

In practice, this could mean upgrading to a higher subscription tier to unlock MFA, enforcing MFA across Microsoft 365 or Google Workspace, or switching to a platform that supports MFA. For example, operating Microsoft 365 without MFA enabled for all users would now result in an automatic assessment failure, even if all other CE controls are fully met.

Cyber Essentials v3.3 sends a clear message: passwords alone are no longer good enough, and identity must be strongly verified every time a user logs in.

Cloud Service Users Have No Place to Hide

CE v3.3 explicitly states that any cloud service that stores or processes organisational data must be included in the Cyber Essentials assessment. Essentially, if company data is accessible through a piece of software or a tool, it’s in scope. You cannot exclude a cloud service from the scope of your Cyber Essentials application.

Think email platforms, CRM systems, HR software, accounting tools and file-sharing platforms – are they being included in the Cyber Essentials assessment, or are they being skipped over?

For the first time, Cyber Essentials has provided a clear definition of what a cloud service is and does:

“Cloud service means on-demand, scalable service, hosted on shared infrastructure, and accessible via the internet. For the purposes of Cyber Essentials, a cloud service will be accessed via an account (which may be credentials issued by your organisation, or an email address used for business purposes), and will store or process data for your organisation” – Cyber Essentials: Requirements for IT Infrastructure v3.3 April 2026

Understanding the Shared Responsibility Model

Cyber Essentials v3.3 requires organisations to show they understand, and can evidence, a shared responsibility model for each cloud service they use. For any company using a software-as-a-service (SaaS) product, the provider handles some of the security, but the organisation remains responsible for securing its own use of the service.

Below, we’ve outlined what a SaaS company should cover vs what a typical business should handle from a cybersecurity perspective:

SaaS Provider Responsibilities:

  • Physical data centres
  • Infrastructure, networking, servers
  • Application backend code
  • Built-in platform-level protections (encryption in transit/at rest)
  • “The cloud itself”: the underlying technology that runs the service

Typical Business Responsibilities:

  • How the platform is configured in your tenant
  • Which security features you enable (e.g., MFA, conditional access, admin roles)
  • The data your organisation creates, stores, or processes within the service
  • Managing user accounts, access levels, and permissions

Referencing Provider Trust Centres or Contracts

CE encourages organisations to support their documentation with formal confirmation from the provider. This can include:

    • Security commitments listed in contracts or SLAs
    • Documentation available on the provider’s security or trust centre
      (e.g., Microsoft Trust Centre, Google Security Hub, Salesforce Trust Site)

These sources help you clearly establish the boundary between provider responsibility and your responsibility, a distinction that assessors will expect you to explain clearly under the new v3.3 rules.

This confirmation is required only if your SaaS provider or host is handling some of the Cyber Essentials controls as part of their service offering, rather than you configuring your environment to meet the requirements. This typically covers updates or patching, which are commonly handled by the vendor for browser-based SaaS apps.

Critical & High-Risk Vulnerabilities and Patching

As with most areas of v3.3, the wording and guidance have been clarified and made more instructive to eliminate doubt or misinterpretation.

Under Cyber Essentials Danzell, any vulnerability rated 7.0 or above on the CVSS (Common Vulnerability Scoring System) v3 scale – a standardised framework for rating the severity of security vulnerabilities – should be patched within 14 days of a fix being released.

  • NOTE: This is worded as a “strong recommendation”, but the onus of applying the patch lies with the applicant.

This requirement applies across both operating systems and applications, meaning everything from Windows and macOS to productivity tools, VPNs, and third-party applications should be captured within the timeframe.
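To make the 14-day rule concrete, here is an added Python example (not code from the original article or from Netitude) that takes a constructed list of findings with CVSS v3 scores, fix-release dates and patch dates and reports which are inside the window, past it, or not subject to it. The finding IDs, assets and dates are made up for illustration and are not real vulnerabilities; the 7.0 threshold and the 14-day window come from the text above. The point the code makes that the prose does not spell out: the clock starts when the vendor releases the fix, a finding with no fix yet has no deadline, and a score of exactly 7.0 is in scope.

```python
"""Track the Cyber Essentials 14-day patch window for CVSS v3 >= 7.0 findings.

Constructed example: finding IDs, assets and dates are invented for
illustration and are not real vulnerabilities.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

CVSS_THRESHOLD = 7.0           # "critical or high": CVSS v3 base score of 7.0 or above
PATCH_WINDOW = timedelta(days=14)


@dataclass(frozen=True)
class Finding:
    finding_id: str                # hypothetical tracker reference, not a CVE
    asset: str
    cvss_v3: float
    fix_released: Optional[date]   # None: the vendor has not shipped a fix yet
    patched_on: Optional[date]     # None: not yet patched


@dataclass(frozen=True)
class Result:
    finding: Finding
    status: str
    deadline: Optional[date]


def patch_deadline(finding: Finding) -> Optional[date]:
    """The 14-day clock starts at fix release, not at disclosure.

    Returns None when no deadline applies (below threshold or no fix yet).
    """
    if finding.cvss_v3 < CVSS_THRESHOLD or finding.fix_released is None:
        return None
    return finding.fix_released + PATCH_WINDOW


def assess(findings: List[Finding], today: date) -> List[Result]:
    """Classify each finding against the 14-day window as of `today`."""
    results = []
    for f in findings:
        due = patch_deadline(f)
        if f.cvss_v3 < CVSS_THRESHOLD:
            # Still needs patching under normal update management, but the
            # hard 14-day deadline only applies at 7.0 and above.
            status = "below_threshold"
        elif due is None:
            status = "awaiting_vendor_fix"
        elif f.patched_on is not None:
            status = "patched_in_window" if f.patched_on <= due else "patched_late"
        elif today > due:
            status = "overdue"
        else:
            status = "due"
        results.append(Result(f, status, due))
    return results


# Constructed sample inventory (hypothetical assets and dates).
SAMPLE_FINDINGS = [
    Finding("F-001", "laptop-07 (Windows)", 9.8, date(2026, 4, 28), date(2026, 5, 5)),
    Finding("F-002", "vpn-gateway", 7.5, date(2026, 4, 20), None),
    Finding("F-003", "finance-pc (Office)", 6.5, date(2026, 4, 1), None),
    Finding("F-004", "macbook-03 (browser)", 8.1, None, None),
    Finding("F-005", "laptop-12 (Windows)", 7.0, date(2026, 5, 10), None),
    Finding("F-006", "file-server", 7.2, date(2026, 4, 1), date(2026, 4, 30)),
]


def demo_report(today: date = date(2026, 5, 15)) -> dict:
    """Map finding ID -> status for the constructed sample, as of a fixed date."""
    return {r.finding.finding_id: r.status for r in assess(SAMPLE_FINDINGS, today)}


if __name__ == "__main__":
    for r in assess(SAMPLE_FINDINGS, date(2026, 5, 15)):
        print(f"{r.finding.finding_id:6} {r.finding.asset:22} CVSS {r.finding.cvss_v3:<4} "
              f"deadline {r.deadline}  {r.status}")
```

Feed it an export from your vulnerability scanner or RMM tool with the same four fields and the "overdue" and "patched_late" rows are the ones an assessor will ask about; "awaiting_vendor_fix" rows are worth tracking separately because the window has not started and you may need a workaround in the meantime.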

Backup Protection Should Withstand Ransomware

Cyber Essentials v3.3 raises expectations around business resilience across the board and aims to encourage businesses to think carefully about resilience and recovery.

Although back-ups are not part of the five core technical controls, it's clear that the National Cyber Security Centre (NCSC) is placing greater emphasis on backup protection in future Cyber Essentials framework revisions.

There was an estimated 34-50% increase in ransomware attacks in the past year, with 4,701 confirmed incidents globally between January and September 2025. The new CE updates should therefore be read as the NCSC’s response to an ever-increasing ransomware threat landscape.

New Resilience Expectations

To withstand these threats, organisations should have backup solutions that cannot be modified, deleted, or encrypted by attackers. Traditional backups, especially those connected to the network, have repeatedly been targeted and wiped during ransomware incidents, leaving businesses unable to recover even when they believed they were protected.

That is why CE v3.3 introduces stronger language around:

    • Immutable or write‑once backups
    • Offline or logically separated storage
    • Secure backup environments
    • Separation from production systems
    • Regular testing and verification

These practices are no longer considered “nice to have.” They are now viewed as essential components of ransomware-resilient operations.

Why We Moved to Immutable Backups Early as an MSP

Long before the Cyber Essentials framework hinted at the importance of immutable backups, we had already moved all client backups to immutable storage as part of our fully managed IT service. We recognised early on that ransomware exploiters were increasingly targeting backup repositories and that traditional backups (even cloud-based ones) were no longer sufficient on their own.

If your backups can be encrypted or deleted by an attacker, they’re not true recovery controls; they are a single point of failure.

By adopting immutable backup technology ahead of regulatory requirements, we ensured that:

    • Backups cannot be altered or deleted, even by a compromised admin account
    • Clients have guaranteed recovery points that ransomware cannot touch
    • Recovery times are dramatically reduced in the event of an incident
    • We are already aligned with the stricter resilience expectations emerging in CE v3.3

Joiners, Movers and Leavers Under Greater Scrutiny

Why JML Processes Matter Under v3.3

This next CE iteration comes down hard on account lifecycle management. Businesses with poor or inadequate joiners, movers and leavers (JML) processes will need to up their game to achieve their Cyber Essentials certification.

Identity-first security, rather than poor JML processes with dormant accounts and inefficient handovers, is an area that CE assessors will be clamping down on. The JML process will need to be well documented, repeatable and provable. In practice, that means:

    • Timely creation of accounts for new starters (no account sharing).
    • A documented and regularly reviewed process for user creation, mover and leaver handling.
    • Movers receiving appropriate access changes, not just added permissions.
    • Immediate revocation of access for leavers, including VPN, SaaS and legacy apps.
    • Use of role-based templates to reduce misconfigurations.
    • Regular access reviews to verify least privilege.

Secure Development Requirements for Bespoke Applications

CE v3.3’s New Expectations for Custom Apps

What were previously deemed “web applications” now fall under secure application development in the incoming CE requirements. Cyber Essentials now requires evidence that any in-house or bespoke apps follow secure coding and patching standards, including:

    • Secure coding principles (input validation, authentication, data handling).
    • A formal patching process for custom applications.
    • Supplier assurance if a third party maintains or develops the app.
    • Regular testing (internal or external) for vulnerabilities.
    • Change control and version tracking.
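The MFA rules from “What the New MFA Rules Mean in Practice” and the JML expectations above both reduce to checks you can run over an export of your cloud accounts. The following is an added Python example, not code from the original article or from Netitude, that audits a constructed account inventory: admins without MFA and users without MFA (including where the subscription tier does not offer it) are recorded as certification failures with the remediation the article describes, leavers whose accounts are still enabled are flagged, and accounts with no sign-in for 90 days are queued for review. Every service, person and date in it is invented, and the 90-day dormancy threshold is an assumed review figure, not a number from the Cyber Essentials requirements.

```python
"""Audit a cloud-account inventory against the CE v3.3 MFA and JML expectations.

Constructed example: the services, people and dates are invented for
illustration. The 90-day dormancy threshold is an assumption, not a CE figure.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

DORMANT_AFTER = timedelta(days=90)   # assumed access-review threshold


@dataclass(frozen=True)
class Account:
    service: str
    user: str
    role: str                      # "admin" or "user"
    enabled: bool
    mfa_available: bool            # does the subscription tier offer MFA at all?
    mfa_enforced: bool
    last_sign_in: Optional[date]   # None: never signed in
    leaver_date: Optional[date]    # from HR; None for current staff


@dataclass(frozen=True)
class Issue:
    service: str
    user: str
    severity: str                  # "fail" blocks certification; "review" needs action
    code: str
    action: str


def audit(accounts: List[Account], today: date) -> List[Issue]:
    """Return every MFA or JML problem found in the inventory as of `today`."""
    issues: List[Issue] = []
    for a in accounts:
        # Leavers: access must be revoked, whatever else is configured.
        if a.leaver_date is not None and a.leaver_date <= today and a.enabled:
            issues.append(Issue(a.service, a.user, "fail", "leaver_still_enabled",
                                "disable the account and remove VPN, SaaS and legacy app access"))
            continue
        if not a.enabled:
            continue   # a disabled account cannot be used to reach company data
        # MFA: an admin without MFA is an instant failure; a user fails if MFA is
        # not enforced, and "not on our plan" is no longer an excuse for SaaS.
        if not a.mfa_enforced:
            if a.role == "admin":
                code, action = "admin_without_mfa", "enforce MFA on the admin account now"
            elif a.mfa_available:
                code, action = "mfa_not_enforced", "enforce MFA for this user"
            else:
                code, action = ("mfa_not_offered_on_plan",
                                "upgrade the subscription tier or move to a platform with MFA")
            issues.append(Issue(a.service, a.user, "fail", code, action))
        # Dormant accounts usually mean the JML process is not being followed.
        if a.last_sign_in is None or today - a.last_sign_in > DORMANT_AFTER:
            issues.append(Issue(a.service, a.user, "review", "dormant_account",
                                "confirm the account is still needed or disable it"))
    return issues


# Constructed sample inventory (hypothetical tenants and people).
SAMPLE_ACCOUNTS = [
    Account("Microsoft 365", "alice", "admin", True, True, True, date(2026, 5, 14), None),
    Account("Microsoft 365", "bob", "admin", True, True, False, date(2026, 5, 12), None),
    Account("HR app", "carol", "user", True, False, False, date(2026, 5, 11), None),
    Account("Xero", "dave", "user", True, True, False, date(2026, 5, 9), None),
    Account("Microsoft 365", "erin", "user", True, True, True, date(2026, 3, 27), date(2026, 3, 31)),
    Account("Jira", "frank", "user", True, True, True, date(2025, 12, 1), None),
    Account("Jira", "grace", "user", False, True, True, date(2026, 1, 10), date(2026, 1, 16)),
]


def demo_issues(today: date = date(2026, 5, 15)) -> Dict[Tuple[str, str], List[str]]:
    """Map (service, user) -> issue codes for the constructed inventory."""
    out: Dict[Tuple[str, str], List[str]] = {}
    for i in audit(SAMPLE_ACCOUNTS, today):
        out.setdefault((i.service, i.user), []).append(i.code)
    return out


if __name__ == "__main__":
    for i in audit(SAMPLE_ACCOUNTS, date(2026, 5, 15)):
        print(f"[{i.severity:6}] {i.service:14} {i.user:6} {i.code:24} -> {i.action}")
```

The leaver check runs first and short-circuits because a leaver with an enabled account is the finding that matters, whatever its MFA state; the MFA check deliberately treats an admin without MFA as a failure even when the tier does not offer it, matching the “no exceptions” wording above. Replace the sample list with a CSV export from each service and the "fail" rows are your pre-assessment to-do list.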

Remote Working & BYOD Expectations

The v3.3 update clarifies that all remote devices accessing organisational data lie within the scope, regardless of the device type (laptop, tablet, phone).

Home and remote networks, including public Wi-Fi, must also meet the minimum firewall/router requirements if used for work purposes. A VPN or another secure access path is expected where appropriate, so that the same security baseline applies when working outside the office.

BYOD (Bring Your Own Device) Rules

For employees, personal devices are also in scope if they access business data; the only BYOD exceptions are voice/text-only phones or devices used to handle MFA requests, such as the Authenticator app.

Organisations must ensure security controls apply to BYOD by ensuring the device is set up with MFA, device lock, Operating System (OS) updates and anti-malware where possible. To go one step further from a compliance standpoint, we recommend creating clear BYOD policies that outline what is expected of your employees when using personal devices to access work resources.

A Quick Cyber Essentials Danzell Readiness Check

If you’re unsure where you stand, we’ve devised a list of questions as part of our Cyber Essentials Readiness Checklist:

  • Are all cloud services documented and included in scope?
  • Is MFA enabled on all cloud-based apps for both users and admins?
  • Are admin accounts protected by MFA and least‑privilege access?
  • Do you have a clear JML process that is consistently followed?
  • Do you understand and document the shared responsibility model for each SaaS platform?
  • Do remote and BYOD devices for staff meet CE controls?

Cyber Essentials v3.3 Frequently Asked Questions (FAQs) 

When does Cyber Essentials v3.3 (Danzell) take effect?

Cyber Essentials v3.3 comes into effect on 27 April 2026. Assessments conducted after this date will follow the updated Danzell question set.

Is MFA mandatory under Cyber Essentials v3.3?

Yes. Multi-factor authentication is mandatory for all cloud services and all administrator accounts. If your cloud service offers MFA but on a higher-tier subscription, you must upgrade and apply MFA.

Are cloud services automatically in scope for Cyber Essentials?

Yes. Any cloud service that stores or processes organisational data must now be included within scope under Cyber Essentials v3.3.

What happens if we fail a Cyber Essentials assessment?

If you fail, you must remediate the identified gaps and resubmit. Delays can impact contract eligibility and cyber insurance requirements.

How We Can Support Your CE Danzell Preparation

We’ve been in the business of managing business IT for 25 years. The team is backed by a long list of cybersecurity accreditations and certifications, and we guarantee a Cyber Essentials pass.

If you’d like to talk through your Cyber Essentials needs with one of our cybersecurity experts, please contact the team (0333 2412320 / hello@netitude.co.uk) or book some time with our MD below.