Cyber Essentials has entered a more demanding phase, with cloud multi-factor authentication now a mandatory pass requirement and high-risk patching treated as an automatic-fail issue under the UK scheme’s latest update.
The v3.3 requirements took effect on 27 April 2026. The five core controls remain — firewalls, secure configuration, security update management, user access control, and malware protection — but the assessment now places more weight on cloud services, endpoint visibility, remote working, and user authentication.
That moves the scheme closer to the way companies now operate. Production planning, design files, maintenance records, quality documentation, procurement data, and finance systems increasingly sit in cloud platforms accessed from multiple sites, homes, depots, customer locations, and third-party service providers. A baseline cyber scheme that ignored those working patterns would now be certifying a tidy fiction.
Under the updated marking criteria, MFA is mandatory for all cloud services where it is available. That includes services where MFA is free, included in the subscription, connected through another service, or available as a paid option. Leaving available MFA unused will result in automatic failure.
Dominic Carroll, Director Portfolio at e2e-assure, said: “I welcome the annual updates to the Cyber Essentials marking criteria. This year’s change to make MFA a mandatory requirement to pass is long overdue. This won’t impact most organisations that are taking their cyber security seriously, as this has been basic practice for some time. But for those who are lagging behind, these are the kinds of basics we need to ensure are in place across the board.”
The shift changes the status of MFA from accepted good practice to assessment-critical control. Organisations already enforcing MFA across cloud email, ERP, CRM, remote administration, privileged accounts, and externally managed services should see the update as formalisation rather than disruption. Others will need to deal with the loose ends that often collect around legacy SaaS deployments, shared administration, opt-in authentication, and supplier-managed access.
Security update management has also moved further into pass-fail territory. High-risk or critical updates and vulnerability fixes for operating systems, router and firewall firmware, and applications must be installed within 14 days of release. Two questions covering those controls are now automatic-fail items.
Carroll added: “Additionally, increasing the focus on the timely installation of high-risk or critical security updates and vulnerability fixes is great to see. However, I still feel that 14 days is too long a window for high-risk critical security updates. The speed at which threat actors can move and deploy attacks with the assistance of AI is accelerating at an unprecedented rate, and a 2-week risk period is too long, especially for businesses critical to CNI supply chains.”
The 14-day rule is simple on paper and harder in mixed operational estates. Updates may touch engineering workstations, warehouse systems, production reporting tools, remote support software, network equipment, or applications linked to plant data. Meeting the requirement depends on knowing which assets exist, who owns them, which suppliers support them, and how quickly updates can be tested and deployed without creating avoidable operational risk.
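The two automatic-fail conditions described above, MFA left unused on a cloud service where it is available and a high-risk or critical update not installed within 14 days of release, are easy to state and easier to miss in a mixed estate. The following is an added self-assessment pre-check, not code from the scheme, NCSC, or any organisation quoted in the article. It runs over a constructed inventory (service names, asset names, owners and dates are all made up for the example), and the field names are assumptions, not a scheme schema. It treats any MFA availability other than "unavailable" as available, including a paid option, and it separates updates that are overdue from those still inside the window and from assets whose owner is unknown, since an unowned asset is a gap to resolve rather than a pass.

```python
"""Pre-check of two Cyber Essentials v3.3 automatic-fail conditions over an
asset and cloud-service inventory. Added example with constructed data; the
inventory fields are assumptions, not an official schema."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# v3.3: high-risk or critical fixes must be installed within 14 days of release.
PATCH_WINDOW = timedelta(days=14)

# MFA availability states as the requirements describe them. Anything other
# than "unavailable" counts as available, a paid option included.
MFA_AVAILABLE = {"free", "included", "via_other_service", "paid_option"}


@dataclass
class CloudService:
    name: str
    mfa_availability: str      # one of MFA_AVAILABLE, or "unavailable"
    mfa_enforced: bool


@dataclass
class CriticalUpdate:
    asset: str
    owner: Optional[str]       # None = ownership unknown
    released: date
    installed: Optional[date]  # None = not yet installed


def check_mfa(services: List[CloudService]) -> List[str]:
    """Names of cloud services that would fail: MFA available but not enforced."""
    return [s.name for s in services
            if s.mfa_availability in MFA_AVAILABLE and not s.mfa_enforced]


def check_patching(updates: List[CriticalUpdate], today: date) -> Dict[str, List[str]]:
    """Classify each critical update against the 14-day window.

    'fail': installed after the deadline, or not installed and deadline passed
    'due':  not yet installed but the deadline is still in the future
    'pass': installed on or before the deadline
    """
    result: Dict[str, List[str]] = {"fail": [], "due": [], "pass": []}
    for u in updates:
        deadline = u.released + PATCH_WINDOW
        if u.installed is not None:
            bucket = "pass" if u.installed <= deadline else "fail"
        else:
            bucket = "due" if today <= deadline else "fail"
        result[bucket].append(u.asset)
    return result


def unowned(updates: List[CriticalUpdate]) -> List[str]:
    """Assets with no recorded owner: nobody is accountable for the deadline."""
    return [u.asset for u in updates if u.owner is None]


# Constructed sample inventory (not real systems or suppliers).
SERVICES = [
    CloudService("Email (cloud)", "included", True),
    CloudService("Finance SaaS", "paid_option", False),           # available, unused
    CloudService("Legacy supplier portal", "unavailable", False),  # no MFA offered
    CloudService("ERP", "via_other_service", True),
]

TODAY = date(2026, 5, 11)  # constructed assessment date

UPDATES = [
    CriticalUpdate("FW-01 firewall firmware", "network team",
                   date(2026, 4, 20), date(2026, 4, 28)),   # installed day 8
    CriticalUpdate("ENG-WS-07 CAD workstation", "engineering",
                   date(2026, 4, 10), date(2026, 5, 1)),    # installed day 21
    CriticalUpdate("RPT-SRV production reporting", None,
                   date(2026, 5, 4), None),                 # open, deadline 18 May
    CriticalUpdate("REMOTE-SUPPORT tool", "supplier X",
                   date(2026, 4, 20), None),                # open, deadline 4 May passed
]


def report(services=SERVICES, updates=UPDATES, today=TODAY) -> Dict[str, List[str]]:
    """Combine both checks into one summary of likely automatic-fail items."""
    patching = check_patching(updates, today)
    return {
        "mfa_fail": check_mfa(services),
        "patch_fail": patching["fail"],
        "patch_due": patching["due"],
        "patch_pass": patching["pass"],
        "no_owner": unowned(updates),
    }


if __name__ == "__main__":
    for key, items in report().items():
        print(f"{key}: {items}")
```

The "due" bucket is the one worth watching between assessments: a fix released a week ago is not yet a failure, but with no owner recorded nobody is on the hook to make the deadline.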
The threat context is moving in the other direction. The 2025 Cyber Security Breaches Survey found that 43% of UK businesses identified a cyber breach or attack in the previous 12 months, rising to 67% for medium businesses and 74% for large businesses. NCSC has also warned that AI-enabled tools are expected to improve attackers’ ability to exploit known vulnerabilities, adding more urgency to patch discipline.
The update also tightens the practical meaning of scope. A Cyber Essentials assessment cannot exclude end-user devices, and cloud services hosting organisational data or services must be included. Corporate and BYOD devices used at home or for remote working on organisational business are in scope, and user-owned devices that access organisational data or services are also in scope unless they are used only for native voice, native text, or MFA applications.
Jon Fielding, Managing Director, EMEA at Apricorn, said: “Today’s updates to the National Cyber Security Centre’s Cyber Essentials place greater emphasis on remote working and device ownership. Bringing these into scope is a positive step as organisations are far more secure when they can rely on company-owned, managed devices, where they have visibility of assets, control over access, and the ability to enforce consistent security policies.”
Device ownership is one of the least glamorous parts of cyber security, which is usually a sign that it is one of the most useful. A managed laptop with enforced encryption, controlled authentication, known software, and central patching creates a very different risk profile from a personal device used intermittently to access company data. The updated requirements push that distinction into the certification process.
Fielding said Apricorn’s research found that only 19% of respondents said their organisation mandates the use of company-provisioned equipment with endpoint controls, while 46% of remote or mobile workers knowingly put data at risk.
He added: “The research also found that 46 per cent of remote or mobile workers knowingly put data at risk, and highlights that backup resilience should certainly have more prevalence alongside these changes. While the guidance references backups, organisations should be adopting the 3-2-1-1-0 model to ensure data can be recovered quickly and reliably. Knowing which devices exist, enforcing secure authentication such as PIN-based access, and protecting against brute force attempts are all part of reducing risk at the endpoint.”
Backups remain outside the five Cyber Essentials technical controls, even though the requirements recommend regular backups to support faster recovery if data is lost or stolen. That boundary is significant. Certification can reduce exposure to common internet-based threats, but it is not the same as resilience planning, incident response readiness, OT security assurance, or ransomware recovery capability.
The April update does not turn Cyber Essentials into a comprehensive cyber security framework. It was never designed to do that. Its value lies in making the basics harder to avoid: MFA where cloud services support it, critical updates inside the assessment window, cloud services inside scope, and unmanaged devices treated as a visible source of risk.
The result is a more useful baseline, and a less comfortable one. Companies that can already explain their assets, accounts, cloud services, suppliers, patches, and devices should have little to fear from the revised criteria. Those that cannot may discover that the cyber basics were only basic when someone else had to check them.