Cyber Essentials v3.3: What the April 2026 Changes Really Mean for Your Organisation
February 2026
What’s New in Cyber Essentials v3.3?
Cyber Essentials v3.3 might not feel like a seismic shift, but it introduces key clarifications and scope adjustments that every organisation should understand. The update focuses heavily on cutting ambiguity and ensuring cloud usage, device security, and identity management are treated seriously in today’s digital landscape.
At Avella, we see these changes as a positive step. They align closely with modern security realities: mixed device environments, the ubiquity of SaaS, and the increasing importance of identity-centric controls.
Below, we break down what’s new, why it matters, and what organisations should be preparing for ahead of April 2026.
1. Cloud Services: No Longer Optional
One of the biggest clarifications is simple: if you use cloud services, they’re in scope. This aligns the scheme with modern operating realities: almost every organisation now relies on SaaS, PaaS, IaaS, or a mix of all three.
Responsibility for security always rests with the organisation, even if the provider implements certain controls. The type of cloud service – SaaS, PaaS, or IaaS – determines which controls are yours and which are the provider’s (e.g., firewall controls are fully handled by SaaS providers but shared in IaaS models).
Evidence of provider controls should be documented, typically via contracts or trust centre documentation.
Many organisations still assume that “cloud equals secure by default.” However, v3.3 removes the room for misinterpretation. Whether you use M365, Dropbox, Gmail, or AWS, the assessment will now fully examine these environments.
2. Greater Clarity, More Accountability
Any device that accesses organisational data is now explicitly in scope. That includes employee-owned devices (BYOD), remote or home working devices, and third-party devices, such as those used by MSP administrators.
With flexible working blurring the lines between office and home, version 3.3 makes one thing clear: if it touches your data, it’s your responsibility – even if a third party manages it.
Devices that only handle voice calls, native SMS, or MFA apps remain out of scope.
3. Passwordless and MFA: Identity Is the New Perimeter
Cyber Essentials v3.3 modernises authentication requirements.
Passwordless authentication now includes:
FIDO2 security keys
Biometrics
Passkeys
QR/push-based authentication
Hardware tokens and one-time codes
Mandatory MFA: All cloud accounts must enable MFA wherever possible.
Updated password requirements:
Minimum 12 characters (or 8 if deny lists are used)
No forced password expiry
Brute-force protections, such as throttling or lockouts
Why this matters: Identity is now your first line of defence. Phishing-resistant MFA and passwordless methods are encouraged, and in some cases required, to protect against modern threats.
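As an added illustration (not Avella's or the scheme's own code), the following Python shows how the two password rules above translate into checks: the length floor that drops from 12 to 8 only when a deny list is enforced, and a simple failure counter with a temporary lockout as the brute-force protection. The deny list and the thresholds are constructed sample values.

```python
"""Password policy and lockout checks modelled on the v3.3 rules quoted above.
Illustrative only: thresholds and deny list are constructed sample values."""
from dataclasses import dataclass, field

# Constructed sample deny list; a real deployment would use a large breached-password set.
DENY_LIST = {"password", "welcome1", "qwerty123", "letmein!"}


def password_meets_policy(candidate: str, deny_list_enforced: bool) -> tuple[bool, str]:
    """Length rule: 12 characters, or 8 if a deny list is enforced (v3.3 wording)."""
    minimum = 8 if deny_list_enforced else 12
    if len(candidate) < minimum:
        return False, f"shorter than {minimum} characters"
    if deny_list_enforced and candidate.lower() in DENY_LIST:
        return False, "appears on deny list"
    return True, "ok"


@dataclass
class LoginThrottle:
    """Brute-force protection: lock an account after max_failures consecutive failures."""
    max_failures: int = 5
    lockout_seconds: float = 600.0
    # account name -> (consecutive failure count, unix time the lockout expires)
    failures: dict = field(default_factory=dict)

    def record_failure(self, account: str, now: float) -> None:
        count, locked_until = self.failures.get(account, (0, 0.0))
        count += 1
        if count >= self.max_failures:
            locked_until = now + self.lockout_seconds
        self.failures[account] = (count, locked_until)

    def is_locked(self, account: str, now: float) -> bool:
        _, locked_until = self.failures.get(account, (0, 0.0))
        return now < locked_until

    def record_success(self, account: str) -> None:
        # A successful login clears the counter so legitimate users are not penalised.
        self.failures.pop(account, None)
```

The deny-list branch is what justifies the shorter minimum: without it, an 8-character password is rejected outright.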
4. Stricter Patching & Vulnerability Fixes
14-Day Rule: High-risk or critical security updates for operating systems, firmware, and applications must be installed within 14 days of release.
Broader Definition: “Vulnerability fixes” now includes not just patches, but also registry edits and configuration changes recommended by vendors.
Why this matters: Faster patching closes windows of exposure and reduces the risk that attackers exploit known vulnerabilities, improving organisational resilience.
5. Software Development: Introducing the Software Security Code of Practice
For the first time, Cyber Essentials points applicants to the Software Security Code of Practice for bespoke software and web applications. While not a full secure development framework, it raises expectations around security testing, change control, dependency management, and following commercial best practice.
Even small organisations increasingly rely on custom integrations or niche SaaS tools, so this update ensures bespoke components don’t become weak links in your security chain.
6. Backups: Stronger Guidance (Still Not Mandatory)
Backups are still outside mandatory controls, but v3.3 emphasises their importance. Recommendations include:
Cloud-based backup solutions
Disconnecting removable storage when not actively backing up
Matching backup frequency to operational risk
Regular, automated backups minimise downtime and speed recovery in the event of ransomware or other disruptive attacks.
7. Core Technical Controls: Clearer, Not Different
The five technical controls remain at the heart of Cyber Essentials:
Firewalls
Secure configuration
Security update management
User access control
Malware protection
v3.3 doesn’t change these rules, but it removes ambiguity, especially around cloud workloads, device usage, and shared responsibility.
Final Thoughts
Cyber Essentials v3.3 tightens scope boundaries, modernises authentication, introduces stricter patching rules, and clarifies grey areas. That clarity helps organisations focus on the right controls without guessing what “compliant” really means.
At Avella, we help organisations navigate these updates and implement the required controls effectively. From assessing which devices and cloud services are in scope, to rolling out phishing-resistant MFA, passwordless authentication, and robust patching strategies, we provide practical guidance and hands-on support.
Done well, Cyber Essentials remains a strong baseline – not just for certification, but as part of everyday cyber security hygiene.