Compliance
Changes Coming to Cyber Essentials Plus (v3.3)
Updated 23 April 2026
The National Cyber Security Centre has released version 3.3 of the Cyber Essentials: Requirements for IT Infrastructure, effective April 2026. It keeps the same five technical controls as before (Firewalls, Secure Configuration, Security Update Management, User Access Control, Malware Protection), but a handful of tweaks change what your assessor expects to see.
If you're due for your annual renewal or going for CE Plus, these are the bits worth knowing.
The six things that actually changed
1. Cloud services cannot be excluded from scope
The previous wording left wiggle room. v3.3 is explicit: if your organisation's data or services are hosted on cloud services, those services must be in scope. Microsoft 365, Google Workspace, Dropbox, Xero, your CRM, all in scope.
There's also a new formal definition of "cloud service": an on-demand, scalable service on shared infrastructure, accessed by an account (company credentials or a business email), that stores or processes your data.
Practical impact: every SaaS tool your team uses with a business login counts. You can't scope out the awkward ones.
2. Passwordless authentication now explicitly includes FIDO2
The passwordless definition has been updated. FIDO2 authenticators (including passkeys) are now called out as a valid passwordless method and are counted as MFA, because user authentication is performed cryptographically.
Practical impact: Windows Hello for Business, YubiKeys, and the newer passkey flows (iCloud Keychain, Google Password Manager, 1Password/Keeper passkeys) all tick the MFA box without needing a separate authenticator app.
3. "Untrusted connections" language has been removed
The old scope criteria talked about devices that could be attacked over "untrusted connections." That phrase has been dropped in favour of a cleaner set of criteria based on devices that accept or initiate internet traffic. The substance is similar; the wording is less ambiguous.
Practical impact: easier to answer the scoping questions honestly. If a device talks to or from the internet, it's in.
4. Software Security Code of Practice introduced
The Software Development section now references the NCSC's Software Security Code of Practice as the benchmark for bespoke and in-house web applications. Publicly available commercial web apps remain in scope by default; your own custom components sit outside the CE assessment itself but should be built in line with the Code.
Practical impact: if you develop your own software, the assessor will expect to see you know the Code exists and are working to it.
5. Backups are emphasised (still not mandatory)
A new Backing up your data section makes the case clearly for regular, automatic backups, including disconnecting USB/external drives when not actively backing up. It remains a recommendation rather than a technical requirement, but expect assessors to ask about it.
Practical impact: have a real backup in place, test a restore once a year, be ready to describe it.
6. Clearer tables for cloud responsibility, BYOD, and third parties
Three helpful tables that sharpen old ambiguities:
- A cloud-services shared-responsibility table mapping each of the five controls to IaaS / PaaS / SaaS, which makes it explicit where your obligation stops and the provider's starts.
- A third-party device scope table listing employee, volunteer, trustee, university research assistant, student, MSP administrator, contractor and customer roles, and for each, whether their devices are in scope when organisation-owned, third-party-owned, or BYOD.
- BYOD devices used only for native voice, native text, or MFA apps are explicitly out of scope.
Practical impact: fewer "is my assistant's personal phone in scope?" conversations. The answer is in the table.
Requirements worth re-checking
Some controls tightened in earlier versions remain fully in force, and they're the ones we see SMEs miss most often:
- MFA is mandatory on all cloud service authentication. Not optional, not admins-only.
- Password rules: either MFA + at least 8 characters, or 12+ characters, or 8+ characters with an automatic block-list of common passwords. Expiry and complexity rules are explicitly not required (and discouraged).
- Device unlocking: PIN or password of at least 6 characters, plus brute-force protection by throttling to 10 guesses per 5 minutes or by auto-locking after 10 failed attempts.
- Security updates with CVSS 7+ or vendor-flagged "critical/high" must be applied within 14 days.
- Administrative accounts must be separate from day-to-day user accounts: no email or web browsing as admin.
- Home routers supplied by an ISP are out of scope, so you need a software firewall on the device itself.
There's a full walkthrough of each control in our Cyber Essentials what-to-do guide.
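The three measurable rules in that list (the password options, the device-unlock thresholds and the 14-day patch window) are easy to get wrong when you only eyeball a settings screen, so the following is an added example of encoding them as checks that can be run against an exported policy and update inventory. It is not code from the original post or from the NCSC; the thresholds come from the post, while the field names (PasswordPolicy, UnlockPolicy, PendingUpdate) and the sample data in demo() are constructed for illustration.

```python
"""Added example: CE v3.3 checks for password policy, device unlock and
security-update timeliness. Field names and sample data are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

PATCH_WINDOW_DAYS = 14          # CE: critical/high fixes applied within 14 days
HIGH_CVSS = 7.0                 # CE: CVSS 7+ counts as must-patch
VENDOR_URGENT = {"critical", "high"}


@dataclass
class PasswordPolicy:
    min_length: int
    mfa_enforced: bool
    blocklist_enabled: bool                 # automatic deny-list of common passwords
    max_age_days: Optional[int] = None      # periodic expiry (discouraged by CE)
    complexity_rules: bool = False          # mandatory character classes (discouraged)


def password_policy_findings(p: PasswordPolicy) -> List[str]:
    """Return findings; an empty list means the policy meets CE v3.3."""
    findings = []
    option_a = p.mfa_enforced and p.min_length >= 8        # MFA + 8 chars
    option_b = p.min_length >= 12                          # 12+ chars
    option_c = p.blocklist_enabled and p.min_length >= 8   # 8+ chars + block-list
    if not (option_a or option_b or option_c):
        findings.append("password policy meets none of the three CE options "
                        "(MFA+8, 12+, or 8+ with block-list)")
    if p.max_age_days is not None:
        findings.append("periodic expiry configured (not required, discouraged)")
    if p.complexity_rules:
        findings.append("complexity rules enforced (not required, discouraged)")
    return findings


@dataclass
class UnlockPolicy:
    min_pin_length: int
    throttle_guesses: Optional[int] = None      # guesses allowed per window
    throttle_window_min: Optional[int] = None   # window length in minutes
    lockout_after: Optional[int] = None         # failed attempts before lockout


def unlock_policy_findings(u: UnlockPolicy) -> List[str]:
    findings = []
    if u.min_pin_length < 6:
        findings.append(f"unlock minimum is {u.min_pin_length} chars, CE requires 6")
    # Throttling counts if it is at least as strict as 10 guesses per 5 minutes.
    throttled = (u.throttle_guesses is not None and u.throttle_window_min is not None
                 and u.throttle_guesses <= 10 and u.throttle_window_min >= 5)
    locks = u.lockout_after is not None and u.lockout_after <= 10
    if not (throttled or locks):
        findings.append("no brute-force protection: need <=10 guesses per 5 min "
                        "or lockout after <=10 failures")
    return findings


@dataclass
class PendingUpdate:
    product: str
    cvss: Optional[float]
    vendor_severity: Optional[str]
    released: date                               # date the fix became available


def is_urgent(u: PendingUpdate) -> bool:
    """CVSS 7+ or a vendor 'critical'/'high' rating triggers the 14-day clock."""
    by_cvss = u.cvss is not None and u.cvss >= HIGH_CVSS
    by_vendor = (u.vendor_severity or "").lower() in VENDOR_URGENT
    return by_cvss or by_vendor


def overdue_updates(pending: List[PendingUpdate], today: date) -> List[Tuple[str, int]]:
    """Urgent updates still unapplied past the window, with days overdue."""
    out = []
    for u in pending:
        if is_urgent(u):
            age = (today - u.released).days
            if age > PATCH_WINDOW_DAYS:
                out.append((u.product, age - PATCH_WINDOW_DAYS))
    return out


def demo() -> dict:
    """Constructed sample data; returns the three check results."""
    today = date(2026, 4, 23)
    pending = [
        PendingUpdate("Windows 11 cumulative", 8.8, "critical", date(2026, 4, 1)),
        PendingUpdate("Browser", 6.5, "medium", date(2026, 3, 1)),      # not urgent
        PendingUpdate("Router firmware", None, "high", date(2026, 4, 15)),  # 8 days old
        PendingUpdate("Office suite", 7.0, None, date(2026, 4, 8)),      # 15 days old
    ]
    return {
        "password": password_policy_findings(PasswordPolicy(8, False, False, max_age_days=90)),
        "unlock": unlock_policy_findings(UnlockPolicy(4, lockout_after=10)),
        "overdue": overdue_updates(pending, today),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Feed the dataclasses from whatever your MDM or patch tool exports; the useful part is the edge handling, such as an update released exactly 14 days ago still being inside the window, or a vendor "high" rating triggering the clock even when no CVSS score is published.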
What this means for your renewal
- If you're on v3.2 and your certificate renews after April 2026, your next answer-set will be against v3.3.
- Most changes are clarifications, not new controls. Well-run environments usually don't need to change anything technically.
- The cloud-services scope tightening is the one that catches out smaller firms; audit your SaaS estate before applying.
- FIDO2 / passkey adoption is now officially CE-friendly and worth considering as you plan MFA upgrades.
Where to read the full document
The full NCSC requirements document is the authoritative source; download it from the NCSC Cyber Essentials overview page.
If you'd like a pre-assessment against v3.3, or help through the questionnaire or CE Plus audit, get in touch: we're a Cyber Essentials Cyber Advisor firm and work through the new requirements with clients every week.
