Cyber Essentials Plus v3.3: What’s Changed and Why It Matters
Effective for new assessments from 27 April 2026, Cyber Essentials Plus v3.3 introduces the most significant tightening of the scheme in several years. While the five technical controls remain the same, the way compliance is assessed — particularly for cloud services, MFA, and patching — has changed decisively.
If your organisation relies on Microsoft 365, other SaaS platforms, or cloud infrastructure, these changes will directly affect your ability to pass a Cyber Essentials Plus audit.
This article explains what has changed, what will cause failure, and what you should do now.
What Hasn’t Changed
Cyber Essentials Plus still assesses the same five core controls:
- Firewalls
- Secure configuration
- Security update management
- User access control
- Malware protection
These controls themselves have not been rewritten or expanded, but the interpretation and enforcement of requirements has tightened significantly under v3.3.
The Headline Changes in Cyber Essentials Plus v3.3
1. Multi-Factor Authentication Is Now Auto‑Fail
Under v3.3, failing to enable MFA where it is available is an automatic assessment failure — it is no longer a remediable issue during the audit.
This applies to:
- All cloud services that support MFA (including Microsoft 365, Google Workspace, Salesforce, AWS, Azure)
- All administrative accounts
- All remote access solutions (VPN, RDP, remote desktop tools)
If MFA is available but not enforced for every relevant user, the assessment stops and fails immediately.
2. Cloud Services Can No Longer Be Excluded from Scope
v3.3 tightens the definition of a cloud service and removes the remaining ambiguity around scope.
Any on-demand service that is:
- Accessed over the internet
- Used with company credentials or email addresses
- Storing or processing organisational data
must be included, regardless of whether it is "managed" by a third party.
3. Patching Timelines Are Enforced More Rigorously
While patching requirements already existed, Cyber Essentials Plus v3.3 tightens how evidence is tested.
Key expectations now enforced during audits:
- Critical and high-severity vulnerabilities (vendor-rated critical or high, or CVSS v3 base score of 7.0 or above) must be patched within 14 days of the fix being released
- Selective or "best effort" patching is more likely to be detected
- Auditors will verify patch status on sampled systems, not just documentation
Organisations relying on inconsistent update practices are far more likely to fail under the new methodology.
4. Stronger Evidence Requirements at Plus Level
Cyber Essentials Plus has always involved independent testing, but v3.3 increases scrutiny of what is actually enforced — not what is documented.
Auditors will now explicitly verify that:
- MFA is enabled and enforced in practice
- Shared or generic accounts are not in use
- Identity policies apply consistently across services
- Controls operate as described, without manual workarounds
Policy-only compliance is no longer sufficient.
5. New “Danzell” Question Set and Assessment Methodology
The previous technical question set is retired and replaced by the new set, which maps directly to the v3.3 requirements.
For Cyber Essentials Plus, v3.3 introduces:
- Clearer scoping logic
- Less assessor discretion around exclusions
- Improved detection of selective compliance (particularly patching and MFA)
This is designed to close gaps that organisations previously relied upon.
When Do the Changes Apply?
- All assessment accounts created on or after 27 April 2026 must comply with v3.3
- Accounts created before this date have a limited transition period, depending on when the assessment was opened
If your renewal falls close to this date, timing becomes strategically important.
What Should Businesses Do Now?
To prepare for Cyber Essentials Plus v3.3, organisations should:
- Inventory every cloud service in use
- Enable MFA everywhere it is available, without exception
- Remove shared and legacy admin accounts
- Validate patching compliance, not just patch tooling
- Test controls as an auditor would, not as a policy review
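The preparation steps above amount to running the assessor's checks against yourself before the audit opens. The script below is an added example, not material from the original article and not an IASME or NCSC tool. It runs the three checks that decide a v3.3 outcome (MFA enforced wherever a service offers it, no shared or generic account names, critical/high patches applied inside the 14-day window) over small CSV exports constructed inline. The export layout, column names, finding IDs and the generic-name patterns are assumptions; real exports from an identity provider or vulnerability scanner would need mapping onto these columns.

```python
"""Pre-audit self-check for the v3.3 failure points discussed above.

Added example (not the article's own material and not an IASME/NCSC tool).
The input format is an assumption: small CSV exports, constructed inline,
in the shape a practitioner might pull from an identity provider and a
vulnerability scanner.  Column names and the generic-name patterns are
hypothetical and would need mapping onto real exports.
"""
import csv
import io
import re
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 14        # Cyber Essentials: fix within 14 days of release
HIGH_SEVERITY_CVSS = 7.0      # ... for vendor critical/high or CVSS v3 >= 7.0

# Names that suggest a shared or generic mailbox rather than one named person.
GENERIC_NAME = re.compile(
    r"^(admin|administrator|root|sales|info|support|shared|office|reception|test)"
    r"\d*(@|$)",
    re.IGNORECASE,
)

# --- Constructed sample data (not real accounts or findings) -------------
# One row per (service, account).  mfa_capable: the service offers MFA.
# mfa_enforced: MFA is actually required for this account, not merely registered.
ACCOUNTS_CSV = """service,account,is_admin,mfa_capable,mfa_enforced
Microsoft 365,alice@example.co.uk,yes,yes,yes
Microsoft 365,bob@example.co.uk,no,yes,no
Microsoft 365,admin@example.co.uk,yes,yes,yes
Salesforce,sales@example.co.uk,no,yes,no
Legacy ERP,carol@example.co.uk,no,no,no
AWS,dave@example.co.uk,yes,yes,yes
"""

# One row per (host, finding) on the sampled devices.  fix_available is the
# date the vendor published the fix; finding IDs are placeholders.
FINDINGS_CSV = """host,finding,cvss,fix_available,patched
LT-001,F1,9.8,2026-03-01,no
LT-001,F2,5.3,2026-03-01,no
LT-002,F1,9.8,2026-03-01,yes
LT-003,F3,7.5,2026-04-20,no
"""


def load(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def yes(value):
    return value.strip().lower() == "yes"


def mfa_gaps(accounts):
    """Accounts on an MFA-capable service where MFA is not enforced.

    Under v3.3 a single row here is an automatic assessment failure.
    """
    return [(a["service"], a["account"]) for a in accounts
            if yes(a["mfa_capable"]) and not yes(a["mfa_enforced"])]


def generic_accounts(accounts):
    """Account names that look shared/generic; each needs a named owner or removal."""
    return sorted({a["account"] for a in accounts if GENERIC_NAME.match(a["account"])})


def patch_gaps(findings, today):
    """Critical/high findings still unpatched after the 14-day window has closed.

    Returns (host, finding, days_overdue).  Lower-severity findings are not
    subject to the 14-day rule and are ignored here.
    """
    gaps = []
    for f in findings:
        if yes(f["patched"]) or float(f["cvss"]) < HIGH_SEVERITY_CVSS:
            continue
        deadline = date.fromisoformat(f["fix_available"]) + timedelta(days=PATCH_WINDOW_DAYS)
        if today > deadline:
            gaps.append((f["host"], f["finding"], (today - deadline).days))
    return gaps


def assess(accounts_csv=ACCOUNTS_CSV, findings_csv=FINDINGS_CSV, today=None):
    """Run all three checks; `today` is an ISO date string (defaults to now)."""
    as_of = date.fromisoformat(today) if today else date.today()
    accounts, findings = load(accounts_csv), load(findings_csv)
    report = {
        "mfa_gaps": mfa_gaps(accounts),
        "generic_accounts": generic_accounts(accounts),
        "patch_gaps": patch_gaps(findings, as_of),
    }
    # Only the MFA gap is an auto-fail under v3.3; the other two are findings
    # the assessor will expect to see remediated.
    report["auto_fail"] = bool(report["mfa_gaps"])
    return report


if __name__ == "__main__":
    for key, rows in assess(today="2026-05-01").items():
        print(f"{key}: {rows}")
```

Two design points are worth noting. The MFA check flags an account only when the service offers MFA, matching the scheme's "where it is available" wording, so the constructed "Legacy ERP" row is not an auto-fail on its own even though it has no MFA. The patch check counts the 14 days from the date the fix was published, not from when the scanner first reported it, which is the measure an assessor applies when sampling devices.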
For many organisations, these gaps only become visible when an audit fails. v3.3 makes those failures immediate and unavoidable.
Conclusion
Cyber Essentials Plus v3.3 is not a cosmetic update. It reflects a clear shift by NCSC and IASME toward identity-first security and real-world enforcement. For organisations that already operate strong cloud and identity controls, compliance may be straightforward. For those relying on partial MFA, informal exceptions, or optimistic scoping, v3.3 will be a hard reset.
These changes mean extra preparation will be required. For more information, speak to our security team on 0207 537 7080 or email sales@ambico.co.uk to see how Ambico Services can help your business become Cyber Essentials Plus compliant.