Cyber Essentials Plus 2026 Changes: Are You Ready?

Are you ready for the latest updates to Cyber Essentials Plus?

Anna Webb

Head of Global Security Operations

Published: 02 March 2026

Cyber Essentials Plus v3.3 takes effect in April 2026. Here’s what changes, how stricter multi-factor authentication (MFA) and cloud rules affect certification, and what you should review now to avoid disruption.

The Cyber Essentials and Cyber Essentials Plus requirements are being updated on 27 April 2026.

With identity now widely recognised as the primary control point in modern security, the v3.3 update tightens expectations around MFA, cloud services and access management.

If you’re planning to certify or renew after that date, your assessment will need to meet the updated standard, so it’s worth reviewing your current setup now.

The key date to plan around

The change takes effect on 27 April 2026, and the important detail is how assessments are counted. Any assessment accounts created on or after that date must meet the new v3.3 standard.

If your organisation is due to renew around this date, it’s worth checking your renewal window and deciding whether an early renewal is strategically sensible. In some cases, renewing earlier can allow for a further year under current rules. Leaving it late could mean extra remediation work before a renewal can take place.

The main changes in Cyber Essentials v3.3

  • Mandatory MFA: MFA must be enabled wherever it is technically available. If it is supported and not enforced, certification is at risk.
  • No cloud exceptions: All cloud services storing or processing organisational data are now formally in scope, meaning SaaS platforms can no longer be excluded from assessment.
  • Stronger identity scrutiny: Identity protection and access control are treated as baseline requirements, with greater scrutiny on how consistently controls are applied.
  • Avoid shared accounts: Shared or generic accounts are strongly discouraged, with an expectation that each user has a unique identity and appropriate access rights.
  • Proof required: At Cyber Essentials Plus level, auditors will validate that identity and access controls are enforced in practice, not simply declared in policy.

What this means for organisations

The latest update is aimed at getting organisations to prove their controls are being enforced. This means removing long-standing expectations and tightening controls that would have previously been considered ‘good enough.’

If you rely heavily on cloud services, v3.3 brings every SaaS platform into scope. That means greater scrutiny of your identity and access controls.

If MFA is optional, inconsistently deployed or bypassed for certain apps and accounts, it is likely to result in certification failure.

And if shared accounts are still in use for administration, testing or third-party access, certification may be blocked until they are replaced.

This has commercial as well as operational repercussions. Cyber Essentials and Cyber Essentials Plus are frequently prerequisites for contracts, supplier frameworks, and many cyber insurance policies.

A failed or delayed renewal therefore has the potential to delay revenue, restrict market access, or even invalidate a breach claim, even when your overall security maturity is strong.

Action to take now

Priority should be given to the controls v3.3 explicitly tightens:

Audit every cloud service in use

Confirm which services store/process organisational data and document what falls in scope.

Check MFA coverage properly

Confirm whether MFA is enforced across all supported services.

Tidy up identity and account ownership

Replace shared accounts with unique users wherever possible.

Review readiness for technical CE+ validation

If you are aiming for CE+, ensure you can demonstrate enforcement in practice.

Decide whether early renewal is strategically sensible

If your renewal sits close to the April 2026 changeover, then it’s worth checking your timeline as assessments created after 27 April 2026 will need to meet v3.3 standards.

Support with certification and renewal

Kocho supports organisations preparing for Cyber Essentials and Cyber Essentials Plus under the new v3.3 requirements.

We can assess your current position against v3.3, help you close gaps that commonly lead to delays (MFA enforcement, cloud services in scope and shared or generic accounts) and guide you through what CE+ auditors will expect to see in practice.

For more detail on how we can help, please contact our team today.

A Cyber Essentials Plus success story

Discover how Kocho helped leading charity, WithYou, achieve Cyber Essentials Plus, enable simplified renewal processes, and strengthen long-term security posture.


Author

Anna has over 20 years’ experience in operations management, major incident management, and cyber security. CISSP qualified, Anna is officially a Security Changemaker (Microsoft Security Excellence Awards).