Lydia Hudson
Cyber Essentials Plus is changing. Here's what you need to know.
The UK's Cyber Essentials Plus certification scheme is updating its requirements on 27th April 2026. Version 3.3 introduces several changes, two of which are now automatic failures: MFA not being enforced, and non-compliance with the patch management requirements. Assessment accounts created on or after 27th April are assessed against the new standard from the start; accounts created before that date have six months to certify under the previous requirements.
The changes are not going to rewrite the scheme's five core controls. Instead, they will close long-standing loopholes and tighten how compliance is verified in practice. The standard for what "secure" looks like is rising, and organisations that have historically skirted around the hard requirements won't be able to anymore.
MFA is now mandatory for all cloud services
From 27th April, if a cloud service offers MFA, it must be switched on. No exceptions. It doesn't matter whether MFA is free, included in your licence, or costs extra. If it's available, it's required. Leaving it switched off is an automatic failure.
This will apply to all cloud services related to data storage and processing, including but not limited to Microsoft 365, Google Workspace, your CRM, HR platform, and cloud storage. If your organisation accesses it using company credentials, it is in scope and cannot be excluded.
The part that will catch most organisations out is enforcement. In most Microsoft 365 environments, MFA is configured centrally but actual enforcement depends on Conditional Access policies being correctly applied to every user, every application, and every sign-in scenario. A single misconfigured policy, a guest account, a service account sitting outside your Conditional Access rules, or a SaaS tool onboarded without IT involvement can all create gaps that look compliant on paper but fail under CE+ scrutiny. One account without MFA enforced is enough to fail the entire assessment.
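The enforcement gap described above is easy to check for if you treat it as a data problem rather than a portal-clicking exercise. The script below is an added example (not ThreatAware code or part of the original article): it takes Conditional Access policies in the shape Microsoft Graph returns them (state, conditions.users, conditions.applications, grantControls.builtInControls) and a list of accounts, and reports every account that no enabled, all-applications policy actually forces to MFA. Disabled and report-only policies are ignored, exclusions win over inclusions (as they do in Entra ID), and a policy scoped to a single application is deliberately not counted as coverage. Every policy, user, group and identifier in it is constructed for the example.

```python
"""Find accounts that no enforced Conditional Access policy requires MFA for.

Added example, not ThreatAware code. The policy dictionaries follow the shape
of Microsoft Graph conditionalAccessPolicy objects, but every policy, user,
group and identifier below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: str
    upn: str
    user_type: str = "Member"          # "Member" or "Guest"
    groups: frozenset = frozenset()    # ids of the groups the user belongs to


def _users_condition(policy):
    return (policy.get("conditions") or {}).get("users") or {}


def policy_enforces_mfa(policy):
    """Only an enabled policy whose grant controls include 'mfa' counts.
    Disabled and report-only (enabledForReportingButNotEnforced) policies enforce nothing."""
    if policy.get("state") != "enabled":
        return False
    controls = policy.get("grantControls") or {}
    return "mfa" in (controls.get("builtInControls") or [])


def policy_covers_all_apps(policy):
    """A policy scoped to one application leaves every other sign-in uncovered."""
    apps = (policy.get("conditions") or {}).get("applications") or {}
    return "All" in (apps.get("includeApplications") or [])


def is_included(policy, user):
    users = _users_condition(policy)
    include_users = set(users.get("includeUsers") or [])
    if "All" in include_users or user.id in include_users:
        return True
    if user.user_type == "Guest" and "GuestsOrExternalUsers" in include_users:
        return True
    return bool(user.groups & set(users.get("includeGroups") or []))


def is_excluded(policy, user):
    """Exclusions take precedence over inclusions, as in Entra ID."""
    users = _users_condition(policy)
    exclude_users = set(users.get("excludeUsers") or [])
    if user.id in exclude_users:
        return True
    if user.user_type == "Guest" and "GuestsOrExternalUsers" in exclude_users:
        return True
    return bool(user.groups & set(users.get("excludeGroups") or []))


def mfa_gaps(policies, users):
    """Return {upn: reason} for every user that no enforced, all-applications
    MFA policy reaches. An empty dict means every listed account is covered."""
    enforcing = [p for p in policies if policy_enforces_mfa(p) and policy_covers_all_apps(p)]
    gaps = {}
    for user in users:
        if any(is_included(p, user) and not is_excluded(p, user) for p in enforcing):
            continue
        excluders = [p["displayName"] for p in enforcing if is_included(p, user) and is_excluded(p, user)]
        gaps[user.upn] = ("excluded from: " + ", ".join(excluders)) if excluders \
            else "not targeted by any enforced all-apps MFA policy"
    return gaps


def report_only_policies(policies):
    """Report-only policies look like coverage in the portal but enforce nothing."""
    return [p["displayName"] for p in policies if p.get("state") == "enabledForReportingButNotEnforced"]


# Constructed tenant state (all names and ids are made up)
GRP_STAFF, GRP_BREAKGLASS = "grp-staff", "grp-breakglass"
POLICIES = [
    {"displayName": "Require MFA for all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["svc-backup-id", "GuestsOrExternalUsers"],
                              "excludeGroups": [GRP_BREAKGLASS]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "Require MFA for guests", "state": "enabledForReportingButNotEnforced",  # piloted, never switched on
     "conditions": {"users": {"includeUsers": ["GuestsOrExternalUsers"]},
                    "applications": {"includeApplications": ["All"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "MFA for one line-of-business app", "state": "enabled",   # app-scoped: not estate-wide coverage
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["constructed-app-id"]}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]
USERS = [
    User("alice-id", "alice@example.com", groups=frozenset({GRP_STAFF})),
    User("breakglass-id", "breakglass@example.com", groups=frozenset({GRP_BREAKGLASS})),
    User("svc-backup-id", "svc-backup@example.com"),
    User("bob-guest-id", "bob.guest@example.com", user_type="Guest"),
]

if __name__ == "__main__":
    for upn, reason in mfa_gaps(POLICIES, USERS).items():
        print(f"GAP  {upn}: {reason}")
    for name in report_only_policies(POLICIES):
        print(f"NOTE report-only policy enforces nothing: {name}")
```

Run against the constructed tenant it flags the break-glass account (group exclusion), the backup service account (explicit exclusion) and the guest (excluded from the enforced policy, with only a report-only policy pointing at guests), while the app-scoped policy is ignored as coverage. Fed with a real policy export and user list, the same logic tells you which accounts an assessor will find before the assessor does.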
14-day patching is now an auto-fail
Any high-risk or critical patch must now be applied within 14 days of release across every operating system, application, firewall, and network device in scope. Miss that window and the assessment will fail regardless of how well you perform everywhere else.
The CE+ testing process has also been tightened. If a device in the initial sample fails, remediation must happen across the entire estate before retesting. In practice, 14 days sounds manageable until you are looking across hundreds or thousands of endpoints with different operating systems, different application sets, and different update schedules. Devices that are rarely switched on, managed by a third party, or recently rebuilt can quietly drift outside the window without anyone noticing. Under v3.3 those devices can no longer be ignored.
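The drift described above is only visible if every in-scope device is checked against the patch release date, not against the date it last happened to update. The script below is an added example, not ThreatAware code or part of the original article: it scores each device in a constructed inventory against the 14-day window for high-risk and critical patches, treats a device that has not reported recently as "unknown" (compliance cannot be evidenced either way), and rolls the results up to an estate-level verdict in which a single overdue device fails everything. The patch identifiers, dates, the 7-day staleness threshold and the device rows are all constructed.

```python
"""Check an in-scope device inventory against the 14-day patch window.

Added example, not ThreatAware code. All patch identifiers, dates, devices and
the staleness threshold below are constructed; a real run would read them
from a patch-management or asset-inventory export.
"""
from datetime import date

WINDOW_DAYS = 14        # CE+ v3.3: high-risk/critical patches applied within 14 days of release
STALE_REPORT_DAYS = 7   # assumed threshold: an inventory report older than this cannot evidence compliance
TODAY = date(2026, 5, 20)   # constructed assessment date

# Constructed patch catalogue: id -> (release date, severity)
PATCHES = {
    "PATCH-CONSTRUCTED-001": (date(2026, 5, 1), "critical"),
    "PATCH-CONSTRUCTED-002": (date(2026, 5, 10), "high"),
    "PATCH-CONSTRUCTED-003": (date(2026, 5, 12), "low"),   # below the auto-fail threshold, ignored
}

# Constructed inventory: one row per device, as a management tool might export it
DEVICES = [
    {"name": "LAPTOP-01", "last_seen": date(2026, 5, 20),
     "installed": {"PATCH-CONSTRUCTED-001", "PATCH-CONSTRUCTED-002"}},
    {"name": "LAPTOP-02", "last_seen": date(2026, 5, 20),
     "installed": {"PATCH-CONSTRUCTED-001"}},
    {"name": "KIOSK-07", "last_seen": date(2026, 4, 30),                       # rarely switched on
     "installed": {"PATCH-CONSTRUCTED-001", "PATCH-CONSTRUCTED-002"}},
    {"name": "SRV-REBUILT", "last_seen": date(2026, 5, 20), "installed": set()},  # rebuilt from an old image
]


def assess_device(device, patches, today, window_days=WINDOW_DAYS, stale_days=STALE_REPORT_DAYS):
    """Classify one device: 'fail' (an overdue high/critical patch), 'unknown'
    (no recent inventory report, so nothing can be evidenced), 'due' (missing
    patches still inside the window) or 'ok'."""
    overdue, due_soon = [], []
    for pid, (released, severity) in patches.items():
        if severity not in ("critical", "high") or pid in device["installed"]:
            continue
        age_days = (today - released).days
        if age_days > window_days:
            overdue.append((pid, age_days))                 # days since release
        else:
            due_soon.append((pid, window_days - age_days))  # days left in the window
    days_since_report = (today - device["last_seen"]).days
    if overdue:
        status = "fail"
    elif days_since_report > stale_days:
        status = "unknown"
    elif due_soon:
        status = "due"
    else:
        status = "ok"
    return {"status": status, "overdue": overdue, "due_soon": due_soon,
            "days_since_report": days_since_report}


def assess_estate(devices, patches, today, **kw):
    return {d["name"]: assess_device(d, patches, today, **kw) for d in devices}


def estate_verdict(results):
    """One failing device fails the estate; one unevidenced device leaves it unproven."""
    statuses = {r["status"] for r in results.values()}
    if "fail" in statuses:
        return "fail"
    if "unknown" in statuses:
        return "unknown"
    return "pass"


if __name__ == "__main__":
    results = assess_estate(DEVICES, PATCHES, TODAY)
    for name, r in results.items():
        print(f"{name:12} {r['status']:8} overdue={r['overdue']} due_soon={r['due_soon']} "
              f"last report {r['days_since_report']}d ago")
    print("estate verdict:", estate_verdict(results))
```

On the constructed data the rebuilt server fails (the critical patch was released 19 days ago), the kiosk is "unknown" because it has not reported in 20 days, one laptop has four days left on a high-severity patch, and the estate verdict is therefore "fail" even though three of four devices are not themselves failing. The "unknown" state is the important design choice: a device you cannot see is not a device you can claim is patched.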
Why this matters beyond the certificate
For many UK businesses Cyber Essentials certification is a condition of contract, a requirement for cyber insurance, and a signal to clients that security is taken seriously. The April 2026 update raises the bar on all three.
Jon Tamplin, Head of Cybersecurity at ThreatAware, said, "These updates reinforce something we see every day. Most attacks succeed not because defences are complex, but because the basics are missing. Visibility is the foundation. If you can't see every device and every account in your estate, you can't prove the controls are working. And under v3.3, proof is exactly what's required. It only takes one device outside the patch window or one account without MFA enforced to fail an assessment. At scale, finding that manually isn't realistic. You need to know before your assessor does."
The visibility gap
Most organisations believe they are compliant. Their policies say so. Their spreadsheets say so. But policies describe intent, not reality. In practice organisations consistently discover more gaps than they expect: devices that have drifted outside the patch window, accounts sitting outside Conditional Access rules, cloud services onboarded without IT involvement. None of them show up on a spreadsheet. All of them show up in a CE+ assessment. Under v3.3, with auto-fails now in play, you can no longer perform well in one area and paper over weaknesses in another. Every device counts, and so does every user account.
How ThreatAware helps
ThreatAware is an agentless platform that connects via API to the security and IT tools your organisation already uses. In under 30 minutes you will have a real-time view of every device and every account, and of whether your MFA and patching controls are actually working across your entire estate, not just deployed. The gaps that manual audits inevitably miss and that spreadsheets don't capture are exactly what ThreatAware surfaces, so that you can find them first.
Ready to see what your estate looks like before your assessor does?
Requirements for IT Infrastructure v3.3 applies to all assessment accounts created on or after 27 April 2026. Organisations with an active account created before this date have 6 months to certify under the previous requirements. Source: IASME Consortium / NCSC.