Cyber Essentials v3.3: What’s Changing for Identity and Device Security


On 27 April 2026, the National Cyber Security Centre (NCSC) will introduce Cyber Essentials v3.3. While the five Cyber Essentials control areas remain largely the same, the updated wording and marking criteria will matter in practice, particularly when it comes to access security. These changes affect multi-factor authentication (MFA) enforcement, cloud service scope, device scoping rules, authentication expectations, and guidance around secure processes.

This update marks an evolution of the standard, placing greater emphasis on clarity, consistency, and modern security expectations, especially around identity, cloud services, and device scope.

If your organization is planning to certify or renew after April 2026 and wants to understand how these updates may affect your identity and device security, this guide outlines the key changes and provides practical recommendations to support your readiness for Cyber Essentials v3.3.

Who needs Cyber Essentials?

Cyber Essentials is recommended for all organizations, as it demonstrates a baseline defense against common cyber threats. However, certification is mandatory for organizations that want to bid for UK Government contracts involving the handling of financial or personal data. Cyber Essentials is increasingly being adopted by the private sector, including leading UK banks, as a baseline cybersecurity requirement across supply chains. The UK Government reports that organizations implementing Cyber Essentials controls make 92% fewer insurance claims.

What’s new in Cyber Essentials v3.3

1. Mandatory MFA for cloud and remote access

Cyber Essentials has recommended MFA for years, but v3.3 removes remaining ambiguity around how it is assessed. MFA must now be enabled for all users wherever it is supported. This applies to cloud platforms, remote access, user accounts and third-party integrations. Organizations that rely on partial MFA deployment or user opt-in approaches may need to revisit their access policies ahead of their assessment. Not enabling MFA when available will result in an automatic assessment failure.

How Specops helps: As MFA is now a pass/fail requirement under Cyber Essentials v3.3, organizations need simple, comprehensive MFA solutions. Specops Secure Access adds that crucial MFA layer to all Windows logon, Remote Desktop Protocol and Virtual Private Network connections. This ensures that all employees, whether remote or in-office, can connect securely and limits the risk of account abuse even if attackers already possess stolen credentials. Specops’ Zero Trust access solution, Specops Device Trust, deepens this protection by verifying both the user and their device after login, closing MFA gaps and enforcing continuous device trust across cloud and hybrid environments, regardless of device type.

2. New clarification around passwordless authentication

Cyber Essentials v3.3 clarifies that passwordless approaches, including FIDO2/passkeys and other phishing-resistant methods, are valid forms of strong authentication. While not mandatory, if deployed they must be implemented consistently and supported by secure fallback mechanisms. In some cases, a password may still exist in Active Directory even if it is hidden from the end user, so strong password controls remain important.

This clarification benefits organizations that have already started moving away from passwords, particularly where phishing-resistant authentication is being adopted.

Organizations using passwordless authentication need to ensure the following:

  • Recovery and fallback mechanisms do not weaken account security
  • Privileged access is protected by the strongest available authentication

Where passwordless is only partially deployed, assessors are likely to focus on the weakest authentication paths rather than the most advanced ones.

How Specops helps: Specops Password Policy helps organizations enforce stronger password standards through granular complexity rules and custom dictionaries, while continuously checking Active Directory passwords against a database of more than 5.5 billion compromised credentials. Specops uReset and Specops Secure Service Desk also provide secure recovery options, helping organizations reset passwords or regain access without introducing weak fallback processes that could undermine MFA or passwordless authentication.

If you are reviewing password policy settings ahead of a Cyber Essentials renewal, Specops also provides guidance on applying the NCSC password list in Active Directory and strengthening policies to better align with NCSC expectations.

3. Tighter scoping rules around device security

Cyber Essentials v3.3 tightens scope definitions to better reflect modern hybrid working. Ambiguous language such as “untrusted connections” has been removed. Any device or service that connects to the internet is considered in scope, including systems that initiate outbound connections, accept inbound connections, or route internet-connected data.

This means that many organizations must treat the following as in scope by default:

  • Remote laptops and home-working devices
  • BYOD endpoints accessing organizational services
  • Third-party suppliers, vendors, and contractors using their own devices to access organizational systems
  • Cloud-hosted systems and virtual machines
  • Edge systems that connect to or route internet traffic

Any exclusions must be clearly justified and supported with evidence of network segregation.

Under Cyber Essentials v3.3, only personal devices used purely for calls, SMS, or MFA apps are typically considered out of scope. For most organizations, this update increases the importance of consistent endpoint security controls and clear documentation of device management practices.

How Specops helps: Our Zero Trust access solution, Infinipoint, supports device-based access control by validating device compliance before granting access to corporate applications. Device-agnostic by design, Infinipoint works across managed and unmanaged endpoints, including BYOD and third-party contractor devices, without requiring Mobile Device Management enrollment. This helps organizations demonstrate consistent endpoint governance across remote users, contractors, and hybrid working environments.

4. Cloud services are now fully in scope

Cyber Essentials v3.3 introduces a formal definition of “cloud service” and makes it explicit that cloud services cannot be excluded from the assessment scope. If a cloud platform stores, processes, or handles organizational data, it must be included. This applies to:

  • Infrastructure-as-a-Service (IaaS)
  • Platform-as-a-Service (PaaS)
  • Software-as-a-Service (SaaS)

Identity platforms and cloud-hosted applications, such as email, collaboration tools, CRM platforms, and SSO/identity providers, must be secured and evidenced as part of the assessment. Documenting MFA enforcement and secure configuration across cloud services will be essential for organizations certifying under Cyber Essentials v3.3.

How Specops helps: Our Zero Trust access solution Infinipoint supports secure access to cloud services by enforcing conditional access based on device trust and security posture. By binding user identities to trusted devices, we help prevent attackers from reusing stolen credentials or session tokens from unmanaged or unknown endpoints. This helps organizations apply consistent access controls across SaaS platforms and cloud-hosted systems included in the Cyber Essentials v3.3 assessment scope.

5. User access control expectations are clearer

Cyber Essentials v3.3 reinforces the requirement for organizations to maintain control of user accounts and access privileges, including third-party and supplier accounts.

Organizations must be able to demonstrate that they:

  • Have a defined process to create and approve user accounts
  • Authenticate users with unique credentials before granting access to systems
  • Remove or disable user accounts when they are no longer required
  • Use separate accounts for administrative activities, rather than using privileged accounts for email and browsing
  • Remove elevated privileges when they are no longer needed, such as when employees change roles

This aligns with the scheme’s broader focus on reducing credential misuse and limiting the impact of account compromise.
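The expectations above have to be evidenced, not just asserted. The following PowerShell is an added example (not Specops or NCSC code) that pulls the relevant evidence from on-premises Active Directory: it assumes the RSAT ActiveDirectory module, read access to the domain, and a locally chosen staleness window (90 days here) as the definition of "no longer required".

```powershell
# Added example, not Specops or NCSC code: AD evidence checks for the
# Cyber Essentials v3.3 user access control expectations.
Import-Module ActiveDirectory

$StaleDays  = 90                                 # assumption: your own "no longer required" threshold
$Cutoff     = (Get-Date).AddDays(-$StaleDays)
$PrivGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'

# LastLogonDate derives from lastLogonTimestamp, which replicates with up to
# ~14 days of lag, so treat hits as candidates to review rather than proof.
function Test-Stale($User) {
    if ($User.LastLogonDate) { $User.LastLogonDate -lt $Cutoff }
    else                     { $User.whenCreated   -lt $Cutoff }   # never logged on
}

# 1. Enabled accounts with no recent logon: candidates to disable or remove
$Stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated |
    Where-Object { Test-Stale $_ } |
    Select-Object SamAccountName, LastLogonDate, whenCreated

# Collect every user that holds membership in a privileged group (nested included)
$PrivUsers = foreach ($g in $PrivGroups) {
    Get-ADGroupMember -Identity $g -Recursive |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties mail, LastLogonDate, whenCreated |
        Select-Object @{n='Group';e={$g}}, SamAccountName, mail, LastLogonDate, whenCreated
}

# 2. Privileged accounts that also carry a mailbox: the pattern of using an
#    admin account for email and browsing instead of a separate account
$PrivWithMail = $PrivUsers | Where-Object { $_.mail }

# 3. Privileged members not seen within the window: elevated rights that may
#    no longer be needed (role changes, leavers still in admin groups)
$StalePriv = $PrivUsers | Where-Object { Test-Stale $_ }

# Keep the output as dated evidence for the assessment
$Stamp = Get-Date -Format 'yyyyMMdd'
$Stale        | Export-Csv -NoTypeInformation -Path ".\ce33-stale-accounts-$Stamp.csv"
$PrivWithMail | Export-Csv -NoTypeInformation -Path ".\ce33-priv-with-mail-$Stamp.csv"
$StalePriv    | Export-Csv -NoTypeInformation -Path ".\ce33-stale-privileged-$Stamp.csv"
```

Run it from an account with read access to the domain; the three CSV files map directly onto the "remove or disable", "separate admin accounts" and "remove elevated privileges" expectations listed above.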

How Specops helps: We strengthen user access control by enforcing conditional access based on device posture, ensuring only compliant endpoints can access corporate applications and cloud services. This reduces the risk of compromised sessions by blocking access from devices that fall outside security policy. Our Zero Trust access solution also supports low-friction self-service remediation, allowing users to resolve device compliance issues quickly without IT involvement, so organizations stay both productive and secure.

To find out how Specops can support your Cyber Essentials v3.3 readiness, contact us or see how our solutions work with a demo.

Last updated on March 23, 2026


Written by

Darren James

Darren James is a Senior Product Manager at Specops Software, an Outpost24 company. Darren is a seasoned cybersecurity professional with more than 20 years of experience in the IT industry. He has worked as a consultant across various organizations and sectors, including central and local governments, retail and energy. His areas of specialization include identity and access management, Active Directory, and Azure AD. Darren has been with Specops Software for more than 12 years and brings his expertise to the support and development of world-class password security and authentication solutions. 
