Cyber Essentials April 2026 Changes: What Version 3.3 Means for Your Organisation

Cyber Essentials is undergoing a major update in April 2026. From 27 April 2026, all new assessments will be based on Cyber Essentials Requirements for IT Infrastructure version 3.3, also known as Danzell.

The updated standard strengthens controls around cloud security, multi-factor authentication (MFA), identity management, application development, backups and scoping. Many organisations will need to include more systems in scope and provide more detailed evidence to pass.

Completing Cyber Essentials before April 2026 allows organisations to certify under the current, less demanding standard.

Overview of the Cyber Essentials 2026 Update

Cyber Essentials is a UK Government-backed certification designed to protect organisations from common cyber attacks. To keep pace with modern technology and evolving threats, the National Cyber Security Centre regularly updates the scheme.

The April 2026 update removes ambiguity and introduces clearer, stricter requirements across several key areas.

Key changes include:

• Cloud services fully included in scope
• Mandatory MFA wherever supported
• Revised scoping rules for devices and networks
• New expectations for application development
• Encouragement of passwordless authentication
• Greater emphasis on backup and recovery

All assessments created on or after 27 April 2026 must meet these new requirements.

What Is Changing in Cyber Essentials Version 3.3?

Cloud Services Are Now Fully in Scope

Any cloud service that stores or processes organisational data must be secured and included in the assessment. Responsibility can no longer be assumed to sit solely with the cloud provider. This includes SaaS platforms, email systems and identity providers.

MFA Is Mandatory

MFA must be enabled for all users wherever it is supported. This applies to cloud platforms, remote access, admin accounts and third-party integrations. Failure to enable MFA when available will result in a failed assessment.

Tighter Scoping Rules

Devices and services are now in scope if they:

• Accept inbound internet connections
• Initiate outbound internet connections
• Manage or route internet-connected data

Exclusions must be clearly justified with evidence of network segmentation.

New Application Development Expectations

The Web Applications section has expanded into Application Development, aligning with the UK Government Software Security Code of Practice. Organisations must demonstrate secure coding practices and patch management for applications in scope.

Passwordless Authentication Encouraged

The new guidance promotes passwordless methods such as passkeys, biometrics, hardware tokens and FIDO2 authenticators to reduce reliance on traditional passwords.

Stronger Backup and Recovery Focus

Backup processes must be documented, regularly tested and capable of supporting recovery following a cyber incident.

When Do the Changes Take Effect?

• Register by 26 April 2026: Assessed against the current Cyber Essentials standard
• Register from 27 April 2026: Assessed against version 3.3

How to Prepare for Cyber Essentials 2026

Organisations should start preparing now by:

• Creating a full inventory of cloud services
• Enabling MFA across all supported platforms
• Reviewing network architecture and scoping
• Aligning development processes with secure coding standards
• Testing and documenting backup and recovery procedures

Early preparation reduces risk, workload and the chance of failure.

Why Certify Before April 2026?

Certifying early allows organisations to:

• Avoid new cloud and MFA requirements
• Reduce remediation effort and cost
• Secure assessment slots before demand increases
• Maintain uninterrupted Cyber Essentials certification

How SysGroup Can Help

SysGroup supports organisations with:

• Cyber Essentials assessments before April 2026
• Gap analysis against version 3.3
• MFA and identity management implementation
• Cloud security reviews
• Policy and evidence preparation
• End-to-end certification support

With expert guidance, organisations can prepare efficiently and achieve Cyber Essentials compliance with confidence.