Cyber Essentials: April 2026 Updates
Cyber Essentials is getting its next scheduled update on 27 April 2026, when version 3.3 becomes the standard for all new assessment accounts.
If your organisation sets up its assessment account on or after that date, you’ll be measured against the new requirements. But if you open your account before the deadline, you’ll have six months to complete the assessment using the current version.
IASME reviews Cyber Essentials every year to keep it aligned with modern threats and everyday business technology. The 2026 round is less of a big shake-up and more of a tidy-up, but there are still a few changes worth knowing about.
In this blog, Marvin, our technical director and resident security guru, breaks down what’s changing and how it affects you.

What’s changing?
1. MFA is now a strict requirement
The biggest update is around multi-factor authentication. IASME has confirmed that MFA must be enabled wherever the option exists. If a cloud service offers MFA in any form, it must be switched on. If it isn’t, the assessment fails automatically.
This applies whether the MFA feature is free, included, paid for or connected through another service. Cyber Essentials already expected MFA, but v3.3 tightens the rules so that organisations can no longer leave some users or apps without it.
2. Cloud services now have a clear definition
For the first time, Cyber Essentials formally defines what counts as a cloud service. IASME describes it as “an on demand, scalable service delivered on shared infrastructure, accessed online using an account and storing or processing organisational data”.
The aim is to remove the confusion that sometimes crept in around which tools needed to be included in scope. Under this definition, anything you log into that handles company data should be considered part of your assessment.
3. Most changes are small and focused on clarity
IASME states that the majority of updates in v3.3 are minor adjustments. They exist to make definitions clearer, improve consistency and reduce the number of grey areas in the questionnaire.
These updates are not expected to significantly affect compliance for most organisations. Think of it less as new rules and more as polishing the wording so everyone is working from the same understanding.
4. Marking criteria are being refined
Alongside the updated requirements document, IASME will publish revised marking guidance later in 2026. The only confirmed change so far is that MFA will be strictly enforced as a pass or fail check, with more refinements to follow.
Will this be a big change for most organisations?
Probably not. IASME has said clearly that the 2026 update should not have a major impact on most businesses. If your organisation is already following sensible cybersecurity practices, you’ll mostly just notice clearer wording and a firmer stance on MFA.
What you should do now
A few simple steps will help you prepare:
1. Turn on MFA everywhere you can
If any cloud service supports MFA, enable it for every account. This is the most important action to take.
2. Check which cloud services you use
Under the new definition, a service can no longer be left out of scope on the grounds that it wasn’t clearly defined before.
3. Look out for updated marking guidance
IASME will release more details later in 2026.
How we can support you
At 1101, this is exactly the kind of support we provide.
We help organisations strengthen their digital security, set up the right controls, and prepare for Cyber Essentials or Cyber Essentials Plus certifications.
If you’re planning to certify or renew under the new v3.3 rules, contact us to untangle cloud scoping and make sure you meet (and exceed) the requirements.
March 6, 2026 at 9:46 AM