
Cyber Essentials v3.3: What Changed in April 2026 and What Every UK Business Must Do Now

The NCSC quietly updated Cyber Essentials to version 3.3 in April 2026. Cloud services can no longer be excluded from scope. FIDO2 is now formally recognised. Asset management is called out as a core security function supporting all five controls. Here is exactly what changed and what it means for your infrastructure and your IT disposal process.

NanoSoft Team | 22 June 2026 | 8 min read

The NCSC updated Cyber Essentials to version 3.3 in April 2026. Most organisations working toward certification or renewal this year are still reading the previous version. If that includes yours, you are planning against an outdated document, and at least one of the changes in v3.3 will affect how you scope your assessment.

Cyber Essentials is the UK government-backed certification scheme that underpins public sector procurement. Under Procurement Policy Note 014, CE certification is mandatory for any supplier bidding for central government contracts involving personal data or ICT systems. For organisations in the ITAD, technology, healthcare or professional services sectors, CE is not optional background noise. It is a commercial gate. Getting the scope right, understanding what the five controls require in v3.3, and knowing where the certification boundary ends matters more than it ever has.

Key takeaways

  • Cyber Essentials v3.3 was published by the NCSC in April 2026, replacing the previous version.

  • Cloud services can no longer be excluded from scope under any circumstances.

  • FIDO2 authenticators and passkeys are now formally recognised as MFA-equivalent under the updated Passwordless Authentication definition.

  • A Software Security Code of Practice has been introduced for software development in scope.

  • Asset management is called out explicitly as a core security function supporting all five controls.

  • CE governs your active infrastructure. It does not govern what happens when devices leave scope. That gap requires a separate process.

Why Cyber Essentials matters more in 2026 than it did before

Two things have changed in the past twelve months that make CE certification a more significant commercial requirement than at any previous point.

First, PPN 014 is now embedded across central government procurement. Any supplier bidding for a contract involving the handling of personal data or the provision of ICT services to a central government body must hold CE certification. This is not a recommendation. It is an eligibility requirement. Organisations without CE certification are excluded from evaluation before the process begins. For UK public sector supply chains, the practical effect is that CE certification has become a licence to compete.

Second, the scope of what Cyber Essentials now covers has expanded meaningfully in v3.3 with a definitive statement that cloud services cannot be excluded from scope, an updated definition for passwordless authentication to include FIDO2, and the introduction of a Software Security Code of Practice in the software development section. These are not cosmetic changes. The cloud scope change in particular will require many organisations to revisit assessments they thought were complete.

What is new in Cyber Essentials v3.3

The NCSC published five key changes in v3.3. Each has practical implications for how organisations prepare for and structure their CE assessments.

Cloud services cannot be excluded from scope. This is the most significant change in v3.3 and the one most likely to affect organisations mid-assessment. If your organisation's data or services are hosted on cloud services, these services must be in scope, and cloud services cannot be excluded from scope. This applies regardless of whether your cloud provider is AWS, Azure, Microsoft 365, Google Workspace, Dropbox or any other on-demand service accessible via the internet. The shared responsibility model applies: your cloud provider may implement some controls on your behalf, but the applicant organisation is always responsible for ensuring all controls are implemented.

FIDO2 added to passwordless authentication. The updated definition of passwordless authentication now includes FIDO2 authenticators, and these are regarded as MFA: user authentication follows a set of standards that define cryptographic authentication with public key credentials and protocols, providing a more secure alternative to passwords for accessing online services. This formally recognises passkeys and hardware security keys as MFA-equivalent, giving organisations more flexibility in how they meet the User Access Control requirement for cloud services.

Software Security Code of Practice introduced. Where organisations have software development activities within their CE scope, the v3.3 update references a new Software Security Code of Practice as the applicable guidance standard. Publicly available commercial web applications (as opposed to applications developed in-house) are in scope by default, while bespoke and custom components of web applications are out of scope.

Scope criteria simplified. The previous version referred to "untrusted connections" as the criterion for bringing devices into scope. v3.3 removes this language and replaces it with a cleaner definition: the requirements apply to all devices and software in scope which can accept incoming network connections from internet-connected devices, can establish outbound connections to devices via the internet, or control the flow of data between any of the above devices and the internet.

Backup data now formally emphasised. While backup remains outside the five technical controls, the importance of backing up data is now emphasised in v3.3, with the NCSC noting that backing up means creating a copy of information and saving it to another device or cloud storage. This is preparatory framing for potential future inclusion in the controls.


The five technical controls: what v3.3 requires in plain English

1. Firewalls. Every device in scope must be protected by a correctly configured firewall or network device with firewall functionality, with default administrative passwords changed to strong unique passwords, access to administrative interfaces blocked from the internet unless protected by MFA or an IP allow list, and unauthenticated inbound connections blocked by default.

2. Secure Configuration. Organisations must proactively manage computers and network devices by removing and disabling unnecessary user accounts, changing any default or guessable account passwords, removing or disabling unnecessary software including applications, system utilities and network services, and ensuring users are authenticated before allowing them access to organisational data or services.

3. Security Update Management. All software on in-scope devices must be licensed and supported, have automatic updates enabled where possible, and be updated within 14 days of release where the update fixes vulnerabilities described by the vendor as critical or high risk or where the update addresses vulnerabilities with a CVSS v3 base score of 7 or above.

4. User Access Control. Organisations must have a process to create and approve user accounts, authenticate users with unique credentials before granting access, remove or disable user accounts when they are no longer required such as when a user leaves the organisation, implement MFA where available with authentication to cloud services always using MFA, and use separate accounts to perform administrative activities only.

5. Malware Protection. A malware protection mechanism must be active on all in-scope devices, either through anti-malware software configured to prevent malware from running and prevent connections to malicious websites, or through application allow listing where only approved applications restricted by code signing are allowed to execute on devices.

The gap that Cyber Essentials does not cover

CE is a forward-facing framework. It governs your active infrastructure: the devices connected to the internet, the accounts accessing your services, the software running on your machines. What it does not govern is what happens when devices leave scope.

Asset management is not a specific Cyber Essentials control, but effective asset management can help meet all five controls, so it should be considered a core security function. The NCSC's own document makes clear that knowing where your devices are, what data they hold, and how they are managed as they enter and leave your infrastructure is foundational to CE compliance. But the certification boundary ends at the point a device is decommissioned. From that point, the device and its data are your responsibility under UK GDPR, regardless of what CE status your organisation holds.

This is where certified IT asset disposal closes the loop. When a device leaves your CE scope because it is being retired, the data on it does not retire with it. A factory reset does not satisfy GDPR. A certificate from a non-accredited vendor does not satisfy an ICO audit. The controls that CE requires for active devices, specifically secure configuration, user access removal and account deactivation, must be matched by certified, documented, standards-compliant destruction when those devices leave your environment permanently.

What to check before your next CE assessment

If you are preparing for a CE assessment or renewal under v3.3, four practical checks should happen before you begin.

Confirm that all cloud services your organisation uses are included in your scope definition. Under v3.3, none can be excluded. This includes Microsoft 365, Google Workspace, cloud-based HR platforms, customer databases and any SaaS tool that stores or processes organisational data.

Confirm that MFA is configured per individual user for all cloud service accounts, not routed through a shared account or a single device. IASME assessors will check this at account level.

Confirm that your asset register is current and accurate. If there are devices in your infrastructure that are not on the register, they are unmanaged risks for the purpose of the assessment. If there are devices that have left your infrastructure without a secure disposal record, that gap should be addressed before assessment begins.

Confirm that your software is licensed and supported across every in-scope device. Unsupported software is an automatic failure under Security Update Management.
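To make the four pre-assessment checks and the Security Update Management thresholds concrete, here is an added Python example (not from the NCSC document or NanoSoft) that runs them over a constructed asset register and cloud service list. The 14-day window and the CVSS v3 base score of 7 come from the control text above; the inventory layout, host names and service names are assumptions made for the example.

```python
from datetime import date, timedelta

# Thresholds stated in the v3.3 Security Update Management control
PATCH_WINDOW = timedelta(days=14)
CVSS_THRESHOLD = 7.0

def patch_overdue(update: dict, today: date) -> bool:
    """True when a critical/high fix has been available for more than 14 days and is not applied."""
    qualifies = update["vendor_critical"] or update["cvss"] >= CVSS_THRESHOLD
    return qualifies and not update["applied"] and today - update["released"] > PATCH_WINDOW

def check_assets(devices: list, cloud_services: list, today: date) -> list:
    """Return pre-assessment findings; an empty list means nothing blocking was found."""
    findings = []
    for d in devices:
        if d["status"] == "decommissioned":
            # Retired devices sit outside CE scope, but a missing disposal record is a gap to close
            if not d["disposal_record"]:
                findings.append(f"{d['host']}: left scope without a disposal record")
            continue
        if not d["in_register"]:
            findings.append(f"{d['host']}: in-scope device missing from the asset register")
        for sw in d["software"]:
            if not sw["supported"]:
                findings.append(f"{d['host']}: {sw['name']} is unsupported (automatic failure)")
            for u in sw["updates"]:
                if patch_overdue(u, today):
                    findings.append(f"{d['host']}: {sw['name']} update {u['name']} overdue (>14 days)")
    for svc in cloud_services:
        if not svc["in_scope"]:
            findings.append(f"{svc['name']}: cloud service excluded from scope (not permitted in v3.3)")
        for user in svc["users_without_mfa"]:
            findings.append(f"{svc['name']}: no per-user MFA for {user}")
    return findings

# Constructed sample inventory; host and service names are placeholders, not real systems
TODAY = date(2026, 6, 22)
DEVICES = [
    {"host": "lt-001", "status": "active", "in_register": True, "software": [
        {"name": "office-suite", "supported": True, "updates": [
            {"name": "fix-a", "released": date(2026, 6, 1), "cvss": 8.1, "vendor_critical": False, "applied": False},
            {"name": "fix-b", "released": date(2026, 6, 15), "cvss": 9.8, "vendor_critical": True, "applied": False},
            {"name": "fix-c", "released": date(2026, 5, 1), "cvss": 5.0, "vendor_critical": False, "applied": False}]}]},
    {"host": "lt-002", "status": "active", "in_register": False, "software": [
        {"name": "legacy-os", "supported": False, "updates": []}]},
    {"host": "lt-003", "status": "decommissioned", "disposal_record": False},
]
CLOUD = [
    {"name": "mail-saas", "in_scope": True, "users_without_mfa": ["alice"]},
    {"name": "hr-saas", "in_scope": False, "users_without_mfa": []},
]
```

Running `check_assets(DEVICES, CLOUD, TODAY)` on the sample data reports the overdue fix-a (21 days old, CVSS 8.1) but not fix-b (critical, yet only 7 days old) or fix-c (below the threshold), alongside the register, support, disposal and cloud findings.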

Retire your IT. Recover its value. Prove it is gone.

NanoSoft is Cyber Essentials certified, ISO 27001 certified and ADISA accredited. We provide the certified end-of-life IT disposal that closes the gap CE leaves open, with serial-level Certificates of Data Destruction, complete chain of custody documentation and DEFRA DWTS-ready records from Q4 2026. If your CE assessment has surfaced retired devices without destruction certificates, we can resolve that before your submission.

Contact NanoSoft: services@nanosoftltd.com | 0800 677 1344 | Unit 8 & 9 Maldon Trade Park, Heybridge, Maldon CM9 4LJ, UK

Source of information: https://www.ncsc.gov.uk/files/cyber-essentials-requirements-for-it-infrastructure-v3-3.pdf

NanoSoft Team

Writer at Nanosoft - covering ITAD, data security, and sustainable technology lifecycle management.
