Look, I know what you’re thinking. Another update? Another set of hoops to jump through?
If you’re running a business in Kent or anywhere across the UK, you’ve likely already got "Cyber Essentials" on your radar. Maybe you’ve already got the badge on your website. But as of tomorrow, Monday, April 27th, 2026, the goalposts are moving. Cyber Essentials v3.3 is officially taking effect, and the focus has shifted heavily toward the one area most of us rely on every single day: the Cloud.
At Evestaff IT Support and Consultancy, we’ve been helping SMEs navigate these transitions for years. We’ve seen the shift from "server in the corner" to "everything in the browser." The NCSC (National Cyber Security Centre) and IASME have noticed it too, and v3.3 is their way of saying that if your data is in the cloud, your security better be there with it.
If you’re planning on renewing your certification or going for it for the first time, you need to know that "nearly ready" is the same as "not ready." Let’s break down what v3.3 actually means for your business and how you can make sure you don't get hit with a "hard fail" on Tuesday morning.
The Big One: Multi-Factor Authentication (MFA) is No Longer Negotiable
In previous versions of Cyber Essentials, MFA was "highly recommended." It was the gold standard that we all knew we should have, but if you hadn't rolled it out to every single user yet, you could often still squeak through the assessment with a promise to fix it.
Those days are over.
Under v3.3, MFA is a hard requirement for all cloud services. If a cloud service offers MFA, whether it’s built-in for free, available as a paid add-on, or can be enabled via a third-party provider, you must have it turned on. If you don't, you fail. It’s that simple.

This doesn’t just apply to your IT admins or your finance team. It applies to everyone. Every staff member accessing Microsoft 365, every sales rep logging into the CRM, and every HR manager checking the payroll software. If the service supports MFA, it needs to be active.
We’ve also seen a shift in what counts as MFA. For a long time, many businesses used "IP allowlisting" (only allowing logins from the office IP address) as a substitute for MFA. In v3.3, this is no longer accepted as a primary security measure. While it’s still a good practice, it doesn't tick the MFA box. You need something the user has (a phone, a token) or something the user is (biometrics) to back up that password.
Everything is In-Scope
One of the most common mistakes I see SMEs make is thinking that small, niche cloud apps don’t "count" for Cyber Essentials. You might think, "Oh, we only use that for marketing emails," or "That’s just for tracking property inventories."
Actually, if we look at our friends over at propertyinventoryclerks.co.uk, they handle a massive amount of sensitive data: tenant names, addresses, and detailed property reports. In the eyes of Cyber Essentials v3.3, that data is vital.
The new rules state that if your organization’s data or services reside on any cloud platform, it is in-scope. This includes:
- Infrastructure as a Service (IaaS): Like Azure or AWS.
- Platform as a Service (PaaS): Like web hosting environments.
- Software as a Service (SaaS): Like Microsoft 365, Google Workspace, Xero, Salesforce, or even Slack.
There used to be a bit of a grey area where "non-critical" services could be excluded. That grey area has been painted over. If your business uses it to store, process, or even just pass data through, it has to meet the security standards.
The Shared Responsibility Myth
A lot of business owners tell me, "But David, we use Microsoft/Google/Amazon, surely they handle the security?"
This is what we call the "Shared Responsibility Model," and v3.3 requires you to actually prove you understand it. Yes, Microsoft is responsible for the physical security of the data centre and the underlying software. However, you are responsible for how you configure your "tenant."

If you leave a global admin account without a password policy, or if you leave a cloud storage bucket open to the public, that’s on you, not the provider. Under the new v3.3 standards, you need to demonstrate that you’ve taken ownership of the security settings within these cloud platforms. This includes managing user access, ensuring software is updated (where applicable), and, again, enforcing MFA.
Home Working and BYOD (Bring Your Own Device)
Since the world changed in 2020, remote work has become the norm. But from a security perspective, it’s a bit of a nightmare. Cyber Essentials v3.3 continues to tighten the belt on how remote workers access company data.
If your team is working from home using their own laptops or tablets (BYOD), those devices are now subject to the same scrutiny as the computers in your office. They must:
- Have a supported operating system (no Windows 8 or old macOS versions).
- Have automatic updates enabled.
- Be protected by a PIN, password, or biometrics.
- Have some form of anti-malware protection.
If you can’t guarantee that a staff member's home laptop is secure, then they shouldn't be using it to access your business's cloud services. This is why many of our clients in Kent are moving toward "Managed Devices": laptops provided by the company where we can ensure everything is locked down and compliant.
Why Does This Matter for Kent SMEs?
You might think that Cyber Essentials is just for big corporations or government contractors. But the reality is that the threat landscape in 2026 is more aggressive than ever. Small businesses are often the "low-hanging fruit" for cybercriminals because they assume the small guys haven't bothered with things like MFA or proper cloud scoping.
Beyond just "being safe," Cyber Essentials is becoming a requirement for doing business. If you’re bidding for local government contracts in Kent, or if you’re a supplier for a larger firm, they are going to ask for your CE certificate. Without it, you’re often locked out of the room.

Moreover, cyber insurance providers are getting stricter. We’ve seen cases where insurance companies have refused to pay out after a breach because the business didn’t have MFA enabled, meaning they weren't following the "minimum standard of care" defined by Cyber Essentials.
How to Get Ready (The 24-Hour Checklist)
Since v3.3 is literally around the corner, here is what you should be checking right now:
- Audit Your SaaS: Make a list of every cloud tool your team uses. Yes, even the ones you only pay £10 a month for.
- Turn on MFA Everywhere: Don't wait. If the "MFA" toggle is available in the settings, flip it. It might cause a morning of "how do I do this?" phone calls, but it’s better than a security breach or a failed assessment.
- Check Your OS Versions: Is someone still using an old laptop that won't update? That device needs to be retired or upgraded immediately.
- Review Admin Privileges: Does everyone in the office really need "Global Admin" rights? (The answer is almost always no.) Strip back permissions to the bare minimum.
- Document Your Cloud: Be ready to explain which cloud services you use and how you secure them. This documentation is a huge part of the v3.3 application.
Let’s Get You Certified
I know this sounds like a lot. IT security is one of those things that feels like a "distraction" from actually running your business, until something goes wrong.
At Evestaff IT Support and Consultancy, our job is to take that weight off your shoulders. We don’t just tell you what the rules are; we get under the hood and fix the configurations for you. We make sure your cloud is locked down, your staff are trained, and your Cyber Essentials application is a "pass" the first time around.
If you’re worried about where you stand with v3.3, or if you just want to make sure your cloud security is actually doing its job, let’s talk.
Book a Discovery Call with David Evestaff today and let’s make sure your business is ready for 2026 and beyond. We’ll look at your current setup, identify the gaps, and give you a clear roadmap to compliance.
Don't wait for the "hard fail." Let's get it right today.