Cyber Essentials 3.3: What the New Scope Means for Your Business

From 27th April 2026, any organisation renewing or applying will be assessed against the new 3.3 standard. 

The update introduces important changes to how scope is defined and how organisations are assessed. While the core five control areas remain the same, the level of clarity and enforcement has significantly increased.

In practice, this means fewer grey areas and less flexibility in how requirements are interpreted.

For more detail on the official changes, see the guidance IASME has published on the 3.3 update.

While there are several updates to be aware of, two changes in particular are likely to have the biggest impact on most organisations and are the most common causes of failure if not addressed early:

  • All cloud services now require MFA
  • All internet-connected devices are now in scope

We’ll explore these in detail below — but first, it’s important to understand how the overall scope has changed.

The Biggest Change: Cloud Services Are Now Fully In Scope

One of the most important updates in Cyber Essentials 3.3 is the formal definition and inclusion of cloud services.

Previously, organisations could (intentionally or not) treat Cyber Essentials as a “devices and firewall” exercise. That is no longer possible.

From 27th April 2026:

  • All cloud services are now explicitly in scope
  • They cannot be excluded
  • They must meet Cyber Essentials requirements — including MFA

This includes:

  • Microsoft 365 / Google Workspace
  • CRM platforms (e.g. Salesforce, HubSpot)
  • Accounting software (e.g. Xero, Sage)
  • HR systems
  • File storage platforms (e.g. SharePoint, Dropbox)
  • Banking apps
  • Social media accounts used for business

In simple terms:
If your business logs into it and it holds or processes company data, it’s in scope.

This change significantly broadens what needs to be secured, and when combined with the requirement for MFA across all cloud services, it becomes one of the most common areas where organisations fall short.

 

Key Focus Area: MFA Across All Cloud Services

With cloud services now fully in scope, Multi-Factor Authentication (MFA) becomes critical.

From 27th April 2026:

  • MFA must be enabled across all cloud platforms
  • Not just email — but CRM, finance, HR, business social media accounts, and more
  • It must be enforced for all users, not just admins

The importance of MFA is well documented; IASME itself highlights the risks of not implementing it.

Where businesses are most at risk

The issue isn’t usually awareness — it’s inconsistent implementation.

We regularly see:

  • MFA enabled for some users, but not all
  • Admin accounts protected, but standard users not
  • Shared logins still in use
  • Older or niche systems overlooked

Commonly overlooked platforms

These are the types of systems most often missed during Cyber Essentials assessments:

  • HR systems (e.g. BambooHR, BrightHR)
  • Accounting platforms (e.g. QuickBooks, Sage)
  • Payroll and expenses tools (e.g. PayFit, Expensify)

These often contain highly sensitive data but aren’t always treated as security-critical systems.

 

Key Focus Area: All Internet-Connected Devices Are Now In Scope

Another key change in Cyber Essentials 3.3 is how scope is defined.

The previous concept of “untrusted connections” has been removed. In its place is a much simpler rule:

If a device can connect to the internet, it is in scope.

This removes the ambiguity, and it is one of the most common areas where organisations will encounter issues at renewal.

In practical terms, this includes:

  • Laptops and desktops
  • Servers
  • Mobile devices
  • Network equipment
  • Legacy systems
  • Specialist or operational devices


Where Businesses Are Most At Risk Of Failing

The challenge isn’t understanding the rule. It’s how widely it now applies, and where gaps are left unaddressed.

Organisations will now fail due to:

  • Unsupported or outdated devices still in use
  • Devices not being regularly patched or centrally managed
  • Equipment previously assumed to be “out of scope”

In most cases, these aren’t deliberate decisions. They’re oversights caused by incomplete visibility across the environment.

The Hidden Challenge: Legacy And Edge Devices

The highest risk sits at the edges of the environment, where devices are easiest to overlook.

This includes:

  • Old PCs still used occasionally
  • Test or backup machines
  • On-premise servers
  • Network-attached or specialist devices

These systems are often missed during reviews, but are now fully in scope.

Each of these must either:

  • Meet Cyber Essentials requirements, or
  • Be properly segmented, with clear supporting evidence

Without this, certification will fail.

Quick Self-Check: What Have You Probably Missed?

As a result of these scope changes, it’s more important than ever to ensure nothing is overlooked.

If your business uses any of the following, then they are now in scope from 27th April 2026: 

CRM Systems

  • Salesforce
  • HubSpot
  • Zoho CRM
  • Microsoft Dynamics 365
  • Pipedrive

 

HR & Payroll Platforms

  • BambooHR
  • BrightHR
  • Sage HR
  • Personio
  • ADP
  • PayFit
  • Gusto

 

Accounting & Finance Software

  • Xero
  • QuickBooks Online
  • Sage Accounting / Sage 50cloud
  • FreeAgent
  • KashFlow

 

Project & Work Management Tools

  • Asana
  • Monday.com
  • Trello
  • ClickUp
  • Jira

 

File Sharing & Cloud Storage

  • Microsoft OneDrive / SharePoint
  • Google Drive
  • Dropbox
  • Box

 

Email & Collaboration Platforms

  • Microsoft 365 (Outlook, Teams)
  • Google Workspace (Gmail, Docs)
  • Slack

 

Marketing Platforms

  • Mailchimp
  • HubSpot Marketing
  • ActiveCampaign
  • Klaviyo

 

Password Managers

  • LastPass
  • 1Password
  • Bitwarden
  • Dashlane

 

Remote Access & IT Tools

  • TeamViewer
  • AnyDesk
  • LogMeIn
  • ConnectWise Control

 

Online Banking & Financial Platforms

  • Barclays / HSBC / NatWest business banking
  • PayPal
  • Stripe
  • GoCardless

 

Social Media (Business Use)

  • LinkedIn
  • Facebook
  • Instagram
  • X (Twitter)
  • TikTok

 

This is not an exhaustive list. Any cloud-based system or application your business logs into will fall within scope and should be reviewed.

If any of these apply to you, they are in scope.

And that means:

  • MFA must be enabled
  • Access must be controlled
  • They must be included in your Cyber Essentials assessment

Other Notable Changes

While the two areas above are the most impactful, there are a few additional updates worth noting:

Patch Management

  • Critical updates must be applied within 14 days of release
  • Clearer expectations around update enforcement

Mobile Device Security

  • Stronger expectations around:
    • Encryption
    • Device lock
    • Patch compliance
  • Greater emphasis on MDM (e.g. Intune)

Evidence Requirements

  • More detailed and technical responses expected
  • Greater emphasis on:
    • Screenshots
    • Policy configurations
    • Compliance reporting

Overall, Cyber Essentials is moving from:
“policy-based assurance” → “technical validation”

What About Exclusions?

Exclusions are now far more difficult.

If you attempt to exclude anything, you must provide:

  • Clear technical justification
  • Evidence of segmentation or isolation

In most cases, it is now far simpler to secure systems properly than try to exclude them.

What You Should Do Now (Before Your Renewal)

With the 27th April 2026 enforcement date approaching — and with MFA and device scope being the two most common failure points — now is the time to prepare.

1. Audit all cloud services
Identify everything your business uses

2. Enforce MFA everywhere
No exceptions — especially for HR and finance systems

3. Review all devices
Ensure everything internet-connected is compliant or segmented

4. Address legacy systems
Upgrade, remove, or properly isolate them

5. Prepare evidence early
Screenshots, reports, and policies
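The two failure points this page keeps returning to, MFA enabled for some users but not all (including admin-only enforcement and shared logins) and internet-connected devices that are unsupported, unpatched or unmanaged, can both be checked from exports before the assessor sees them. The script below is an added example, not code from the original article or from The HBP Group. It runs the five steps above over two constructed CSV exports: the user file uses the column names of the Microsoft Entra "User registration details" report (userPrincipalName, isAdmin, isMfaRegistered, isMfaCapable), and the device inventory columns are an assumption about what an MDM or RMM export could provide. The list of "shared-looking" account names and the assessment date are also assumptions.

```python
"""Pre-renewal gap check for the two most common Cyber Essentials 3.3 failure points.

Added example: reads two constructed CSV exports (not real tenant data) and lists
the gaps an assessor would ask about. User export columns follow the Entra ID
"User registration details" report; the device inventory columns are assumed.
"""
import csv
import io
from datetime import date, timedelta

PATCH_WINDOW_DAYS = 14               # critical updates applied within 14 days of release
ASSESSMENT_DATE = date(2026, 4, 27)  # the 3.3 enforcement date, used as "today" here

# Local parts that usually indicate a shared, role-based login (heuristic, assumption).
SHARED_LOCAL_PARTS = {"finance", "accounts", "info", "admin", "sales", "hr", "payroll"}

# Constructed sample export, modelled on the Entra user registration details report.
USERS_CSV = """userPrincipalName,isAdmin,isMfaRegistered,isMfaCapable
alice@example.co.uk,TRUE,TRUE,TRUE
bob@example.co.uk,FALSE,FALSE,FALSE
carol@example.co.uk,FALSE,TRUE,FALSE
dave@example.co.uk,TRUE,FALSE,FALSE
finance@example.co.uk,FALSE,FALSE,FALSE
"""

# Constructed device inventory. Dates are example values, not vendor lifecycle data.
DEVICES_CSV = """hostname,os,os_supported_until,oldest_pending_critical_release,internet_connected,managed
LT-001,Windows 11,2027-10-12,,TRUE,TRUE
LT-002,Windows 10,2025-10-14,2026-04-01,TRUE,TRUE
SRV-BACKUP,Windows Server 2012 R2,2023-10-10,,FALSE,FALSE
CNC-01,Embedded Linux,2030-01-01,2026-03-20,TRUE,FALSE
"""


def _truthy(value: str) -> bool:
    return value.strip().lower() in {"true", "yes", "1"}


def mfa_gaps(users_csv: str) -> dict:
    """Classify users by MFA registration state.

    Registration is not enforcement: isMfaRegistered / isMfaCapable say what a user
    *could* use. Evidence that MFA is *required* (a Conditional Access policy or
    security defaults) still has to be collected separately.
    """
    gaps = {"admins_without_mfa": [], "users_without_mfa": [],
            "registered_but_not_capable": [], "possible_shared_accounts": []}
    for row in csv.DictReader(io.StringIO(users_csv)):
        upn = row["userPrincipalName"].strip()
        if not _truthy(row["isMfaRegistered"]):
            key = "admins_without_mfa" if _truthy(row["isAdmin"]) else "users_without_mfa"
            gaps[key].append(upn)
        elif not _truthy(row["isMfaCapable"]):
            # Registered only a method the authentication methods policy does not allow.
            gaps["registered_but_not_capable"].append(upn)
        if upn.split("@", 1)[0].lower() in SHARED_LOCAL_PARTS:
            gaps["possible_shared_accounts"].append(upn)
    return gaps


def device_gaps(devices_csv: str, today: date) -> dict:
    """Apply the 3.3 scope rule as the page states it: internet-connected means in scope."""
    gaps = {"unsupported_os": [], "patch_overdue": [],
            "unmanaged_in_scope": [], "out_of_scope_needs_segmentation_evidence": []}
    for row in csv.DictReader(io.StringIO(devices_csv)):
        host = row["hostname"].strip()
        if not _truthy(row["internet_connected"]):
            # Not in scope only if the segmentation can be evidenced to the assessor.
            gaps["out_of_scope_needs_segmentation_evidence"].append(host)
            continue
        if date.fromisoformat(row["os_supported_until"]) < today:
            gaps["unsupported_os"].append(host)
        pending = row["oldest_pending_critical_release"].strip()
        if pending and today - date.fromisoformat(pending) > timedelta(days=PATCH_WINDOW_DAYS):
            gaps["patch_overdue"].append(host)
        if not _truthy(row["managed"]):
            gaps["unmanaged_in_scope"].append(host)
    return gaps


def build_report(users_csv: str, devices_csv: str, today: date) -> dict:
    """Combine both checks; 'blocking' marks findings that fail certification outright."""
    users, devices = mfa_gaps(users_csv), device_gaps(devices_csv, today)
    blocking = bool(users["admins_without_mfa"] or users["users_without_mfa"]
                    or devices["unsupported_os"] or devices["patch_overdue"])
    return {"assessment_date": today.isoformat(), "users": users,
            "devices": devices, "blocking": blocking}


def render(report: dict) -> str:
    """Plain-text summary suitable for attaching to the assessment as evidence."""
    lines = [f"Cyber Essentials gap check as of {report['assessment_date']}"]
    for section in ("users", "devices"):
        for finding, items in report[section].items():
            if items:
                lines.append(f"  {section}/{finding}: {', '.join(items)}")
    lines.append("RESULT: " + ("BLOCKING gaps found" if report["blocking"] else "no blocking gaps"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(build_report(USERS_CSV, DEVICES_CSV, ASSESSMENT_DATE)))
```

Two caveats matter when using a check like this for real. First, a registration report proves that users have set up a second factor, not that they are required to use it; keep the Conditional Access or security-defaults configuration as separate evidence. Second, the device rule keys off a single internet_connected flag, so the inventory has to be complete, which is exactly where the "old PC used occasionally" and "test or backup machine" cases described above get missed.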

Cyber Essentials 3.3 doesn’t introduce new controls — it removes ambiguity.

  • Same five control areas
  • Much broader scope
  • Greater clarity
  • Higher expectations

For organisations renewing from 27th April 2026 onwards, this will likely require some internal changes.

The biggest risks are:

  • Not enforcing MFA across all cloud platforms
  • Assuming certain devices are “out of scope”

But ultimately, this update reflects how businesses operate today:

In the cloud, across multiple systems, with data everywhere — and Cyber Essentials now expects you to secure it that way.

Need help preparing for Cyber Essentials 3.3? Whether you're renewing or applying for the first time, we can review your current setup and highlight any gaps ahead of April 2026. Existing customers can contact their account manager for tailored guidance and support. 


Posted by The HBP Group

The HBP Group is an award-winning UK provider of Managed IT Services and ERP software. Founded in 1991, they support businesses with managed IT services, IT Support and ERP implementations for Microsoft Dynamics 365 Business Central, Sage Intacct, Sage 200 and Pegasus Opera 3.

Written by experts across the business, The HBP Group blog covers cybersecurity, IT best practice, Microsoft solutions, ERP systems, and technology strategy—helping organisations reduce risk, improve performance, and make smarter IT decisions.
