For many business owners and directors, the key issue is simple: Cyber Essentials can no longer be treated as something to revisit only when renewal time arrives. The latest version reflects the way modern businesses actually work, using cloud platforms, hybrid working, remote access, SaaS applications and mobile devices as part of normal day-to-day operations.
Need help preparing for Cyber Essentials v3.3?
Bondgate supports businesses across Darlington, Tees Valley and the wider North East with practical Cyber Essentials guidance, gap reviews and certification preparation.
Cyber Essentials v3.3 in brief
From 27 April 2026, Cyber Essentials v3.3 requires businesses to:
- include cloud services in scope
- include end-user devices in scope
- use multi-factor authentication for cloud services where available
- apply high-risk and critical security updates within 14 days
- remove unsupported software or isolate it properly from internet-connected systems
What is new in Cyber Essentials v3.3?
The official Cyber Essentials: Requirements for IT Infrastructure v3.3 highlights several changes, including a formal definition for cloud services, updated wording around passwordless authentication including FIDO2, clearer scope wording, and stronger emphasis on backup, software development and cloud inclusion.
The practical impact for SMEs: the biggest changes are not theoretical. They affect what must be in scope, how MFA must be applied, how quickly patching needs to happen, and what directors are expected to stand behind at sign-off stage.
1. Cloud services must be in scope
“If your organisation’s data or services are hosted on cloud services, these services must be in scope. Cloud services cannot be excluded from scope.”
This is one of the most important changes in v3.3. If your organisation stores or processes data using cloud services, those services now need to be explicitly considered as part of your Cyber Essentials scope.
That could include:
- Microsoft 365
- Google Workspace
- Dropbox
- cloud backup platforms
- finance systems
- CRM platforms
- SaaS applications
- social media accounts used for business activity
The self-assessment materials also make clear that social media accounts such as Facebook, LinkedIn and X are considered cloud services.
2. End-user devices cannot be excluded
“A scope that doesn’t include end-user devices isn’t acceptable.”
This means Cyber Essentials cannot be narrowed down to only a firewall, server environment or office network. If your staff use laptops, desktops, tablets or mobile phones to access organisational data or services, those devices matter.
This also affects BYOD arrangements where personal devices are used for business access.
3. MFA is mandatory for cloud services where available
“Your organisation must implement MFA, where available – authentication to cloud services must always use MFA.”
This is one of the clearest and most commercially important parts of the new version. If a cloud platform supports MFA, it needs to be enabled.
The self-assessment question set specifically asks whether MFA has been applied to:
- all cloud administrators
- all cloud users
- all relevant cloud services
Important: in the self-assessment booklet, a “no” answer to MFA questions for cloud administrators or cloud users where MFA is available results in a fail.
4. High-risk security updates must be applied within 14 days
The 14-day patching rule remains one of the most important operational requirements in Cyber Essentials v3.3.
All software on in-scope devices must be updated within 14 days where:
- the vendor describes the vulnerability as critical or high risk
- the vulnerability has a CVSS v3 base score of 7 or above
- the vendor does not provide severity information
This includes operating systems, applications, router firmware and firewall firmware.
Important: the self-assessment booklet states that a “no” answer on the 14-day patching questions is an automatic fail.
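The three triggers and the 14-day window above can be checked against an update inventory. The sketch below is an added example, not code from Bondgate or from the Cyber Essentials materials. The field names and sample records are constructed for illustration, and it assumes the three triggers are alternatives and that the 14 days run from the vendor's release date.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)

@dataclass
class Update:
    asset: str
    software: str
    released: date                  # date the vendor released the fix
    vendor_severity: Optional[str]  # None when the vendor gives no rating
    cvss_v3: Optional[float]        # CVSS v3 base score, if published
    installed: Optional[date] = None

def rule_reason(u: Update) -> Optional[str]:
    """Return why the 14-day rule applies, or None if it does not."""
    sev = (u.vendor_severity or "").strip().lower()
    if sev in {"critical", "high"}:
        return "vendor rates it critical/high"
    if u.cvss_v3 is not None and u.cvss_v3 >= 7.0:
        return "CVSS v3 base score >= 7"
    if not sev:
        return "vendor gives no severity information"
    return None

def status(u: Update, today: date) -> str:
    """Classify one update against the 14-day deadline."""
    if rule_reason(u) is None:
        return "outside-14-day-rule"
    deadline = u.released + PATCH_WINDOW
    if u.installed is not None:
        return "compliant" if u.installed <= deadline else "installed-late"
    return "pending" if today <= deadline else "overdue"

def report(updates, today):
    """List (asset, software, status, reason) for every tracked update."""
    return [(u.asset, u.software, status(u, today), rule_reason(u)) for u in updates]

# Constructed sample inventory (not real assets or advisories).
SAMPLE = [
    Update("laptop-01", "operating system", date(2026, 4, 1), "Critical", 9.8, date(2026, 4, 10)),
    Update("fw-01", "firewall firmware", date(2026, 4, 1), None, None),
    Update("laptop-02", "browser", date(2026, 4, 10), "Moderate", 7.5),
    Update("srv-01", "accounts app", date(2026, 4, 1), "Low", 3.1),
    Update("router-01", "router firmware", date(2026, 3, 20), "High", None, date(2026, 4, 8)),
]

if __name__ == "__main__":
    for row in report(SAMPLE, today=date(2026, 4, 20)):
        print(row)
```

Anything reported as overdue or installed-late is a record that would not support a "yes" answer on the 14-day patching questions.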
5. Unsupported software creates a direct compliance problem
Cyber Essentials v3.3 requires all in-scope software to be licensed and supported. Unsupported software must either be removed or moved out of scope using a properly defined sub-set that prevents traffic to and from the internet.
For many SMEs, this is where hidden issues start to appear, particularly around:
- older Windows versions
- legacy business systems
- unsupported browsers
- ageing network devices
- old plugins, extensions or frameworks
6. Directors and business owners are clearly accountable
“Your answers must be approved by a Board level representative, business owner or the equivalent, otherwise certification cannot be awarded.”
That makes Cyber Essentials more than a technical issue. It is now clearly a governance and accountability issue too.
Business owners and directors need confidence that:
- the scope is accurate
- the controls are genuinely in place
- any exclusions are justifiable
- the business can stand behind the answers submitted
For North East SMEs, this is the real shift: Cyber Essentials is no longer just an IT support discussion. It is part of commercial readiness, operational discipline and leadership sign-off.
Why this matters for Darlington, Tees Valley and North East businesses
Across Darlington and the wider North East, Cyber Essentials is often linked directly to commercial opportunity and customer confidence. Businesses are being asked for it, and pursue it because they want to:
- win contracts
- stay on approved supplier lists
- reassure customers and partners
- meet insurer or procurement expectations
- improve cyber resilience without building a large internal security function
This is especially relevant for local manufacturers, engineering businesses, professional services firms, MSPs, logistics firms, construction companies and growing SMEs with cloud-first systems.
What SME owners and directors should review now
Review your scope properly
- end-user devices
- cloud services
- networks in use
- home and remote working arrangements
- BYOD access routes
- firewalls and routers in scope
Review MFA coverage
- all cloud administrators
- all cloud users
- every cloud service where MFA is available
Review your patching process
- high-risk operating system updates within 14 days
- high-risk application updates within 14 days
- router and firewall firmware updates within 14 days
- automatic updates enabled where possible
Review supported software
- unsupported software
- unlicensed software
- legacy platforms outside vendor support
- unsupported extensions or frameworks
Review access control
- account approval processes
- unique credentials
- leaver and inactivity account removal
- least-privilege access
- separate admin accounts
- review of privileged access
A better approach: the businesses that handle Cyber Essentials well are usually the ones that treat it as a repeatable operational process, not a last-minute certification rush.
A practical 4-step plan to prepare for Cyber Essentials v3.3
Step 1: Define what is in scope
Take a realistic view of your environment, including cloud services, end-user devices and remote working arrangements.
Step 2: Assess the five control areas
- Firewalls
- Secure Configuration
- Security Update Management
- User Access Control
- Malware Protection
Step 3: Fix the common gap areas
- roll out MFA fully
- tighten account and admin controls
- improve patching discipline
- remove unsupported software
- document approvals and reviews more clearly
Step 4: Prepare before renewal pressure arrives
Do not wait until a customer asks for certification or renewal is due. The earlier you review your position, the easier it is to close gaps properly.
Want to understand how Cyber Essentials v3.3 applies to your business?
Bondgate works with businesses across Darlington, Tees Valley and the wider North East to make Cyber Essentials practical, proportionate and commercially useful.
Cyber Essentials v3.3 FAQ
What is Cyber Essentials v3.3?
Cyber Essentials v3.3 is the April 2026 version of the UK government-backed Cyber Essentials requirements for IT infrastructure. It updates the scheme’s wording around scope, cloud services, MFA, supported software and patching.
When does Cyber Essentials v3.3 go live?
Cyber Essentials v3.3 takes effect from 27 April 2026.
Are cloud services in scope for Cyber Essentials v3.3?
Yes. The official requirements state that if your organisation’s data or services are hosted on cloud services, those services must be in scope and cannot be excluded.
Can end-user devices be excluded from scope?
No. The official requirements state that a scope that does not include end-user devices is not acceptable.
Does Cyber Essentials v3.3 require MFA?
Yes, where available. The requirements state that organisations must implement MFA where available, and that authentication to cloud services must always use MFA.
What is the 14-day patching rule?
High-risk or critical security updates, updates covering vulnerabilities with a CVSS v3 base score of 7 or above, and updates where the vendor does not provide severity information must be applied within 14 days of release.
Does Cyber Essentials apply to Microsoft 365?
Yes. Microsoft 365 is a cloud service and should be included in scope where it stores or processes organisational data.
How Bondgate helps local businesses prepare
For businesses in Darlington, Tees Valley and the wider North East, Bondgate helps make Cyber Essentials practical.
That includes helping you to:
- define scope properly
- identify cloud services and user devices in scope
- review MFA coverage
- assess patching readiness
- identify unsupported software risks
- tighten access controls
- prepare confidently for certification
Speak to Bondgate about Cyber Essentials v3.3
If your business is based in Darlington, Tees Valley or the wider North East, now is the time to get ahead of Cyber Essentials v3.3.