Cyber Essentials update could put your public sector contracts at risk
Cyber Essentials v3.3 creates a new automatic fail rule
From 27 April 2026, any organization that holds Cyber Essentials certification and has not switched on login verification across every cloud service it uses is looking at an automatic assessment failure.
Not a non-conformity to address gradually. Not a remediation point. An immediate fail with no second chance within that certification cycle.
Cyber Essentials is the UK government's flagship cybersecurity certification scheme, backed by the National Cyber Security Centre and administered by IASME. Around 50,000 organizations certify every year. For suppliers to central government handling sensitive data it is mandatory.
For many others it has become a baseline expectation for cyber insurance and private sector procurement. I have been assessing organizations against the scheme since 2017. Version 3.3, which takes effect on 27 April, is the most significant update in all of that time.
Founder and Head Assessor at Forensic Control.
The specific change is this: if a cloud service offers Multi-Factor Authentication (MFA) and an organization has not enabled it for all users, the assessment fails immediately.
This applies even where the feature is only available through a paid upgrade to an existing plan. Under the previous version of the scheme, non-compliant answers on this point were survivable. That route is now closed.
For most organizations, resolving this is a straightforward technical project. But in my assessments this year I have encountered a specific category of organization for which it is anything but. The gap between what v3.3 now requires and what they can actually deliver is significant, and the scheme update does not address it.
The problem the guidance does not resolve
The pressure points I see consistently appear in environments built around shared access, rapid task switching, and frequent staff or volunteer turnover.
These are organizations where people need to get onto systems quickly, where devices are shared across shifts, or where managing individual login credentials for a constantly rotating workforce creates a genuine operational burden.
Think of a station operations room where multiple staff rotate through shared terminals across shifts, needing to access time-critical information in seconds.
Or a nationally known charity with hundreds of high street locations and a large volunteer workforce on short shifts, for whom managing individual authentication at scale is a real practical problem.
In both cases, the relevant cloud services offer the required verification feature. In both cases it has not been enabled, not out of carelessness, but because the operational reality makes standard approaches genuinely difficult to deploy.
Under the previous version of the scheme that position was survivable. Under v3.3 it becomes an automatic fail.
That does not make stronger authentication unnecessary. If anything it makes it more important. But it does mean that some organizations have supported the principle while delaying the harder work of designing how it will actually function day to day. That distinction matters much more under v3.3.
This is a workflow design problem, not a policy problem
The organizations that will navigate v3.3 well are not the ones with the most sophisticated security policies. They are the ones that have done the practical work of making stronger authentication usable in the environments where it is hardest to deploy.
That means mapping every in-scope cloud service and establishing exactly where verification features are available, including where they require a paid upgrade, because v3.3 makes no distinction. It means reviewing whether current authentication approaches are suitable for fast-moving operational environments.
And it means looking seriously at options such as FIDO2 security keys, passkeys, badge-linked identity workflows, and context-aware access controls that can reduce friction without reducing assurance.
NCSC's own guidance has increasingly reflected the value of phishing-resistant approaches over codes and prompts, and v3.3 moves in the same direction.
Cyber Essentials now makes cloud services unambiguously part of scope where they store or process organizational data. Organizations can no longer assume that awkward operational exceptions will remain tolerable.
The bar is rising. The organizations that will meet it are the ones treating authentication as a design challenge, not a compliance checkbox.
Start now, not at renewal
The businesses most likely to struggle with Cyber Essentials v3.3 are not the ones that disagree with stronger authentication. They are the ones that have postponed the practical work of making it usable everywhere the standard now expects it to be.
This should not be left until renewal. Rolling out new authentication methods, adjusting processes for joiners and leavers, and getting users comfortable with a new access model all take time. If verification features are available on your cloud services but not yet enabled, 27 April is closer than it appears.
Cyber Essentials v3.3 is not just a tougher compliance checkpoint. It is a prompt to make sure that how your organization verifies who can access its systems actually works in the real world, especially in the environments where getting that right is hardest.
This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.
The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit