The Cyber Essentials 2026 update (v3.3 “Danzell”), effective 27 April 2026, introduces stricter requirements for UK organisations seeking Cyber Essentials certification. The goal is simple: stronger authentication, faster vulnerability remediation, and reliable recovery processes.
Mandatory Multi-Factor Authentication (MFA) – If a cloud service supports MFA, it must be enabled. This applies to cloud platforms, administrative accounts, and remote access. Not enabling MFA where available can result in an automatic assessment failure.
Expanded Scope for Cloud Services and Devices
Any device or cloud service storing or processing company data is in scope unless it is demonstrably segregated. The update removes ambiguity around SaaS platforms and remote working.
14-Day Vulnerability Remediation Rule
High-risk or critical security updates must be applied within 14 days, including vendor-issued fixes. This strengthens patch management and reduces exposure to known threats.
Stronger Backup and Recovery Expectations
Organisations must demonstrate that data can be reliably restored after a cyber incident. Backups should support practical recovery, not just exist on paper.
Why immutable backups matter
While not mandatory, immutable backups can be your last line of defence. Ransomware attackers often target backup systems first. Using a write-once, read-many (WORM) approach ensures recovery points cannot be altered or deleted.
Cyber Essentials provides a strong security baseline, but building resilience beyond compliance ensures your organisation can recover quickly when incidents occur. Call us on 0161 464 6101 or email hello@datacentreplus.co.
FAQs
Q: When does the Cyber Essentials 2026 update take effect?
A: 27 April 2026. All new assessments will follow v3.3 (“Danzell”) standards.
Q: Is MFA mandatory under the 2026 update?
A: Yes. If MFA is offered on a cloud service, it must be enabled.
Q: Are immutable backups required?
A: Not formally, but they are recommended to protect against ransomware targeting backup systems.
Q: How quickly must vulnerabilities be fixed?
A: High-risk or critical vulnerabilities must be remediated within 14 days.
