Cyber Essentials Just Got A Serious Upgrade
- elijahhoyle
How CMS protects your business through the biggest tightening of the framework in years, and why our clients sleep easier knowing the work's already done.

Cyber Essentials v3.3 raises the bar across all five technical controls: firewalls, secure configuration, access control, malware protection and patch management.
Cyber security has a habit of feeling abstract until the moment it isn't. From 27 April 2026, every new Cyber Essentials assessment falls under v3.3, the most significant tightening of the framework in years. If you're certifying fresh, the new question set already applies. Existing assessment accounts have a six-month grace window before they catch up.
For businesses that act early, the transition will be quiet and barely noticed. For those that delay, it'll be expensive, urgent, and far too public.
We've written this briefing because we'd rather you read it now than scramble in October. CMS exists to keep our clients ahead of moments like this, not behind them.
Why This Matters Now
The threat landscape has shifted under our feet. The standards have shifted with it.
Identity-based attacks, where criminals log in as your people rather than break in, are now the dominant attack pattern. Phishing is sharper, faster, and good enough to fool nine out of ten unprepared employees. Cyber insurers have noticed. Premiums are up, exclusions are tighter, and Cyber Essentials is now treated as a hard underwriting signal that drives sub-limits, claim outcomes and, in many cases, whether cover is offered at all.
On top of that, the Cyber Security and Resilience Bill was introduced to Parliament in November 2025. It expands the NIS regime to cover MSPs, data centres, and a broader category of critical suppliers. More businesses are about to fall into formal scope than at any point in the last decade.
Cyber Essentials v3.3 is the framework's response. It's no longer a tickbox. It's the baseline your customers, insurers and supply chain partners now expect, and it has teeth.
The good news: you don't have to navigate any of it alone.
What's Actually Changing
Five updates matter most. Each is manageable on its own. Together they raise the bar in a way that quietly excludes any business still treating security as paperwork.
• MFA enforcement extended to every administrative account without exception, including break-glass and service accounts.
• Tightened scope around personally-owned and BYOD endpoints accessing organisational data.
• A 14-day patch and update window for high and critical vulnerabilities, with stricter evidence expectations.
• A sharper definition of what counts as a supported product, ruling out devices and software that have slipped past their vendor end-of-life.
• Stricter handling of cloud and SaaS services. The shadow stack your team adopted without IT's blessing now sits squarely in scope.
CE Or CE+? Here's The Honest Answer
Cyber Essentials is your foundation. Self-assessed, externally reviewed, and the standard your insurers, customers, and supply chain expect to see. It's what gets you into the conversation. As a bonus, valid certification still bundles free cyber liability insurance for organisations under £20m turnover.
Cyber Essentials Plus is the same controls, independently tested by an assessor in your environment. It's the standard that increasingly wins the contract, particularly across public sector and enterprise procurement. v3.3 has tightened CE+ as well. Failed update management retests now hit a fresh random sample on top of the original devices, and the assessment record cannot be amended after technical testing.
Most of our clients certify CE first, embed it operationally, then move to CE+ within the same year as the commercial case develops. We'll advise on the right sequence for your business, not push you toward whichever generates the bigger invoice.
The CMS Difference. Compliance That Runs In The Background.
Here's the shift we've made for our clients over the past year, and the one we're most proud of. Compliance is no longer something you do once a year and hope holds together. It's a maintained, continuously monitored state, and you don't have to lift a finger to keep it that way.
Two CMS platforms quietly do the heavy lifting.
Inforcer. Your Microsoft 365, Watched Around The Clock
Most security failures don't come from a dramatic breach. They come from a setting that quietly drifted three weeks after the last review. Inforcer closes that gap permanently.
It monitors your Microsoft 365 environment continuously. Conditional Access, identity protection, mail flow, sharing controls and admin roles are all surfaced against a CMS-managed baseline derived from CIS, NCSC and Microsoft Secure Score guidance. Drift is flagged within hours.
What that means for you:
• Lower friction with insurers, who increasingly demand continuous evidence rather than a yearly snapshot.
• Audits that become a confirmation, not an investigation. Your evidence pack is already assembled.
• Issues caught and resolved before they become incidents.
The internal time saved is the part most clients underestimate. Audit prep that used to consume days of a senior IT person's calendar becomes an export. Quarterly policy reviews are absorbed into a continuous loop. Your team gets back to building the business.
Compliance posture is only half the picture. The wider IT estate (devices, licences, contracts, joiners and leavers) needs the same continuous visibility, and that's where CMS Strata, our in-house client success platform, sits alongside Inforcer. We've written about Strata in detail in a separate briefing (link below), so we won't repeat it here. The short version: Strata is the live cockpit view that turns audit prep into an export and surfaces renewal pressure months before it lands.
Common Gaps We Find (And Quietly Fix)
In nearly every readiness review we run, we find:
• MFA enforced for most users, but missing on a handful of admin or break-glass accounts.
• Conditional Access policies that drifted out of alignment between reviews.
• Leavers retaining access for longer than HR or IT realised.
• SaaS apps adopted at team level that nobody central knows about.
• An asset register that was technically maintained, but several months out of date.
None of these are unusual. All of them fail v3.3 if they're still there on assessment day.
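The first and third gaps in that list are the ones a readiness review can test mechanically, so here is an added example of how such a check looks. This is illustration code written for this briefing, not Inforcer, Strata or any CMS tooling, and it runs offline against constructed sample data: the field names mirror Microsoft Graph (users, directoryRoles/members and the userRegistrationDetails report), but the tenant, the account names, the leavers feed and the one-JSON-list-per-export layout are all assumptions made for the example.

```python
"""Offline check for two of the gaps listed above: privileged accounts with no
MFA method registered, and leavers whose accounts are still enabled."""
import json
from datetime import date

# Constructed sample exports. Field names follow Microsoft Graph (users,
# directoryRoles/members, reports/authenticationMethods/userRegistrationDetails);
# the values, the tenant and the one-JSON-list-per-export layout are
# assumptions made for this example, not a CMS, Inforcer or Microsoft format.
USERS = json.loads("""[
  {"id": "u1", "userPrincipalName": "alice@contoso.example",       "accountEnabled": true},
  {"id": "u2", "userPrincipalName": "breakglass1@contoso.example", "accountEnabled": true},
  {"id": "u3", "userPrincipalName": "bob@contoso.example",         "accountEnabled": true},
  {"id": "u4", "userPrincipalName": "carol@contoso.example",       "accountEnabled": false},
  {"id": "u5", "userPrincipalName": "svc-backup@contoso.example",  "accountEnabled": true}
]""")

ROLE_MEMBERS = json.loads("""[
  {"roleDisplayName": "Global Administrator",   "memberIds": ["u1", "u2"]},
  {"roleDisplayName": "Exchange Administrator", "memberIds": ["u5"]},
  {"roleDisplayName": "Directory Readers",      "memberIds": ["u3"]}
]""")

# u4 is absent on purpose: an account missing from the registration report has
# registered nothing, and the check must treat that as "not registered".
REGISTRATION = json.loads("""[
  {"id": "u1", "isMfaRegistered": true},
  {"id": "u2", "isMfaRegistered": false},
  {"id": "u3", "isMfaRegistered": false},
  {"id": "u5", "isMfaRegistered": false}
]""")

# Constructed HR leavers feed: UPN -> last working day as an ISO date.
HR_LEAVERS = {"bob@contoso.example": "2026-03-31",
              "carol@contoso.example": "2026-02-28"}

# Roles treated as administrative. A starting set for the example; extend it
# to whatever privileged roles the tenant actually uses.
ADMIN_ROLES = {"Global Administrator", "Privileged Role Administrator",
               "Exchange Administrator", "SharePoint Administrator",
               "Security Administrator", "User Administrator"}


def admins_without_mfa(users, role_members, registration, admin_roles=ADMIN_ROLES):
    """UPNs of enabled accounts that hold an admin role but have no MFA method
    registered. Break-glass and service accounts are deliberately not excluded:
    v3.3 gives them no carve-out, so they must show up here until fixed."""
    upn = {u["id"]: u["userPrincipalName"] for u in users}
    enabled = {u["id"] for u in users if u["accountEnabled"]}
    registered = {r["id"] for r in registration if r["isMfaRegistered"]}
    admins = {member for role in role_members
              if role["roleDisplayName"] in admin_roles
              for member in role["memberIds"]}
    return sorted(upn[i] for i in admins & enabled if i not in registered)


def leavers_still_enabled(users, leavers, as_of):
    """UPNs of leavers whose last working day is before `as_of` (ISO date) but
    whose account is still enabled. Disabled accounts are the expected state
    and are not reported."""
    cutoff = date.fromisoformat(as_of)
    return sorted(u["userPrincipalName"] for u in users
                  if u["accountEnabled"]
                  and u["userPrincipalName"] in leavers
                  and date.fromisoformat(leavers[u["userPrincipalName"]]) < cutoff)


if __name__ == "__main__":
    print("Admins without MFA:", admins_without_mfa(USERS, ROLE_MEMBERS, REGISTRATION))
    print("Leavers still enabled:", leavers_still_enabled(USERS, HR_LEAVERS, "2026-04-27"))
```

Against the sample data the first check returns the break-glass account and the service account, which is exactly the pattern described above, and the second returns the leaver whose account nobody disabled. In a live tenant the three exports would come from Microsoft Graph, for instance the Microsoft Graph PowerShell cmdlets Get-MgUser, Get-MgDirectoryRole with Get-MgDirectoryRoleMember, and Get-MgReportAuthenticationMethodUserRegistrationDetail. Two caveats matter for assessment day: isMfaRegistered shows that an account can pass MFA, not that it is being asked to, so the Conditional Access review still has to confirm enforcement; and directoryRoles lists only active assignments, so eligible PIM assignments need a separate query.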
Three Paths To Certification. Pick The One That Fits.

The five-step Cyber Essentials Plus audit journey we run with clients — scope, baseline, evidence, external scan, certify.
ROUTE 01 | Readiness Audit: We assess your current state against v3.3 and produce a clear, evidence-backed remediation plan. Useful even if you plan to certify with another partner. We've done this for boards in transition and businesses preparing for acquisition due diligence.
ROUTE 02 | Guided Certification: A genuine partnership. You retain ownership and decisions. We provide the project management, evidence pack, technical remediation, and the assessor relationship. Most clients take this route the first time.
ROUTE 03 | Fully Managed Pathway: End-to-end, always on. Inforcer monitors continuously, Strata consolidates the wider estate, a managed vulnerability tool runs continuous scanning across your estate, our team runs the assessment day, and the framework is maintained year-round. Next year's renewal is a renewal, not a re-certification scramble.
Whichever you choose, you walk away with a defensible audit trail your insurer will accept, a posture your customers can trust, and an environment that asks far less of your internal team to keep certified.
Why CMS
We're not the provider that emails a polite warning and waits for you to act. We're the partner that's already seen this change coming, already built the platforms to absorb it, and already done the preparation work for the clients who let us.
When v3.3 lands on your renewal, the question for our clients isn't “are we ready?” but “what's next?”
That's the difference. And it's the one we'd love to bring to your business.