You have just been told your firm needs Cyber Essentials to bid for a contract. The deadline is eight weeks away. You open the IASME website and feel out of your depth.
And as of 27 April 2026, the rules got stricter.
This guide explains Cyber Essentials certification in the UK under the new v3.3 standard. You will learn what changed, what it costs, and the practical steps to pass first time. We have spent 25 years helping UK SMEs through certifications like this, and the patterns are predictable.
Key takeaways
- Effective date: 27 April 2026
- New question set: Danzell (replaces Willow)
- Headline change: MFA on cloud services is now an auto-fail if available and not enabled
- Cost: From around £320+VAT for micro businesses, tiered by size
- Certificate validity: 12 months, recertify annually
- Two tiers: Cyber Essentials (self-assessed, verified) and Cyber Essentials Plus (independently audited)
What is Cyber Essentials certification?
Cyber Essentials is a UK government-backed certification, managed by IASME on behalf of the National Cyber Security Centre. It confirms an organisation has the five core technical controls in place to defend against common cyber attacks. The certificate is valid for 12 months and is widely required for UK public sector contracts.
The scheme has two tiers. Standard Cyber Essentials is a verified self-assessment. Cyber Essentials Plus adds an independent technical audit, including vulnerability scanning.
The five controls have not changed under v3.3. They remain: firewalls, secure configuration, user access control, malware protection, and security update management. What has changed is how strictly each one is assessed.
Why Cyber Essentials matters in 2026
Procurement Policy Note 014 makes Cyber Essentials a requirement for many UK public sector contracts. According to GOV.UK, suppliers handling citizen data, government employee data, or systems processing OFFICIAL-level data must demonstrate certification before contract award.
Enterprise procurement teams in finance, legal services, healthcare, and education increasingly demand it too. Many cyber insurance providers now treat Cyber Essentials as a baseline expectation. Some policies require MFA and may dispute claims if a breach exploits a password-only account.
If you bid for public sector or large private sector work, treat Cyber Essentials as a de facto requirement. Without it, your bid often does not reach the technical evaluation stage.
What is changing in Cyber Essentials v3.3?
Five changes matter most under v3.3:
- MFA is now an auto-fail. If a cloud service offers MFA and it is not enabled for all users, your assessment fails immediately.
- All cloud services are in scope. Microsoft 365, Google Workspace, your CRM, HR platform, and file sharing tools must all be assessed. You cannot exclude them.
- The 14-day patching rule is strictly enforced. Critical and high-severity updates must be deployed within 14 days, and evidence must cover all in-scope devices, not just sampled ones.
- Danzell replaces Willow. The new question set asks more detailed questions about cloud inventory, MFA implementation, and patching evidence.
- Scoping rules are tighter. Assessors now have explicit authority to challenge scopes that look engineered to minimise effort.
Each change closes a loophole that has let businesses pass without doing the underlying work. The five controls are the same. The bar is higher.
When does v3.3 apply to my certification?
Assessment accounts created after 27 April 2026 use v3.3 and the Danzell question set. Accounts created before that date have six months to complete the assessment under the previous version. In practice, your next renewal after April 2026 is your first v3.3 assessment.
Cyber Essentials vs Cyber Essentials Plus: which do you need?
Choose Cyber Essentials Plus if you bid for higher-risk public sector contracts, including MoD, NHS Trust supply chains, or contracts handling sensitive citizen data. For most other public sector work, standard Cyber Essentials is enough.
| Feature | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Assessment method | Verified self-assessment | Independent technical audit |
| Vulnerability scanning | Not included | Included |
| Typical cost (from) | £320+VAT | Significantly higher, varies by scope |
| Time to certify | Days to weeks | Several weeks |
| Commonly required for | Standard public sector contracts | MoD, NHS, sensitive data work |
Both certifications now apply v3.3 requirements. Plus inherits everything in the base standard, then adds independent verification on top.
How much does Cyber Essentials cost in the UK?
Cyber Essentials starts from £320+VAT for micro-organisations and rises in tiers based on company size. Cyber Essentials Plus costs significantly more because it includes an independent audit and vulnerability scanning. Current pricing is published on the IASME website.
The certification fee is rarely the full cost. Budget for staff time, gap analysis, and any remediation work. A failed first attempt usually means re-application fees and lost time, which is why preparation matters.
At GR.IT, we work on fixed fees with no hidden costs. You know what you are paying before we start.
How to pass Cyber Essentials first time
Most first-time failures are predictable. Work through this checklist before you book your assessment:
- Map every asset. List every device, server, and cloud service that touches business data. Forgotten cloud apps are the most common scoping fail.
- Enable MFA everywhere. Audit every cloud service. If MFA is offered, enable it for all users, not just admins.
- Confirm supported software. Every in-scope device must run software within its support window. One legacy server can fail you.
- Patch within 14 days. Set a documented process for applying critical and high-severity updates. Sampling is no longer enough.
- Audit admin accounts. Remove unused accounts. Separate standard and admin access for every user.
- Document scoping decisions. Write down why a service is in or out of scope. Assessors will ask.
- Run a mock Danzell assessment. Walk through the new question set before booking. Treat it as a dress rehearsal.
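As an added example, not code from the original guide or from GR.IT or IASME, the following Python script turns the v3.3 changes listed above and this checklist into a readiness self-check over a constructed inventory: it flags the MFA auto-fail, unsupported operating systems, and overdue critical updates across every device rather than a sample. The field names, the sample data, and the assumption that the 14-day window counts from an update's release date are this example's own.

```python
# Cyber Essentials v3.3 readiness self-check: an added illustration for this guide, not
# IASME/NCSC tooling. Inventories are constructed sample data; the 14-day patch window
# is assumed to count from the update's release date.
from datetime import date

PATCH_WINDOW_DAYS = 14
AS_OF = date(2026, 5, 5)  # date of the sample readiness run

# Constructed cloud inventory: every SaaS tool touching business data, with MFA status.
CLOUD_SERVICES = [
    {"name": "Microsoft 365", "mfa_available": True, "mfa_all_users": True},
    {"name": "Mailchimp", "mfa_available": True, "mfa_all_users": False},  # admins only
    {"name": "Legacy supplier portal", "mfa_available": False, "mfa_all_users": False},
]

# Constructed device inventory: OS support end date and the release date of the oldest
# critical/high update not yet installed (None when fully patched).
DEVICES = [
    {"name": "LAPTOP-01", "os_support_end": date(2027, 10, 14), "oldest_pending_update": date(2026, 5, 1)},
    {"name": "FIN-SRV-01", "os_support_end": date(2023, 10, 10), "oldest_pending_update": None},
    {"name": "LAPTOP-07", "os_support_end": date(2027, 10, 14), "oldest_pending_update": date(2026, 4, 1)},
]

def check_mfa(services):
    """Services offering MFA without enforcing it for every user: an auto-fail under v3.3.
    A service with no MFA option is not an auto-fail but must still be in scope."""
    return [s["name"] for s in services if s["mfa_available"] and not s["mfa_all_users"]]

def check_support(devices, today=AS_OF):
    """Devices whose operating system is past its vendor support end date."""
    return [d["name"] for d in devices if d["os_support_end"] < today]

def check_patching(devices, today=AS_OF, window=PATCH_WINDOW_DAYS):
    """Every device (not a sample) with a critical/high update older than the 14-day window."""
    return [d["name"] for d in devices
            if d["oldest_pending_update"] is not None
            and (today - d["oldest_pending_update"]).days > window]

def readiness_report(services, devices, today=AS_OF):
    """Collect the three blocking findings; 'ready' is True only when every list is empty."""
    findings = {
        "mfa_auto_fail": check_mfa(services),
        "unsupported_software": check_support(devices, today),
        "patching_overdue": check_patching(devices, today),
    }
    findings["ready"] = not any(findings.values())
    return findings
```

Run `readiness_report(CLOUD_SERVICES, DEVICES)` against the sample data and it reports Mailchimp as the MFA auto-fail, FIN-SRV-01 as unsupported, and LAPTOP-07 as overdue, the same three patterns the guide says fail SMEs most often.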
In the readiness audits we have run for UK SMEs preparing for v3.3, the single most common failure is a marketing tool nobody remembered to add to the cloud inventory. The second is a back-office server quietly running an unsupported operating system.
Common pitfalls SMEs hit under v3.3
These traps catch businesses every week. Watch for them:
- Creative scoping. Excluding the marketing team’s Mailchimp account because it ‘does not store customer data’ will not survive assessor challenge.
- Personal device email. Staff reading work email on personal phones without MFA puts the whole assessment at risk.
- Forgotten legacy servers. That on-premises box running a finance package needs to be patched, supported, and in scope.
- Inconsistent patching. Remote workers’ laptops often lag behind. Centralised patch management closes this gap.
- Admin-only MFA. MFA must cover all users on every cloud service that offers it, not just privileged accounts.
If any of these sound familiar, you are not alone. They are fixable, but most need a few weeks of work.
Should you do Cyber Essentials in-house or get help?
If you have a confident in-house IT lead with time to spare, self-certification is achievable. The risk is the cost of failing first time. Lost contract opportunities and re-application fees usually outweigh the saving.
External help makes sense if your IT team is small, your cloud estate is complex, or your tender deadline is tight. A good provider runs a gap analysis, gives you a remediation roadmap, and supports you through assessment.
Our cyber security services team has guided UK SMEs through Cyber Essentials and Cyber Essentials Plus for over a decade. Plain English. Fixed fees. UK-based. If you want help, we make it straightforward.
Ready for v3.3?
Cyber Essentials v3.3 is not a reinvention. It is the most consequential tightening in years, and it closes loopholes that used to let businesses scrape through.
Early preparation is the difference between a calm assessment and a scramble. If your current certificate expires after April 2026, your next renewal is your first v3.3 assessment.
Want to know where you stand? Book a free v3.3 readiness review with our UK team. We will run a gap analysis against the Danzell question set and tell you, plainly, what to fix.