The Big Changes in Cyber Essentials v3.3Don't Fail Your Next Certification

What Has Changed in v3.3

The 2024 update to Cyber Essentials reflects the reality of how modern organisations operate. Seven areas have seen significant changes - each one representing a governance or operational discipline that many businesses have not yet formalised.

The Certification Has Changed. Most Organisations Have Not.

For many years, Cyber Essentials was primarily a product checklist. Install antivirus, configure a firewall, enable patching, apply basic access controls. Organisations that had invested in standard IT infrastructure could pass with relatively modest preparation. The certification was a useful baseline, but it did not demand operational maturity.

Version 3.3 changes this significantly. The expansion of scope to include cloud services and SaaS applications means that the average organisation now has dozens of in-scope systems that were not previously assessed. The requirement for consistent MFA enforcement means that the informal exceptions that accumulated over years of reactive IT management are now compliance failures. The 14-day patching requirement means that organisations without structured vulnerability management will struggle to demonstrate compliance.

The organisations most at risk are those that have grown quickly, adopted SaaS tools across departments without central oversight or IT involvement. They may have passed previous Cyber Essentials assessments comfortably, but the environment they are operating in today looks very different from the one the earlier standard was designed to assess.

"Cyber Essentials is no longer simply about installing the right products. It is increasingly about governance, operational visibility, identity management, SaaS control, and maintaining secure operational discipline across the organisation."

The most common failure points we see in organisations preparing for Cyber Essentials v3.3 are not missing products. They are governance gaps: SaaS applications in scope that nobody knew about, leavers that where never raised with IT, and patch processes that worked in principle but could not be evidenced in practice. These are operational problems, not technology problems. And they require operational solutions.

For a broader perspective on how reactive IT creates hidden risk, our article on the hidden risks of reactive IT managed services explores the operational and commercial consequences of IT management that responds to problems rather than preventing them.

The SaaS Problem Most Organisations Have Not Solved

The average SME now runs between 40 and 100 SaaS applications. Finance uses one platform for expense management, marketing another for campaign analytics, operations a third for project tracking. Each of these tools may be processing organisational data. Under Cyber Essentials v3.3, each one is potentially in scope.

The challenge is not simply the number of applications. It is that most organisations no longer have a complete picture of what SaaS platforms their staff use, where business data resides, who owns each system operationally, or whether SSO and MFA are enforced consistently across the estate. This is shadow IT at scale - and it is now a direct Cyber Essentials compliance risk.

The solution to SaaS sprawl is not restriction - it is governance. Organisations that implement a lightweight SaaS register and a simple approval process for new tools find that they can accommodate the pace of SaaS adoption without losing visibility or control. The goal is not to prevent staff from using the tools that make them productive. The goal is to ensure that when a new tool is adopted, IT knows about it, security has assessed it, and the organisation understands what data is being processed and where.

For organisations that have not yet addressed SaaS governance, our article on why SME technology projects fail provides a detailed framework for building operational governance without creating enterprise-scale bureaucracy.

Identity Is Now the Security Perimeter

In the era of cloud computing and remote working, the traditional network perimeter has dissolved. Staff access organisational systems from home networks, personal devices, and public Wi-Fi. The only consistent control point that remains is identity - and Cyber Essentials v3.3 reflects this reality by placing identity management at the centre of its requirements.

The requirement for consistent MFA enforcement is the most visible change, but the underlying shift is broader. Assessors now expect organisations to demonstrate that identity is managed as an operational discipline - not just that MFA is enabled in a settings panel. This means leaver/joiner processes that are consistently followed, privilege reviews that happen on a defined schedule, service accounts that are documented and audited, and conditional access policies that enforce security standards at the identity layer.

Microsoft Entra ID (formerly Azure Active Directory) provides the identity foundation that most organisations need to meet these requirements. When properly configured, it enforces MFA through conditional access policies, manages device compliance, extends SSO to hundreds of SaaS applications, and provides the audit trail that assessors expect. The technology is available to any Microsoft 365 customer - the challenge is implementing it correctly and maintaining it as the organisation evolves.

For organisations looking to understand the full scope of Microsoft 365 security capabilities, our Microsoft 365 and Azure services page explains how Wavex helps organisations get the most from their Microsoft investment while maintaining a strong security posture.

Where Does Your Organisation Sit?

The five-level governance maturity model below reflects the operational reality of how organisations manage technology adoption, SaaS governance, and security controls. Click each level to understand the characteristics and the associated Cyber Essentials risk.

Most SMEs sit at Level 2 or Level 3. The majority of Cyber Essentials failures in v3.3 assessments stem from governance gaps - not missing products. An organisation at Level 2 may have all the right security tools deployed but still fail because it cannot demonstrate consistent control application, evidence patch compliance, or show that its SaaS estate is understood and managed.

Understanding Each v3.3 Requirement

Each section below covers a specific Cyber Essentials v3.3 requirement - explaining what it means in practice, the real-world operational challenge it presents, how mature organisations approach it, and how Wavex supports clients. Click any section to expand the detail.

Operational Problems We Help Clients Solve Every Day

Wavex works with SMEs and mid-market organisations across London and the UK to build the operational foundations that Cyber Essentials v3.3 requires. Our approach is not to prepare organisations for a single assessment - it is to help them build the governance, visibility, and operational disciplines that make certification a natural outcome of how they manage IT, rather than a project they undertake every two years.

The organisations we work with typically come to us at one of two points. Some are preparing for their first Cyber Essentials assessment and want to understand what is required. Others have previously held certification but are concerned that the v3.3 changes have created new gaps in their current controls. In both cases, the starting point is the same: a structured assessment of the current environment, identifying what is in scope, what controls are in place, and where the gaps are.

For organisations that are also thinking about the broader AI governance implications of their technology environment, our article on why every business needs an AI risk policy explores how AI adoption intersects with Cyber Essentials and operational governance requirements.

Cyber Essentials v3.3 - Common Questions