How Cyber Essentials Plus v3.3 mandatory MFA rules challenge SMB cloud operations


From 27 April 2026, Cyber Essentials and Cyber Essentials Plus assessments created from that date will be aligned with Requirements for IT Infrastructure v3.3, with multi-factor authentication (MFA) becoming mandatory as part of an updated marking approach. (iasme.co.uk)

For many SMBs, the hard part is not understanding why MFA matters. It is that modern work is cloud-first, device-mixed, and full of “shadow SaaS”, where access control is uneven, and evidence is hard to prove under audit pressure.

This article explains what changed, why cloud operations are now a common failure point, and what decision-makers should do this week to avoid last-minute procurement delays.

What changed in v3.3, in plain English

Cyber Essentials has always cared about practical controls, but v3.3 makes the expectation much harder to dodge: if MFA is available and technically feasible, you are expected to enforce it.

Two details make this a genuine operational challenge:

  1. Assessments created on or after 27 April 2026 use v3.3 questions (older assessment accounts continue on the earlier question set). (iasme.co.uk)
  2. Cloud services are treated as firmly in scope in real-world terms: Microsoft 365, line-of-business SaaS, and even “small” web platforms can become audit issues if they handle organisational data. (ct.co.uk)

This is why v3.3 feels different. It effectively shifts the conversation from “do we have an MFA policy?” to “can we demonstrate that MFA is actually enforced, everywhere it should be?”

Why SMB cloud operations are where audits now fail

The hidden reality: your identity perimeter is bigger than Microsoft 365

Most SMBs can enforce MFA inside Microsoft 365. The audit pain typically starts when you realise how many other services are accessed using corporate email accounts:

  • HR and payroll portals
  • Finance platforms and expense tools
  • CRM and marketing platforms
  • Support desks, collaboration apps, code repositories, and supplier portals

Security teams may assume these are “outside scope” because third parties host them. v3.3 pushes in the opposite direction: cloud is part of the organisation’s operational risk, and assessors will expect you to show it is controlled. (ct.co.uk)

Unmanaged devices make “technically feasible” uncomfortable

A common SMB pattern is a mix of:

  • personally owned laptops used for email, “just in a browser”
  • contractors with their own devices
  • ad-hoc admin access during incidents
  • legacy protocols and old clients that bypass modern controls

This is exactly where you can end up with MFA “enabled” but not consistently enforced.

In practice, v3.3 pressures organisations towards identity-led control (for example, central SSO, conditional access, and strong sign-in policies) rather than relying on local device rules that only work for managed endpoints.

Evidence beats intention, and evidence takes time

Cyber Essentials Plus is a technical audit, not a paperwork exercise. Under v3.3, the “MFA everywhere it is feasible” principle creates a simple operational consequence: more systems to prove, more screens to show, more edge cases to resolve. Some practitioners already describe audit evidence collection as including screenshots of SaaS MFA and detailed configuration proof. (reddit.com)

That extra time is one reason costs can rise quickly. While Cyber Essentials (self-assessment) has fixed scheme pricing by organisation size, Cyber Essentials Plus pricing varies with complexity and sampling, and many certification bodies quote micro-SME starting points in the low thousands, depending on scope and support level. (hm-network.com)

Why this matters commercially: public sector and regulated supply chains

If you sell into government, defence, healthcare, or their supply chains, certification delays are rarely “just an IT problem”.

  • Cyber Essentials has been mandated for certain central government contracts since 1 October 2014, and supply chain flow-down is common. (gov.uk)
  • NHS and healthcare procurement often references Cyber Essentials and/or Cyber Essentials Plus expectations alongside DSPT, and suppliers may be asked to evidence compliance as part of supply chain risk management. (supplychain.nhs.uk)

So the operational risk is bigger than “we might fail the audit”. It can become:

  • delayed onboarding with a prime contractor
  • extended procurement cycles
  • lost revenue because you cannot evidence readiness when asked

The most common v3.3 MFA pitfalls (and how to avoid them)

MFA is enabled, but legacy authentication still works

If older sign-in methods are still allowed, users (or attackers) can sometimes avoid MFA entirely. For Microsoft-centric environments, this is usually solved through modern identity configuration and consistent enforcement, not user training.

What to do:

  • Identify legacy sign-in paths and disable them where possible
  • Ensure enforcement applies to all users, including service and admin accounts
  • Document exceptions clearly and remove them aggressively

Admin accounts are not separated or consistently protected

In SMBs, IT admins often use one account for everything. Under audit scrutiny, that becomes a predictable weak point: higher privilege must mean higher assurance.

What to do:

  • Separate privileged accounts from day-to-day accounts
  • Enforce strong MFA for privileged access first
  • Reduce standing privilege where you can
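The two pitfalls above (legacy authentication still accepted, and admin accounts not consistently protected) usually come down to how identity policies are configured rather than whether they exist. The following is an added example, not SecQube's tooling or an assessor's script: it reviews an exported set of Conditional Access policies and reports whether legacy client types are actually blocked, whether MFA is required for a privileged role across all apps, and which accounts are excluded and so belong in the exception register. The policy objects use the field names of a Microsoft Graph `conditionalAccessPolicy` export, but the policies, the role id and the app id are constructed placeholders.

```python
"""Review an exported set of Conditional Access policies for two of the
pitfalls above: legacy authentication still allowed, and privileged roles
not consistently required to use MFA.

Added example, not SecQube's or any assessor's tooling. Policy objects use
the field names of a Microsoft Graph conditionalAccessPolicy export; the
policies below are constructed for illustration.
"""

# Graph clientAppTypes values that represent legacy authentication clients.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}

# Placeholder for a privileged directory role id (constructed; a real review
# would use the tenant's own role template ids).
PRIVILEGED_ROLE_ID = "role-id-placeholder-global-admin"


def _enforced(policy):
    # Only "enabled" policies block or require anything; report-only does not.
    return policy.get("state") == "enabled"


def _users(policy):
    return policy.get("conditions", {}).get("users", {})


def _all_apps(policy):
    apps = policy.get("conditions", {}).get("applications", {})
    return "All" in apps.get("includeApplications", [])


def _controls(policy):
    return set(policy.get("grantControls", {}).get("builtInControls", []))


def blocks_legacy_auth(policies):
    """True if an enforced policy blocks every legacy client type, for all users and apps."""
    for p in policies:
        client_types = set(p.get("conditions", {}).get("clientAppTypes", []))
        if (_enforced(p) and "All" in _users(p).get("includeUsers", []) and _all_apps(p)
                and LEGACY_CLIENT_APP_TYPES <= client_types and "block" in _controls(p)):
            return True
    return False


def requires_mfa_for_role(policies, role_id):
    """True if an enforced policy requires MFA for the role (or all users) across all apps."""
    for p in policies:
        users = _users(p)
        covers_role = "All" in users.get("includeUsers", []) or role_id in users.get("includeRoles", [])
        if _enforced(p) and covers_role and _all_apps(p) and "mfa" in _controls(p):
            return True
    return False


def excluded_accounts(policies):
    """Accounts excluded from enforced policies: candidates for the exception register."""
    excluded = set()
    for p in policies:
        if _enforced(p):
            excluded.update(_users(p).get("excludeUsers", []))
    return sorted(excluded)


def review(policies):
    return {
        "legacy_auth_blocked": blocks_legacy_auth(policies),
        "admin_mfa_enforced": requires_mfa_for_role(policies, PRIVILEGED_ROLE_ID),
        "excluded_accounts": excluded_accounts(policies),
    }


# Constructed "before" tenant: the right policies exist but are not enforced consistently.
WEAK_POLICIES = [
    {   # left in report-only mode, so legacy sign-ins still succeed
        "displayName": "Block legacy authentication",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {"users": {"includeUsers": ["All"]},
                       "applications": {"includeApplications": ["All"]},
                       "clientAppTypes": ["exchangeActiveSync", "other"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # admins get MFA for one app only; admin actions elsewhere are unprotected
        "displayName": "Require MFA for admins (one portal)",
        "state": "enabled",
        "conditions": {"users": {"includeRoles": [PRIVILEGED_ROLE_ID]},
                       "applications": {"includeApplications": ["app-id-placeholder"]},
                       "clientAppTypes": ["all"]},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

# Constructed "after" tenant: both policies enforced for all apps, one documented break-glass exclusion.
HARDENED_POLICIES = [
    {
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["breakglass@example.test"]},
                       "applications": {"includeApplications": ["All"]},
                       "clientAppTypes": ["exchangeActiveSync", "other"]},
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {
        "displayName": "Require MFA for privileged roles",
        "state": "enabled",
        "conditions": {"users": {"includeRoles": [PRIVILEGED_ROLE_ID]},
                       "applications": {"includeApplications": ["All"]},
                       "clientAppTypes": ["all"]},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]

if __name__ == "__main__":
    print("before:", review(WEAK_POLICIES))
    print("after: ", review(HARDENED_POLICIES))
```

The "before" set fails on both checks even though both policies are present: one is in report-only mode, the other only covers a single application. The "after" set passes, and the break-glass exclusion surfaces in `excluded_accounts`, which is exactly the kind of entry that needs an owner and an expiry date in the exception register.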

SaaS sprawl breaks your assurance story

If teams can self-provision tools using corporate email, you will struggle to prove enforcement across “all technically feasible systems”.

What to do this week:

  • Build a SaaS register from finance, browser history, SSO logs, and password manager inventories
  • Prioritise “data-bearing” services first (client data, patient data, credentials, financial approvals)
  • Standardise access via SSO wherever possible, so MFA enforcement is consistent

A practical rule for executives: if a platform can trigger payments, expose personal data, or administer other systems, treat it as “MFA must be enforced” by default.

A fast, executive-friendly action plan before 27 April 2026

If you want to reduce audit surprises, focus on three outcomes: coverage, enforcement, and proof.

Confirm your assessment timing and freeze your scope decisions

  • If your assessment account will be created on or after 27 April 2026, assume v3.3 applies. (iasme.co.uk)
  • Confirm which parts of the business are in scope and align procurement timelines accordingly.

Move from “MFA is available” to “MFA is enforced”

  • Ensure MFA is required for Microsoft 365 access and administrative actions.
  • Extend the same expectation to other SaaS platforms that store or process organisational data. (ct.co.uk)

Make unmanaged device access a conscious design choice

If BYOD is part of your operating model, decide how you will control it:

  • Restrict access to browser-only for certain services
  • Enforce session controls and sign-in risk rules where available
  • Consider virtualised desktops for high-risk roles or contractors
  • Require managed devices for privileged activity

The key is showing the auditor that the control works in practice, not just on paper.

Prepare your evidence pack before the auditor asks for it

Typical artefacts include:

  • screenshots or exports showing MFA enforcement per platform
  • lists of cloud services in use and how they authenticate
  • administrative account inventory and protection model
  • exception register with owners and expiry dates
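Two of these artefacts, the list of cloud services in use and per-platform proof of MFA enforcement, can be produced from the same SSO sign-in export that the SaaS register section above suggests mining. The following is an added example, not SecQube code: it reads a sign-in log export, builds an app register (which accounts reached which app), computes per-app MFA coverage, and lists sign-ins that arrived through legacy client protocols or were satisfied by a single factor. The field names (`appDisplayName`, `userPrincipalName`, `clientAppUsed`, `authenticationRequirement`) follow Microsoft Entra sign-in log exports; the sample lines are constructed, and the split of `clientAppUsed` values into modern and legacy is a simplification.

```python
"""Turn a sign-in log export into three of the evidence artefacts listed above:
a register of cloud apps reached with corporate accounts, per-app MFA coverage,
and sign-ins that arrived through legacy client protocols.

Added example, not SecQube code. Field names follow Microsoft Entra sign-in
log exports; the sample lines are constructed and the modern/legacy split of
clientAppUsed values is a simplification.
"""
import json
from collections import defaultdict

# clientAppUsed values treated as modern authentication; everything else is
# treated as a legacy protocol for this review.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed JSON Lines export (no real tenant data).
SAMPLE_EXPORT = """\
{"appDisplayName": "Office 365 Exchange Online", "userPrincipalName": "alice@example.test", "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication"}
{"appDisplayName": "Office 365 Exchange Online", "userPrincipalName": "bob@example.test", "clientAppUsed": "IMAP4", "authenticationRequirement": "singleFactorAuthentication"}
{"appDisplayName": "Payroll Portal (SSO)", "userPrincipalName": "carol@example.test", "clientAppUsed": "Browser", "authenticationRequirement": "multiFactorAuthentication"}
{"appDisplayName": "Payroll Portal (SSO)", "userPrincipalName": "alice@example.test", "clientAppUsed": "Browser", "authenticationRequirement": "singleFactorAuthentication"}
{"appDisplayName": "Expense Tool (SSO)", "userPrincipalName": "dave@example.test", "clientAppUsed": "Mobile Apps and Desktop clients", "authenticationRequirement": "multiFactorAuthentication"}
"""


def parse_export(text):
    """Parse a JSON Lines export, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def app_register(events):
    """App name -> sorted list of corporate accounts that signed in to it."""
    users = defaultdict(set)
    for e in events:
        users[e["appDisplayName"]].add(e["userPrincipalName"])
    return {app: sorted(u) for app, u in sorted(users.items())}


def mfa_coverage(events):
    """App name -> (sign-ins that satisfied MFA, total sign-ins)."""
    counts = defaultdict(lambda: [0, 0])
    for e in events:
        c = counts[e["appDisplayName"]]
        c[1] += 1
        if e["authenticationRequirement"] == "multiFactorAuthentication":
            c[0] += 1
    return {app: tuple(c) for app, c in sorted(counts.items())}


def legacy_signins(events):
    """(user, app, client) for sign-ins over non-modern clients."""
    return [(e["userPrincipalName"], e["appDisplayName"], e["clientAppUsed"])
            for e in events if e["clientAppUsed"] not in MODERN_CLIENTS]


def single_factor_signins(events):
    """(user, app) for sign-ins where only one factor was required: enforcement gaps."""
    return [(e["userPrincipalName"], e["appDisplayName"])
            for e in events if e["authenticationRequirement"] != "multiFactorAuthentication"]


def summarise(text):
    """One evidence summary from an export: register, coverage, and the two gap lists."""
    events = parse_export(text)
    return {
        "register": app_register(events),
        "mfa_coverage": mfa_coverage(events),
        "legacy": legacy_signins(events),
        "single_factor": single_factor_signins(events),
    }


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```

On the constructed sample, the payroll portal shows MFA on only one of two sign-ins and one mailbox sign-in arrived over IMAP4 without MFA, which is the "enabled but not enforced" situation the article describes. Note the blind spot: only services federated through SSO appear in this export, so services reached with a separate password never show up here, which is why the register also has to be cross-checked against finance records, browser history and the password manager inventory.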

Where SecQube fits: making enforcement measurable, not merely stated

For SMBs and managed service providers, the hardest part of v3.3 is often operational: maintaining consistent enforcement, detecting drift, and ensuring the SOC can respond quickly when identity controls surface new alerts.

SecQube’s cloud-native SOC platform is designed for Microsoft security environments, helping teams triage and manage incidents faster with Harvey®, a conversational AI assistant, while supporting a controlled, tenant-respecting security operations approach. If you need to reduce investigation time and improve consistency without expanding headcount, you can explore SecQube’s approach and request a trial via the main site. (secqube.com)

Key takeaway for decision-makers

Cyber Essentials Plus v3.3 makes MFA less of a checkbox and more of an operational control test.

If your cloud estate has grown faster than your identity governance, treat the period before 27 April 2026 as your window to simplify: consolidate sign-in, standardise enforcement, and build an evidence trail that stands up under audit.


   

   

Written By:
Cymon Skinner