Cyber Essentials v3.3 Is Live Today: What It Means for Your Backup and Insurance Standing

Cyber Essentials v3.3 takes effect today, 27 April 2026. If you're due to renew your certification — or your cyber insurance — there are some changes worth understanding before you submit anything.

This isn't a minor update. Three changes in particular have a direct bearing on how backup and recovery fit into your certification and your insurability.

MFA Is Now an Auto-Fail — No Exceptions

Under v3.3, if multi-factor authentication is available on a service and you're not enforcing it, you fail the assessment outright. Not a partial mark, not a note in the report — an automatic failure.

This matters for backup because cloud backup portals, admin consoles, and management platforms all count. If your backup solution has an admin interface accessible over the internet and MFA isn't switched on, that's a fail. So is your Microsoft 365 tenant if you've left any accounts without it.

The practical implication: check every account with access to your backup environment. Admin accounts, service accounts, shared logins — all of them. If MFA is available and not enforced, fix it before you submit your self-assessment.

Cloud Services Are Now In Scope — Including Your SaaS Tools

One of the more significant changes in v3.3 is that you can no longer exclude cloud services from your Cyber Essentials scope. Previously, some organisations drew a tight boundary around their on-premises systems and left Microsoft 365, SharePoint, or other SaaS tools out of the picture. That's no longer acceptable.

This change exposes something a lot of SMBs have quietly overlooked: most Microsoft 365 tenants have no independent backup. Microsoft's built-in retention policies are not the same as a recoverable backup, and assessors are now looking at cloud services as part of your overall security posture.

If your Microsoft 365 data — emails, SharePoint files, Teams conversations — isn't backed up to an independent location with a tested recovery process, that gap is now visible. It won't necessarily cause a direct certification failure on its own, but it signals a weakness that assessors and insurers will notice.

Your Cyber Insurance Is Tied to This More Tightly Than You Think

Here's where it gets commercially important. Cyber insurers have been quietly tightening their underwriting criteria for the past two years, and they're increasingly aligned with Cyber Essentials controls.

In 2024, 82% of denied claims involved organisations that hadn't fully implemented MFA. That figure isn't from an obscure report — it's showing up in insurer communications and broker conversations across the UK market. Insurers aren't just asking whether you have Cyber Essentials; they're asking whether you've implemented the controls it covers, and they're cross-checking what you've attested to.

On top of that, documented backup restore tests are now a standard requirement for cyber insurance renewal. Not just a backup — evidence that you've tested recovery within the last 12 months. If you can't show that, some insurers won't quote at all. Others will offer cover with significant exclusions or higher excesses.

The 14-day patching deadline introduced in v3.3 for critical vulnerabilities mirrors what most insurers have already been demanding. It's a signal that the two frameworks — certification and insurance — are converging. Failing one increasingly affects the other.

The Free Insurance Included With Certification Is Only Worth Something If Your Controls Stack Up

For UK businesses with a turnover under £20 million, achieving Cyber Essentials Basic comes with £25,000 of free cyber liability insurance included. That sounds useful, and in some circumstances it is.

But that cover is only as good as what you've attested to on your application. If you tick the boxes, get the certificate, and then have an incident that reveals your backup wasn't tested, your cloud services weren't properly protected, or your MFA claims weren't accurate — don't expect the claim to go smoothly.

Insurance works when your actual controls match what you said they were. The certification is a starting point, not a substitute for having the right things in place.

What to Do If You're Renewing Certification or Insurance This Year

A few practical steps worth taking now:

  • Audit MFA across every account that touches cloud services, backup systems, and admin portals — enforce it where it's available
  • Check whether your Microsoft 365 data is independently backed up, not just subject to Microsoft's default retention settings
  • Document your last restore test — when it happened, what was restored, and what the outcome was; if you can't find that record, run a test and record it properly
  • Review your insurance renewal questionnaire against your actual controls, not what you intend to have in place

v3.3 isn't designed to catch people out. It's designed to reflect the reality of how businesses use technology now — and most businesses use cloud services heavily. The question is whether your backup and recovery controls keep up with that reality.


IronFell manages backup for Microsoft 365, cloud services, and on-premises systems — and we provide documented restore testing as part of the service. If you're preparing for a Cyber Essentials renewal or an insurance review, we can help you close the gaps. Get in touch with IronFell — no jargon, no hard sell.

