Cyber Essentials v3.3 MFA Requirement: What You Need to Know
The v3.3 update to Cyber Essentials makes multi-factor authentication mandatory for all user accounts. Here is what changed, who is affected, and how to comply.
The Cyber Essentials Requirements were updated to version 3.3 on 28 April 2026, and the single biggest change is the mandatory multi-factor authentication (MFA) requirement. This applies to all user accounts accessing organisational data or services - no exceptions.
This article explains what changed, who is affected, and how to ensure your organisation complies.
What Changed in v3.3?
Prior to v3.3, MFA was recommended but only mandatory for certain account types, primarily administrator accounts and cloud service accounts. The v3.3 update removes this distinction entirely.
Under v3.3, MFA is mandatory for every user account in scope. This includes:
- Email accounts
- Cloud platform accounts (Microsoft 365, Google Workspace, AWS, Azure, etc.)
- Remote access (VPN, remote desktop, SSH)
- Administrative accounts
- Standard user accounts accessing organisational data
- Service accounts with interactive login capability
There are no exemptions. If an account can be used to access organisational data or services, it must have MFA enabled.
Why Did This Change?
Credential theft remains one of the most common attack vectors. The NCSC has consistently found that compromised passwords account for a significant proportion of successful cyber attacks against UK organisations. MFA dramatically reduces the risk of account compromise - even if a password is stolen, the attacker cannot access the account without the second factor.
The move to mandatory MFA reflects a broader industry trend. Microsoft, Google, and other major platforms have already implemented mandatory MFA for administrator accounts. The NCSC is extending this requirement to all accounts under the Cyber Essentials scheme.
What Counts as MFA?
Acceptable MFA methods under v3.3 include:
- Authenticator apps (Microsoft Authenticator, Google Authenticator, Authy) - Generate a time-based one-time password (TOTP) on a separate device
- Hardware security keys (YubiKey, FIDO2 keys) - Physical device that must be present during login
- Push notifications - Sent to a registered device for approval
- SMS one-time codes - Sent via text message (accepted but not recommended by NCSC due to SIM-swapping risks)
- Biometric verification - Fingerprint or facial recognition as a second factor
Not acceptable as MFA:
- Security questions (these are knowledge-based, same as passwords)
- Email-based verification codes sent to the same device
- "Remember this device" settings that bypass MFA indefinitely
Common Compliance Challenges
Legacy systems without MFA support - Some older applications and systems do not support MFA natively. For these, you have two options: upgrade or decommission the system, or place it behind an MFA-protected gateway (such as a VPN or identity provider that enforces MFA before granting access).
BYOD devices - If employees use personal devices to access organisational data, those accounts must have MFA enabled. This is a scope issue that catches many organisations - if the device accesses work email or cloud storage, it is in scope.
Shared accounts - v3.3 does not permit shared accounts as a way to avoid MFA. Each user must have an individual account with MFA enabled. If you currently use shared accounts, you will need to transition to individual accounts before certification.
Service accounts - Automated service accounts that do not have interactive login capability are not required to have MFA. However, service accounts that can be used for interactive login must have MFA enabled or be converted to non-interactive accounts.
How to Prepare
1. Audit all accounts in scope - Identify every account that accesses organisational data or services. Include cloud platforms, email, VPN, and any SaaS applications.
2. Enable MFA on all accounts - Work through your account inventory and enable MFA for each one. Microsoft 365 and Google Workspace both support organisation-wide MFA enforcement through admin policies.
3. Choose the right MFA method - Authenticator apps and hardware keys are the most secure options. SMS is acceptable but carries higher risk. Choose based on your organisation's risk appetite and user capability.
4. Test before certifying - After enabling MFA, verify that all users can successfully log in with their second factor. MFA rollouts sometimes cause access issues that need resolving before assessment.
5. Use the readiness checker - Fig's Cyber Essentials readiness checker includes specific questions about MFA deployment to help you identify gaps.
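The scoping rules from the compliance challenges above and the audit step in the preparation list can be turned into a repeatable check over an account inventory. The script below is an added example written for this article, not Fig's readiness checker or any vendor tool; the account fields and the inventory entries are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Second factors the article lists as acceptable; SMS is accepted but higher risk.
STRONG = {"authenticator_app", "hardware_key", "push", "biometric"}
WEAK = {"sms"}

@dataclass
class Account:
    name: str
    interactive_login: bool          # can a person sign in with it?
    accesses_org_data: bool          # email, cloud storage, VPN, SaaS, etc.
    shared: bool                     # used by more than one person
    mfa_method: Optional[str]        # None = no second factor configured
    remember_device_days: Optional[int] = 0  # 0 = off, None = indefinite bypass

def in_scope(acct: Account) -> bool:
    """v3.3 scope: any interactive account that can reach organisational data."""
    return acct.accesses_org_data and acct.interactive_login

def assess(acct: Account) -> list[str]:
    """Return the compliance gaps for one account (empty list = compliant)."""
    if not in_scope(acct):
        return []  # non-interactive service accounts need no MFA
    gaps = []
    if acct.shared:
        gaps.append("shared account: move to individual accounts")
    if acct.mfa_method in STRONG:
        pass
    elif acct.mfa_method in WEAK:
        gaps.append("sms: accepted but not recommended (SIM-swapping risk)")
    else:
        gaps.append(f"no acceptable second factor ({acct.mfa_method})")
    if acct.remember_device_days is None:
        gaps.append("'remember this device' has no expiry: indefinite MFA bypass")
    return gaps

def gap_report(accounts: list[Account]) -> dict[str, list[str]]:
    """Map each in-scope account with at least one gap to its findings."""
    return {a.name: g for a in accounts if (g := assess(a))}

# Constructed sample inventory (hypothetical names, not real accounts).
INVENTORY = [
    Account("alice@example.org", True, True, False, "authenticator_app"),
    Account("bob@example.org", True, True, False, "sms"),
    Account("reception@example.org", True, True, True, None),
    Account("svc-backup", False, True, False, None),  # non-interactive, out of scope
    Account("carol@example.org", True, True, False, "push", remember_device_days=None),
    Account("legacy-app-admin", True, True, False, "security_questions"),
]

if __name__ == "__main__":
    for name, gaps in gap_report(INVENTORY).items():
        print(name, "->", "; ".join(gaps))
```

Feeding it a real export (for example a CSV of users and their registered authentication methods) gives the account-by-account gap list the audit step asks for.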
Impact on Certification Timeline
If your organisation already has MFA deployed across all accounts, the v3.3 update should not delay your certification. If you need to roll out MFA, allow 1-2 weeks for deployment and user training before attempting certification.
For organisations ready to certify, Fig offers same-day Cyber Essentials certification for orders placed before midday.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.