Does Cyber Essentials require a VPN?
Not directly. Cyber Essentials does not mandate a VPN, but under v3.3 any remote access to internal systems must use multi-factor authentication and strong encryption. A VPN is one common way to meet that requirement; it is not the only way.
What v3.3 actually requires for remote access
- MFA on all remote access paths to corporate systems and cloud services in scope.
- No direct exposure of internal services (RDP, management interfaces, file servers) to the public internet.
- Strong encryption (TLS 1.2+, or equivalent).
- Phishing-resistant MFA for admin accounts when accessing admin functions remotely.
See the User Access Control pillar guide for the full detail.
Where a VPN is a good solution
- Accessing on-premises servers or file shares from outside the office.
- Presenting a consistent egress IP for allow-listing.
- Protecting traffic on untrusted networks.
- Legacy applications that assume a trusted LAN.
A well-configured VPN with MFA satisfies the remote-access control cleanly.
Where a VPN is not needed
Cloud-first organisations that access all corporate services through Microsoft 365, Google Workspace, or SaaS tools - with identity-provider MFA enforced via Conditional Access - meet the v3.3 remote-access bar without a VPN at all. The identity provider becomes the enforcement point rather than the network boundary.
This is increasingly common for:
- SaaS SMEs with no internal infrastructure
- Fully remote-first businesses using Zero Trust / conditional-access patterns
- Organisations that have already retired legacy LAN-dependent applications
Where Zero Trust / Conditional Access replaces the VPN
Microsoft Entra ID Conditional Access, Okta, and Google Workspace Context-Aware Access can enforce:
- MFA per sign-in
- Device-compliance requirement (MDM-enrolled, encrypted, patched)
- Risk-based blocks for unusual locations or impossible travel
- Phishing-resistant MFA for admin roles
Configured properly, this provides stronger authentication and authorisation than a traditional VPN with a shared password plus one-time code. IASME assessors accept it as a full substitute for the remote-access control.
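As an added illustration (not code from the article or from any of the vendors named), the following Python check reads Conditional Access policies exported in the Microsoft Graph JSON shape and reports whether the set meets the three expectations listed above: MFA for every user, a compliant-device requirement, and phishing-resistant MFA for admin roles. The sample policies are constructed, and the Global Administrator role template id and the built-in phishing-resistant authentication-strength id are assumptions recorded in the code; a report-only policy is deliberately not counted as enforcement.

```python
from __future__ import annotations
# Added example, not from the article. Policies are constructed samples in the
# shape Microsoft Graph returns from GET /identity/conditionalAccess/policies.
GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"  # Entra role template id (assumed)
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"  # built-in strength id (assumed)
SAMPLE_POLICIES = [
    {
        "displayName": "All users: MFA and compliant device",
        "state": "enabled",
        "conditions": {"users": {"includeUsers": ["All"], "includeRoles": []},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "AND",
                          "builtInControls": ["mfa", "compliantDevice"]},
    },
    {
        "displayName": "Admins: phishing-resistant MFA",
        "state": "enabledForReportingButNotEnforced",  # report-only, so not enforced
        "conditions": {"users": {"includeUsers": [], "includeRoles": [GLOBAL_ADMIN_ROLE]},
                       "applications": {"includeApplications": ["All"]}},
        "grantControls": {"operator": "AND", "builtInControls": [],
                          "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}},
    },
]

def required_controls(policy: dict) -> tuple[set, str | None]:
    """Controls guaranteed on every matching sign-in (OR with several controls guarantees none)."""
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls") or [])
    if grant.get("operator") == "OR" and len(controls) > 1:
        controls = set()
    strength = (grant.get("authenticationStrength") or {}).get("id")
    return controls, strength

def check_remote_access_bar(policies: list[dict]) -> dict[str, bool]:
    """Report which of the three expectations the enabled, tenant-wide policies meet."""
    result = {"all_users_mfa": False, "all_users_compliant_device": False,
              "admin_phishing_resistant_mfa": False}
    for p in policies:
        apps = p.get("conditions", {}).get("applications", {})
        if p.get("state") != "enabled" or "All" not in apps.get("includeApplications", []):
            continue  # report-only, disabled and app-scoped policies do not count
        users = p["conditions"].get("users", {})
        controls, strength = required_controls(p)
        if "All" in users.get("includeUsers", []):
            result["all_users_mfa"] |= "mfa" in controls or strength is not None
            result["all_users_compliant_device"] |= "compliantDevice" in controls
        if GLOBAL_ADMIN_ROLE in users.get("includeRoles", []):
            result["admin_phishing_resistant_mfa"] |= strength == PHISHING_RESISTANT_MFA
    return result
```

Run against the samples, the admin check fails because the second policy is still in report-only mode; switching it to "enabled" is what turns the finding green.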
VPN rules that still apply to remote workers
Regardless of whether a VPN is in place:
- Home-office routers are in scope under v3.3 (default passwords changed, firmware current).
- MFA on email and cloud services is required for everyone.
- Admin accounts require phishing-resistant MFA.
See Cyber Essentials for remote and hybrid workforces for the complete remote-work scope.
Bottom line
Cyber Essentials does not require a VPN. It requires MFA and strong encryption on any remote-access path, and no direct internet exposure of internal services. A VPN is one way to meet that; identity-provider-enforced Conditional Access is another. Both pass the v3.3 assessment cleanly.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.