Cyber Essentials v3.3: Here's What Scottish SMEs Need to Know in 2026
- Innovec

- 7 days ago
Cyber Essentials has changed. Learn what this means for your business.
The updated Cyber Essentials standard, v3.3, went live on 27 April 2026. If you're due to certify or renew, these are the requirements you'll now be assessed against, and they're meaningfully more demanding than before.

For many SMEs, particularly those that have coasted through previous certifications, this renewal will require real preparation work.
You must now consider that:
MFA is no longer optional. If a cloud service supports multi-factor authentication, it must be enabled. Free, paid, or bundled, it doesn't matter. If MFA is available and not switched on, the assessment will automatically fail. For most businesses on Microsoft 365 this is partly in place already, but it's worth checking every cloud tool your team uses, not just email.
Cloud services are now fully in scope. Cloud services can no longer be excluded from a Cyber Essentials assessment. If a service stores or processes your organisation's data, it falls within scope. That includes your CRM, accounting software, file storage, and HR platform. Businesses that have historically scoped these out will need to revisit that approach entirely, and for most organisations that means a significantly broader assessment than previous years.
Before you come to us, here's what you can do yourself:
The preparation work is real, but none of it requires technical expertise. Go through every cloud tool your team uses and enable MFA on all accounts. Make sure software across all devices is updating automatically. Check who holds admin access and tighten it to only those who genuinely need it. The more of this you have in order before assessment, the smoother the process will be, but don't underestimate how much ground there may be to cover if your environment has grown over the years.
Which certification level does your sector typically need?
| Sector | Typical level | Why |
| --- | --- | --- |
| Accountancy and finance | Cyber Essentials Plus | Financial services hold sensitive banking and investment information and are a prime target; clients and investors increasingly ask for evidence of the higher standard as part of due diligence. |
| Architecture and engineering | Cyber Essentials | Standard certification is usually sufficient unless bidding for public sector or government-funded contracts, where Plus may be stipulated. |
| Estate agents and property | Cyber Essentials | Standard covers most requirements; Plus worth considering if handling high volumes of client financial data or working within larger supply chains. |
| Recruitment | Cyber Essentials | Standard is typically adequate; Plus advisable if working with regulated clients or larger enterprise supply chains. |
| Construction | Cyber Essentials | Public sector contracts increasingly require Cyber Essentials Plus, and private sector supply chains are following the same model. |
| Charities and third sector | Cyber Essentials | Many funders and grant-making bodies require active certification. Standard CE meets most requirements, though specific funders may stipulate Plus. |
Cyber Essentials certification is one of the most practical steps your business can take to demonstrate that security foundations are solid.
If you're preparing for certification or renewal, or want to understand how to get started, get in touch and we'll work through it with you.