Skip to contentAbout Fig Group
Compliance

Cyber Essentials v3.3 MFA Requirement: What You Need to Know

The v3.3 update to Cyber Essentials makes multi-factor authentication mandatory for all user accounts. Here is what changed, who is affected, and how to comply.

Author

Jay Hopkins

Editor

Edited by Jack Wickham

Published

Last reviewed

Read time

9 min read

Share

Section 01

Cyber Essentials v3.3 MFA Requirement: What You Need to Know

The Cyber Essentials Requirements were updated to version 3.3 on 28 April 2026, and the single biggest change is the mandatory multi-factor authentication (MFA) requirement. This applies to all user accounts accessing organisational data or services - no exceptions.

This article explains what changed, who is affected, and how to ensure your organisation complies.

Section 02

What Changed in v3.3?

Prior to v3.3, MFA was recommended but only mandatory for certain account types, primarily administrator accounts and cloud service accounts. The v3.3 update removes this distinction entirely.

Under v3.3, MFA is mandatory for every user account in scope. This includes:

  • Email accounts
  • Cloud platform accounts (Microsoft 365, Google Workspace, AWS, Azure, etc.)
  • Remote access (VPN, remote desktop, SSH)
  • Administrative accounts
  • Standard user accounts accessing organisational data
  • Service accounts with interactive login capability

There are no exemptions. If an account can be used to access organisational data or services, it must have MFA enabled.

Section 03

Why Did This Change?

Credential theft remains one of the most common attack vectors. The NCSC has consistently found that compromised passwords account for a significant proportion of successful cyber attacks against UK organisations. MFA dramatically reduces the risk of account compromise - even if a password is stolen, the attacker cannot access the account without the second factor.

The move to mandatory MFA reflects a broader industry trend. Microsoft, Google, and other major platforms have already implemented mandatory MFA for administrator accounts. The NCSC is extending this requirement to all accounts under the Cyber Essentials scheme.

Section 04

What Counts as MFA?

Acceptable MFA methods under v3.3 include:

  • Authenticator apps (Microsoft Authenticator, Google Authenticator, Authy) - Generates a time-based one-time password (TOTP) on a separate device
  • Hardware security keys (YubiKey, FIDO2 keys) - Physical device that must be present during login
  • Push notifications - Sent to a registered device for approval
  • SMS one-time codes - Sent via text message (accepted but not recommended by NCSC due to SIM-swapping risks)
  • Biometric verification - Fingerprint or facial recognition as a second factor

Not acceptable as MFA:

  • Security questions (these are knowledge-based, same as passwords)
  • Email-based verification codes sent to the same device
  • "Remember this device" settings that bypass MFA indefinitely

Section 05

Common Compliance Challenges

Legacy systems without MFA support - Some older applications and systems do not support MFA natively. For these, you have two options: upgrade or decommission the system, or place it behind an MFA-protected gateway (such as a VPN or identity provider that enforces MFA before granting access).

BYOD devices - If employees use personal devices to access organisational data, those accounts must have MFA enabled. This is a scope issue that catches many organisations - if the device accesses work email or cloud storage, it is in scope.

Shared accounts - v3.3 does not permit shared accounts as a way to avoid MFA. Each user must have an individual account with MFA enabled. If you currently use shared accounts, you will need to transition to individual accounts before certification.

Service accounts - Automated service accounts that do not have interactive login capability are not required to have MFA. However, service accounts that can be used for interactive login must have MFA enabled or be converted to non-interactive accounts.

Section 06

How to Prepare

1. Audit all accounts in scope - Identify every account that accesses organisational data or services. Include cloud platforms, email, VPN, and any SaaS applications.

2. Enable MFA on all accounts - Work through your account inventory and enable MFA for each one. Microsoft 365 and Google Workspace both support organisation-wide MFA enforcement through admin policies.

3. Choose the right MFA method - Authenticator apps and hardware keys are the most secure options. SMS is acceptable but carries higher risk. Choose based on your organisation's risk appetite and user capability.

4. Test before certifying - After enabling MFA, verify that all users can successfully log in with their second factor. MFA rollouts sometimes cause access issues that need resolving before assessment.

5. Use the readiness checker - Fig's Cyber Essentials readiness checker includes specific questions about MFA deployment to help you identify gaps.

Section 07

Impact on Certification Timeline

If your organisation already has MFA deployed across all accounts, the v3.3 update should not delay your certification. If you need to roll out MFA, allow 1-2 weeks for deployment and user training before attempting certification.

For organisations ready to certify, Fig offers same-day Cyber Essentials certification for orders placed before midday.

Section 08

What we are seeing since v3.3 took effect

v3.3 has been the live standard since 28 April 2026. In the assessments we have run since, the mandatory MFA requirement is now the single most common reason a first submission needs correction - and it is almost always the same handful of blind spots rather than a wholesale failure:

  • Shared mailboxes and generic accounts (info@, accounts@) that staff log into directly. Under v3.3 these need individual, MFA-protected access or conversion to a properly delegated shared mailbox.
  • Bring-your-own-device access to work email or cloud storage that was never brought into scope. If a personal phone reaches organisational data, that account is in scope and needs MFA.
  • Legacy VPNs and line-of-business apps that predate MFA support. The fix is to place them behind an identity provider that enforces MFA, not to exempt them.
  • "Remember this device" exceptions left switched on indefinitely, which an assessor will treat as bypassing MFA.

None of these are difficult to fix, but they are easy to miss - which is exactly why the readiness checker screens for them before you submit.

Section 09

MFA methods compared

All of the following are acceptable under v3.3, but the NCSC's preference order matters when you are deciding what to roll out:

MFA methodStrengthv3.3 acceptableNotes
Hardware security key (FIDO2, YubiKey)StrongestYesPhishing-resistant; best for admin accounts
Authenticator app (TOTP or push)StrongYesThe practical default for most organisations
Biometric second factorStrongYesConvenient where device-backed
SMS one-time codeWeakerYesAccepted but not recommended (SIM-swap risk)
Security questionsNot MFANoKnowledge-based, same category as a password
Email code to the same deviceNot MFANoDoes not provide a genuine second factor

Section 10

Frequently asked questions

Is MFA mandatory for Cyber Essentials?

Yes. Since v3.3 took effect on 28 April 2026, multi-factor authentication is mandatory for every user account in scope, with no exemptions for standard user accounts.

Does Cyber Essentials require MFA on all accounts?

Yes. v3.3 removed the previous distinction that limited mandatory MFA to administrator and cloud accounts. Any account that can access organisational data or services must have MFA enabled.

What counts as MFA for Cyber Essentials v3.3?

Authenticator apps, hardware security keys, push notifications, and biometrics are all acceptable. SMS one-time codes are accepted but not recommended. Security questions and email codes sent to the same device do not count.

Is SMS acceptable as MFA for Cyber Essentials?

Yes, SMS one-time codes are still accepted under v3.3, but the NCSC does not recommend them because of SIM-swapping risk. Where you can, use an authenticator app or hardware key instead.

Do service accounts need MFA under v3.3?

Only if they have interactive login capability. Automated, non-interactive service accounts are out of scope for MFA; a service account a person can log into must have MFA enabled or be converted to non-interactive.

Will the v3.3 MFA requirement delay my certification?

Only if MFA is not already deployed. If your accounts already enforce MFA, v3.3 adds no delay. If you need to roll it out, allow 1-2 weeks for deployment and user testing before you certify.

Ready to certify against v3.3? Fig issues Cyber Essentials from £299.99 + VAT with same-day turnaround for compliant submissions, and Cyber Essentials Plus if your buyer requires the independently audited tier.

About the author

Jay Hopkins

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials AssessorIASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.

Next step

Want to see how Fig handles this?

Explore how Fig automates compliance mapping, evidence collection, and framework alignment across 65+ standards.

Request a demo

Related solutions

Continue exploring Fig