6 July 2026
Cyber Essentials v3.3 — codenamed Denzil — introduced some of the most significant changes to the scheme in years. Here's what changed, what it means for your business, and how to stay compliant.
Cyber Essentials v3.3, codenamed Denzil, came into effect in April 2025 and is now the current standard against which all assessments are conducted. If you were assessed under an earlier version — or started preparing under Montpelier (v3.1) or Willow (v3.2) — there are several important changes you need to know about before you apply.
This is the single most impactful change in Denzil for most small businesses. Under previous versions, multi-factor authentication (MFA) was strongly recommended for all accounts but explicitly mandatory only for administrator accounts. Under v3.3, MFA is mandatory for every user account that can access cloud services or use remote access — with no exceptions.
In practice, this means: if any standard employee can log into Microsoft 365, Google Workspace, or any other cloud service with just a username and password, your organisation will fail the assessment. The requirement applies to all in-scope accounts across all cloud services and all remote access methods.
Under Denzil, firmware updates are explicitly included in the patch management control for the first time. This means that routers, firewalls, switches, and other network devices must have their firmware kept up to date — within the 14-day window for critical updates, and within a 'reasonable' period for all other updates.
For many small businesses, this is overlooked. The router provided by your ISP or a cheap managed switch may not receive regular firmware updates at all — or you may not know when updates are available. Under Denzil, you need to be able to demonstrate that you are actively monitoring and applying firmware updates for all in-scope network devices.
Cyber Essentials v3.3 clarifies that personally-owned devices (BYOD — bring your own device) are in scope if they are used to access organisational data or services. This has always been the intent of the scheme, but Denzil makes it explicit.
If your employees use their personal phones or laptops to access company email, files, or cloud services, those devices are in scope. You have two options: bring them into scope and ensure they meet all CE controls (malware protection, patch management, secure configuration), or restrict access so that company services cannot be accessed from unmanaged personal devices at all.
For most small businesses, the practical solution is to enforce access through managed devices only — for example, using Microsoft Intune or an MDM to ensure only compliant, enrolled devices can access company resources.
Home routers have been in scope for remote workers since v3.0 (Evendine). Denzil reinforces this: if an employee works from home and connects to company systems over their home broadband router, that router is in scope. You need to be able to confirm that the router's firewall is enabled, the admin password has been changed from the default, and the firmware is up to date.
This is one of the most frequently missed requirements. The assessor will ask about home worker routers — 'I don't know' is not a safe answer and will result in a finding.
The five control areas remain the same: Firewalls, Secure Configuration, User Access Control, Malware Protection, and Patch Management. The 14-day critical patching window is unchanged. The two certification levels — standard Cyber Essentials (self-assessment) and Cyber Essentials Plus (independently verified) — are unchanged.
Cyber Essentials certificates are valid for 12 months. When you renew, you will be assessed against the current standard — which is now Denzil v3.3. If your last assessment was under Montpelier or Willow, you should re-check your MFA coverage for all users, confirm firmware update processes are in place, and review your BYOD policy before renewing.
Our free RADAR_CHECK questionnaire is up to date with Cyber Essentials v3.3 (Denzil) requirements. It will flag MFA gaps, firmware update issues, and BYOD scope questions specifically. Take the 10-minute check and book a free 30-minute call — we will tell you exactly what needs to change before you apply.
// TAKE THE NEXT STEP
Our RADAR_CHECK questionnaire takes 10 minutes. Book a free 30-minute call and we'll walk you through your results and tell you exactly what to fix.
START FREE CHECK >>