Cyber Essentials update could put your public sector contracts at risk
Date:
Fri, 01 May 2026 09:05:06 +0000
Description:
What is Cyber Essentials and why being unprepared for the April update could put your public sector contracts at risk.
FULL STORY ======================================================================
From 27 April 2026, any organization that holds Cyber Essentials certification and has not switched on login verification across every cloud service it uses is looking at an automatic assessment failure.
Not a non-conformity to address gradually. Not a remediation point. An immediate fail with no second chance within that certification cycle.
Cyber Essentials is the UK government's flagship cybersecurity certification scheme, backed by the National Cyber Security Centre and administered by IASME. Around 50,000 organizations certify every year. For suppliers to central government handling sensitive data it is mandatory. For many others it has become a baseline expectation for cyber insurance and private sector procurement.
I have been assessing organizations against the scheme since 2017. Version 3.3, which takes effect on 27 April, is the most significant update in all of that time.
Jonathan Krause, Founder and Head Assessor at Forensic Control.
The specific change is this: if a cloud service offers Multi-Factor Authentication (MFA) and an organization has not enabled it for all users, the assessment fails immediately.
This applies even where the feature is only available through a paid upgrade to an existing plan. Under the previous version of the scheme, non-compliant answers on this point were survivable. That route is now closed.
For most organizations, resolving this is a straightforward technical project. But in my assessments this year I have encountered a specific category of organization for which it is anything but. The gap between what v3.3 now requires and what they can actually deliver is significant, and the scheme update does not address it.

The problem the guidance does not resolve

The pressure points I see consistently appear in environments built around shared access, rapid task switching, and frequent staff or volunteer turnover.
These are organizations where people need to get onto systems quickly, where devices are shared across shifts, or where managing individual login credentials for a constantly rotating workforce creates a genuine operational burden.
Think of a station operations room where multiple staff rotate through shared terminals across shifts, needing to access time-critical information in seconds.
Or a nationally known charity with hundreds of high street locations and a large volunteer workforce on short shifts, for whom managing individual authentication at scale is a real practical problem.
In both cases, the relevant cloud services offer the required verification feature. In both cases it has not been enabled, not out of carelessness, but because the operational reality makes standard approaches genuinely difficult to deploy.
Under the previous version of the scheme that position was survivable. Under v3.3 it becomes an automatic fail.
That does not make stronger authentication unnecessary. If anything it makes it more important. But it does mean that some organizations have supported the principle while delaying the harder work of designing how it will actually function day to day. That distinction matters much more under v3.3.

This is a workflow design problem, not a policy problem

The organizations that will navigate v3.3 well are not the ones with the most sophisticated security policies. They are the ones that have done the practical work of making stronger authentication usable in the environments where it is hardest to deploy.
That means mapping every in-scope cloud service and establishing exactly where verification features are available, including where they require a paid upgrade, because v3.3 makes no distinction. It means reviewing whether current authentication approaches are suitable for fast-moving operational environments.
And it means looking seriously at options such as FIDO2 security keys, passkeys, badge-linked identity workflows, and context-aware access controls that can reduce friction without reducing assurance.
NCSC's own guidance has increasingly reflected the value of phishing-resistant approaches over codes and prompts, and v3.3 moves in the same direction.
Cyber Essentials now makes cloud services unambiguously part of scope where they store or process organizational data. Organizations can no longer assume that awkward operational exceptions will remain tolerable.
The bar is rising. The organizations that will meet it are the ones treating authentication as a design challenge, not a compliance checkbox.

Start now, not at renewal

The businesses most likely to struggle with Cyber Essentials v3.3 are not the ones that disagree with stronger authentication. They are the ones that have postponed the practical work of making it usable everywhere the standard now expects it to be.
This should not be left until renewal. Rolling out new authentication methods, adjusting processes for joiners and leavers, and getting users comfortable with a new access model all take time. If verification features are available on your cloud services but not yet enabled, 27 April is closer than it appears.
Cyber Essentials v3.3 is not just a tougher compliance checkpoint. It is a prompt to make sure that how your organization verifies who can access its systems actually works in the real world, especially in the environments where getting that right is hardest.
This article was produced as part of TechRadar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.
The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here:
https://www.techradar.com/pro/perspectives-how-to-submit
======================================================================
Link to news story:
https://www.techradar.com/pro/cyber-essentials-update-could-put-your-public-sector-contracts-at-risk
--- Mystic BBS v1.12 A49 (Linux/64)
* Origin: tqwNet Technology News (1337:1/100)