Cyber Essentials MFA Requirements 2026
Last updated: 28 March 2026
Multi-factor authentication is the most significant change in Cyber Essentials Danzell v3.3. Under the new rules, MFA must be enabled on every cloud service in scope that supports it — for all users, not just administrators. Failure to comply is an automatic certification failure.
What changed
Under the previous Willow question set, MFA was strongly recommended but not an automatic-fail condition for all users. Danzell v3.3 changes this significantly.
| Area | Willow (previous) | Danzell v3.3 (current) |
|---|---|---|
| MFA for administrators | Required where available | Automatic fail if not enabled (A7.16) |
| MFA for all users | Recommended | Automatic fail if not enabled (A7.17) |
| Social media accounts | Not explicitly in scope | In scope as cloud services |
| Cost as a reason to skip MFA | Sometimes accepted | Not accepted |
Which cloud services need MFA
Every cloud service used by your organisation that offers MFA must have it enabled. Common examples by category:
- Productivity and email — Microsoft 365, Google Workspace, Zoho Workplace
- Code and development — GitHub, GitLab, Bitbucket, Azure DevOps
- Communication — Slack, Microsoft Teams, Zoom
- Finance and accounting — Xero, QuickBooks Online, Sage, FreeAgent
- CRM and sales — Salesforce, HubSpot, Pipedrive
- Cloud infrastructure — AWS, Azure, Google Cloud Platform
- Social media — LinkedIn, Facebook, X (Twitter), Instagram (business accounts)
- File storage — Dropbox, Box, OneDrive, Google Drive
What counts as MFA
MFA requires at least two different factors from the following categories: something you know, something you have, and something you are. Accepted methods include:
- Authenticator apps (Microsoft Authenticator, Google Authenticator, Authy)
- Hardware security keys (YubiKey, FIDO2 keys)
- Push notifications from a trusted device
- Biometric authentication as a second factor
- Passkeys (FIDO2/WebAuthn) — new in Danzell v3.3
- SMS one-time codes (accepted but less secure)
A password alone is never MFA, regardless of its complexity. A password combined with a security question is also not MFA because both are “something you know.”
Administrators vs all users
Danzell v3.3 asks two separate questions about MFA. A7.16 asks whether MFA is enabled for all administrator accounts on cloud services where it is available. A7.17 asks the same question for all user accounts. Both carry automatic-fail status.
The distinction matters because some organisations enable MFA for administrators but overlook standard user accounts. Under Danzell v3.3, this is not sufficient. Every user — including part-time staff, contractors, and temporary workers — must have MFA enabled on every cloud service that supports it.
What if a cloud service does not offer MFA
Question A7.15 asks you to confirm that MFA is enabled on all cloud services where it is available. If a cloud service genuinely does not offer MFA in any form, you are not penalised for not having it enabled on that specific service. However, you must document which services do not offer MFA and confirm that you have checked.
Cost is not an accepted reason for not enabling MFA. If a cloud service offers MFA only on a higher-tier plan, you must either upgrade to that plan or remove the service from your assessment scope. IASME's marking guidance is clear that availability at any price point counts as “available.”
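As an added illustration (not code from the original guide or from IASME), the script below applies the factor-category rule from "What counts as MFA" and the A7.15/A7.16/A7.17 logic described above to constructed account records. The method names, the `Account` fields and the sample data are assumptions made for the example.

```python
from dataclasses import dataclass

# Factor category for each enrolled method (the page's three categories).
FACTOR_CATEGORY = {
    "password": "know", "security_question": "know",
    "authenticator_app": "have", "hardware_key": "have",
    "push": "have", "sms": "have", "passkey": "have",
    "biometric": "are",
}

@dataclass
class Account:
    user: str
    service: str
    is_admin: bool
    methods: tuple          # enrolled sign-in methods
    service_offers_mfa: bool = True

def is_mfa(methods):
    """True only when the methods span at least two distinct factor categories."""
    return len({FACTOR_CATEGORY[m] for m in methods}) >= 2

def assess(accounts):
    """Evaluate A7.16 (admins) and A7.17 (all users); return
    (a716_pass, a717_pass, failing_accounts, services_without_mfa).
    Accounts on a service with no MFA option are not failures (A7.15)
    but are returned so they can be documented in the assessment."""
    no_mfa = sorted({a.service for a in accounts if not a.service_offers_mfa})
    failing = [a for a in accounts
               if a.service_offers_mfa and not is_mfa(a.methods)]
    a716 = not any(a.is_admin for a in failing)
    a717 = not failing
    return a716, a717, failing, no_mfa

# Constructed sample records (not real tenant data).
SAMPLE = [
    Account("alice", "Microsoft 365", True, ("password", "hardware_key")),
    Account("bob", "Microsoft 365", False, ("password", "security_question")),
    Account("carol", "LinkedIn", False, ("password", "authenticator_app")),
    Account("dave", "LegacyBookingTool", False, ("password",), False),
]

if __name__ == "__main__":
    a716, a717, failing, no_mfa = assess(SAMPLE)
    print("A7.16 administrators:", "pass" if a716 else "FAIL")
    print("A7.17 all users:", "pass" if a717 else "FAIL")
    for a in failing:
        print(f"  {a.user} on {a.service}: {a.methods} is not MFA")
    print("Services with no MFA option (document these):", no_mfa)
```

Note that bob's password plus security question fails the check because both are "something you know", while dave's service is reported for documentation rather than counted as a failure.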
How to enable MFA — quick reference
Microsoft 365
Use Security Defaults (free on all plans) or Conditional Access policies (requires Azure AD P1). Security Defaults enforce MFA for all users and block legacy authentication. Enable via the Azure AD portal under Properties → Manage Security Defaults.
Google Workspace
Enable 2-Step Verification in the Admin console under Security → 2-Step Verification. Set enforcement to “On” for all organisational units. Allow users to choose their preferred second factor.
GitHub
Organisation owners can require MFA for all members under Settings → Authentication security → Require two-factor authentication. Members who have not enabled MFA will be removed from the organisation.
Slack
Workspace owners can require MFA under Settings & administration → Workspace settings → Authentication. Enable “Require two-factor authentication for your workspace.” All members will be prompted to set up MFA.
Common mistakes
- Enabling MFA for administrators only — Danzell v3.3 requires MFA for all users, not just administrators. A7.17 is a separate auto-fail question that covers every user account.
- Forgetting social media accounts — LinkedIn, Facebook, X, and Instagram business accounts are cloud services under Danzell v3.3. If they offer MFA, it must be enabled.
- Assuming SSO is the same as MFA — Single sign-on (SSO) reduces the number of passwords users manage, but it is not MFA on its own. If your SSO provider does not enforce a second factor, you do not meet the requirement.
- Excluding remote workers — Remote and hybrid workers are in scope. Every cloud service they access must have MFA enabled, regardless of where they work from.