April 21, 2026  —  Lee Pender

Cyber Essentials v3.3: How MSPs can address their biggest concerns


While it is not technically required, the Cyber Essentials 3.3 set of standards is quickly becoming a necessity for organizations that need to ensure public sector contract, insurance and supplier assurance in the U.K.

That’s good news for managed service providers (MSPs), who now have an opportunity to build both trust and revenue by guiding clients toward Cyber Essentials certification.

Acronis recently surveyed U.K. partners about Cyber Essentials. The results provide an unusually candid window into what MSPs find most difficult when helping clients get in line with updated v3.3 requirements. They also reveal where MSPs can find growth opportunities.

Cyber Essentials v3.3: What MSPs worry about most

The survey highlighted several areas of concern:

1. Scope definition

Many respondents named scope definition as the most widespread blocker to supporting certification for clients. MSPs report that clients underestimate what is in scope, especially when staff are using unapproved SaaS, unmanaged devices or services no one realised were connected to organisational data.

2. Identifying cloud services and shadow SaaS

A slightly smaller number of respondents said that a related issue, discovering all cloud services storing or processing organisational data, is a major stumbling block. MSPs warn that business owners are often unaware of cloud tools staff have adopted. That can create gaps in compliance evidence and result in inconsistent assessments.

3. MFA enforcement and identity management

Although many respondents enforce multifactor authentication (MFA) for all major cloud services, coverage across clients ranges dramatically from 10% to 100%, with a median of 80%. Inconsistent MFA enforcement, undocumented identity processes and unclear privilege boundaries can cause audit friction.

4. BYOD, mobile devices and poorly documented procedures

BYOD and third-party managed infrastructure were the most cited “items missed during scoping.” Respondents said procedural documentation for identity, access and BYOD remains the hardest evidence for clients to provide.

5. Patching timelines and backup evidence

Patching and secure update timelines, along with the need to demonstrate restore readiness, continue to challenge clients. MSPs find that manual processes struggle to keep pace with the expectations in Cyber Essentials v3.3.

How these concerns map to the five Cyber Essentials v3.3 focus areas

Cyber Essentials v3.3 has five control areas. Each point of concern MSPs identified maps to one or more of them.

Network protection and firewall management

MSP concern addressed: scope confusion, inconsistent assessor interpretation and open port ambiguity.

Survey respondents noted that different assessors often interpret firewall configurations differently, especially around VPN exposure and open ports. Cyber Essentials v3.3 now mandates that administrative interfaces must not be exposed to the internet unless access is tightly restricted: for example, via allowlisting and MFA for remote administration. That stipulation reduces ambiguity but increases evidence requirements.

Poor documentation is a major issue for MSPs, which reinforces the need for centrally enforced firewall rules and auditable change records.

Secure configuration across devices and cloud services

MSP concern addressed: shadow SaaS, BYOD gaps and unknown devices.

The survey confirms that MSPs struggle most with cloud sprawl and unmanaged personal devices. Cyber Essentials v3.3 expands scope to include any device interacting with organisational data, which means MSPs must improve application discovery, standardise baselines and increase cloud visibility.

Taking those actions directly addresses the #1 and #2 MSP concerns: scope definition and cloud service discovery.

Patch management and vulnerability remediation

MSP concern addressed: inconsistent timelines and manual processes.

Respondents highlighted increased cost and effort linked to rapid patching expectations. Cyber Essentials v3.3 requires fixes for high-risk vulnerabilities within 14 days. Manual patching cannot deliver the consistency needed for certification. That issue aligns closely with MSP frustrations about providing evidence of patch timelines across cloud and endpoint environments.

Identity security and user access control

MSP concern addressed: inconsistent MFA and documentation challenges.

The survey shows that MFA enforcement is inconsistent across client estates and identity documentation is often missing. Version 3.3 makes MFA mandatory for cloud services and administrative access, a stipulation that turns inconsistent enforcement into a common certification blocker.

MSPs therefore need stronger approaches to access governance, privilege separation and evidence collection to address a significant area of concern.

Malware protection

MSP concern addressed: incomplete endpoint visibility.

Respondents were less vocal about malware protection, but they linked many scoping issues to unmanaged endpoints. Malware protection only works when every in-scope device has a consistent client and configuration, so this area plays into broader concerns around device discovery and baseline enforcement.

What MSPs can do to build a strong Cyber Essentials practice

MSPs that focus on supporting Cyber Essentials certification for clients can differentiate themselves from competitors and open new revenue streams. They need to:

1. Standardise Cyber Essentials scoping and evidence collection.

With scope definition cited multiple times as a top challenge, MSPs should implement repeatable checklists that cover cloud apps, BYOD, access rights and evidence of restoration. Consistency in documentation directly addresses assessor variability.

2. Use first-party data to articulate client risk.

Survey responses reveal substantial variation in MFA coverage, patching cadence and SaaS visibility. MSPs who summarise these gaps with client-specific data position themselves as strategic advisors rather than providers of an undifferentiated commodity.

3. Package Cyber Essentials readiness into a managed service.

The Acronis Cyber Platform consolidates endpoint protection, patching, backup and identity controls into a single platform, which enables MSPs to reduce one of the most cited blockers in Cyber Essentials assessments: the burden of evidence collection.

4. Monetise compliance throughout the year.

Cyber Essentials renewal cycles create natural opportunities for ongoing monitoring and remediation. MSPs who offer continuous compliance support can smooth workloads and build higher margin services that scale across clients.

Explore the Acronis Compliance Navigator

Delve deeper into compliance and the requirements it imposes on MSPs and clients with the Acronis Compliance Navigator. See how Acronis solutions align with regulatory requirements.

For a real-world compliance story, read a case study about Bluemoon IT Solutions, a U.K. MSP that supports clients in meeting NCSC Cyber Essentials, Cyber Essentials Plus and ISO 27001 requirements.

 

Author: Lee Pender, Senior Content Marketing Manager, Acronis
Lee was a journalist in the technology industry for 15 years, writing for and managing publications that served both IT and partner audiences. His experience as a corporate content creator includes tenures with an MSP and a provider of tax-compliance services. He writes about a variety of topics for Acronis, including cybersecurity trends, MSP management, emerging technologies and product updates.
