After years observing how organisations navigate security certification, I have reached a fairly uncomfortable conclusion: most scope failures in Cyber Essentials are not technical errors. They are decisions. Somebody looked at the full picture of what should be in scope, felt the weight of what that would require, and drew the line somewhere more manageable. I understand the impulse.

I have watched it play out at every scale. But CE v3.3 closes the ambiguities that made that line defensible. And post-breach, the scope document is not filed quietly away. It becomes the first thing lawyers and insurers read.

Cyber Essentials v3.3 is not a wholesale rewrite. It's a precision instrument for closing the loopholes that UK SMBs have been quietly exploiting for years. Cloud services you can't exclude anymore. MFA that has to cover everyone, not just the IT manager. A 14-day patching window that applies to vendor config changes, not just Windows Update. Scope documents that have to reflect your actual IT estate rather than the tidy fiction you'd prefer. Here is every material change, translated into what you actually need to do before 26th April 2026. No jargon. No softening. Just the bits that matter.

If you're flashing a Cyber Essentials badge on your website but couldn't explain the difference between Willow and Danzell without Googling it, you're not certified. You're exposed. One awkward question from a big customer, an insurer, or a regulator and that logo goes from asset to evidence.

In Season 2 Episode 10 of The Small Business Cyber Security Guy, Noel Bradford, Graham Falkner, and Lucy Harper walk through every material change in CE v3.3: scope rules, cloud scoping, FIDO2, the 14-day patching rule, and exactly what you need to sort before 26 April 2026.

France banned Zoom and Teams from government. Germany is migrating 30,000 workstations to open source and saving €15 million a year. The Dutch Parliament demanded exit strategies from US cloud. Switzerland declared US cloud unsuitable for government data.

The UK has produced no sovereign cloud strategy, no government migration programme, no regulatory enforcement on CLOUD Act exposure, and no explicit guidance for commercial organisations.

Noel Bradford, with 40-odd years of watching the UK IT establishment make the same mistakes on repeat, asks the question nobody in Whitehall wants to answer: when did we decide that digital independence was somebody else's problem?

You did not set out to build US-centric infrastructure. You just bought what was on page one of Google. Email, documents, calendars, chat, CRM, help desk, backups, monitoring: all US-owned, all subject to US law, all chosen on price and convenience without a single conversation about jurisdictional risk. Mauven MacLeod explains why your 30-person firm has made exactly the same strategic bet as the NHS and the Ministry of Defence, why "it is just stationery" stopped being true about five years ago, and what one awkward question on your next vendor call can change.

You've seen the memes. Trump is controlling cloud providers like puppets. Trump is literally unplugging Europe from US infrastructure.

They're viral because they touch a nerve about something real: UK businesses run on American infrastructure controlled by American laws. But the political framing misses the actual problem.

This isn't about any particular president or administration. This is about 15 years of infrastructure consolidation, creating structural dependency that predates and will outlast any political cycle.

Let's dissect what those images actually represent, why they're simultaneously right and wrong, and what UK SMBs need to understand about where their data actually lives.