Datawiza
Back to blog
Updated July 16, 2026Blog

Cyber Essentials MFA Requirements: How to Protect Cloud and Legacy Apps

Abstract five-control Cyber Essentials MFA coverage for cloud and legacy applications
Table of contents

Cyber Essentials MFA requirements matter because many organizations now run critical business systems through cloud services and web applications. For teams pursuing certification, the question is not just whether MFA is available. It is whether MFA is enabled for the services and accounts in scope.

Cyber Essentials is a UK government-backed scheme built around five technical controls. It is designed as a baseline, not a full security program. But MFA has become one of the most visible controls because compromised passwords remain a common path into cloud services, email, admin portals, and business applications.

This guide explains how to think about Cyber Essentials MFA requirements, where legacy applications create gaps, and how an access proxy can help protect existing web applications without changing application code.

What Are the Cyber Essentials MFA Requirements?

Cyber Essentials is described by the UK National Cyber Security Centre as a scheme based on five technical controls. The official NCSC Cyber Essentials overview is the best starting point for the scheme itself. IASME is the delivery partner and publishes the current assessment and requirements materials.

For MFA, the practical assessment question is whether users must use multi-factor authentication when accessing cloud services and other systems in scope. The exact answer should follow the current Cyber Essentials requirements and your assessor’s guidance, because the scheme is updated over time.

In practice, teams should review cloud services, email, administrative consoles, user accounts, and web applications that are part of the organization’s certification scope. If those systems only rely on passwords, they may need MFA or a documented remediation plan before assessment.

Where Cyber Essentials MFA Gaps Usually Appear

The obvious systems are often handled first: Microsoft 365, Google Workspace, cloud identity providers, and VPN or remote access. The difficult systems are usually older web applications and portals that do not support modern SSO or MFA directly.

Common gaps include:

  • Legacy web applications that still use local usernames and passwords
  • Admin portals or management consoles used by employees or contractors
  • Partner, supplier, customer, or member portals exposed to the internet
  • On-premises applications accessed through a browser
  • Applications that cannot be modified before the Cyber Essentials assessment window

These gaps are easy to miss because the application may not be called a cloud service. But if users access it through a browser and it supports business operations, the access path should be reviewed carefully.

How Datawiza Helps With Cyber Essentials MFA Scope

For Cyber Essentials, the useful question is scope: which cloud services, web applications, user accounts, and admin paths are in scope, and where is MFA actually enforced? Datawiza Access Proxy helps when an existing web application is in scope but cannot support modern MFA directly.

Datawiza can enforce MFA in two ways. If the organization needs a lightweight access-layer control, Datawiza can add an MFA challenge using its built-in MFA capability before the user reaches the application. This can protect an app that still uses its own login but does not have native MFA support.

If the organization already standardizes identity through Microsoft Entra ID, Okta, Ping, Auth0, Duo, or another provider, Datawiza can integrate with that provider instead. The identity provider handles SSO, MFA, and access policy, while Datawiza protects the application path and passes approved identity context to the app.

For Cyber Essentials assessment preparation, the flow is easy to explain:

  1. Identify the existing web application or admin portal that needs MFA coverage.
  2. Place Datawiza Access Proxy in front of that application.
  3. Choose whether MFA is enforced by Datawiza built-in MFA or by the organization’s identity provider.
  4. Test that users must complete MFA before reaching the protected application.
  5. Keep evidence of the protected URL, policy configuration, and successful MFA test for assessor review.

This makes the Cyber Essentials story cleaner: the team can show that access to the application is protected, even if the application itself was not built for modern identity standards.

What Evidence to Prepare for Assessment

Cyber Essentials is a self-assessment with assessor review, so clear evidence helps. Teams should prepare:

  • A list of cloud services and web applications in scope
  • Identity provider settings showing MFA is enabled for relevant user accounts
  • Screenshots or exports showing MFA policy and conditional access rules
  • Access proxy configuration showing which legacy web apps are protected
  • Login test evidence showing users are challenged for MFA before reaching the app
  • Exception or remediation notes for systems not yet protected

The goal is not to create paperwork for its own sake. The goal is to make the MFA story clear: which systems are protected, how enforcement works, and where any remaining exceptions are being remediated.

Cyber Essentials vs Cyber Insurance MFA

Cyber Essentials and cyber insurance often overlap, but they are not the same. Cyber Essentials is a certification scheme with defined technical controls. Cyber insurance is an underwriting process where the carrier decides what questions and evidence it needs.

Still, improving Cyber Essentials MFA coverage can help insurance conversations because it gives the organization a clearer inventory of MFA-protected systems, identity policies, and exceptions.

Implementation Checklist

  1. Confirm the current Cyber Essentials requirements and your assessment scope.
  2. Inventory cloud services, web applications, admin consoles, and remote access paths.
  3. Verify MFA is enabled for relevant user accounts and administrator accounts.
  4. Identify legacy web apps that cannot connect directly to your identity provider.
  5. Protect those apps with an access proxy where source-code changes are not practical.
  6. Collect policy, configuration, and test evidence before submitting the assessment.
  7. Document exceptions and remediation plans clearly.

Frequently Asked Questions

What are Cyber Essentials MFA requirements?

Cyber Essentials requires organizations to evaluate MFA for systems in scope, especially cloud services and user accounts covered by the current assessment requirements. The official Cyber Essentials requirements and assessor guidance should be treated as the source of truth.

Does Cyber Essentials require MFA for cloud services?

Cloud services are a major focus for Cyber Essentials because they are common access points for business data. Organizations should review the current IASME Cyber Essentials requirements to confirm exactly how MFA applies to their cloud services and user accounts.

What if a legacy app does not support MFA?

If a legacy web application cannot support MFA directly, Datawiza Access Proxy can enforce MFA before users reach the app. Teams can use Datawiza built-in MFA, or they can integrate Datawiza with an identity provider such as Microsoft Entra ID, Okta, Ping, Auth0, or Duo.

This protects the access path while preserving the existing application, which is useful when the application cannot be changed before the Cyber Essentials assessment window.

Can Datawiza help with Cyber Essentials MFA requirements?

Datawiza Access Proxy can help add MFA and SSO in front of existing web applications, including legacy and on-premises apps, without changing application code. It can enforce Datawiza built-in MFA or integrate with the organization’s preferred identity provider for MFA and conditional access.

Teams should still validate the implementation against the current Cyber Essentials assessment requirements and assessor guidance.

The Bottom Line

Cyber Essentials MFA requirements are easiest to meet when every important access path is connected to modern identity policy. Legacy applications make that harder. An access proxy helps close the gap by enforcing MFA before users reach applications that cannot be rewritten quickly.

To see the access-layer pattern in action, explore no-code MFA for existing applications, MFA for web applications, and adding MFA to legacy apps without code changes.

If your team is working through Cyber Essentials MFA requirements for existing web applications, book a demo to see how Datawiza can help add MFA without rewriting the application.

Sources

NCSC Cyber Essentials overview: https://www.ncsc.gov.uk/cyberessentials/overview

IASME Cyber Essentials: https://iasme.co.uk/cyber-essentials/

IASME Cyber Essentials requirements for IT infrastructure: https://iasme.co.uk/cyber-essentials/requirements-for-it-infrastructure/

Datawiza is Easy to Get Started

Sign up to secure your AI agents and critical enterprise apps

Try Datawiza