Cyber Essentials Changes April 2026 (Danzell) – What UK Organisations Need To Know For Certification Success

Updated: April 26, 2026
New Cyber Essentials Plus Requirements 2026 Danzell Update

IASME has published a new version of the Cyber Essentials question set, introducing significant changes to the scheme from April 2026. The updates are designed to address evolving cyber threats and keep the scheme robust and relevant. This article covers the changes you need to know, the timelines, the preparation required, and how to start proactively.

Cyber Essentials remains a key standard for UK organisations, continually adapting to evolving cyber threats and maintaining its credibility as a security benchmark.

This guide is for IT managers, compliance leads, and business owners preparing for Cyber Essentials or Cyber Essentials Plus certification under the new Danzell rules.

A quick summary of takeaway points:

  • From 27 April 2026, all new Cyber Essentials assessments must use the Danzell question set (v3.3). The five core technical controls remain unchanged — Danzell tightens how rigorously they’re assessed.

  • Missing Multi-Factor Authentication (MFA) on any cloud service that supports it is now an automatic failure.

  • All high and critical vulnerabilities for operating systems, firewall firmware, and applications must be patched within 14 days. A single missed patch can fail your assessment now.

  • Cloud services that store or process organisational data can no longer be excluded from scope. If your data sits in it, it counts.

  • Cyber Essentials Plus now includes double sampling — a second independent sample verifies that remediation was applied estate-wide, not just on initially tested devices.

Introduction: What Changes In April 2026, And Why It Matters Now

All new Cyber Essentials certifications from 27 April 2026 use the Danzell Question Set (v3.3 NCSC Requirements). Miss the changes and you risk an automatic failure before you even submit.

The five technical controls, namely firewalls, secure configuration, user access control, malware protection, and security update management, remain unchanged. Danzell tightens how they are assessed, not what they are: this is a stricter marking update, not a scheme overhaul. For Cyber Essentials purposes, cloud services, including SaaS platforms such as Microsoft 365 and Google Workspace, are now explicitly in scope. The formal definition of a cloud service under the new requirements covers any SaaS application or platform that stores or processes organisational data, so there is no ambiguity about what must be included for compliance.

The Cyber Essentials scheme update responds to real breaches where organisations held valid certification despite weak MFA implementation, slow patching practices, and poorly scoped cloud platforms. NCSC and IASME are closing loopholes that allowed tick-box compliance without genuine security posture improvement. Documentation must be prepared to match actual practices, including policies and technical evidence for the Cyber Essentials audit.

Download our free Danzell Changes Guide [PDF] for a printable quick-reference summary of the changes covered in this article.

Author Tip: Audit your cloud services and patching processes now. Start a gap analysis using the Danzell preview questions (published 13 February 2026) to avoid submission delays.

Organisations must maintain compliance throughout the certification period, not just at the point of assessment, by regularly reviewing and updating their security measures. A valid Cyber Essentials certification is increasingly required for government contracts, public sector supply chains, and to meet insurance and due diligence standards.

Key Dates and Transition Timeline

  • 13 February 2026: Danzell question set v3.3 published

  • Now to 26 April 2026: Review cloud security, MFA, and patch management against the new requirements

  • 27 April 2026: All new CE assessment accounts must use Danzell

  • 27 October 2026: Six-month grace period ends; Willow (v3.2) accounts must be completed by this date

What about assessments already underway?

If your active assessment account was created before 27 April 2026, you can complete it under Willow (v3.2) until 27 October 2026.

After that date, all outstanding assessments must restart under Danzell.

If you’re mid-process, speak to your certification body now to decide whether to finish under Willow or switch early. Organisations with weak MFA or patching posture may choose to renew early under Willow but should still improve quickly to meet Danzell for the following year’s recertification.

1. Cloud Services Now Mandatory in Scope and MFA Is an Auto-Fail

Cloud Scope Change

Cloud services that store or process your data can no longer be excluded from assessment scope. If it holds your data, it’s in scope — full stop. This represents a fundamental shift from previous assessments where most organisations scoped out SaaS platforms.

The expanded definition now explicitly includes:

  • Microsoft 365 and Google Workspace

  • Salesforce, HubSpot, and CRM platforms

  • Xero, Sage Business Cloud, and accounting software

  • Workday, SuccessFactors, and HR/payroll systems

  • ServiceNow and operational platforms

  • Slack and collaboration tools

  • Any SaaS platform that processes business data

If you use it and your organisational data sits in it, it counts toward your Cyber Essentials requirements.

MFA Auto-Fail

Multi-Factor Authentication (MFA) missing from any cloud service that offers it is an automatic failure. There is no remediation window: it is an immediate fail condition under the stricter assessment criteria, so the gap must be closed before you submit, not after the assessor raises it.

The rule is unambiguous: if a cloud platform makes MFA available — whether built-in or via SSO through identity providers like Entra ID, Okta, or Google Identity — it must be enabled across all user accounts. Cost or user pushback cannot be used as justification for non-implementation.

Exclusion privacy: Organisations providing scope exclusion information should know it will not be made public. Don’t let disclosure fears prevent honest scoping.

Buyer Guidance: Inventory every cloud app that touches organisational data. Enable MFA universally. Document exemptions only where MFA is genuinely unavailable from the provider.

Author Tip: Roll out MFA in phases, but make sure every phase is complete before Verified Self-Assessment (VSA) submission, because there is no remediation window once the assessor spots a gap. Run awareness briefings or phishing simulations beforehand so users understand why the change is happening. If a cloud service does not support MFA, document it and consider whether that service should remain in use.
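Turning the rule above into a repeatable check, here is an added example (not code from the article, IASME or NCSC) in Python. It runs over a constructed CSV export of cloud services and accounts, of the kind an identity provider's MFA registration report produces, and applies the Danzell logic: MFA available but not enabled on an interactive or shared account is an auto-fail; a non-interactive service account without MFA is also a fail, but the remediation is migration to an app registration or managed identity rather than an exemption; and a service that offers no MFA at all is recorded as needing a written exemption. The column names, service names and account values are assumptions for this example.

```python
"""Cloud-service MFA coverage check against the Danzell auto-fail rule.

Added example, not code from the article or from IASME/NCSC. It runs over a
constructed CSV export of cloud services and accounts (the shape an identity
provider's MFA registration report gives you), so it works offline.
Column names and the sample rows are assumptions for this example.
"""
import csv
import io
from dataclasses import dataclass

# Constructed sample export (not real data). One row per account per service.
SAMPLE_EXPORT = """\
service,mfa_available,account,account_type,mfa_enabled
Microsoft 365,yes,alice@example.co.uk,user,yes
Microsoft 365,yes,bob@example.co.uk,user,no
Microsoft 365,yes,admin-global@example.co.uk,admin,yes
Microsoft 365,yes,svc-backup@example.co.uk,service,no
Xero,yes,finance@example.co.uk,shared,no
LegacyTimesheets,no,hr@example.co.uk,user,no
"""


@dataclass
class Finding:
    service: str
    account: str
    outcome: str        # "auto_fail" or "exemption_required"
    remediation: str


def _truthy(value: str) -> bool:
    return value.strip().lower() in {"yes", "y", "true", "1"}


def assess_mfa(export_csv: str) -> list[Finding]:
    """Apply the rule: MFA available on the service but not enabled on the account = auto-fail.

    Accounts with MFA enabled produce no finding. Services with no MFA offering are
    not failures but need a written exemption (and a decision on keeping the service).
    """
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(export_csv)):
        available = _truthy(row["mfa_available"])
        enabled = _truthy(row["mfa_enabled"])
        kind = row["account_type"].strip().lower()
        if not available:
            findings.append(Finding(row["service"], row["account"], "exemption_required",
                                    "provider offers no MFA: document the exemption and review "
                                    "whether the service should remain in use"))
        elif enabled:
            continue
        elif kind == "service":
            # A non-interactive account cannot answer an MFA prompt; the fix is to
            # remove the password login, not to exempt the account.
            findings.append(Finding(row["service"], row["account"], "auto_fail",
                                    "replace the password login with an app registration "
                                    "(certificate credential) or managed identity and "
                                    "restrict it by IP/network"))
        else:
            findings.append(Finding(row["service"], row["account"], "auto_fail",
                                    f"enable MFA for this {kind} account"))
    return findings


def verdict(findings: list[Finding]) -> str:
    """'FAIL' on any auto-fail finding, else 'PASS' (exemptions still need documenting)."""
    return "FAIL" if any(f.outcome == "auto_fail" for f in findings) else "PASS"


if __name__ == "__main__":
    results = assess_mfa(SAMPLE_EXPORT)
    for f in results:
        print(f"{f.outcome:19} {f.service:16} {f.account:30} {f.remediation}")
    print("Assessment verdict:", verdict(results))
```

Swap SAMPLE_EXPORT for the real export and run this before VSA submission: one auto_fail line is a fail regardless of how many accounts are compliant, and the exemption_required lines are the list you must be able to justify in writing.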

2. New Auto-Fail: Strict 14-Day Patching Window for High/Critical Vulnerabilities

Auto-Fail Questions A6.4 and A6.5

Questions A6.4 and A6.5 are now automatic-failure questions. They are the scheme's most explicit and measurable enforcement points:

  • A6.4: All high-risk or critical security updates for operating systems and router/firewall firmware must be installed within 14 days of release

  • A6.5: All high-risk or critical security updates for applications, including associated files and extensions, must be installed within 14 days of release

Zero Tolerance

The earlier tolerance for “a couple” of delayed patches is removed. A single missed high-risk patch outside the 14-day window on any in-scope asset can now cause CE failure and Cyber Essentials Plus revocation.

This responds directly to rapidly exploited vulnerabilities such as Log4Shell and the MOVEit Transfer flaw, where delayed patching led to mass compromise within days of disclosure. The threat landscape has changed: newly disclosed vulnerabilities can be weaponised at scale before a monthly patch cycle completes.

Critical distinction: The 14-day window is measured from the date the vendor releases the patch, not from when your organisation becomes aware of it. This demands real-time monitoring of security bulletins, not reliance on periodic reviews.

The requirement extends to:

  • Operating systems (Windows, macOS, Linux)

  • Router and firewall firmware

  • Applications and productivity suites

  • Browsers and VPN clients

  • Browser extensions (frequently overlooked)

  • Network appliances and Wi-Fi controllers

Buyer Guidance: Implement automated vulnerability scanning (e.g., Nessus, Qualys) and patch orchestration. Track every in-scope device via a CMDB or asset register. Don’t forget firmware, browser extensions and VPN clients — these catch people out.

Author Tip: Prioritise CVSS 7.0 and above (high and critical). Set automated alerts for the 14-day threshold and run weekly compliance reports to evidence patching in your Verified Self-Assessment (VSA). Schedule regular maintenance windows, fortnightly at minimum rather than monthly. If a Managed Service Provider (MSP) runs your IT, bind them contractually to the 14-day SLA: a third-party delay will still fail your assessment.
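As an added example (not code from the article, IASME or NCSC), the following Python reads a constructed patch register of the kind a vulnerability scanner, RMM or MSP ticket export would give you, starts the 14-day clock at the vendor release date rather than at the date you noticed the bulletin, separates the A6.4 (OS and firmware) and A6.5 (applications and extensions) populations, and reports which question would fail on the evidence. Asset names, update identifiers, CVSS scores and dates are constructed for the example, and the inclusive-deadline rule is an assumption stated in the code.

```python
"""14-day patch-window check for Danzell auto-fail questions A6.4 and A6.5.

Added example, not code from the article or from IASME/NCSC. It runs over a
constructed patch register (what a vulnerability scanner, RMM or MSP ticket
export would give you) and reports every high/critical update that is already
outside the window, or will be soon. Field names, sample rows and update
identifiers are assumptions for this example.
"""
from datetime import date, timedelta

WINDOW = timedelta(days=14)   # the clock starts at the vendor's release date
CVSS_HIGH = 7.0               # CVSS v3: high 7.0-8.9, critical 9.0-10.0

# Which auto-fail question each asset class falls under, as the article describes.
QUESTION = {"os": "A6.4", "firmware": "A6.4", "application": "A6.5", "extension": "A6.5"}

# Constructed register, one row per (asset, update). 'installed' is None while pending.
REGISTER = [
    {"asset": "LAPTOP-01", "class": "os", "update": "os-2026-03-example", "cvss": 8.8,
     "released": "2026-03-03", "installed": "2026-03-10"},          # 7 days: ok
    {"asset": "FW-EDGE-1", "class": "firmware", "update": "fw-example", "cvss": 9.8,
     "released": "2026-03-01", "installed": "2026-03-20"},          # 19 days: breach
    {"asset": "LAPTOP-07", "class": "extension", "update": "ext-example", "cvss": 7.5,
     "released": "2026-03-25", "installed": None},                  # pending, due 8 April
    {"asset": "LAPTOP-07", "class": "application", "update": "app-example", "cvss": 5.3,
     "released": "2026-02-01", "installed": None},                  # medium: not an auto-fail
]


def check_register(register, as_of):
    """Classify each row as ok, due_soon, breach or out_of_scope relative to as_of.

    as_of may be a date or an ISO string. A patch is in-window if installed on or
    before release + 14 days (assumption: the deadline day itself is inclusive).
    A pending patch becomes a breach once as_of passes the deadline, whether or
    not anyone has read the vendor bulletin yet.
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    results = []
    for row in register:
        entry = dict(row)
        if row["cvss"] < CVSS_HIGH:
            # Medium/low updates still belong in normal patching but are not A6.4/A6.5 fails.
            entry.update(status="out_of_scope", question=None, deadline=None, days_left=None)
            results.append(entry)
            continue
        released = date.fromisoformat(row["released"])
        deadline = released + WINDOW
        installed = date.fromisoformat(row["installed"]) if row["installed"] else None
        if installed is not None:
            status = "ok" if installed <= deadline else "breach"
        elif as_of > deadline:
            status = "breach"
        else:
            status = "due_soon"
        entry.update(status=status, question=QUESTION[row["class"]], deadline=deadline,
                     days_left=(deadline - as_of).days)
        results.append(entry)
    return results


def failed_questions(results):
    """Which of A6.4 / A6.5 would fail on the evidence in the register (sorted)."""
    return sorted({r["question"] for r in results if r["status"] == "breach"})


if __name__ == "__main__":
    report = check_register(REGISTER, "2026-04-01")
    for r in report:
        print(f"{r['status']:12} {r['asset']:10} {r['class']:11} {r['update']:20} "
              f"cvss={r['cvss']} deadline={r['deadline']} days_left={r['days_left']}")
    print("Auto-fail questions triggered:", failed_questions(report) or "none")
```

Run it weekly against the real register and alert on any row that is due_soon with a small days_left, since a due_soon row silently becomes a breach the day after its deadline; the breach rows are exactly the evidence an assessor would use against A6.4 or A6.5.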

3. Enhanced CE Plus Testing: Double Sampling and 90-Day Timelines

How Double Sampling Works

The Cyber Essentials Plus assessment methodology has been substantially restructured. Here’s the process:

  1. First sample: A random sample of devices is scanned and tested for critical vulnerabilities

  2. Remediation: Your organisation fixes findings

  3. Second sample: A new random sample, independent of the first, tests whether the fixes were applied organisation-wide rather than only on the initially sampled devices. This double sampling is intended to make sure remediation is applied across the estate, not just where the assessor happened to look.

This verifies estate-wide remediation, not localised fixes on tested machines.

Second Sample Outcomes (Double Sampling)

  • New vulnerabilities found in the second sample, but first-sample issues remediated: advisory issued, CE Plus can still be awarded

  • Both samples fail to meet the standard: VSA revoked, CE Plus cannot be awarded

  • Organisation refuses second-sample testing: CE Plus cannot be awarded, but the VSA remains valid for standard CE

90-Day Hard Stop

If the 90-day Cyber Essentials Plus timeline expires without successful remediation of the first-sample vulnerabilities, the entire certification process, including the Verified Self-Assessment, must restart from the beginning. This is not a soft deadline.

No retrospective editing: The VSA can no longer be tidied up once CE Plus technical testing has begun. It must be finalised and locked before testing starts. This removes the previous practice of adjusting self-assessment responses based on assessor feedback or testing findings.

These changes make CE Plus a stronger differentiator. Customers, regulators, and insurers can place greater trust in a current Cyber Essentials certificate at Plus level. Organisations may increasingly see CE Plus requested in supply chain frameworks and for protecting systems handling sensitive data.

Buyer Guidance: Prepare for device samples across your estate. Ensure VLAN/firewall logs and asset inventories are current and accessible for assessors.

Author Tip: Engage your assessor early for scope alignment. Budget 3–6 months for CE Plus to cover potential iterations. The 90-day clock is unforgiving — don’t start testing until you’re confident in your patching posture.

4. Scope, BYOD and Declaration Overhauls

Technical Boundaries Only

Scope must now be defined by firewalls, VLANs, or equivalent technical controls, not by roles, departments, or geography. Exclusions must be justified in writing with technical reasoning. The excluded areas of infrastructure will not be made public.

Danzell removes references to “untrusted” and “user-initiated” from scope rules, broadening which devices are considered in scope. Systems with automatic or proxied internet connectivity are now included, not only those directly browsed by users. Relaxed scoping tricks (e.g., excluding internet-connected devices behind strict proxies by calling them “trusted”) are far less likely to be accepted under the new assessment criteria.

BYOD: No Longer Just a Policy Exercise

Personal laptops and smartphones used for corporate email or cloud access must either:

  • Be brought under technical control (MDM/MAM, conditional access, device compliance policies, app sandboxing), OR

  • Be isolated so that corporate data is only accessed via secure, controlled channels

Simply having a written BYOD policy without enforcing security controls is likely to lead to non-compliance under Danzell, particularly during Cyber Essentials Plus assessment.

Some form of enforced device management becomes effectively mandatory for organisations permitting BYOD; common options include:

  • Microsoft Intune

  • Jamf

  • Google Endpoint Management

  • Conditional access policies

Legal Entity Identification

All legal entities included in scope must be listed with comprehensive details such as name, address, and company number as part of their Cyber Essentials certification process.

New certificate type: An individual Cyber Essentials certificate is now available for each legal entity that is part of a larger scope assessment, with clear notation that certification is part of a wider scope. This is useful for group companies with different IT infrastructure environments.

Network Segregation and Declarations

Network segregation: Ensures only devices applying all Cyber Essentials controls are properly in scope. Unsupported or non-compliant devices must be technically segregated out — documentation alone is insufficient.

Point-in-time certification: The certificate reflects compliance on the date it was awarded; nothing more, nothing less.

Signed senior declaration: Board sign-off (or director’s signed declaration) now covers commitment about ongoing compliance for the lifetime of the certification period, not just the point of assessment. This is a governance shift — boards are accountable for 12 months, not just certification day. If a material compliance failure occurs between certification and renewal, the board’s signed declaration could become evidence in breach investigations or regulatory proceedings.

Buyer Guidance: Map your network topology before starting the VSA. Use technical segregation to cleanly exclude unsupported devices. For multi-entity groups, decide early whether to pursue a single group certificate or individual entity certificates. For BYOD, enforce controls through tooling — not just written agreements.

Author Tip: Include network diagrams in your VSA. Get legal review for multi-entity scoping. Brief your board — their signature now carries weight for the full certificate lifetime. For BYOD, test conditional access policies in report-only mode before enforcement to avoid locking users out on day one.

5. What to Expect from Your Assessor

Under Danzell, assessors will more actively verify scope descriptions against technical boundaries and Cyber Essentials requirements:

  • VSA must be finalised before CE Plus testing begins — no post-submission changes

  • Assessors will request clarification for any unclear, contradictory, or incomplete answers

  • Detailed scope descriptions are actively verified against network topology and stated exclusions

  • All assessments are checked for point-in-time compliance consistency

  • Evidence of patching compliance will be tested, not just logged

Expect queries and respond promptly. Response times of 48 hours or better are expected to maintain project momentum.

Buyer Guidance: Submit a polished VSA first time. Respond to assessor queries within 48 hours to avoid timeline delays.

Author Tip: Nominate a single VSA owner who understands the technical environment. Run a mock review internally before submission — treat it like a dry run.

Actionable Checklist for Danzell Compliance

  1. ☐ Inventory all cloud services that store organisational data — none can be excluded

  2. ☐ Enable MFA (multi-factor authentication) on every cloud service where available (whether free, included or available as a paid option)

  3. ☐ Automate 14-day patching tracking for OS, firmware, apps, and extensions

  4. ☐ Define scope using technical boundaries (firewalls/VLANs) — review for “untrusted”/“user-initiated” assumptions

  5. ☐ Bring BYOD devices under technical control or isolate them

  6. ☐ List all legal entities with name, address, and company number

  7. ☐ Obtain board sign-off covering ongoing 12-month compliance

  8. ☐ Lock VSA before CE Plus testing

  9. ☐ Plan for double sampling in CE Plus — budget time for remediation cycles

  10. ☐ Maintain a valid Cyber Essentials certification to meet commercial and compliance requirements, avoid exclusion from tenders, and secure insurance advantages.

FAQs: Cyber Essentials Danzell 2026

When does Danzell take effect?

All new certifications from 27 April 2026. Assessment accounts created on or after this date must use the Danzell question set.

Can I still use Willow?

Only if your assessment account was created before 27 April 2026, and you must complete by 27 October 2026. After this grace period, all outstanding assessments must restart under Danzell.

Do I have to enable MFA for every user, including shared and service accounts?

Under Danzell, MFA must be enabled wherever the cloud service supports it, for standard users, admins, and shared accounts alike. Leaving privileged or shared accounts out of MFA is no longer acceptable.

For true non-interactive service accounts (e.g. API connectors), replace password-based logins with mechanisms such as app registrations using certificate credentials or managed identities, and lock them down with IP/network access controls. Review identity designs with your IdP or a specialist to apply practical patterns (break-glass accounts, privileged access workstations, conditional access) without breaking automation.

Are there cost implications?

While standard Cyber Essentials assessment fees remain unchanged, there are potential cost implications for Cyber Essentials Plus. Factor in potential full restarts if the 90-day window expires or both samples fail. Budget for remediation cycles between samples and possible re-assessment fees. Organisations that prepare thoroughly before starting CE Plus testing will avoid the most costly scenario i.e. a complete VSA restart.

Can I still use personal devices (BYOD) under the Danzell rules?

Yes, but personal devices accessing corporate email or cloud services must meet the same technical requirements as corporate devices (encryption, lock screens, up-to-date OS, malware protection, MFA) or be restricted to secure containers. Typical solutions involve MDM/MAM, conditional access policies, and clear user agreements. A written policy alone without enforced controls will likely fail under Danzell, particularly during CE Plus testing.

Where can I preview the Danzell questions?

The question set was published 13 February 2026 via the NCSC and IASME. Review the official IT infrastructure requirements v3.3 now to understand the full assessment process before submission.

Will my scope exclusions be made public?

No. Exclusion details remain private, as noted in Section 1. This is a common buyer concern, so don't let disclosure fears prevent honest scoping.

Conclusion: Prepare Now, Certify with Confidence

Danzell raises the bar — but none of these changes are insurmountable if you prepare. Audit your cloud services, tighten your patching discipline, define your scope using technical boundaries, bring BYOD under control, and brief your board on their 12-month compliance accountability. Remember, maintaining compliance is an ongoing responsibility—organisations must regularly uphold and update their security measures throughout the certification period.

The changes reward organisations with genuine cyber security maturity and make it harder to pass through tick-box compliance alone. For UK organisations serious about maintaining compliance and protecting against common cyber attacks, this is a positive evolution. Having a valid Cyber Essentials certification is now essential for UK organisations to remain competitive, secure government contracts, participate in public sector supply chains, and meet insurance and due diligence requirements.

Want a printable quick-reference? Download the Cyphere Cyber Essentials Danzell Update Guide for free.

Need support navigating the Danzell changes? Cyphere is a CREST penetration testing service provider and IASME Cyber Essentials Plus Certification Body. We deliver readiness reviews, remediation support, and CE Plus audits — with significant CE Plus discounts when bundled with CREST pen testing, security audits, or compliance work. We factor your resources and effort into account without overloading you.

Contact Cyphere for a no-obligation discussion about your April 2026 timeline.

Final Author Tip: Whether you are a private-sector organisation, supply to government, or handle sensitive contracts, aim for CE Plus: the double sampling process now demonstrates genuine rigour to customers and supply chains. Recertify annually to support lower cyber insurance premiums and to maintain your point-in-time compliance standing in tenders.
