If your Cyber Essentials certificate is coming up for renewal, or you’ve been putting off getting certified, there’s something important you need to know. The scheme has just undergone its most significant overhaul in three years.
From 27 April 2026, all new Cyber Essentials assessments are carried out against version 3.3 of the Requirements for IT Infrastructure, using a new question set named “Danzell”. The previous version, known as “Willow” (v3.2), has been retired for new applications.
This isn’t just a terminology refresh. Danzell introduces automatic-fail questions for the first time in the scheme’s history, tightens what counts as “in scope”, and makes enforcement of existing rules considerably stricter. If you or your IT provider aren’t across these changes, your next assessment could fail on something entirely preventable.
This article breaks down exactly what’s changed, what it means for your business, and how to prepare, with a free downloadable guide at the end.
A Quick Recap: What Is Cyber Essentials?
Cyber Essentials is the UK Government’s flagship cyber security certification scheme, administered by IASME Consortium on behalf of the National Cyber Security Centre (NCSC). It sets out five technical controls that, when properly implemented, protect organisations against the vast majority of common internet-based attacks.
The scheme has two tiers:
- Cyber Essentials — a self-assessment questionnaire verified by an accredited certification body. Achievable by most SMEs in a matter of days if your environment is in good shape.
- Cyber Essentials Plus (CE+) — the same five controls, independently verified through hands-on technical testing by an accredited assessor. Increasingly required for public sector contracts, NHS supply chains, and MOD frameworks.
Certification is valid for 12 months and must be renewed annually.
What’s the Danzell Update, and Why Does It Matter?
The Cyber Essentials scheme is reviewed and updated annually. Each iteration of the question set is given a place name; previous versions include Montpellier and Willow. The 2026 update is named Danzell, and it maps to version 3.3 of the underlying requirements document.
Danzell was published by IASME and the NCSC on 13 February 2026 and became mandatory for all new assessment accounts from 27 April 2026.
If your certificate was issued before that date, it remains valid until expiry. However, when you come to renew, you will be assessed against Danzell, regardless of what version you originally certified under. There is no grace period for renewals.
The reason this update matters more than previous ones comes down to a single word: enforcement. The five technical controls haven’t changed. What has changed is how strictly they’re assessed, and for the first time, certain gaps result in immediate, automatic failure of the entire assessment. No remediation window. No second chance mid-process.
The Three Changes That Will Make or Break Your Assessment
1. MFA on Cloud Services Is Now an Automatic Fail
Multi-factor authentication has been required by Cyber Essentials since 2022. But under previous versions, assessors had a degree of latitude in how gaps were handled. Under Danzell, that latitude is gone.
If a cloud service supports MFA and you haven’t enabled it, your entire assessment fails automatically.
This applies regardless of whether MFA is free, bundled with your subscription, or only available as a paid add-on. The rule is binary: if it’s available, it must be on.
In practice, this means every cloud service your business uses to store or process data needs MFA enabled across all user accounts — not just admin accounts. That includes:
- Microsoft 365 and Entra ID (Teams, SharePoint, OneDrive, Exchange)
- Google Workspace
- Accounting platforms — Xero, QuickBooks, Sage
- CRM systems — Salesforce, HubSpot, Zoho
- File storage and collaboration — Dropbox, Box, Notion
- Communication tools — Slack, Zoom
- Developer tools — GitHub, Azure DevOps
For most businesses using Microsoft 365, this means enabling Conditional Access policies that require MFA or, at minimum, enabling Security Defaults, which enforces MFA across the tenant. If you’re unsure whether MFA is active across your cloud services, assume it isn’t — and check before you submit.
Our recommendation: Don’t wait for your renewal date to audit this. A cloud services MFA review takes a few hours and closes the biggest single failure risk in Danzell. If you’d like help with this, get in touch.
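One way to gather the Microsoft 365 side of that MFA review, as an added example written for this article rather than code from IASME or the NCSC, using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, an account with read-only directory rights (Global Reader is enough), and an arbitrary output file name; the same check covers Step 1 of the action plan later in the article.

```powershell
# Added example (not from the article, IASME or the NCSC): summarise the MFA
# posture of a Microsoft 365 tenant with the Microsoft Graph PowerShell SDK.
# Assumes the Microsoft.Graph module is installed and the signed-in account can
# consent to these read-only scopes (Global Reader is sufficient).
Connect-MgGraph -Scopes 'Policy.Read.All','AuditLog.Read.All','UserAuthenticationMethod.Read.All' -NoWelcome

# 1. Tenant-wide baseline: are Security Defaults switched on?
$defaults = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
Write-Host "Security Defaults enabled: $($defaults.IsEnabled)"

# 2. Enabled Conditional Access policies and what they grant. An assessor wants
#    to see MFA required for ALL users and ALL cloud apps with minimal exclusions;
#    'compliantDevice' / 'compliantApplication' controls are the BYOD evidence.
Get-MgIdentityConditionalAccessPolicy |
    Where-Object { $_.State -eq 'enabled' } |
    ForEach-Object {
        [pscustomobject]@{
            Policy       = $_.DisplayName
            Controls     = (@($_.GrantControls.BuiltInControls) -join ',')
            AuthStrength = [bool]$_.GrantControls.AuthenticationStrength.Id
            AllUsers     = ($_.Conditions.Users.IncludeUsers -contains 'All')
            AllApps      = ($_.Conditions.Applications.IncludeApplications -contains 'All')
            Exclusions   = @($_.Conditions.Users.ExcludeUsers).Count +
                           @($_.Conditions.Users.ExcludeGroups).Count
        }
    } | Format-Table -AutoSize

# 3. Accounts that could not complete an MFA challenge today: nothing registered,
#    or only methods that do not count as a second factor. Every row here is a
#    potential automatic fail until it is fixed or the account is disabled.
Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaCapable } |
    Select-Object UserPrincipalName, IsAdmin, IsMfaRegistered,
                  @{ n = 'Methods'; e = { @($_.MethodsRegistered) -join ',' } } |
    Sort-Object UserPrincipalName |
    Export-Csv -Path .\mfa-gaps.csv -NoTypeInformation

# Services outside the tenant (Xero, HubSpot, Dropbox, GitHub, ...) must be checked
# in their own admin consoles; this script only evidences the Microsoft 365 side.
```

Keep the CSV and the policy table with your assessment evidence; an empty mfa-gaps.csv plus an all-users, all-apps MFA policy is the picture an assessor is looking for.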
2. Patching Enforcement Is Absolute — One Device Can Fail Everything
The 14-day patching requirement isn’t new. High and critical security updates (CVSS score 7.0 and above) have always needed to be applied within 14 days of release. What’s changed is the consequence of missing that window.
Under Danzell’s question A6.5, a single unpatched device found during Cyber Essentials Plus testing can fail the entire assessment. For CE+ there is no opportunity to remediate during the assessment: if the auditor finds it, you’ve failed.
The gap most businesses miss isn’t patching Windows. It’s:
- Third-party applications — browsers, Adobe products, Java, media players — which Windows Update and most basic tools don’t cover
- Router and firewall firmware — specifically tested under A6.4 in Danzell, and frequently overlooked
- BYOD devices — personal phones and laptops used for work email that nobody’s managing
- Server applications — particularly IIS, SQL Server, and line-of-business apps
If you’re using a managed IT service, ask your provider to evidence patch compliance across all in-scope devices, including applications and firmware, before you begin your assessment. If you can’t evidence it, an assessor will assume it doesn’t exist.
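A per-device check you (or your provider) can run to produce that evidence for Windows endpoints, as an added example written for this article rather than code from IASME or the NCSC. It uses the Windows Update Agent COM API, assumes it runs on the device (locally or through your RMM), and treats Microsoft’s Critical and Important ratings as the updates that must land inside the window, since Microsoft does not publish CVSS scores per update; it also serves Step 2 of the action plan later in the article.

```powershell
# Added example (not from the article, IASME or the NCSC): list security updates
# still missing from this Windows device via the Windows Update Agent COM API and
# flag any that have been available longer than the 14-day window.
# Assumes it runs on the device (locally or via your RMM); if the device takes
# updates from WSUS, the search is answered by that server.
param([int]$WindowDays = 14)

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
# Applicable, not installed, not hidden by an admin, software (not driver) updates
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$now    = Get-Date
$report = foreach ($u in $result.Updates) {
    # Microsoft rates updates Critical/Important/Moderate/Low rather than by CVSS;
    # treat Critical and Important as the ones that must land inside the window.
    $severity = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unrated' }
    $age      = ($now - $u.LastDeploymentChangeTime).Days
    [pscustomobject]@{
        Title           = $u.Title
        Severity        = $severity
        Released        = $u.LastDeploymentChangeTime.ToString('yyyy-MM-dd')
        DaysOutstanding = $age
        Breach          = ($severity -in 'Critical','Important') -and ($age -gt $WindowDays)
    }
}

$report | Sort-Object DaysOutstanding -Descending | Format-Table -AutoSize

$breaches = @($report | Where-Object { $_.Breach })
if ($breaches.Count -gt 0) {
    Write-Warning "$($breaches.Count) Critical/Important update(s) older than $WindowDays days on $env:COMPUTERNAME"
    exit 1   # non-zero so an RMM script monitor can raise an alert
}

# Note: this covers only what Windows Update knows about. Browsers, Adobe, Java
# and other third-party software need your RMM's third-party patching (or winget)
# to check, and router/firewall firmware has to be compared against the vendor's
# release notes by hand.
```

Run it across the whole estate, not just the machines you expect the assessor to pick, because the CE+ second sample is designed to catch exactly that gap.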
3. Cloud Services Are Now Formally and Explicitly In Scope
Previous versions of Cyber Essentials had a somewhat ambiguous relationship with cloud services. Some organisations exploited this to artificially narrow their scope, declaring only their office laptops and on-premises server while ignoring the Microsoft 365 tenancy where all their actual data lived.
Danzell closes this gap entirely. For the first time, the v3.3 requirements document includes a formal definition of a cloud service:
“A cloud service is an on-demand, scalable service, hosted on shared infrastructure, and accessible via the internet. For the purposes of Cyber Essentials, a cloud service will be accessed via an account and will store or process data for your organisation. Cloud services cannot be excluded from scope.”
This means if your organisation’s data or services are hosted on any cloud platform — SaaS, IaaS, or PaaS — those services are in scope and must be declared. No exceptions.
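One way to draft the cloud-service part of that scope list from what staff actually use, as an added example written for this article rather than code from IASME or the NCSC. It reads Entra ID sign-in logs through the Microsoft Graph PowerShell SDK and assumes Entra ID P1 (the sign-in log API requires it), the Microsoft.Graph module, and an arbitrary output file name.

```powershell
# Added example (not from the article, IASME or the NCSC): draft the cloud
# services part of your scope from Entra ID sign-in logs, i.e. which applications
# staff actually authenticated to in the last 30 days. Assumes Entra ID P1 (the
# sign-in log API needs it) and the Microsoft.Graph PowerShell SDK.
Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All' -NoWelcome

$since   = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All |
           Where-Object { $_.Status.ErrorCode -eq 0 }   # successful sign-ins only

# One row per application: distinct users and most recent use. Anything with
# business data behind it belongs on the scope list; you cannot exclude it.
$apps = $signIns | Group-Object AppDisplayName | ForEach-Object {
    $latest = $_.Group | Sort-Object CreatedDateTime -Descending | Select-Object -First 1
    [pscustomobject]@{
        Application = $_.Name
        Users       = @($_.Group.UserPrincipalName | Sort-Object -Unique).Count
        LastSignIn  = $latest.CreatedDateTime.ToString('yyyy-MM-dd')
        AppId       = $latest.AppId
    }
} | Sort-Object Users -Descending

$apps | Format-Table -AutoSize
$apps | Export-Csv -Path .\cloud-scope-candidates.csv -NoTypeInformation

# Limits: only apps that sign in through Entra ID appear here. SaaS with its own
# logins (e.g. Xero or Dropbox accounts not federated to Microsoft 365) must be
# added from finance records, browser SSO inventories or a staff survey.
```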
Other Important Changes in Danzell
Beyond the three headline changes, Danzell also brings several other updates that SMEs should be aware of:
Simplified scoping language. The terms “untrusted” and “user-initiated” have been removed as qualifiers for internet connections. Any device that connects to the internet and stores or processes organisational data is in scope. This deliberately removes the ambiguity some assessors had been inconsistently applying.
BYOD is in scope if it touches your data. Personal devices (staff phones, home laptops, personal tablets) are in scope for Cyber Essentials if they access corporate email, Microsoft 365, or any cloud service containing business data. A written BYOD policy is not sufficient. Technical controls (MDM, Conditional Access, app protection policies) must be in place and demonstrably enforced.
CE+ double sampling. Cyber Essentials Plus now includes a second independent device sample to verify that remediation has been applied across the entire estate, not just the machines that were initially tested. This is specifically designed to catch “selective patching”: the practice of fixing only the devices you know will be checked. If that’s been part of your approach, Danzell will find it.
Backup guidance added. Backups are not one of the five controls and are not assessed directly. However, v3.3 now explicitly recommends that organisations maintain appropriate backups, keep copies off the primary device, and disconnect removable media when not in use. For CE+ assessments, auditors may discuss resilience posture as part of the broader conversation.
Passwordless authentication formalised. Building on the v3.2 update, Danzell gives further prominence to FIDO2 authenticators, biometrics, hardware security keys, one-time codes, and push notifications as accepted authentication methods. For organisations moving towards passwordless, or those already using Windows Hello for Business or passkeys, this is good news.
More granular scope questions. The Danzell question set includes new questions specifically around router patching (A6.4) and application patching (A6.5), alongside more detailed questions about how scope boundaries are defined and justified. Vague or incomplete scope descriptions are more likely to trigger follow-up questions or failure than in previous versions.
What SMEs Should Do Right Now
Here’s a practical action plan, regardless of when your certificate is due:
Step 1: Audit Your Cloud Services for MFA
List every cloud service your business uses that stores or processes data. For each one, verify that MFA is enabled for all users, not just admins. Prioritise Microsoft 365 or Google Workspace as your primary identity provider, and use Conditional Access or equivalent to enforce MFA as a technical policy rather than a user choice.
Step 2: Review Your Patching Coverage
Don’t assume your current IT management tools cover everything. Specifically check:
- Third-party applications on all devices (not just OS patches)
- Router and firewall firmware versions
- Any devices that fall outside your standard MDM/RMM management, including BYOD
Document the process and be able to evidence the dates patches were applied.
Step 3: Map Your True Scope
List every cloud service, device, server, and network component that stores or processes business data. Include Microsoft 365, your CRM, accounting software, file storage, and any SaaS tools staff use for work purposes. This is now your minimum scope: there is no legitimate way to exclude these from your assessment.
Step 4: Address BYOD
If staff use personal devices for work, decide whether to manage them through MDM/Conditional Access, or restrict them to containerised access (such as Outlook Mobile with Intune app protection policies). A policy document without technical controls will not pass Danzell.
Step 5: Talk to Your IT Provider
If you use a Managed Service Provider, ask them specifically about Danzell readiness. A good MSP should be able to run a gap assessment against v3.3 requirements before you purchase your assessment, identify what needs remediation, and confirm your patching evidence is in order for CE+.
How Much Does Cyber Essentials Cost?
Pricing varies by organisation size and certification body. As a rough guide:
| Organisation size | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| 1–9 employees | From ~£320 | From ~£1,200 |
| 10–49 employees | From ~£440 | From ~£1,500 |
| 50–249 employees | From ~£500 | From ~£2,500+ |
These are assessment costs only. If remediation work is needed before you can pass (additional MFA configuration, patching tooling, MDM deployment), that will add to the overall cost. The earlier you start your gap review, the more control you have over timing and budget.
A Note on Timing If You’re Mid-Assessment
If your assessment account was created before 27 April 2026, you can complete it under the Willow (v3.2) question set until 27 October 2026. After that, all outstanding assessments must restart under Danzell. If you’re currently mid-process, speak to your certification body now about whether it makes sense to finish under Willow or transition to Danzell early.
The Bottom Line
Cyber Essentials under Danzell is genuinely achievable for any SME with a reasonably modern IT setup. Most businesses using Microsoft 365, a managed device estate, and a structured patching process are closer to passing than they think. The most common failure point isn’t technical complexity: it’s not knowing what’s expected before you start.
The two things that will catch businesses out in 2026 are both preventable with a bit of preparation: MFA not enabled on cloud services, and patching gaps in third-party applications and firmware. Address those two areas, get your scope right, and the rest of the assessment becomes straightforward.
If you’d like help preparing for Cyber Essentials or Cyber Essentials Plus under the new Danzell requirements, we offer a free, no-obligation gap assessment against v3.3. We’ll tell you exactly where you stand and what needs to change before you spend a penny on certification.
Download Our Free SME Guide to Cyber Essentials (v3.3 Danzell)
We’ve put together a comprehensive downloadable guide covering everything in this article in more detail — including the five controls explained, a full pre-assessment checklist, and a step-by-step walkthrough of the certification process.
Download: Cyber Essentials SME Readiness Guide 2026 →
For more information about the official Cyber Essentials scheme, visit ncsc.gov.uk/cyberessentials and iasme.co.uk/cyber-essentials.