Cyber Essentials Plus changes 2026: The Danzell Update
by Andrew Mabbitt on Jun 24, 2026
Cyber Essentials Plus has changed: What the Danzell Update means in 2026
A practical breakdown of the v3.3 requirements, the new auto-fail rules and why a certification that passed last year may not pass now. Last updated June 2026.
In my view, the April 2026 update to Cyber Essentials is the most significant revision to the scheme since its launch in 2014, and it's already live. Since 27 April 2026, every new Cyber Essentials and Cyber Essentials Plus assessment has been carried out against the new Danzell question set and v3.3 of the NCSC Requirements for IT Infrastructure. If you certified before then, the rules you certified against no longer apply to your next renewal.
The five core controls are unchanged. What's changed is how strictly they're assessed, and the gap between "we passed last year" and "we'll pass this year" is wider than most IT teams expect.
This article explains what changed, why it changed and what you need to do about it, whether you're renewing, certifying for the first time or trying to work out why a recent assessment didn't go the way you expected.
A quick word on Cyber Essentials vs Cyber Essentials Plus
It's worth being clear about how the two tiers relate, because it shapes everything that follows. Cyber Essentials Plus isn't a separate standard with its own rulebook. It's the base self-assessment plus an independent technical audit on top. To achieve CE+, you first have to pass the self-assessment, then an assessor verifies those same controls hands-on rather than taking your word for them.
That means every change in this article applies to you if you're pursuing CE+. The new auto-fail rules, the cloud scoping and the MFA mandate all sit in the self-assessment layer that CE+ is built on. On top of those, there are two changes that affect the CE+ audit specifically, both covered in the section on the CE+ audit below. So if you only hold or want the base certificate, the first half of this article is your guide; if you're going for Plus, all of it applies.
Quick reference: What changed
| Area | Before (Willow / v3.2) | Now (Danzell / v3.3) |
|---|---|---|
| Question set | Willow | Danzell (live since 27 April 2026) |
| Requirements version | v3.2 | v3.3 |
| Marking | Holistic; some assessor discretion | Auto-fail on critical controls, no discretion |
| MFA on cloud services | Expected | Mandatory where available; missing it is an automatic fail |
| Patching | 14-day expectation | 14-day hard rule, auto-fail (questions A6.4 and A6.5) |
| Cloud services | Often scoped out | Explicitly defined and cannot be excluded |
| CE+ patch testing | Single device sample | Fresh random sample on retest; second failure revokes the certificate |
| Self-assessment after CE+ | Could be adjusted | Locked before testing, cannot be changed |
The Headline: Willow is out, Danzell is in
The Cyber Essentials scheme is reviewed and updated every year by the NCSC and IASME, the body that delivers the scheme on the NCSC's behalf. Each version of the self-assessment question set gets a name, and each version of the underlying Requirements document gets a number. The full detail of this year's changes sits in IASME's official update announcement, which this article draws on and expands with practical guidance.
Since 27 April 2026, the Willow question set (built on v3.2 of the Requirements) has been replaced by the Danzell question set, built on v3.3 of the Requirements for IT Infrastructure. The Danzell question set was published on 13 February 2026 and can still be downloaded from the IASME website to prepare against.
If you registered an assessment account before 27 April 2026, you were given a transition window to complete certification under the old Willow requirements. Everyone else, including everyone renewing now, is assessed under Danzell and v3.3.
That renewal point is the one that catches people out. You don't get to recycle last year's answers. If your renewal falls now, you're assessed against v3.3 regardless of which version you originally certified under. The certificate in your inbox from last year tells you nothing about whether you'd pass today.
(A quick note on dates, because you'll see both online: the last day to purchase under the old Willow set was Sunday 26 April 2026, so Danzell and v3.3 have applied to everything bought from 27 April onwards.)
The biggest change: Auto-fail questions
This is the single most important shift in the update.
Previously, Cyber Essentials was marked holistically. A weakness in one area could sometimes be balanced against strength elsewhere, and an assessor often had discretion to flag a problem and let you fix it during the process. Under Danzell, certain questions are designated auto-fail: get one of them wrong and you fail the entire assessment, no matter how strong everything else is. There is no discretion and no second chance during the assessment.
Three areas now carry auto-fail status.
Multi-factor authentication on cloud services. MFA is now mandatory for all cloud services where it is available. If a cloud service offers MFA and you haven't enabled it for all users, you fail, full stop. This applies regardless of whether MFA is free, bundled into your subscription, delivered through single sign-on, dependent on another service or only available as a paid add-on. "It costs extra" is no longer an acceptable reason not to have it. Missing MFA is one of the most consistent root causes in the real breach data IASME and the NCSC review each year, which is why the scheme now treats its absence as a critical failure.
Timely patching of operating systems and firmware (question A6.4). All high-risk or critical security updates and vulnerability fixes for operating systems, routers and firewall firmware must be installed within 14 days of release. Miss that window and it's an automatic fail. Importantly, the 14-day clock starts from the date the vendor publishes the patch, not the date your scanner happens to find it. Organisations running a monthly patch cycle are, by definition, outside that window.
Timely patching of applications (question A6.5). The same 14-day rule applies, as its own separate auto-fail question, to applications and their associated files and extensions. This is the one that quietly catches people, because a device management dashboard confirming Windows Update ran tells you nothing about whether Adobe, Java, Zoom, your browsers and their extensions are current. Each piece of third-party software has its own update mechanism, or none at all, and all of it is in scope.
Organisations without automated patch visibility will almost certainly fail this control on audit. If your team cannot produce a timestamped record of patch deployment across all in-scope devices, it is an audit failure waiting to happen.
There's also a related hard line worth flagging: out-of-support software is a categorical fail. With Windows 10 having reached end of support in October 2025, any organisation still running it without Extended Security Updates at the point of certification should expect to fail on that alone.
Cloud Services: The grey area is gone
For years, the fuzziest part of any Cyber Essentials assessment was cloud. Organisations routinely assumed that if a service was run by a third party, the third party was responsible for securing it, and it therefore sat outside the assessment scope. That assumption was always shaky. Under v3.3 it's explicitly wrong.
The Requirements document now carries a formal definition: a cloud service is an on-demand, scalable service hosted on shared infrastructure and accessed over the internet, reached via an account and used to store or process your organisation's data. And the line that follows it leaves no room for interpretation: if your organisation's data or services are hosted on cloud services, those services must be in scope. Cloud services cannot be excluded. The full wording sits in the NCSC Requirements for IT Infrastructure v3.3, the official standard behind the scheme.
In plain terms, Microsoft 365, Google Workspace, your CRM, your file storage, your HR platform, your finance system, your accounting software, your project management tools and every other SaaS product where company data lives or is processed is in scope by default. The way those environments are configured now counts towards your certification, and the MFA auto-fail rule above applies squarely to all of them.
This is the change most likely to surface gaps, and the reason is almost always the same: shadow IT. Nearly every organisation that runs a proper inventory discovers SaaS products in active use that the IT team never knew about: a marketing tool someone expensed, a design platform one team adopted, a data tool a developer started trialling. Each of those now needs to be inventoried, brought under MFA and counted in scope.
Many organisations have never formally scoped their cloud tenants for Cyber Essentials. If your Microsoft 365 or Google Workspace configuration has not been reviewed against the Danzell requirements, assume it needs work before your next assessment.
What else changed in the requirements
Beyond the headline items, v3.3 tightens several things that are easy to overlook but can still sink an assessment.
Stronger authentication requirements. Password requirements have been firmed up, including a 12-character minimum where passwords are used without an additional protective measure, and the scheme now expects phishing-resistant MFA for administrator accounts. The user access control section also actively promotes passkeys and other passwordless methods as a more secure alternative to passwords. The direction of travel is clear: passwords alone are treated as a weak foundation.
Scoping language has been tightened. The qualifiers "untrusted" and "user-initiated" have been removed from how internet connections are described, removing a common source of confusion. More significantly, if you exclude anything from your scope you now have to justify the exclusion and explain how the excluded network is segregated from your in-scope systems. Vague scoping is no longer tolerated.
"Web applications" is now "application development" and references the UK Government's Software Security Code of Practice. Publicly available commercial web applications are in scope by default; bespoke and custom-built components are out of scope.
The "whole organisation" route for groups has narrowed. If you're part of a group and want to certify a single company as a whole organisation, you now have to demonstrate genuinely separate legal responsibility, separate network infrastructure and distinct legal entities with no shared governance.
Backups have been moved earlier in the document to emphasise their role in recovering from an incident, a quiet but telling reflection of how central ransomware recovery has become.
Scope and certificate transparency improvements. Organisations can now give unlimited-length scope descriptions on the digital certificate platform, must list any out-of-scope areas (kept private), and must name every legal entity in scope with company numbers. Individual certificates can be issued per legal entity within a larger scope, for a small additional charge.
The Cyber Essentials Plus Audit has real teeth now
Everything above applies to the self-assessment, and therefore to CE+ as well, since CE+ is built on top of it. But Cyber Essentials Plus goes a step further: an independent assessor technically verifies that your controls actually work, rather than taking your word for it. That hands-on testing is what makes CE+ worth so much more to clients, insurers and procurement teams than the self-assessed base certificate. It's tested, not declared.
This is also where the two genuinely CE+ specific changes live. The update closes two loopholes in how that testing was being handled, and both matter.
The selective patching loophole is closed. Recent audits found that some organisations, when an assessor flagged a missing update during sampling, were patching only the specific devices in the test sample, passing the audit and leaving the rest of their estate unpatched. Under the new process, if you fail the initial test on a random sample you remediate and retest. On retest the assessor rechecks the original sample and also pulls a fresh random sample, to confirm you've fixed the problem across the whole environment and not just on the devices that happened to get tested. A second failure now results in revocation of the verified self-assessment certificate, not just the CE+. The incentive to game the sample is gone.
You can't retrofit your self-assessment after testing. Organisations were previously able to quietly adjust their self-assessment answers based on what the CE+ audit turned up. That's now prohibited. The self-assessment must be completed, finalised and locked before CE+ testing begins, and it can't be changed afterwards. The two halves of the certification have to agree with each other.
There's also a clarification on timing: the scheme now states explicitly that the "point in time" a certificate represents is the date the certificate is issued, and your systems need to be supported and compliant as at that date. And the director-level declaration has been reworded so that whoever signs it is formally acknowledging a responsibility to maintain compliance throughout the certification period, not just on assessment day. The badge is no longer a snapshot; it's a commitment.
Why this is harder than it looks
On paper, none of these changes are dramatic. MFA, patching within 14 days, knowing where your data lives: this is all basic hygiene, and any well-run IT function should be doing it already.
The difficulty isn't understanding the requirements. It's proving compliance across a real, messy, distributed estate, under a marking scheme that no longer gives you partial credit.
Consider what "MFA on all cloud services where available" actually requires you to know. You need a complete and current inventory of every cloud service your organisation uses, including the ones individual teams signed up for without telling IT. You need to know which of those offer MFA. You need it actually enforced, not just available, on every one of them, for every user, not just admins. A single forgotten SaaS tool with a login and no MFA is now an automatic failure. The most common version of this failure is painfully ordinary: MFA switched on for Microsoft 365 or Google Workspace, but missing on a secondary cloud service nobody thought to check.
The same applies to the 14-day patching rule. Meeting it once is easy. Proving you meet it consistently, across every operating system, every router, every firewall and every application and extension in scope, is an operational discipline, not a one-off task. And with the CE+ retest now sampling fresh devices after a failure, the days of patching just enough to pass are over.
Home and hybrid working make all of this harder. Devices that connect from home, personal devices used for work and the networks they sit on are part of the picture. For most organisations that means a genuine look at device management, conditional access and the controls applied to personally owned equipment, not a policy document that says the right things while the enforcement isn't there.
How to prepare: a practical checklist
Whether you're renewing or certifying for the first time, the organisations that come through cleanly treat this as a readiness exercise rather than a form-filling one. A sensible sequence looks like this.
- Build a complete cloud service inventory. This is the highest-value thing you can do, and for most organisations it surfaces more than expected. Every SaaS platform where company data lives or is processed goes on the list, including shadow IT. For each one, confirm whether MFA is available and, where it is, that it's enforced for all users.
- Audit your patching against the 14-day rule. Not "do we patch?" but "can we evidence that every high-risk and critical update across operating systems, firmware, applications and extensions is applied within 14 days, every time?" Remember the clock starts at vendor release, and a monthly cycle won't meet it.
- Check for out-of-support software. Anything past end of support without extended security updates, Windows 10 being the obvious one, is a categorical fail. Find it before the assessor does.
- Tighten authentication. Phishing-resistant MFA for admins, a 12-character minimum where passwords stand alone, and a serious look at passkeys where you can deploy them.
- Pin down your scope and exclusions. Be ready to describe your scope in detail, name your in-scope legal entities and justify and evidence the segregation of anything you exclude.
- Do a dry run before you pay for the portal. IASME lets you download the Danzell question set and work through it in advance. Treat the real submission as data entry once you've already found and fixed the gaps, rather than discovering them live.
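As an added example (not from the article, and not IASME, NCSC or Conosco tooling), here is a small readiness check that applies the auto-fail rules described above to the inventory the checklist asks you to build: MFA enforced for every user wherever a cloud service offers it, each high-risk fix applied within 14 days of vendor release (split into A6.4 and A6.5, with a still-missing fix ageing up to the intended certificate date), and no out-of-support software without ESU. The data model, function names, device names and dates are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_WINDOW = timedelta(days=14)  # the 14-day rule; the clock starts at vendor release

@dataclass
class CloudService:            # one row of the cloud service inventory
    name: str
    mfa_available: bool
    users: int
    users_with_mfa: int

@dataclass
class PatchRecord:             # one high-risk/critical fix on one in-scope device
    device: str
    component: str
    question: str              # "A6.4" (OS/firmware) or "A6.5" (applications/extensions)
    vendor_release: date       # date the vendor published the fix, not scanner detection
    installed: Optional[date] = None   # None: still missing on this device

@dataclass
class Software:                # installed product with a known end-of-support date
    device: str
    name: str
    support_ends: Optional[date]       # None: still supported
    has_esu: bool = False

def check_mfa(services):
    """Auto-fail: MFA offered by the service but not enforced for every user."""
    return [f"{s.name}: MFA available but enforced for {s.users_with_mfa}/{s.users} users"
            for s in services if s.mfa_available and s.users_with_mfa < s.users]

def check_patching(records, as_of):
    """Auto-fail (A6.4/A6.5): fix applied later than 14 days after vendor release.
    A fix that is still missing keeps ageing up to the as-of (certificate) date."""
    findings = {"A6.4": [], "A6.5": []}
    for r in records:
        deadline = r.vendor_release + PATCH_WINDOW
        applied = r.installed if r.installed is not None else as_of
        if applied > deadline:
            state = f"installed {r.installed}" if r.installed else "not installed"
            findings[r.question].append(
                f"{r.device}/{r.component}: released {r.vendor_release}, deadline {deadline}, {state}")
    return findings

def check_support(software, as_of):
    """Categorical fail: past end of support on the as-of date with no ESU."""
    return [f"{s.device}/{s.name}: support ended {s.support_ends}, no ESU"
            for s in software if s.support_ends and s.support_ends < as_of and not s.has_esu]

def readiness(services, records, software, as_of):
    """Collect findings per area; any finding at all means the assessment would auto-fail."""
    patch = check_patching(records, as_of)
    result = {"mfa": check_mfa(services), "A6.4": patch["A6.4"], "A6.5": patch["A6.5"],
              "unsupported": check_support(software, as_of)}
    result["auto_fail"] = any(result.values())
    return result

# Constructed sample inventory (hypothetical device names and dates).
AS_OF = date(2026, 6, 15)  # intended certificate issue date: compliance is judged as at this date
SERVICES = [CloudService("Microsoft 365", True, 120, 120),
            CloudService("Design tool expensed by marketing", True, 6, 0)]  # shadow IT, MFA never enabled
PATCHES = [PatchRecord("LAP-017", "Windows 11 cumulative update", "A6.4", date(2026, 5, 12), date(2026, 5, 20)),
           PatchRecord("FW-01", "Firewall firmware", "A6.4", date(2026, 5, 5), date(2026, 6, 2)),  # monthly cycle: 28 days
           PatchRecord("LAP-017", "Browser extension", "A6.5", date(2026, 6, 4)),                 # 11 days old, inside the window
           PatchRecord("LAP-022", "PDF reader", "A6.5", date(2026, 5, 1))]                        # never installed
SOFTWARE = [Software("LAP-040", "Windows 10", date(2025, 10, 14))]  # out of support since October 2025, no ESU
```

Calling readiness(SERVICES, PATCHES, SOFTWARE, AS_OF) on the sample data flags the design tool, the firewall, the PDF reader and the Windows 10 laptop and sets auto_fail to True, while the browser extension is not yet a finding because its 14-day window has not closed on the as-of date.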
Frequently Asked Questions
When did the Cyber Essentials changes take effect?
The Danzell question set and v3.3 of the NCSC Requirements for IT Infrastructure took effect on 27 April 2026. The last day to purchase certification under the previous Willow question set and v3.2 was 26 April 2026. Anyone purchasing or renewing from 27 April 2026 onwards is assessed against the new requirements.
What is the Danzell question set?
Danzell is the name of the Cyber Essentials self-assessment question set introduced in April 2026, replacing the previous version known as Willow. It's built on v3.3 of the Requirements for IT Infrastructure and is stricter in how it's marked, including new automatic-fail questions.
What are the auto-fail questions in Cyber Essentials v3.3?
Three areas now trigger automatic failure of the whole assessment if not met: missing multi-factor authentication on any cloud service that supports it; failure to patch high-risk or critical operating system and firmware vulnerabilities within 14 days (question A6.4); and failure to patch high-risk or critical application vulnerabilities within 14 days (question A6.5). Running out-of-support software is also treated as a categorical fail.
Is MFA mandatory for Cyber Essentials now?
Yes. MFA is mandatory on every cloud service that offers it, for all users. This applies whether MFA is free, bundled, delivered via single sign-on or only available as a paid feature. Missing it on any in-scope cloud service is an automatic failure.
Are cloud services like Microsoft 365 in scope?
Yes. Under v3.3, any cloud service that stores or processes your organisation's data is explicitly in scope and cannot be excluded. That includes Microsoft 365, Google Workspace, CRMs, cloud storage, HR and finance platforms and any other SaaS tool holding company data.
Will my existing Cyber Essentials certification still be valid?
Your current certificate remains valid until its expiry date. However, when you renew, you'll be assessed against v3.3 and the Danzell question set regardless of which version you originally certified under. You can't reuse last year's answers, and a certification that passed under Willow may not pass under Danzell without changes.
What changed for Cyber Essentials Plus specifically?
Two main things. The patch-management audit now pulls a fresh random sample of devices on retest after a failure, to stop organisations patching only the originally tested devices, and a second failure revokes the verified self-assessment certificate. Separately, the self-assessment must now be finalised and locked before CE+ testing begins and cannot be adjusted based on the audit's findings.
How long does it take to get ready for the new standard?
It depends entirely on your starting point. Organisations that already enforce MFA everywhere, patch within 14 days and have a clear cloud inventory may need very little. Those discovering shadow IT, inconsistent patching or out-of-support systems should allow several weeks to remediate before booking an assessment.
How Conosco can help
The April 2026 update rewards organisations that prepare properly and punishes those that treat certification as a paperwork exercise. The auto-fail rules in particular mean a single overlooked control, one cloud app without MFA, one class of device that slips past the 14-day window, one forgotten Windows 10 machine, can sink an otherwise strong assessment. The cost of finding that out on assessment day is far higher than finding it beforehand.
This is where our offensive security background earns its keep. We don't just check whether you've ticked the boxes; we look at your estate the way an assessor will, and the way an attacker would. The gap analysis is sharper because we know where controls tend to quietly fail in practice rather than on paper. We help organisations with:
- Cyber Essentials and CE+ readiness assessments - A pre-assessment review of your environment against the v3.3 requirements, producing a prioritised gap report so you know exactly what needs fixing before you sit the real thing. No surprises on the day.
- Remediation support - Practical, hands-on help closing the gaps we find, whether that's enforcing MFA across your cloud platforms, tightening patch management so the 14-day rule is consistently met, or sorting out device management for home and hybrid workers.
- Penetration testing and technical assurance - For organisations that want more than the baseline, testing that goes beyond CE+ to show how your defences actually hold up against a determined attacker. CE+ is a foundation, not a finish line.
- Ongoing security support - Many organisations come for certification and stay for the broader security picture the assessment surfaces. We're set up to support you well beyond the certificate.
Organisations that achieve CE+ under the Danzell requirements complete roughly 40-50% of the groundwork for ISO 27001. If that is on your roadmap, the work you do here counts.
That's a lot to take in
If you've read this far, you're already ahead of most. These changes can feel daunting at first glance, especially the auto-fail rules, and if you're not certain how they affect your specific setup, you're in good company. Most of the IT teams we speak to are confident about two or three of the requirements and genuinely unsure about the rest.
So if it would help, we're offering a free 30-minute readiness call. No pitch, no obligation. On the call, we will review your current scoping against the Danzell requirements, identify the controls most likely to trigger an auto-fail in your environment, and provide a plain-English summary of what needs fixing before your assessment. You leave with a clear action list, not just a conversation.
Whether you take us up on the call or simply use this article to get your own house in order, the goal is the same: walk into your next assessment knowing you'll pass, rather than hoping you will.
You can book the call or ask us anything at conosco.com.
