
If you are planning to apply for Cyber Essentials or Cyber Essentials Plus, there is an important change to be aware of.
From 27 April 2026, new Cyber Essentials assessments moved to the updated Danzell question set, based on version 3.3 of the Cyber Essentials Requirements for IT Infrastructure. The five core controls have not changed, but the way some requirements are assessed has become stricter. IASME says the update is intended to improve clarity, consistency and effectiveness across the scheme.
That matters because some areas that may previously have been treated as issues to resolve can now lead to an automatic failure.
The biggest practical change is around multi-factor authentication, often shortened to MFA.
MFA is now mandatory for cloud services where it is available. IASME’s update states that organisations will automatically fail the assessment if MFA is not implemented for cloud services where it is available, whether MFA is free, included in the service, or only available as a paid option.
That last part is important. If a service offers MFA only on a higher licence tier, applicants should not assume that cost is a valid reason for leaving it switched off.
In practice, this means you need to know which cloud services your organisation uses, who has access to them, and whether MFA is enabled for those users.
The updated requirements also remove a common area of confusion. If your organisation’s data or services are hosted in cloud services, those services must be in scope. The NCSC requirements are explicit that cloud services cannot be excluded from scope.
This is likely to affect more organisations than they first expect.
It is not just Microsoft 365, Google Workspace or AWS. A cloud service can include any internet-accessible service that stores or processes organisational data through an account. IASME describes this as an on-demand, scalable service hosted on shared infrastructure and accessible via the internet.
For applicants, the useful starting point is a simple list of cloud services used by the business. That should include obvious systems like email and file storage, but also HR platforms, finance tools, ticketing systems, CRMs, project management tools, remote support platforms and any other service that holds business data.
The Danzell update also tightens the rules around security updates.
Two new security update management questions are now treated as auto-fail questions. They cover high-risk or critical updates and vulnerability fixes for operating systems, router and firewall firmware, and applications, including associated files and extensions. If those updates are not installed within 14 days of release, non-compliance can result in an automatic failure.
The NCSC requirements say that in-scope software must be licensed, supported, removed or isolated if unsupported, have automatic updates enabled where possible, and be updated within 14 days where the update fixes critical or high-risk vulnerabilities, addresses a CVSS v3 score of 7 or above, or does not provide severity details.
The practical point is simple. Applicants need a reliable patching process, not just a general intention to keep things updated.
Scope has always mattered in Cyber Essentials, but Danzell puts more emphasis on making it clear and defensible.
Organisations will no longer be limited to a brief scope description on certificates. They will also need to describe excluded areas of infrastructure, identify legal entities included in the assessment, and can request individual certificates for legal entities within a wider scope.
This should help reduce ambiguity, but it also means applicants need to think about scope before they start the assessment.
A vague answer such as “our main office systems” is unlikely to be enough. You should be ready to explain which business areas, networks, devices, cloud services and legal entities are included, and why anything has been left out.
Cyber Essentials has always been a point in time assessment, but Danzell clarifies what that means.
IASME says the point in time is the date the certificate is issued. Organisations must therefore make sure their systems are supported at the date of certification.
This is a small wording change with a real-world impact.
If a device, operating system, firewall, router or application becomes unsupported before the certificate is issued, it may affect the assessment. Applicants should not wait until the form is nearly submitted before checking support status.
The verified self-assessment declaration signed by a board member or director is also being updated.
IASME says the declaration will include a statement acknowledging the organisation’s responsibility to maintain compliance with all Cyber Essentials controls throughout the certification period.
That does not turn Cyber Essentials into continuous monitoring, but it does reinforce the expectation that certification is not something to achieve once and then forget about.
If you certify in May and then stop patching properly in June, you may still have a certificate, but you are no longer operating in the spirit of the scheme.
Cyber Essentials Plus is also affected.
The CE+ process is being changed to deal with cases where organisations updated only the sampled devices during the audit rather than fixing the issue across the wider scope. Under the revised process, if an organisation fails the initial random sample, it must remediate and then undergo a retest. During that retest, the assessor will check the original sample and a new random sample to confirm that fixes have been applied more widely. A second failure can result in revocation of the verified self-assessment certificate.
There is also a change to the verified self-assessment itself. Organisations will no longer be able to adjust their VSA responses based on the results of CE+ testing. The VSA must be completed, finalised and remain unchanged before CE+ testing begins.
For applicants, that means CE+ should not be treated as a discovery exercise. The self-assessment needs to be accurate before the technical audit starts.
The main message is not that Cyber Essentials has become a different scheme. The five core controls remain the same. The bigger change is that there is less room for ambiguity in important areas.
If you are applying for CE or CE+, you should check a few things early:
Make sure MFA is enabled on every cloud service where it is available.
Confirm that all cloud services holding or processing organisational data are included in scope.
Check that high-risk and critical updates are being applied within 14 days.
Review unsupported software, devices, firewalls and routers before the assessment starts.
Define your scope clearly, including legal entities and exclusions.
For CE+, make sure the verified self-assessment is accurate before testing begins.
Danzell raises the bar, but it also makes the expectations clearer.
For many organisations, the biggest challenge will not be the questionnaire itself. It will be finding all the cloud services in use, checking whether MFA is properly enabled, and proving that patching is happening consistently across the full scope.
The best time to deal with that is before the assessment account is created, not when the submission deadline is approaching.
If you are planning Cyber Essentials or Cyber Essentials Plus, it is worth doing a readiness review first. That gives you time to find the gaps, fix them properly, and avoid an avoidable failure under the new rules.




