WHAT IS CYBER ESSENTIALS DANZELL?

Danzell is the name given to the latest version of the Cyber Essentials question set, which came into force on 27 April 2026. It replaces the previous Willow question set and aligns with version 3.3 of the NCSC Requirements for IT Infrastructure document.

Like all Cyber Essentials updates, Danzell was developed by the NCSC and IASME in response to how organisations actually use technology today — and the real-world attack patterns that are catching UK businesses out. The five core controls remain exactly the same. What has changed is how strictly some of them are assessed, with new automatic failure conditions introduced for the first time in the scheme's history.

If you create a new Cyber Essentials assessment account on or after 27 April 2026, you will be assessed against the Danzell question set and v3.3 requirements. If you had an active Willow account before that date, you have until 27 October 2026 to complete your assessment under the previous version.

Key date: 27 April 2026 — Danzell goes live for all new Cyber Essentials assessment accounts. Willow accounts opened before this date have until 27 October 2026 to complete. CE Plus Willow accounts have until 27 January 2027.

THE FIVE KEY CHANGES IN DANZELL

1. MFA Is Now Mandatory for All Cloud Services — and Failure Is Automatic

This is the most significant change in Danzell, and the one most likely to catch UK organisations out. Under the previous Willow question set, MFA was strongly encouraged for cloud services. Under Danzell, it is mandatory — with no exceptions.

The rule is simple: if a cloud service you use supports MFA, you must have it enabled for all users. If it is not enabled, your assessment will automatically fail — regardless of how well you perform across every other control.

This applies whether MFA is:

  • Free and built into the service (such as Microsoft 365 or Google Workspace)
  • Available via a connected single sign-on service
  • A paid add-on feature
  • Enabled on your identity provider but not enforced at the application level

For many organisations, the most common gap is Microsoft 365 accounts where MFA has been set up but not enforced via Conditional Access — users can still bypass it. Under Danzell, this will fail. The MFA must be enforced, not optional.

Auto-fail condition: If any cloud service supports MFA and it is not enabled for all users, your Cyber Essentials assessment will automatically fail. This is a new hard rule introduced with Danzell — it did not exist under Willow.
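The Microsoft 365 gap described above (MFA registered but not enforced) can be checked against the tenant's Conditional Access policies. The following is an added example, not code from the page or from IASME/NCSC: it evaluates policies in the JSON shape returned by the Microsoft Graph endpoint GET /identity/conditionalAccess/policies (the sample policies and their ids are constructed) and reports whether any enabled policy requires MFA for all users on all cloud apps, listing exclusions and report-only policies as gaps. Treating an authentication strength as MFA-level is an assumption noted in the code.

```python
import json
# Constructed sample in the shape returned by Microsoft Graph's
# GET /identity/conditionalAccess/policies (Graph field names, made-up values).
SAMPLE_POLICIES = json.loads("""[
 {"displayName": "MFA - pilot group", "state": "enabled",
  "conditions": {"users": {"includeUsers": [], "includeGroups": ["pilot-group-guid"],
                           "excludeUsers": [], "excludeGroups": []},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"], "authenticationStrength": null}},
 {"displayName": "MFA - all users", "state": "enabledForReportingButNotEnforced",
  "conditions": {"users": {"includeUsers": ["All"], "includeGroups": [],
                           "excludeUsers": ["break-glass-guid"], "excludeGroups": []},
                 "applications": {"includeApplications": ["All"]}},
  "grantControls": {"operator": "OR", "builtInControls": ["mfa"], "authenticationStrength": null}}
]""")

def requires_mfa(grant):
    """True only if the grant cannot be satisfied without an MFA-level factor."""
    if not grant:
        return False
    # Assumption: an authentication strength (how passkey/FIDO2 requirements are
    # expressed) is MFA-level; custom strengths should still be reviewed by hand.
    if grant.get("authenticationStrength"):
        return True
    controls = grant.get("builtInControls") or []
    # With operator OR, a second control (e.g. compliantDevice) lets users skip MFA.
    return "mfa" in controls and (len(controls) == 1 or grant.get("operator") == "AND")

def evaluate_policy(policy):
    """Return (tenant_wide_mfa, reasons) for one Conditional Access policy."""
    reasons = []
    users = policy["conditions"]["users"]
    if policy.get("state") != "enabled":  # report-only or disabled enforces nothing
        reasons.append("not enabled (state=%s)" % policy.get("state"))
    if "All" not in users.get("includeUsers", []):
        reasons.append("does not target all users")
    if "All" not in policy["conditions"]["applications"].get("includeApplications", []):
        reasons.append("does not cover all cloud apps")
    if not requires_mfa(policy.get("grantControls")):
        reasons.append("grant controls do not strictly require MFA")
    excluded = users.get("excludeUsers", []) + users.get("excludeGroups", [])
    if excluded:
        reasons.append("excludes %d user(s)/group(s): %s" % (len(excluded), ", ".join(excluded)))
    return (not reasons, reasons)

def audit_mfa_enforcement(policies):
    """Danzell view: pass only if some policy enforces MFA for all users on all apps."""
    results = [(p["displayName"],) + evaluate_policy(p) for p in policies]
    return {"enforced_for_all_users": any(ok for _, ok, _ in results),
            "gaps": [(name, why) for name, ok, why in results if not ok]}
```

Against the constructed sample the audit reports no tenant-wide enforcement: one policy only targets a pilot group, the other is report-only and excludes an account.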

2. New Auto-Fail Questions for Patching

The 14-day requirement for applying high-risk and critical security updates is not new — but Danzell introduces two specific auto-fail questions that make enforcement significantly stricter:

  • A6.4: Are all high-risk or critical security updates and vulnerability fixes for operating systems and router/firewall firmware installed within 14 days of release?
  • A6.5: Are all high-risk or critical security updates and vulnerability fixes for applications, including associated files and extensions, installed within 14 days of release?

Answering no to either question results in an automatic failure, regardless of everything else. The definition of a "vulnerability fix" has also been broadened — it now includes not just patches and software updates, but also configuration changes, registry edits, and vendor-supplied scripts that address a known vulnerability.

3. Cloud Services Are Now Formally Defined and Cannot Be Excluded

For the first time, Danzell includes a formal definition of what counts as a cloud service for Cyber Essentials purposes:

"A cloud service is an on-demand, scalable service, hosted on shared infrastructure, and accessible via the internet. For the purposes of Cyber Essentials, a cloud service will be accessed via an account and will store or process data for your organisation."

Critically, cloud services can no longer be excluded from scope. If a service stores or processes your organisation's data, it is in scope, full stop. This includes:

  • Microsoft 365, Google Workspace and other productivity platforms
  • CRM systems such as Salesforce or HubSpot
  • Accounting software like Xero or QuickBooks Online
  • Project management tools such as Monday.com, Asana, or Jira
  • Social media accounts used for business purposes
  • Cloud storage such as Dropbox, OneDrive, or Google Drive
  • Any SaaS platform that processes your organisation's data

If you have previously kept your Cyber Essentials scope narrow by excluding cloud services, you will need to revisit that approach before applying under Danzell.

4. Tightened Scoping — Exclusions Now Require Written Justification

The previous qualifiers "untrusted" and "user-initiated" as descriptions for internet connections have been removed from the scoping criteria. This simplifies the language but broadens what is captured in scope.

Where any part of your infrastructure is excluded from scope, Danzell now requires a written justification explaining what is excluded, why, and how effective technical segregation is achieved. Assessors will expect to see evidence of genuine segregation — a written policy alone is unlikely to be sufficient.

You must also list all legal entities, addresses, and company registration numbers that are in scope in your application.

5. Stronger Guidance on Passwordless Authentication

Danzell provides expanded recognition of passwordless authentication methods — including FIDO2 authenticators, biometrics, security keys, passkeys, one-time codes, and push notifications. These are now formally accepted as compliant MFA methods under the scheme.

This reflects the direction of travel in modern authentication and gives organisations clarity on how to implement compliant controls without relying on traditional password-plus-code MFA.

WHAT HAS NOT CHANGED

It is worth being clear about what Danzell does not change:

  • The five core Cyber Essentials controls remain exactly the same — firewalls, secure configuration, user access control, malware protection, and patch management
  • The overall structure of the scheme — self-assessment questionnaire reviewed by a certification body, with CE Plus adding an independent technical audit
  • IASME remains the sole delivery partner for the NCSC Cyber Essentials scheme
  • Pricing remains the same, based on organisation size
  • Certificate validity remains 12 months for Cyber Essentials and Cyber Essentials Plus

Area | Under Willow | Under Danzell (from 27 April 2026)
MFA on cloud services | Strongly recommended | Mandatory — auto-fail if not enabled
Patching enforcement | 14-day requirement | 14-day requirement — two new auto-fail questions
Cloud service definition | No formal definition | Formally defined — cannot be excluded from scope
Scope exclusions | Allowed with justification | Require written justification + evidence of segregation
Passwordless auth | Recognised | Expanded — FIDO2, passkeys formally included
Auto-fail conditions | None | MFA on cloud services + two patching questions

WHAT UK BUSINESSES SHOULD DO NOW

If you are planning to certify or renew your Cyber Essentials under Danzell, here is a practical checklist to work through before you apply. You can also use our interactive Cyber Essentials readiness checklist to track your preparation against all five controls.

  • Audit every cloud service your organisation uses — build a complete list including any SaaS tools, productivity platforms, CRM, accounting software, and file storage. If it holds your data and requires a login, it is in scope.
  • Check MFA is enforced, not just enabled, on every cloud service. Having MFA available is not enough: it must be enforced for all users. For Microsoft 365, verify Conditional Access policies are in place, not just per-user MFA settings.
  • Review your patching process — can you evidence that critical and high-severity updates are applied within 14 days? If you are relying on auto-updates alone, be aware they do not always catch third-party application patches.
  • Revisit your scope — if you have previously excluded cloud services, they will need to be included under Danzell. Prepare clear documentation for anything you do exclude, with evidence of technical segregation.
  • Check your social media accounts — business social media accounts are now explicitly treated as cloud services under Danzell and should be reviewed for inclusion in scope.

Working with a certification body like Vincent Cyber Defence means you get guided submission support against the Danzell requirements — helping you identify issues in advance so you can address them with time to spare.

WHAT ABOUT CERTIFICATES ISSUED UNDER WILLOW?

If your organisation already holds a Cyber Essentials certificate issued under the Willow question set, it remains fully valid until its expiry date. You do not need to do anything immediately. However, when you come to renew, your renewal assessment will be conducted under Danzell if your account is created on or after 27 April 2026.

This means the changes above — particularly around MFA on cloud services and patching auto-fail conditions — will apply at your next renewal. Starting your preparation early is strongly advisable, particularly for organisations with complex cloud environments or where MFA enforcement may need time to implement properly.

CYBER ESSENTIALS PLUS UNDER DANZELL

Danzell introduces significant changes to how the CE Plus technical audit handles device sampling and remediation — specifically to close the loophole of selective patching. Here is what has changed.

No Selective Remediation: The Two-Sample Process

Danzell introduces a structured two-sample scanning process designed to prevent organisations from only patching the devices that happen to be selected for testing. The purpose of Sample 2 is specifically to verify that patches and updates have been applied organisation-wide — not just on the initially sampled devices.

Sample 1: If high or critical vulnerabilities are detected by the IASME-approved scanning tool in the first sample, a mandatory retest with newly sampled devices is required.

Sample 2: A new random sample of devices, checked for high or critical vulnerabilities older than 14 days. The possible outcomes are:

  • If no high or critical vulnerabilities older than 14 days are detected — meaning all previously found issues have been resolved across the organisation — a clean CE Plus Pass is awarded with no advisory.
  • If new or different high or critical vulnerabilities (older than 14 days) are detected, this will result in an advisory being noted on the CE Plus report — but a CE Plus Pass is still awarded.
  • If the same vulnerabilities as those from Sample 1 are detected, a CE Plus fail report is issued. Because your CE Basic declaration attested that you patch within 14 days — and Sample 2 has demonstrated that is not the case across the organisation — IASME can also revoke your underlying Cyber Essentials basic certificate. The result is that you must re-apply for Cyber Essentials basic from scratch before restarting CE Plus, incurring both additional cost and delay.

What this means in practice: You cannot patch only the sampled devices and expect to pass. Remediation must be applied consistently across your entire device estate. Sample 2 exists to confirm exactly that.
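The two-sample decision rules above, written out as an added example (not IASME's or the scanning tool's own logic): a Sample 1 with any high or critical findings triggers a retest, and Sample 2 is then judged on high/critical findings older than the 14-day window, with a repeat of a Sample 1 issue taking precedence over new issues. The findings, device names and vulnerability ids are constructed placeholders.

```python
# Constructed scanner findings: (device, vulnerability id, severity, days since the fix was released).
# A real run would take these from the IASME-approved scanning tool; the ids are placeholders.
SAMPLE_1 = [
    ("LAPTOP-01", "VULN-A", "critical", 30),
    ("LAPTOP-02", "VULN-B", "high", 20),
    ("LAPTOP-03", "VULN-C", "medium", 40),   # medium severity: not a CE Plus trigger
]
SAMPLE_2 = [
    ("LAPTOP-07", "VULN-A", "critical", 31),  # same issue as Sample 1, still unpatched elsewhere
    ("LAPTOP-09", "VULN-D", "high", 16),      # new issue, also past the 14-day window
]

HIGH_OR_CRITICAL = ("high", "critical")

def needs_retest(sample1):
    """Sample 1 rule: any high or critical finding forces a retest on newly sampled devices."""
    return any(sev in HIGH_OR_CRITICAL for _, _, sev, _ in sample1)

def overdue_high_critical(findings, window_days=14):
    """Vulnerability ids that count against Sample 2: high/critical and older than the window."""
    return {vid for _, vid, sev, age in findings if sev in HIGH_OR_CRITICAL and age > window_days}

def sample2_outcome(sample1, sample2, window_days=14):
    """Apply the Sample 2 rules and return (result, detail)."""
    first = {vid for _, vid, sev, _ in sample1 if sev in HIGH_OR_CRITICAL}
    second = overdue_high_critical(sample2, window_days)
    if not second:
        return ("pass", "no high/critical vulnerabilities older than %d days" % window_days)
    repeated = sorted(first & second)
    if repeated:  # the estate was not remediated consistently: fail, basic certificate at risk
        return ("fail", "Sample 1 issues still present: %s; CE basic certificate may be revoked"
                % ", ".join(repeated))
    return ("pass_with_advisory", "new or different issues noted: %s" % ", ".join(sorted(second)))
```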

Assessment Rules

  • Point-in-time assessment: All version and system information must be supported and meet the criteria on the certificate issue date, not just the submission date.
  • 14-day patching window: Where build numbers are provided, version information must fall within the 14-day patching window at the time of assessment.
  • Director declaration: Now includes ongoing compliance responsibility — the signatory is confirming that controls will be maintained, not simply that they were in place at the point of submission.

One further practical change: under Danzell, organisations cannot materially amend their self-assessment responses once CE Plus testing has begun. Ensure your self-assessment answers are accurate and complete before the audit stage commences — if you have any doubt, raise it with your certification body before testing starts.

Two time limits also apply to the CE Plus process. Once you pass Cyber Essentials basic, you have 90 days (3 months) from that certification date to complete and pass CE Plus. If issues are identified during the CE Plus audit, you have 30 days from the date the assessment started to remediate and have checks revisited. Both windows run simultaneously — whichever expires first is the binding deadline. If either closes before you pass CE Plus, your Plus application closes and you must re-certify at CE basic level before restarting, incurring an additional certification cost.

SUMMARY

Danzell is the most significant update to Cyber Essentials since the Montpellier-to-Willow transition. The introduction of automatic failure conditions for MFA and patching removes the flexibility that some organisations had quietly been relying on. For those with well-managed IT environments, it is largely a tightening and clarification exercise. For those with gaps in MFA enforcement or cloud scoping, it is a meaningful change that requires action before their next assessment.

The underlying purpose of Danzell is unchanged from the original scheme: to ensure UK organisations have genuine, effective security controls in place — not just a completed questionnaire.