Cyber Essentials is Changing in April 2026: What You Need to Know About the Danzell Question Set

Cyber Essentials gets a ‘refresh’ every year. Most of the time the changes are modest, and organisations that treat the scheme seriously rather than as a box-tick exercise barely notice the difference. The 2026 update is in that category. It is not a heavy redesign, but the testing process for Cyber Essentials Plus is changing. There are a handful of changes that matter quite a lot, and one timing decision that is worth getting right.

Here’s everything we’ve been telling our customers, so you can make the right decision before April 26th.

What is Danzell?

Danzell is the name of the new Cyber Essentials self-assessment question set, replacing the current one called Willow. It aligns to a shiny new version of the NCSC Requirements for IT Infrastructure (the standard Cyber Essentials relies on). The core controls all stay the same, with fuller detail on some requirements and more areas where you can instantly fail.

Assessment accounts created on or after 27 April 2026 will use Danzell. Accounts created before that date will continue under Willow, but organisations have until 26 October 2026 to complete certification under the previous requirements.

Should You Lock In Before April?

If you are confident that you can complete certification before 26 October 2026, you can open your assessment account before 26 April 2026 and certify against the Willow requirements. That window is worth taking if your current position is strong and you want to avoid any uncertainty around the new auto-fail criteria. If you have any doubt, prepare for Danzell and do it properly – mindful of the hard requirement for a vulnerability management solution.

For organisations certifying after April, the Danzell question set is already published on the IASME website. Download it now, do a dry run against your current estate, and close any gaps before you open an assessment account. Paying for a portal and then discovering you fail is an avoidable problem.

The New Automatic Failures

This is the section worth reading carefully. Three areas will now result in an automatic fail if not met. Previously there was more flexibility in how these were marked. That flexibility is gone.

MFA on all cloud services

Multi-factor authentication has been part of Cyber Essentials for some time, but the marking has been tightened significantly. From April 2026, if a cloud service offers MFA (even as an additional paid feature) and your organisation has not enabled it for all users, the assessment fails automatically. This applies regardless of whether MFA is free, paid, or delivered through another mechanism such as single sign-on via Microsoft 365.

If you are unsure whether your cloud services offer MFA, check before you start your assessment.

14-day patching (two new questions)

Two new questions, A6.4 and A6.5, address update management and both carry automatic-fail status:

  • A6.4: High-risk and critical OS updates, plus router and firewall firmware fixes, must be applied within 14 days of release.
  • A6.5: High-risk and critical application updates, including associated files and extensions, must be applied within 14 days of release.

Delays in applying critical patches remain one of the most common routes into a business – and indeed the number one issue I see on assessments. The updated rules remove any ambiguity: this must happen consistently, across the entire in-scope environment, not just the machines most likely to be inspected.

If you don’t have vulnerability management in place for your devices, you absolutely need it moving forward. This is not just Windows update management: we need to see consistent agent-based scanning across your entire estate. That means running a piece of software that installs agents onto each device on the network and reports their condition back to a central dashboard. Our ‘old reliables’ in this space are Tenable and Qualys, as they are accepted as valid scanning tools by IASME. There are other players in this space, but be aware that they don’t always produce the same results as the approved scanning tools.
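As an added illustration (not IASME’s tooling or anything from the question set itself), the check below runs the 14-day rule from A6.4 and A6.5 over a constructed list of update records: high-risk and critical updates count from the vendor release date, an update that is still missing is measured against the assessment date, and each breach is attributed to the question it would fail. Device names, dates and the record layout are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

PATCH_WINDOW_DAYS = 14                      # A6.4 / A6.5: applied within 14 days of release
IN_SCOPE_SEVERITIES = {"critical", "high"}  # lower severities are out of scope for the auto-fail


@dataclass
class UpdateRecord:
    device: str
    category: str            # "os", "firmware" (router/firewall) or "application"
    severity: str            # vendor severity, lowercase
    released: date           # vendor release date
    applied: Optional[date]  # None if the update has not been installed yet


def question_for(category: str) -> str:
    """A6.4 covers OS and router/firewall firmware; A6.5 covers applications."""
    return "A6.4" if category in ("os", "firmware") else "A6.5"


def days_exposed(rec: UpdateRecord, as_of: date) -> int:
    """Days between release and install; a missing update is still exposed as of today."""
    end = rec.applied if rec.applied is not None else as_of
    return (end - rec.released).days


def find_breaches(records: List[UpdateRecord], as_of: date) -> List[dict]:
    """Return every in-scope update that exceeded the 14-day window, tagged by question."""
    breaches = []
    for rec in records:
        if rec.severity not in IN_SCOPE_SEVERITIES:
            continue
        exposed = days_exposed(rec, as_of)
        if exposed > PATCH_WINDOW_DAYS:
            breaches.append({"question": question_for(rec.category), "device": rec.device,
                             "days": exposed, "installed": rec.applied is not None})
    return breaches


# Constructed sample estate; the assessment date is an assumption for the example.
AS_OF = date(2026, 5, 20)
SAMPLE = [
    UpdateRecord("laptop-01", "os", "critical", date(2026, 4, 14), date(2026, 4, 20)),   # 6 days: fine
    UpdateRecord("laptop-02", "os", "critical", date(2026, 4, 14), None),                # still missing
    UpdateRecord("fw-edge", "firmware", "high", date(2026, 4, 28), date(2026, 5, 14)),  # 16 days: late
    UpdateRecord("laptop-01", "application", "high", date(2026, 5, 1), date(2026, 5, 12)),
    UpdateRecord("laptop-03", "application", "moderate", date(2026, 4, 1), None),        # out of scope
    UpdateRecord("laptop-03", "application", "critical", date(2026, 5, 3), None),        # 17 days: late
]

if __name__ == "__main__":
    for b in find_breaches(SAMPLE, AS_OF):
        print(f"{b['question']} FAIL {b['device']}: {b['days']} days ({'installed late' if b['installed'] else 'not installed'})")
```

A single breach in either list is enough to fail the question, which is why the check runs over every in-scope device rather than the ones you expect the assessor to look at.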

Tighter Rules for Cyber Essentials Plus

If you are pursuing CE+, the hands-on technical verification process has been updated to close a loophole that allowed organisations to pass by selectively updating a small number of devices ahead of the audit.

Under the new process, if the initial random device sample fails due to missing updates, remediation is required and retesting covers both the original sample and a new random sample. A second failure results in revocation of the verified self-assessment certificate. That means if you fail at CE+, you lose your Cyber Essentials Level 1.

There is also an important sequencing rule: the verified self-assessment must be finalised before CE+ testing begins. Answers can no longer be changed based on what the CE+ audit finds. The self-assessment is your declaration of your actual state, and it needs to reflect reality before the technical work starts. This means a tighter audit window and less general flexibility for teams looking to game the standard.

Scoping and Certification Transparency

Cloud services are now explicitly in scope and formally defined for the first time. If organisational data or services are hosted in a cloud service, that service must be included in your assessment. The previous grey area around excluding cloud services because security was “the provider’s responsibility” is closed.

Internet-connection scoping has been simplified, with the removal of the “untrusted” and “user-initiated” qualifiers that often caused confusion. Exclusions still need to be justified, and any network segregation explained. If this doesn’t mean anything to you, then you’re unlikely to be affected by the change…

On certificates, organisations must now describe out-of-scope areas and list all in-scope legal entities by name, address, and company registration number. These in-scope details will be visible on the digital certificate platform. There is also the option to obtain separate per-legal-entity certificates within a wider organisational scope, which is useful for groups with subsidiaries or separate trading entities.

A Few Other Clarifications Worth Knowing

  • Point in time: The certificate issue date is now the defined point in time. Systems must be supported and compliant on that date.
  • Board declaration: The director or board member declaration in a verified self-assessment will now explicitly acknowledge responsibility to maintain compliance throughout the certification period, not just on assessment day. If you are ‘just squeezing through’ on assessment day, then IASME deems that the assessment is not being completed in good faith.
  • Application development: “Web applications” has been renamed to “application development” and now references the UK Government Software Security Code of Practice. Commercial public web apps are in scope by default; bespoke or custom components are not.
  • Passwordless authentication: User access control guidance now highlights passwordless methods such as passkeys and biometrics, signalling where the scheme is heading.
  • Backups: Backup guidance has been moved earlier in the Requirements document. This is a hint rather than a requirement change for now, but resilience and recovery look likely to take on greater prominence in future versions – and we might see some closer alignment with the IASME Cyber Assurance sister standard as time goes on.

What to Do Now

The most useful thing you can do today is download the Danzell question set from the IASME website and compare your current position against it. The areas most likely to catch organisations out are cloud service MFA coverage and consistent 14-day patching across all in-scope devices, not just the ones you remember to update.

Equally, have a think about your vulnerability management position. You cannot rely on your Certification Body to do your fact finding during the assessment period and then react to scans done for you. You need that line of sight ahead of time, as a core part of the requirements for the standard. This is going to change the cost-benefit assessment of staying certified, so make sure you have that conversation ahead of your renewal period. Vulnerability management solutions are not all equal in quality or coverage, and to frustrate matters IASME only accepts certain results from certain scanners (and we’re not allowed to share these on a blog like this, sadly). As always, we’re on hand to chat if you want to chew any of this over.

If you would like a hand working through the changes or understanding how they apply to your specific setup, we are here. As a Cyber Essentials certification body, we work through this process with organisations every day and can help you identify gaps without any of the guesswork.

Get in touch at info@adas-ltd.com or visit our Cyber Essentials page to find out how we can support your certification.