Cyber Essentials – Danzell Update

Danzell Overview
From 27th of April 2026, the Cyber Essentials standard will be updated to version 3.3, known as Danzell. IASME, in collaboration with the NCSC, reviews and updates the scheme annually to ensure it remains aligned with the latest and most significant cyber threats affecting UK businesses.
While the five core controls – Firewalls, Secure Configuration, Patch Management, Access Control, and Malware Protection – remain unchanged, the new version introduces stricter assessment criteria, with particular focus on Multi-Factor Authentication and Security Update Management. One of the most notable changes affects Cyber Essentials Plus, where any failure during the internal vulnerability scanning test will now carry greater significance.
This blog provides an overview of the main updates that organisations will need to address to maintain compliance and implement Cyber Essentials effectively. For a full list of changes, organisations should review the Cyber Essentials Requirements for IT Infrastructure v3.3, which will apply to all applications submitted on or after 27 April 2026.

What’s Changing in Cyber Essentials?
The following sections go into detail about each of the changes in Danzell.
• Multi-Factor Authentication (MFA)
• Security Update Management (Stricter Patching)
• Scope Expectations
• Cyber Essentials Plus – Double Sampling
1. Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) is now mandatory for all cloud services where it is available, whether it comes as a free feature or requires an additional purchase. Businesses that fail to implement MFA for all users and administrators will automatically fail their Cyber Essentials assessment.
To clarify which services are considered “cloud services,” IASME has updated the definition:
A cloud service is an on-demand, scalable service, hosted on shared infrastructure, and accessible via the internet. For the purposes of Cyber Essentials, a cloud service will be accessed via an account (which may be credentials issued by your organisation or an email address used for business purposes) and will store or process data for your organisation.
Examples of cloud services include:
- Business Social Media (LinkedIn, Facebook)
- Microsoft 365
- AWS
- Cloud-based finance or HR platforms
Any cloud service hosting your organisation’s data or providing services must be included in the assessment scope. This means that cloud services cannot be excluded from the scope of the assessment. MFA plays a critical role in protecting these services from brute-force attacks, and failing to implement it increases the risk of compromise.
2. Security Update Management (Stricter Patching)
Patching requirements have been tightened, particularly for high-risk vulnerabilities. Critical and High severity vulnerabilities must be patched within 14 days. This applies to all operating systems, third-party applications and firmware across network devices, such as firewalls and routers. Failure to patch within the 14-day window will now result in an immediate failure of the Cyber Essentials assessment.
3. Scope Expectations
Scoping has always been part of Cyber Essentials, but it’s now under greater scrutiny. You’ll now be expected to clearly define what is included in scope, justify anything that is being excluded, include legal entities covered and ensure your scope matches how your business actually operates.
4. Cyber Essentials Plus – Double Sampling
If you’re going for Cyber Essentials Plus, expect a more hands-on assessment. Changes include broader vulnerability scanning, stronger validation of controls, less reliance on small samples, and more emphasis on real-world coverage. This means that if Critical or High vulnerabilities are found during the first chosen device sample, a new device sample will be selected and tested to ensure that remediations are applied business-wide, and not just across the previously tested sample.
Where Organisations Are Likely to Struggle:
From what we’re already seeing, most issues will fall into a few common areas:
- MFA not fully rolled out (especially in legacy systems)
- Incomplete visibility of cloud services
- Patch management processes that are too slow
- Poorly defined or unrealistic scope
- Lack of documented evidence
Final Thoughts
This update doesn’t change what Cyber Essentials is trying to achieve, but it does change how seriously organisations need to take it. If you’re already operating with strong controls, clear processes, and good visibility of your environment, you’ll likely be in a good position. If not, this is the point where small gaps start to matter.
The Key Takeaway:
Cyber Essentials is no longer just about having the right answers; it’s about having the right controls, properly implemented, and being able to demonstrate that they work.
Need Help Preparing for Danzell?
From 27 April 2026, Cyber Essentials is changing.
If your Cyber Essentials renewal is due after this date, now is the time to act as the bar is higher, and waiting will only make it harder.
Most businesses will leave it too late, then scramble to patch gaps, misunderstand requirements, and risk failing the assessment.
Our Cyber Essentials service includes a free gap analysis and compliance support, giving you a straightforward path to certification without the stress.
Secure your assessment today and take the uncertainty out of your certification.
