Is your business ready? The 2026 Cyber Essentials Danzell update explained

Cyber Essentials is changing – and this time, it’s not just a paperwork exercise. 

From 27 April 2026, a new version of the scheme comes into force. The UK Government and IASME are introducing the “Danzell” update (v3.3), designed to tighten up how you’re assessed and, crucially, how compliance is proven. 

The five core controls aren’t going anywhere. What is changing is how strictly they’re applied. The flexibility and grey areas many organisations relied on before are being removed. Evidence now matters just as much as intent. 

Here’s what you need to know to stay compliant – and avoid an unexpected failure at renewal.

1. MFA is no longer optional – it’s mandatory 

Multi‑factor authentication (MFA) has long been recommended. Under the new update, it’s non‑negotiable. 

Previously, missing MFA on a handful of non‑admin accounts might have resulted in a warning or a fix‑later requirement. That safety net has gone. 

If a cloud service supports MFA – whether built‑in, paid for, or delivered via a third party – it must be enabled for every user. If it isn’t, certification will fail. Cost, convenience or licensing limitations are no longer considered valid exceptions.

2. Cloud services are fully in scope

Cloud usage is now explicitly included in Cyber Essentials assessments – with no opt‑out. 

If your business data touches a platform, it’s in scope. That includes: 

• SaaS tools – Microsoft 365, Google Workspace, Slack, Xero and similar platforms 

• Social media accounts – any business‑used account must be declared and protected with MFA 

• Infrastructure services – if you use IaaS or PaaS, you’re responsible for demonstrating that security controls are correctly configured 

In short, shared responsibility doesn’t mean shared accountability. You’ll need clear evidence that your side of the setup is secure.

3. The 14‑day patching rule is in place

Speed now matters. 

For any high or critical security update – covering operating systems, applications or firewalls – you have 14 days from release to deploy it. 

For Cyber Essentials Plus, auditors won’t rely on policy statements or screenshots alone. They’ll expect live technical evidence. A single device outside that two‑week window can halt the entire assessment. 

Consistency across your estate is key.

4. Cyber Essentials Plus gets more hands‑on

If you’re going for Plus, expect deeper verification. 

The Danzell update introduces random re‑sampling, allowing auditors to check additional devices if issues are found. Fixing one problem device won’t be enough – the auditor can re‑test a fresh sample to confirm the issue has been resolved everywhere. 

This closes the door on “audit‑day fixes” and places the focus firmly on day‑to‑day security hygiene. 

What should you do now?

You don’t need to wait until April 2026 to prepare – and leaving it until renewal could create unnecessary pressure. 

A few practical steps to take now: 

• Review MFA – list every cloud service you use and confirm MFA is enabled for all users. 

• Tighten your scope – clearly document all devices, users and services. Exclusions now require robust technical justification, such as physical network segregation. 

• Check your backups – recovery is receiving more attention. Ensure backups are documented, monitored and regularly tested – not just running in the background. 

• Use CyberSmart – to monitor and manage your Cyber Essentials compliance. 

• Get all the cyber security solutions you need to comply – we're on hand to supply you with all the software and services you need for multi-layered protection and compliance. 

From policy to proof - Cyber Essentials Danzell update

The Danzell update marks a shift from intention to evidence. While it may feel more demanding, it’s also a clear framework for building stronger, more resilient security practices. 

Get the fundamentals right now, and Cyber Essentials becomes less of a hurdle – and more of a genuine baseline for protecting your business. 

Get in touch if you need help improving your cyber security posture. Our cyber security team can help you with licensing, advice, demos, trials, quotes and more.