Cyber Essentials 2026 Updates: Everything You Need to Know About the Changes

The Cyber Essentials scheme is reviewed annually by the National Cyber Security Centre (NCSC) and IASME to ensure it keeps pace with evolving cyber threats. While the five core technical controls remain unchanged, significant updates – with the introduction of the Danzell question set – come into effect in April 2026 that organisations must be aware of.

These updates impact:

  • The marking criteria
  • The Cyber Essentials Plus (CE+) methodology
  • Certification scope transparency
  • Ongoing compliance expectations
  • Definition updates and clarifications

If your organisation is preparing for Cyber Essentials certification or recertification, now is the time to understand what’s changing.

When Do the Changes Take Effect?

The updated scheme, known as Danzell, will replace the expiring Willow question set, and will apply to all assessment accounts created after 26th April 2026.

Organisations with active assessment accounts created before this date will have six months to complete certification under the previous requirements.

Key Changes to Cyber Essentials 2026

Stricter Marking Criteria & Expanded Auto-Fail Conditions

One of the most significant changes is the expansion of automatic failure (“auto-fail”) criteria for critical security practices.

1) Mandatory Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) will now be mandatory for all cloud services where it is available — whether free, bundled, or paid.

Failure to enable MFA for applicable cloud services will result in automatic failure of the assessment.

This reinforces alignment with NCSC best practice and reflects the critical role MFA plays in preventing account compromise.

2) New Auto-Fail Questions on Security Updates

Two update management questions will now trigger automatic failure if not met:

A6.4
Are all high-risk or critical security updates and vulnerability fixes for operating systems and router and firewall firmware installed within 14 days of release?

A6.5
Are all high-risk or critical security updates and vulnerability fixes for applications (including associated files and extensions) installed within 14 days of release?

Failure to meet either requirement will result in an automatic fail — regardless of performance in other areas.

These changes directly address risks created by delayed patching of critical vulnerabilities.

Improved Scope Definition & Certification Transparency

Defining scope has long been a challenge, particularly for larger or complex organisations. The 2026 updates introduce greater transparency and clarity.

1) Unlimited Scope Descriptions

Organisations can now provide detailed scope descriptions that will be available via the digital certificate platform. There is no longer a short-character limit on certificates.

2) Out-of-Scope Areas

Organisations must describe infrastructure that is excluded from scope (this information will not be made public).

3) Legal Entity Identification

All legal entities included in scope must be identified, including:

  • Entity name
  • Registered address
  • Company number

These entities will be visible via the digital certificate platform.

4) New Certificate Options

Individual certificates may be requested for each legal entity certified within a wider scope (for a small additional fee). These will clearly state that they form part of a larger scoped certification.

Clarification of “Point in Time”

Cyber Essentials is a “point in time” assessment. From April 2026, this will be explicitly defined as:

The date the certificate is issued.

Organisations must ensure that systems are supported and compliant on that date.

Updated Director Declaration & Ongoing Compliance

The board-level declaration signed during the Verified Self-Assessment (VSA) will now explicitly confirm:

  • The organisation’s responsibility to maintain compliance
  • Commitment to uphold Cyber Essentials controls throughout the certification period

This reinforces that Cyber Essentials is not a one-time exercise, but an ongoing security commitment.

Changes to Cyber Essentials Plus (CE+)

The April 2026 updates also introduce important changes to the CE+ technical audit process.

Stronger Verification of Update Management

Audits have identified instances of “selective updating,” where organisations applied required patches only to sampled devices rather than across their entire environment.

To address this:

  • If an organisation fails the initial random sample test, it must:
    • Remediate the failures
    • Undergo a retest
  • During the retest:
    • The original sample will be rechecked
    • A new random sample will also be tested

This ensures updates are applied consistently across the full CE+ scope.

A second failure will result in revocation of the Verified Self-Assessment certificate.

No Post-Test Changes to the Verified Self-Assessment

Organisations will no longer be permitted to adjust their Verified Self-Assessment responses after CE+ testing has begun.

The Verified Self-Assessment must be:

  • Fully completed
  • Finalised
  • Locked prior to CE+ testing

This protects the integrity of the certification process.

Definition Updates and Clarifications

Several clarifications and refinements have been made to improve guidance and remove ambiguity.

Clear Definition of Cloud Services

A cloud service is an on-demand, scalable service, hosted on shared infrastructure, accessible via the internet, and accessed through an account that stores or processes organisational data.

Important: If your organisation’s data or services are hosted in the cloud, they must be in scope. Cloud services cannot be excluded.

Simplified Scoping Language

The terms “untrusted” and “user-initiated” have been removed from internet connection criteria.

Organisations must now:

  • Justify any exclusions
  • Explain how excluded networks are segregated from in-scope systems

Application Development Updates

  • “Web applications” has been renamed to Application Development
  • The UK Government Software Security Code of Practice is now referenced
  • Publicly available commercial web applications are in scope
  • Bespoke/custom components remain out of scope

Backup Guidance Emphasised

Backup guidance has been moved earlier in the document to reinforce its importance in incident recovery and business continuity.

User Access Control Enhancements

The updated guidance highlights modern authentication methods including:

  • Passwordless authentication
  • Passkeys

These are recognised as more secure alternatives to traditional passwords.

How to Prepare for the Changes

If you’re planning Cyber Essentials certification or recertification:

  • Review update management processes (especially 14-day patching)
  • Confirm MFA is enabled everywhere it’s available
  • Reassess scope definitions and legal entity coverage
  • Ensure cloud services are properly included
  • Prepare leadership for updated compliance declarations
  • Review CE+ update processes to prevent selective remediation risks

How to Simplify Certification

If your Cyber Essentials renewal is coming up, or if you’re achieving compliance for the first time, we recommend familiarising yourself with the Danzell updates early to make sure you’re not caught out.

However, for the simplest way to get certified, we’re here to make things easier for you. The CyberSmart platform from E-ZU Solutions Ltd is an automated solution that helps organisations eliminate the headaches and frustrations that can often arise whilst trying to achieve certification. Head to our Cybersmart Platform page to find out more and you can even see the dashboard for yourself with our Instant Interactive Demo. And please feel free to reach out to us if you have any questions about preparing for Cyber Essentials or protecting your business-critical data – Email: [email protected] or Call: 01260 715 021.