Cyber Essentials Assessment Update: The New ‘Danzell’ Version Arriving in April 2026

From 27 April 2026, the United Kingdom’s Cyber Essentials certification scheme will introduce an updated assessment question set known as ‘Danzell’. This marks one of the most notable updates to the scheme in recent years and reflects a continued effort to strengthen the baseline cyber security posture of organisations across the UK.

Cyber Essentials remains a Government backed certification designed to help organisations protect themselves against the most common forms of cyber attack. Whilst the five core technical control themes remain unchanged, the new Danzell assessment introduces greater clarity in interpretation and a firmer approach to enforcement.

What is Changing?

The Danzell update replaces the existing assessment question set known as ‘Willow’. Any organisation that creates a new Cyber Essentials assessment account on or after 27 April 2026 will be required to complete certification against this updated version.

Organisations that begin their assessment prior to this date may continue using the Willow question set, provided their application remains valid within the permitted completion timeframe.

The objective of Danzell is not to introduce new technical controls, but to ensure that existing requirements are applied consistently and reflect modern working practices such as increased reliance on cloud services and remote access technologies.

Multi Factor Authentication Requirements

One of the most significant changes introduced under Danzell relates to the use of multi factor authentication.

Where multi factor authentication is available on a cloud service used by the organisation, it must now be enabled for all users who have access to that service. Failure to implement multi factor authentication where it is supported will result in an automatic failure of the relevant assessment requirement.

This change reflects the continued prevalence of credential based attacks and reinforces the importance of strengthening identity and access management controls.

Security Update Timeframes

Danzell also introduces more stringent expectations regarding the application of security updates.

Organisations will be required to ensure that critical and high risk security updates are applied to operating systems, applications, firewalls and network devices within fourteen days of release. This represents a shift towards a more prescriptive patch management expectation and is intended to reduce exposure to known vulnerabilities.

Improved Scope Definition

The updated assessment places greater emphasis on the accurate definition of certification scope.

Organisations will now be expected to clearly identify all legal entities included within the certification boundary, alongside any systems or services that have been excluded. Where exclusions are declared, justification must be provided together with an explanation of how those excluded elements are segregated from the certified environment.

This aims to improve transparency and ensure that certification reflects the true extent of an organisation’s operational infrastructure.

Cyber Essentials Plus Considerations

Changes will also affect organisations pursuing Cyber Essentials Plus.

Following remediation activity, assessors may test a different sample of devices rather than re examining only those that previously failed. In addition, once Cyber Essentials Plus testing has commenced, organisations will not be permitted to amend their original self assessment responses.

As such, it is essential that submitted answers are both accurate and representative of the organisation’s security controls prior to testing.

Preparing for the Transition

Organisations intending to achieve certification before the introduction of Danzell should ensure that their assessment account is created prior to 27 April 2026.

Those planning to certify or renew after this date are advised to review their current implementation of multi factor authentication, patch management procedures and scope definition to ensure alignment with the updated assessment criteria.

Conclusion

The introduction of the Danzell assessment represents an evolution of the Cyber Essentials scheme rather than a fundamental redesign. By clarifying requirements and strengthening assessment expectations, the update seeks to ensure that certified organisations maintain a level of cyber resilience consistent with today’s threat landscape.

Organisations are encouraged to treat the transition as an opportunity to reinforce their existing controls and demonstrate a commitment to sound cyber security practice.

‍