DigitalXRAID

Cyber Essentials 2026 Update: What UK Organisations Need to Know About the New Requirements

The government approved Cyber Essentials scheme is a core part of the UK’s national cyber security strategy, helping organisations of every size to protect themselves against the most common cyberattacks.

With cyber risks evolving and technology rapidly changing, the scheme is reviewed annually by the National Cyber Security Centre (NCSC) and IASME to ensure it stays relevant, practical and effective for modern IT environments and against modern day threats.

In April 2026, a new version of the Cyber Essentials requirements for IT infrastructure will come into effect. The new Danzell question set replaces the current Willow question set and is now available on the IASME website.

This update introduces several important clarifications and refinements. These include a major change to how multi factor authentication (MFA) is assessed, new auto-fail rules for security update management, a new definition for cloud services, and updates to scoping, certification transparency, backups, user access control and application development requirements.

IASME also published further scheme-level changes on 13 February 2026, introducing additional updates to the CE+ assessment process and the director declaration requirement.

In this article, we’ll be diving into exactly what’s changing in the new Danzell question set, when it comes into effect and affects your certification, how it applies to cloud services and hybrid environments, and what steps you should take now to prepare for Cyber Essentials v3.3. We’ll also share advice to ensure you have clarity on what the update means for your organisation, and the confidence to approach your next Cyber Essentials and Cyber Essentials Plus assessment successfully.

Key Takeaways

  • Cyber Essentials v3.3 comes into effect for all new assessment accounts created after 26 April 2026.
  • Multi factor authentication (MFA) becomes mandatory for all cloud services where MFA is available. Not enabling MFA will result in automatic failure.
  • Two new security update auto-fail questions (A6.4 and A6.5) require all high-risk or critical updates to be installed within 14 days of release. Failure to meet this requirement will result in automatic assessment failure.
  • A formal definition of cloud services has been added, and cloud services can no longer be excluded from scope.
  • Scoping rules have been updated to remove ambiguous terms and clearly define which devices and connections must be assessed.
  • New certification transparency requirements mean organisations must list all legal entities in scope and describe any excluded infrastructure areas. Individual certificates are now available per legal entity.
  • The CE+ assessment process has been strengthened: organisations can no longer selectively update only tested devices, and verified self-assessments cannot be changed once CE+ testing begins.
  • Directors and senior leaders must now sign a declaration confirming ongoing compliance with Cyber Essentials controls throughout the certification period, not just at the point of assessment.
  • Guidance has been revised for backups, user access control, passwordless authentication and application development.
  • Organisations should begin reviewing their cloud security, MFA configurations, patching processes, scoping decisions, backup strategy and access control policies ahead of the deadline.

What is Changing in Cyber Essentials in April 2026?

The Cyber Essentials 2026 update introduces a small number of targeted changes intended to remove ambiguity, increase clarity and ensure that organisations apply the scheme consistently.

Before diving into each update, it’s important to understand how the updates work in practice, when the changes take effect, and which version is applicable to your assessment cycle.


What’s the new name for the April 2026 Cyber Essentials question set?

The current Cyber Essentials question set is named Willow, which went live on 28 April 2025 under version 3.2 of the requirements. Willow replaced the previous Montpellier Question Set, which was used in earlier assessments.

The new Cyber Essentials question set is named Danzell. It replaces Willow, is now available on the IASME website, and will be used for all assessments created after 26 April 2026.

When do the new Cyber Essentials requirements take effect?

The new requirements apply to all assessment accounts created after 26 April 2026. Any active account created before the release date will be assessed under the current Willow question set and requirements, even if the assessment isn’t completed before 26 April.

Once an organisation creates an assessment account, it has six months to complete the assessment.

What’s required for Cyber Essentials Requirements for IT Infrastructure v3.3?

The Requirements for IT Infrastructure v3.3 define what organisations must meet across the five technical control areas.

Version 3.3 consolidates updated terminology, revised scoping rules and fresh guidance on cloud services, MFA, application development and backups, and new auto-fail criteria for MFA enforcement and security update management. It also introduces changes to certification transparency, the CE+ assessment process, and the director declaration requirement.

It’s been introduced to improve clarity for assessors and applicants, and ensure that organisations adopt a consistent approach to interpreting the controls.

Why the Cyber Essentials Scheme is Being Updated

Cyber Essentials is reviewed annually to ensure it reflects current cyber security practice and remains aligned to the threats that UK organisations face. The 2026 update continues that principle by tightening definitions and reinforcing areas where organisations often misinterpret the controls.

Why does Cyber Essentials change every year?

Annual updates are necessary to ensure the scheme continues to focus on the most relevant security risks. Regular revisions also allow the scheme to address ambiguity, resolve common misunderstandings and enhance the quality of assessments without introducing major operational change for most applicants.

How the NCSC and IASME review the scheme

The National Cyber Security Centre (NCSC) and IASME collaborate with technical experts to assess how the controls are being applied and where refinements could improve consistency. This process includes reviewing feedback from assessors, analysing assessment data, and evaluating whether the requirements align to the latest cyber security guidance. IASME also incorporates findings from its own ongoing audit processes, which contributed to the additional scheme-level changes announced on 13 February 2026.

What the 2026 update aims to achieve

The Cyber Essentials 2026 update is designed to provide clearer definitions, consistent interpretation of requirements, and improved scoping accuracy. Its aim is to remove ambiguity, encourage stronger authentication practices, and ensure that organisations applying for Cyber Essentials or Cyber Essentials Plus have a more predictable and rigorous assessment experience.


Summary of the Key Cyber Essentials 2026 Changes

The Cyber Essentials Requirements for IT Infrastructure v3.3 introduces several important updates. While most changes refine existing controls rather than introduce entirely new ones, they will require organisations to review their configurations, scope decisions, patching processes and certification approach to ensure compliance.

MFA becomes a mandatory auto-fail requirement for all cloud services

One of the most significant updates relates to multi factor authentication (MFA). While MFA has previously been required, the marking criteria have been changed in a way that will have a substantial impact on many organisations:

  • Cloud services that support MFA must have MFA enabled: If a service offers MFA, whether it’s included, free, paid, or available through an integration, and you have not enabled it, this will now lead to an automatic failure.
  • What counts as MFA: MFA must require at least two different factors from the categories of something you know, something you have or something you are. This includes app-based authenticators, hardware keys and biometrics.
  • What happens if MFA is available, but you haven’t enabled it: Under the new marking criteria, failing to enforce MFA on a cloud service that supports it will result in non-compliance even if all other controls are met. Organisations should review their identity and access management (IAM) configurations as soon as possible to avoid failing future assessments.

Two new auto-fail questions for security update management

This is one of the most impactful additions in the February 2026 scheme update and one that could catch organisations off guard if they aren’t prepared.

Two questions in the Danzell question set have been designated as auto-fail questions. Both relate to the timely installation of high-risk or critical security updates:

A6.4 asks whether all high-risk or critical security updates and vulnerability fixes for operating systems and router and firewall firmware are installed within 14 days of release.

A6.5 asks whether all high-risk or critical security updates and vulnerability fixes for applications, including any associated files and extensions, are installed within 14 days of release.

Non-compliance with either question will result in an automatic failure of the assessment, regardless of how well you perform across all other controls. This change moves Cyber Essentials away from “apply updates in a timely manner” and introduces a defined, measurable 14-day remediation window aligned with NCSC guidance on high-risk vulnerabilities.

For many organisations, particularly those without continuous vulnerability visibility across their full estate, this change introduces a meaningful new compliance requirement. It’s not just about operating systems; routers, firewall firmware, applications, browser extensions and associated files all fall within scope.

New cloud services definition and why cloud cannot be excluded from scope

A clear definition for cloud services has been added to eliminate confusion. A cloud service is now defined as an on-demand, scalable service that is hosted on shared infrastructure and accessed via the internet. It must be accessed with business-related credentials and store or process organisational data.

This removes any grey areas around tools, platforms or features that previously sat in ambiguous territory. All cloud services that process or store organisational data are in scope and can’t be excluded.

Examples of in scope cloud platforms include Microsoft 365, Google Workspace, cloud storage platforms, SaaS products, CRM systems, and collaboration tools.

For organisations with multicloud or hybrid cloud environments, this means every relevant cloud service must be included in your assessment and aligned to the MFA requirement.

Organisations that use multiple cloud services with inconsistent authentication methods may need to update their identity strategy.

Updated scoping rules for devices, networks and internet connections

The April 2026 Cyber Essentials update removes the terms ‘untrusted’ and ‘user initiated’, which have historically caused inconsistent interpretations.

The new scoping rules make it clear that any device or service that can accept incoming connections from internet connected devices, establish outbound connections to the internet, or control the flow of data between such devices, is in scope.

Applicants must now justify any partial exclusions of infrastructure. This includes explaining why something is out of scope and describing how it has been adequately segregated.

Devices and services explicitly in scope include: laptops, desktops, servers, firewalls, routers, mobile devices, cloud platforms, and network components that interact with internet connected systems.

Improved scope definition and certification transparency

The 2026 update introduces new requirements around how scope is described, documented and presented on certificates. These are particularly relevant for larger organisations with complex group structures.

Organisations will no longer be limited to a brief scope description on their certificates. You’ll be able to provide a detailed scope description, which will be available to view via the digital certificate platform.

You’ll also be required to describe any areas of your infrastructure that are excluded from scope. This information won’t be made public, but it must be documented as part of the assessment.

All legal entities included within the scope of the assessment must be formally identified, with details including the entity’s name, address and company number. All included legal entities can be viewed on the digital certificate platform.

For group structures, there’s now an option to request an individual Cyber Essentials certificate for each legal entity certified as part of a larger scope. These additional certificates will be available for a small charge and will clearly indicate that the certification is part of the wider scope.

Clarification of ‘point in time’

There has been longstanding confusion about what “point in time” means in the context of a Cyber Essentials assessment. The 2026 update clarifies this explicitly: the point in time is the date the certificate is issued. Organisations must ensure that all systems in scope are supported and compliant on that specific date.

Signed director declaration now covers ongoing compliance

The declaration signed by a board member or director as part of the verified self assessment (VSA) process will be updated. It will now include a statement acknowledging the organisation’s responsibility to maintain compliance with all Cyber Essentials controls throughout the certification period, not just at the point of assessment.

This is a meaningful shift. It reinforces Cyber Essentials as an ongoing security posture commitment rather than a one-time certification exercise, and it places named accountability at board level for the controls remaining in place.

Revised guidance on backups and recovery readiness

Backup guidance has been moved to earlier in the requirements document because it plays a vital role in organisational resilience. The update reinforces that you should have robust backups that are segregated, tested and available to support recovery in the event of a cyber incident. Assessors will expect to see evidence of a considered backup strategy that’s fit for purpose.

Updates to web applications, now renamed application development

The web applications section has been renamed application development. Commercial web applications available to the public remain in scope. Bespoke or custom components are out of scope because they are not publicly accessible.

Organisations are directed to the UK Government’s Software Security Code of Practice to ensure that any development practices align to secure coding standards.

This shift places more emphasis on following good development and testing practice, without expanding the scope of assessment.

Strengthened user access control requirements

The user access control section has been updated to highlight the use of passwordless authentication. Passkeys, FIDO2 authenticators and similar methods provide a secure and frictionless way to authenticate users.

These technologies establish identity without traditional passwords, and are considered stronger, easier and less prone to compromise.

Assessors will expect organisations to demonstrate good access control practices and understand how passwordless authentication fits into their MFA strategy.

Changes to the Cyber Essentials Plus assessment process

The Cyber Essentials Plus assessment has seen some of the most significant procedural changes in this update, driven by findings from IASME’s own audit programme.

Selective updating during CE+ assessments will no longer pass. IASME’s audits identified a pattern of organisations applying remediation only to the devices included in the sample being tested, rather than across the full CE+ scope. To address this, if an organisation fails the initial test of a random device sample, they’ll be required to remediate the issues and undergo a full retest. The assessor won’t just recheck the original sample but will test a new random sample of devices to verify compliance across the wider environment. A second failure will result in revocation of the verified self-assessment certificate.

Verified self-assessments cannot be changed once CE+ testing begins. To protect the integrity of the certification process, organisations will no longer be permitted to adjust their VSA responses based on what the CE+ audit reveals. The VSA must be completed, finalised and remain unchanged before CE+ testing commences.

These changes make preparation before CE+ testing more important than ever. The days of treating CE+ as an opportunity to identify and patch gaps on the day are over.


What These Cyber Essentials 2026 Changes Mean for Your Organisation

The 2026 Cyber Essentials update affects organisations differently, depending on your cloud usage, MFA maturity, development practices and network complexity.

Most organisations won’t face major technical change, but some could see a notable impact on their next assessment.

Will the 2026 update affect existing Cyber Essentials certification?

The update doesn’t invalidate existing certifications. However, if your next assessment account is created after 26 April 2026, it will use the Danzell question set and version 3.3 requirements.

How will Cyber Essentials v3.3 impact annual renewals?

If your renewal date falls after the implementation date and you create a new assessment account after 26 April 2026, you’ll need to meet the updated requirements. Organisations that renew close to the date should plan accordingly, particularly around MFA enforcement and 14-day patching compliance.

Will Cyber Essentials Plus be affected?

Cyber Essentials Plus will reflect the updated requirements within its testing approach, and the process changes to the Plus audit are among the most substantive in this cycle.

Organisations should expect MFA enforcement, cloud scoping, security update compliance and access control to all be validated during the Plus audit. The changes to selective updating and VSA finalisation mean your preparation needs to be complete before the assessor arrives.

What types of organisations are likely to be most affected?

  • SMEs that rely heavily on cloud services without MFA enabled will be affected by the auto-fail MFA rules.
  • Organisations without a structured 14-day patching process across their full estate, including router and firewall firmware and application extensions, will need to address this ahead of their next assessments.
  • Businesses with multicloud environments that have inconsistent authentication policies won’t be able to achieve certification under the Danzell question set without updating their identity strategy.
  • Larger organisations with complex group structures will need to review how they document scope, identify legal entities and approach certificate requests under the new transparency requirements.

How to Prepare for Cyber Essentials 2026: A Practical Readiness Checklist

Preparing early ensures a smooth assessment following the update in April 2026, and reduces the risk of any unexpected non-conformities. The steps below help to align your organisation with version 3.3:

Step 1: Review your cloud services and ensure MFA is enforced everywhere

Identify all cloud services used within your organisation and confirm MFA is enabled for every user account. Document your configurations and ensure that each service meets the standard. Remember, if MFA is available on a platform, including as a paid option, not enabling it will result in an automatic failure.

Step 2: Audit your patching and vulnerability management processes

Review your current patching cadence and confirm you have a process in place to install all high-risk or critical updates within 14 days of release. This applies to operating systems, router and firewall firmware, applications, browser extensions and associated files. If you don’t have continuous vulnerability visibility across your estate, now is the time to address that.
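A small readiness check for Steps 1 and 2 above, added here as an illustration rather than anything from IASME or the question set. It runs over a constructed inventory (the record fields, asset names and dates are assumptions) and reports which cloud services would trip the MFA auto-fail and which overdue high-risk or critical updates would fall under A6.4 or A6.5, using the 14-day window counted from the release date.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical inventory records; the field names are assumptions for this example.
@dataclass
class CloudService:
    name: str
    mfa_available: bool   # MFA is offered: free, paid, bundled or via an integration
    mfa_enforced: bool    # MFA is enforced for every user account

@dataclass
class Update:
    asset: str
    category: str              # "os", "firmware", "application" or "extension"
    severity: str              # vendor/NCSC rating, e.g. "critical", "high", "moderate"
    released: date
    installed: Optional[date]  # None means not yet installed

REMEDIATION_WINDOW = timedelta(days=14)
A6_4_CATEGORIES = {"os", "firmware"}          # operating systems, router/firewall firmware
A6_5_CATEGORIES = {"application", "extension"}  # applications, associated files, extensions
HIGH_RISK = {"critical", "high"}

def mfa_findings(services):
    """Step 1: a service that offers MFA but does not enforce it is an auto-fail."""
    return [s.name for s in services if s.mfa_available and not s.mfa_enforced]

def patch_findings(updates, today):
    """Step 2: map each overdue high-risk/critical update to the question it would fail."""
    findings = {"A6.4": [], "A6.5": []}
    for u in updates:
        if u.severity.lower() not in HIGH_RISK:
            continue  # only high-risk or critical updates are subject to the 14-day rule
        deadline = u.released + REMEDIATION_WINDOW
        # Overdue if installed after the deadline, or still missing once the deadline has passed.
        effective = u.installed if u.installed is not None else today
        if effective > deadline:
            question = "A6.4" if u.category in A6_4_CATEGORIES else "A6.5"
            findings[question].append(u.asset)
    return findings

def readiness(services, updates, today):
    """Combine both checks; any finding means an automatic assessment failure."""
    mfa = mfa_findings(services)
    patches = patch_findings(updates, today)
    auto_fail = bool(mfa or patches["A6.4"] or patches["A6.5"])
    return {"mfa_gaps": mfa, "patch_gaps": patches, "auto_fail": auto_fail}

# Constructed sample inventory (not real systems) evaluated as of 1 May 2026.
TODAY = date(2026, 5, 1)
SAMPLE_SERVICES = [
    CloudService("mail-tenant", mfa_available=True, mfa_enforced=True),
    CloudService("crm-saas", mfa_available=True, mfa_enforced=False),        # paid add-on never enabled
    CloudService("legacy-ticketing", mfa_available=False, mfa_enforced=False),  # no MFA offered: no auto-fail
]
SAMPLE_UPDATES = [
    Update("laptop-07", "os", "critical", date(2026, 4, 10), date(2026, 4, 20)),    # 10 days: compliant
    Update("server-02", "os", "critical", date(2026, 4, 1), date(2026, 4, 15)),     # exactly 14 days: compliant
    Update("edge-fw-01", "firmware", "high", date(2026, 4, 1), None),              # 30 days, still missing: A6.4
    Update("laptop-07", "extension", "high", date(2026, 4, 5), date(2026, 4, 25)),  # 20 days: A6.5
    Update("server-02", "application", "moderate", date(2026, 3, 1), None),        # not high-risk: ignored
]

if __name__ == "__main__":
    result = readiness(SAMPLE_SERVICES, SAMPLE_UPDATES, TODAY)
    print("MFA auto-fail services:", result["mfa_gaps"])
    print("Overdue updates by question:", result["patch_gaps"])
    print("Would auto-fail:", result["auto_fail"])
```

Run against a real inventory export, the same two functions give you the list to remediate before an assessment account is created.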

Step 3: Audit devices, networks and internet connections against the new scoping statements

Check which devices and systems meet the updated in-scope criteria. Review network segmentation and ensure exclusions can be justified. Prepare detailed scope documentation, including a full list of legal entities and a description of any out-of-scope infrastructure.

Step 4: Review your application development processes against the Software Security Code of Practice

If your organisation develops internal or external applications, confirm your development practices align to the secure coding best practice guidance from the UK government.

Step 5: Validate your backup strategy and recovery steps

Make sure your backups are segregated, regularly tested and available to support recovery.

Step 6: Confirm your user access control policy aligns with passkeys and MFA expectations

Review your identity policies and determine whether passwordless methods are used correctly and understood as part of your MFA strategy.

Step 7: Finalise your verified self-assessment before CE+ testing begins

If you’re pursuing CE+, ensure your VSA is complete and accurate before your assessment commences. Under the new rules, you won’t be able to revise it once testing has started. Any gaps identified during CE+ will need to be remediated across your entire scope, not just the devices being tested.

Step 8: Speak to a certified Cyber Essentials partner for a gap analysis

A specialist provider can help you identify areas that need improvement so you’re prepared ahead of your next assessment.

How DigitalXRAID Helps You To Navigate the 2026 Cyber Essentials Update

Staying compliant with Cyber Essentials can feel complex, particularly when updates change how requirements are interpreted and introduce new auto-fail criteria.

Working with an experienced cyber security provider ensures that you can meet the updated v3.3 requirements confidently and efficiently.

Expert guidance through Cyber Essentials and Cyber Essentials Plus

DigitalXRAID provides fully managed Cyber Essentials certification support throughout both levels of the scheme, helping you understand the requirements and prepare effectively for assessment. The service also comes with a Pass First Time service tier for unlimited support.

Pre assessment gap analysis aligned with updated v3.3 requirements

Our team identifies any configuration, scope, patching or policy gaps that could lead to non-compliance, including against the new MFA and 14-day patching auto-fail criteria.

Support with MFA, cloud scoping, access control and developer requirements

We help to assess your cloud environment, MFA readiness, user access controls, and development practices to ensure you can pass the certification requirements.

Why working with a highly certified cyber security services partner matters

DigitalXRAID is an IASME assured certification body, which demonstrates deep understanding of Cyber Essentials and how assessors interpret the scheme.

Our CREST, CHECK and multiple NCSC certifications provide additional assurance that your organisation is supported by experts who meet the highest standards of technical quality and governance.

Ready to Prepare for the Cyber Essentials 2026 Update? Get Expert Support

If you want to ensure a smooth transition to Cyber Essentials v3.3 or prepare for your next certification cycle, our team is ready to help. To speak with a specialist or schedule a Cyber Essentials consultation, simply get in touch with the DigitalXRAID team.


Cyber Essentials 2026 FAQs

What is the name of the new Cyber Essentials question set for 2026?

The new question set is called Danzell. It replaces the Willow question set used in 2025 and will apply to all assessment accounts created after 26 April 2026. Danzell is available now on the IASME website.

What happens if a cloud service supports MFA but we haven’t enabled it?

If a cloud service supports MFA and you haven’t enabled it, your Cyber Essentials assessment will automatically fail under the 2026 marking rules. This applies whether MFA is free, bundled, available through a connected service or only available as a paid option.

What are the new auto-fail questions A6.4 and A6.5?

A6.4 and A6.5 are two new auto-fail questions in the Danzell question set. A6.4 requires that all high-risk or critical updates for operating systems and router and firewall firmware are installed within 14 days of release. A6.5 requires the same for applications and their associated files and extensions. Failing either question results in automatic assessment failure.

Do passwordless authentication methods meet MFA requirements?

Passwordless methods like passkeys and FIDO2 can meet MFA requirements when they involve more than one factor, such as possession plus biometric verification. The NCSC actively encourages organisations to adopt passkeys as a default authentication method.

Can we exclude some parts of our network from scope under the 2026 update?

You can exclude certain parts of your network only if you can justify the reason and show they are technically segregated from in-scope systems. The new rules also require you to formally document any exclusions as part of the assessment process.

What are the new certification transparency requirements?

Under the 2026 update, organisations must provide a detailed scope description, list all legal entities included in scope with their name, address and company number, and describe any excluded infrastructure. All of this information will be visible via the digital certificate platform, with the exception of excluded areas, which won’t be made public.

What does ‘point in time’ mean under the 2026 update?

Point in time refers to the date the certificate is issued. All systems in scope must be supported and compliant on that specific date. This clarification removes previous ambiguity about when compliance needs to be demonstrated.

What is the difference between Cyber Essentials and Cyber Essentials Plus under the 2026 changes?

Cyber Essentials remains a self-assessment, while Cyber Essentials Plus includes hands-on technical verification. Both reflect the updated v3.3 requirements, and CE+ has additional process changes including stricter enforcement of organisation-wide patching and a prohibition on changing the verified self-assessment once CE+ testing has started.

How long do we have to complete the assessment once the new version goes live?

You have six months to complete an assessment from the date your account is created.

What is the new director declaration requirement?

Directors or senior leaders signing the verified self-assessment will now be required to confirm that Cyber Essentials controls will be maintained throughout the full certification period, not just at the point of assessment. This reinforces ongoing compliance as a board-level responsibility.
