Cyber Essentials is updating, and if you are planning to certify or renew in 2026, now is the time to pay attention.
From 27th April 2026, a set of updates approved by the National Cyber Security Centre and DSIT, delivered through the scheme operated by IASME, will come into effect. These changes are based on real breach investigations and audit insights and are designed to strengthen the consistency, clarity, and credibility of Cyber Essentials.
As part of this update, the Cyber Essentials self-assessment question set is changing. The existing question set, known as Willow, will be replaced by a newly named and updated version called Danzell.
At CybaVerse, we work closely with businesses completing Cyber Essentials every day. These updates do not change the purpose of the scheme, but they do raise the bar on preparation and accuracy. This guide breaks down what is changing, what is staying the same, and how to get ready without stress.
What has not changed
The foundations of Cyber Essentials remain exactly the same.
The scheme is still built around the five core technical controls:
- Firewalls and internet gateways
- Secure configuration
- User access control
- Malware protection
- Security update management
Cyber Essentials continues to focus on defending against common cyber attacks using clear, achievable controls. If your organisation already takes security seriously, these changes should feel like a tightening of clarity rather than a shift in direction.
What is changing from April 2026
While the controls remain the same, how they are assessed and verified is becoming more explicit.
A new self-assessment question set: Willow to Danzell
From April 2026, Cyber Essentials will move from the Willow self-assessment question set to a newly named version called Danzell.
The Danzell question set:
- Removes ambiguity from previous wording
- Sets clearer expectations around MFA and patching
- Introduces more detailed questions around scope and legal entities
The key takeaway is simple. Do not rely on answers from previous assessments completed under Willow. Organisations should always complete the current question set in use at the time of assessment, as responses that previously passed may no longer meet the updated criteria under Danzell.
Stricter marking and new auto-fail requirements
Some requirements are now classed as automatic failures if they are not met.
Multi-Factor Authentication (MFA)
MFA is now mandatory for all cloud services where it is available.
If MFA is not enabled, the assessment will automatically fail.
This applies to services such as email platforms, cloud productivity tools, and cloud administration portals.
Security updates and patching
High-risk and critical security updates must now be installed within 14 days of release.
This includes:
- Operating systems
- Applications
- Firewalls and routers
Failure to meet this requirement will result in an automatic fail. This change reflects how frequently attackers exploit known vulnerabilities shortly after release.
Greater transparency around scope
Scope definition is becoming clearer and more visible.
Organisations will now be required to:
- Provide a detailed description of what is in scope, with no word limit
- Declare all legal entities included in the certification
- Explain any exclusions and why they are excluded
What this means in practice:
- Scope descriptions will be visible on the digital certification platform
- Individual certificates will be issued for each legal entity where applicable
- Exclusion justifications will be collected, but not made public
This improves trust and makes it easier for customers, partners, and stakeholders to understand what a Cyber Essentials certificate actually covers.
What’s changing for Cyber Essentials Plus (CE+)
Cyber Essentials Plus is also being strengthened to improve assurance.
Wider update verification
Assessors will now:
- Test a new random sample to confirm fixes have been applied more broadly
This ensures updates are not applied just to a small test group.
Locked self-assessment responses
Once CE+ testing begins:
- Verified self-assessment responses can no longer be changed
This reinforces the importance of being fully prepared before testing starts.
Why these changes matter
From our experience supporting organisations through incidents and certification alike, these updates reflect real-world risk.
Breach investigations consistently show that:
- MFA gaps remain one of the most common entry points
- Delayed patching is still heavily exploited
- Poorly defined scope creates false confidence in certification
The updated Cyber Essentials framework addresses these issues while keeping the scheme practical and accessible.
How to prepare now
If you are certifying or renewing after April 2026, early preparation makes all the difference.
Focus on four areas:
- Confirm MFA is enabled across all cloud services
- Ensure critical updates are applied within 14 days, everywhere
- Review scope carefully, including legal entities and exclusions
- Treat CE+ preparation as final before testing begins
Good preparation avoids delays, rework, and failed assessments.
A CybaVerse perspective
Cyber Essentials is not becoming harder for the sake of it. It is becoming clearer, more consistent, and more aligned with how modern attacks actually happen.
For organisations that already follow good security practice, these changes should feel like a natural progression. That’s because true cyber resilience isn’t a one-off snapshot, it’s a continuous process.
At CybaVerse, we don’t see security as a point-in-time test that’s ‘passed’ and then forgotten. Threats evolve constantly, new vulnerabilities emerge between quarterly scans, and systems change daily. That’s why our CybaOps platform is built with continuous visibility, scanning, and risk prioritisation at its core.
With CybaOps you get:
- Continuous automated scanning across your external and internal assets, so you’re not relying on occasional checks that can miss newly introduced vulnerabilities.
- Always-on vulnerability management that updates your security posture in real time as new weaknesses are found, assessed, and contextualised.
- Dynamic risk prioritisation fed by live telemetry and threat intelligence, helping to focus effort where it matters most rather than only at audit time.
This means security controls stay effective long after initial certification and patch windows stay short, not just around assessment dates. Ultimately, CybaOps helps organisations shift from reactive, point-in-time testing to continuous assurance and control, making compliance easier and security far more resilient.
If you’re unsure how the Danzell updates affect your approach to ongoing cyber risk, our team would be glad to walk you through how CybaOps keeps your environment secure and continuously aligned to good practice.