Last updated 18 June 2026
Cyber Essentials Changes in 2026: Danzell v3.3 Explained
What changed in Cyber Essentials from 27 April 2026: full cloud scope, MFA auto-fails, the 14-day patching questions, and the year-round responsible-person declaration.
Cyber Essentials changed on 27 April 2026. The current question set is called Danzell, built on version 3.3 of the NCSC requirements. If your last certification, or the article you are reading, predates it, several things you think you know may now be wrong.
Assessment accounts created before 27 April 2026 may have up to six months to certify against the previous requirements. New accounts created from 27 April 2026 use Danzell.
1. Cloud services are fully in scope
Under Danzell, if your organisation's data or services live in a cloud service, that service is in scope. Microsoft 365, Google Workspace, your CRM, accounting platform, cloud storage, project tools, and HR system all count when they hold organisational data or services.
In practice, before any technical question, you need a complete list of the cloud services holding company data. Walk your subscriptions, bank statement, browser bookmarks, and supplier list. Most businesses find at least one service nobody centrally remembers buying.
2. Missing cloud MFA is now an automatic fail
The sharpest change in Danzell is that if a cloud service you use offers multi-factor authentication and you have not enabled it for all users, the assessment can fail automatically.
"MFA is available" and "most people have it" are both weak answers. Enforcement is what counts, evidenced from policy settings or conditional access reports rather than from one user's phone. Rolling MFA out across a company takes longer than people expect, so start weeks before you apply.
3. Patching has auto-fail questions of its own
Two auto-fail questions cover security updates: one for operating systems and firmware, one for applications. The substance is familiar: high-risk updates within 14 days. The assessment consequence is now sharper.
The 14-day rule covers vendor high or critical updates, anything with a CVSS v3 base score of 7.0 or above, and updates where the vendor gives no severity details at all. Cumulative updates inherit the highest severity of the fixes they contain.
"Updates are automatic" is a mechanism, not evidence. The failing pattern is edge cases: a laptop with updates paused, router firmware never touched, or a browser waiting weeks for a restart.
4. The responsible-person declaration now points beyond assessment day
The declaration an authorised responsible person signs now includes a commitment to maintain the controls throughout the certification period, not just to say they were true on assessment day.
Cyber Essentials is still a point-in-time assessment at the certificate issue date. The practical change is that the named responsible person is also acknowledging responsibility for maintaining the controls through the certification period. The sensible response is a small maintenance rhythm: monthly checks on updates and unsupported software, quarterly reviews of accounts and admin access, and a scope update whenever the business adds sites, systems, or suppliers.
5. Smaller changes worth knowing
Scoping language was simplified, which removes a classic source of arguments about what internet connections count. Cyber Essentials Plus also changed around update-management retesting and the rule that verified self-assessment answers should not be adjusted after Plus testing starts. Treat Plus as a separate technical-audit project, not just the same questionnaire with screenshots.
What to actually do
First, rebuild your cloud service list. Second, verify MFA is enforced for every user on every service that offers it. Third, check patching at the edges: paused devices, firmware, browsers, and supplier-managed systems. Fourth, find unsupported software. Fifth, if you certified last year, do not copy last year's answers without reviewing the changed wording.
FAQ
- When did Cyber Essentials v3.3 take effect?
- New Cyber Essentials assessments use the Danzell question set, aligned to the v3.3 requirements, from 27 April 2026.
- What are the automatic fails in the 2026 question set?
- The headline auto-fails include MFA offered but not enabled for all users on a cloud service, and failing the 14-day patching questions for operating systems, firmware, or applications.
- Can I exclude cloud services from Cyber Essentials scope?
- No. Under Danzell, cloud services that hold organisational data or services are in scope and cannot simply be excluded.
- Is my old certification still valid?
- Yes, until its expiry date. Your renewal should be prepared against the current Danzell question set rather than last year's wording.
RightCyber
Prepare the evidence behind the answers.
RightCyber is built around the Danzell question set and helps flag the preparation gaps that are hardest to fix after submission.
Last reviewed against official sources
Reviewed 18 June 2026 against current IASME, NCSC, or UK government sources. Official sources remain authoritative if requirements change.
RightCyber is an independent preparation tool and is not affiliated with or endorsed by IASME or the NCSC. This article is general guidance, not legal or professional advice. Official IASME and NCSC documentation remains authoritative.