Cyber Essentials 2026: What Is Changing and Why It Matters
Your Cyber Essentials certification is about to get harder to pass.
On 27 April 2026, the biggest update to the Cyber Essentials scheme in years takes effect. It is called the Danzell question set (v3.3), and it turns several controls into automatic failures.
If your business holds Cyber Essentials, or you have been thinking about getting certified, you need to understand what is changing before your next renewal.
Wondering whether your team’s credentials have already been exposed? Get a credential exposure check and find out in minutes.
The three changes that will catch businesses out
1. MFA is now mandatory, with no second chances
If any cloud service you use offers multi-factor authentication and you have not enabled it for every user, your assessment is an automatic failure. No compensating controls. No remediation window. Fail.
This applies to Microsoft 365, Google Workspace, Xero, Dropbox, CRMs, password managers, remote access portals, and any other cloud service in scope. If the option exists, it must be switched on for every account, administrator accounts included.
Right now, only 40% of UK businesses use MFA on their email (DSIT Cyber Security Breaches Survey 2025). That means the majority would fail this requirement today.
2. Critical patches must be applied within 14 days
Two new auto-fail questions (A6.4 and A6.5) require all high-risk and critical security updates to be installed within 14 days of release. This applies to operating systems, router and firewall firmware, applications, and browser extensions. The clock starts on the vendor's release date, not on the day you notice the update, and any testing you do has to fit inside the same 14 days.
No exceptions for change boards. No risk acceptance workarounds. If a critical patch has been available for more than two weeks and you have not applied it, you fail.
For businesses managing their own patching, this is a tight window. For businesses relying on an IT provider, it is worth asking: can they prove they are meeting this window, with patch reports rather than a contract clause?
3. Cloud services can no longer be excluded from scope
The Danzell question set adds a formal definition of "cloud service" and states explicitly that cloud services cannot be excluded from scope. If your organisation stores or processes data in a cloud platform, that platform is part of your assessment.
This means your Microsoft 365 configuration, your cloud-hosted CRM, your accounting software, and your file sharing tools all need to meet the standard. Assessors will want to see configuration evidence, not just policy documents.
What else is new in the Danzell update
- Director accountability: The board member or director signing off on the assessment must now acknowledge responsibility for maintaining compliance throughout the certification period, not just at the point of assessment.
- Passwordless authentication recognised: FIDO2 security keys and passkeys are explicitly supported as MFA methods. The NCSC is pushing passkeys as the default recommendation going forward.
- Stricter scoping rules: Devices are in scope if they accept incoming connections, establish outbound internet connections, or control data flow. Exclusions require documented justification and segregation proof.
- CE Plus gets tougher: Assessors now validate against live systems rather than static documentation. Random re-sampling means they can check additional devices during remediation. A second failure results in revocation of the verified self-assessment certificate.
- Unsupported software is an automatic failure: If any device in scope runs an operating system or application that is no longer supported by the vendor, the assessment fails.
Start with the basics
A credential exposure check shows whether your team's email addresses and passwords are already circulating in breach databases. MFA is the control that stops an exposed password from being usable on its own, so knowing which accounts are already exposed tells you where to switch it on first.
Request a credential exposure check | Call 0151 452 3060
Why this matters beyond the certificate
Cyber Essentials is not just a badge for your website. It is increasingly a business requirement.
The UK Government’s Lock the Door campaign, launched in February 2026, is built around the five Cyber Essentials protections: firewalls, secure configuration, software updates, access control, and malware protection. Businesses with Cyber Essentials certification file 92% fewer insurance claims than those without (DSIT 2026).
Only 3% of UK businesses currently hold Cyber Essentials certification (DSIT 2025). That number is expected to grow as supply chain requirements tighten and the Cyber Security and Resilience Bill progresses through Parliament.
For professional services firms handling sensitive client data, the question is not whether you need certification. It is whether you can afford to be in the 97% that do not have it.
How to prepare before 27 April
If your renewal falls after 27 April 2026, your assessment will use the new Danzell question set. Here is what to check now:
- Audit your MFA: List every cloud service your business uses. Check whether MFA is available and whether it is enabled for every user. If any service offers MFA and it is not switched on, fix it now.
- Check your patching: Can you prove that critical and high-risk patches are applied within 14 days? If you rely on an IT provider, ask them for evidence.
- Map your cloud services: Know what is in scope. If your team uses cloud tools that store business data, those tools are now part of the assessment.
- Retire unsupported software: Windows 10 reached end of support on 14 October 2025. Any in-scope device still running it, or any other end-of-life operating system or application, will cause an automatic failure.
- Get a baseline assessment: A vulnerability assessment now will show you exactly where the gaps are, before the assessor finds them.
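The three auto-fail rules above (MFA on every account where the service offers it, critical and high-risk updates within 14 days of release, no unsupported software) are simple enough to check mechanically before the assessor does. The script below is an added illustration written for this article, not Cyber Essentials scheme tooling and not code from the article's author. The record shapes, field names and the sample inventory are constructed for the example; in practice you would replace the sample lists with exports from your own systems, such as the Entra ID user registration report, your patching tool's history and your asset register.

```python
"""Pre-renewal gap check for the three Cyber Essentials auto-fails.

Added illustration: not scheme tooling, not the article author's code.
Record shapes, field names and the sample data are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Critical and high-risk security updates must be installed within 14 days of release.
PATCH_WINDOW = timedelta(days=14)
HIGH_RISK = {"critical", "high"}


@dataclass(frozen=True)
class CloudAccount:
    service: str          # cloud service name
    upn: str              # login / user principal name
    mfa_enabled: bool     # MFA actually switched on for this account


@dataclass(frozen=True)
class Patch:
    device: str
    update_id: str
    severity: str           # vendor rating, lower-cased
    released: date          # vendor release date (the 14-day clock starts here)
    installed: date | None  # None = still outstanding


@dataclass(frozen=True)
class Device:
    name: str
    os: str
    support_ends: date | None  # vendor end-of-support date; None = no end date announced


def mfa_gaps(accounts: list[CloudAccount], mfa_capable: set[str]) -> list[CloudAccount]:
    """Accounts on a service that offers MFA where MFA is not switched on.

    A service with no MFA option is not a gap under this rule ("if the
    option exists, it must be on"), so accounts on it are skipped.
    """
    return [a for a in accounts if a.service in mfa_capable and not a.mfa_enabled]


def patch_breaches(patches: list[Patch], today: date) -> list[Patch]:
    """Critical/high updates outside the 14-day window.

    Flags updates still outstanding past their deadline and updates that were
    installed late: the question is whether the process meets the window,
    not only what happens to be open today.
    """
    breaches = []
    for p in patches:
        if p.severity not in HIGH_RISK:
            continue
        deadline = p.released + PATCH_WINDOW
        overdue = p.installed is None and today > deadline
        late = p.installed is not None and p.installed > deadline
        if overdue or late:
            breaches.append(p)
    return breaches


def unsupported_devices(devices: list[Device], today: date) -> list[Device]:
    """Devices whose operating system is past its vendor end-of-support date."""
    return [d for d in devices if d.support_ends is not None and d.support_ends < today]


def readiness_report(accounts, mfa_capable, patches, devices, today) -> dict:
    """Collect findings per area; all three lists empty means no auto-fail on these checks."""
    return {
        "mfa": mfa_gaps(accounts, mfa_capable),
        "patching": patch_breaches(patches, today),
        "unsupported": unsupported_devices(devices, today),
    }


def would_auto_fail(report: dict) -> bool:
    return any(report.values())


# --- constructed sample inventory (not real systems or users) -----------------
TODAY = date(2026, 4, 1)
MFA_CAPABLE = {"Microsoft 365", "Xero", "Dropbox"}  # services where the MFA option exists
ACCOUNTS = [
    CloudAccount("Microsoft 365", "alice@example.com", True),
    CloudAccount("Microsoft 365", "bob@example.com", False),       # gap
    CloudAccount("Xero", "carol@example.com", False),              # gap
    CloudAccount("legacy-timesheets", "dave@example.com", False),  # no MFA option: not a gap
]
PATCHES = [
    Patch("ws-01", "UPD-A", "critical", date(2026, 3, 20), date(2026, 3, 28)),  # 8 days: fine
    Patch("fw-01", "UPD-B", "high", date(2026, 3, 1), None),                   # open 31 days: breach
    Patch("ws-02", "UPD-C", "medium", date(2026, 1, 1), None),                 # not high-risk: rule does not apply
    Patch("ws-03", "UPD-D", "critical", date(2026, 3, 1), date(2026, 3, 20)),  # 19 days: late
]
DEVICES = [
    Device("ws-01", "Windows 11 24H2", None),
    Device("ws-04", "Windows 10 22H2", date(2025, 10, 14)),  # Windows 10 end of support
]

if __name__ == "__main__":
    report = readiness_report(ACCOUNTS, MFA_CAPABLE, PATCHES, DEVICES, TODAY)
    for area, findings in report.items():
        print(f"{area}: {len(findings)} finding(s)")
        for f in findings:
            print("   ", f)
    print("AUTO-FAIL" if would_auto_fail(report) else "no auto-fail on these checks")
```

Two design points worth keeping when you adapt this: the patch check counts from the vendor release date rather than the date your tooling first saw the update, because that is how the 14-day question is worded; and an update installed exactly on day 14 is treated as inside the window, so confirm that interpretation with your assessor rather than assuming it.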
Not sure where your gaps are?
We help businesses across the North West get their security fundamentals in order. Start with a credential exposure check to see what is already out there, then we can talk through what needs tightening before your next renewal.
No obligation. No scare tactics. Just a clear picture of where you stand.