From 27 April 2026, the Cyber Essentials scheme will introduce a significant update to how organisations are assessed. While the five core security controls remain unchanged, the new version (known as the “Danzell” question set) strengthens enforcement, removes ambiguity, and introduces stricter pass/fail criteria.

For businesses preparing for certification or renewal, understanding these changes early is essential.


Why Cyber Essentials is being updated

Cyber Essentials is designed to protect organisations against the most common cyber threats. As attack methods evolve, the scheme is regularly updated to reflect real-world risks and improve consistency in assessments.

The 2026 update focuses on:

  • Eliminating unclear or subjective assessment areas
  • Strengthening enforcement of critical controls
  • Ensuring certification reflects actual security posture

When do the changes take effect?

  • The new requirements apply to all assessments created on or after 26–27 April 2026
  • Organisations already in progress will have six months to complete under the previous version

What’s changing in Cyber Essentials 2026

1. Mandatory Multi-Factor Authentication (MFA)

Multi-factor authentication is now a strict requirement across all cloud services.

  • MFA must be enabled wherever it is available
  • Applies to all users accessing organisational data
  • Failure to enable MFA results in automatic failure

This includes services such as:

  • Microsoft 365
  • Google Workspace
  • CRM, HR, and finance platforms

There are no exceptions — even if MFA is optional or incurs additional cost.


2. 14-Day Patch Management Requirement

A key technical change is the introduction of stricter timelines for security updates.

  • Critical and high-risk vulnerabilities must be patched within 14 days
  • Applies to operating systems, applications, and network devices
  • Non-compliance leads to automatic failure

This reflects the increasing speed at which vulnerabilities are exploited in real-world attacks.


3. Expanded Auto-Fail Criteria

The 2026 update introduces more binary pass/fail conditions.

You may now automatically fail if:

  • MFA is not implemented where required
  • Critical patches are not applied within the timeframe
  • Key controls are incorrectly configured

Previously, some of these issues could be remediated during assessment — this flexibility has been removed.


4. Broader Scope for Cloud Services

The definition of “cloud services” has been expanded and clarified.

Organisations must now include:

  • SaaS platforms (e.g. CRM, collaboration tools)
  • Cloud storage and email systems
  • Any externally hosted system storing organisational data

All in-scope services must meet Cyber Essentials requirements, including MFA and access control.


5. New Danzell Question Set

The updated assessment introduces a completely revised questionnaire.

Changes include:

  • More detailed and structured questions
  • Greater emphasis on evidence and accuracy
  • Clearer scoping requirements

The aim is to ensure assessments are more consistent and reflective of real security practices.


6. Increased Accountability at Leadership Level

Organisations must now provide a formal declaration confirming compliance.

  • A board member or director must sign off the assessment
  • Responsibility extends beyond IT teams to senior leadership

This reinforces that cyber security is a business-wide responsibility, not just a technical one.


7. Changes to Cyber Essentials Plus

For organisations pursuing Cyber Essentials Plus:

  • Assessors require stronger technical evidence
  • Failed patching may trigger expanded device testing
  • Self-assessment answers cannot be changed after testing begins

This ensures that certification reflects actual implementation, not just documented intent.


What hasn’t changed

Despite the updates, the core framework remains the same.

Cyber Essentials still focuses on five key controls:

  1. Firewalls
  2. Secure configuration
  3. User access control
  4. Malware protection
  5. Security update management

What this means for your organisation

The 2026 update does not introduce new controls — but it does make compliance more rigorous.

Organisations should expect:

  • Less flexibility during assessment
  • Greater scrutiny of cloud environments
  • Increased importance of evidence and documentation

In practical terms, many businesses will need to:

  • Review MFA coverage across all systems
  • Improve patch management processes
  • Clearly define and document scope

How to prepare for Cyber Essentials 2026

To reduce the risk of failure:

1. Audit all cloud services
Identify every system storing organisational data and ensure it is in scope.

2. Enable MFA everywhere possible
This is the most common cause of failure under the new rules.

3. Review patching processes
Ensure critical updates can be applied within 14 days.

4. Validate your scope
Clearly define users, devices, and systems included in certification.

5. Prepare evidence early
Be ready to demonstrate compliance, not just state it.
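The two auto-fail conditions called out above (MFA not enabled where it is available, and critical or high-risk patches older than 14 days) can be checked against an asset inventory before the assessor does. The script below is an added illustration, not code from the page or from the Cyber Essentials scheme: the service and vulnerability records are constructed, the field names are this example's own, and it assumes the 14-day clock starts on the date the vendor released the fix, which should be confirmed against the official question set.

```python
"""Cyber Essentials 2026 readiness checks (added example, not the scheme's own tooling).

Check 1: every in-scope cloud service with MFA available must have it enabled.
Check 2: every critical/high vulnerability must be fixed within 14 days.
All data below is constructed; the 14-day clock starting at fix release is an assumption.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_SLA_DAYS = 14
SLA_SEVERITIES = {"critical", "high"}  # the page sets the window only for these


@dataclass(frozen=True)
class CloudService:
    name: str
    stores_org_data: bool   # in scope under the expanded cloud definition
    mfa_available: bool     # can MFA be turned on at all (even as a paid option)?
    mfa_enabled: bool


@dataclass(frozen=True)
class Vulnerability:
    asset: str
    vuln_id: str            # placeholder ids, not real CVE numbers
    severity: str
    fix_released: date      # assumed start of the 14-day clock
    patched_on: Optional[date]  # None means still unpatched


def mfa_gaps(services):
    """Names of in-scope services where MFA is available but switched off.

    Optional or paid MFA still counts as available, so availability alone is
    enough to put a service on this list. Services that offer no MFA at all are
    not covered by this rule and need separate review."""
    return sorted(
        s.name for s in services
        if s.stores_org_data and s.mfa_available and not s.mfa_enabled
    )


def patch_sla_report(vulns, today):
    """Bucket each critical/high vulnerability against the 14-day window.

    compliant       : patched on or before the deadline
    overdue         : patched late, or unpatched with the deadline already passed
    open_in_window  : unpatched, deadline still in the future"""
    report = {"compliant": [], "overdue": [], "open_in_window": []}
    for v in vulns:
        if v.severity.lower() not in SLA_SEVERITIES:
            continue
        deadline = v.fix_released + timedelta(days=PATCH_SLA_DAYS)
        if v.patched_on is not None:
            bucket = "compliant" if v.patched_on <= deadline else "overdue"
        elif today > deadline:
            bucket = "overdue"
        else:
            bucket = "open_in_window"
        report[bucket].append(v.vuln_id)
    return report


def would_auto_fail(services, vulns, today):
    """True if either auto-fail condition from the page is met."""
    return bool(mfa_gaps(services)) or bool(patch_sla_report(vulns, today)["overdue"])


# Constructed sample inventory.
SERVICES = [
    CloudService("Microsoft 365", True, True, True),
    CloudService("Google Workspace", True, True, False),        # gap
    CloudService("Finance platform", True, True, False),        # MFA is a paid add-on: still a gap
    CloudService("Vendor status page", False, True, False),     # stores no org data: out of scope
    CloudService("Legacy HR portal", True, False, False),       # no MFA offered: not caught by this rule
]
TODAY = date(2026, 5, 15)
VULNS = [
    Vulnerability("fw-edge-01", "VULN-EX-0001", "critical", date(2026, 4, 20), date(2026, 4, 28)),
    Vulnerability("ws-014", "VULN-EX-0002", "high", date(2026, 4, 10), date(2026, 5, 1)),
    Vulnerability("srv-app-02", "VULN-EX-0003", "high", date(2026, 4, 25), None),
    Vulnerability("ws-031", "VULN-EX-0004", "critical", date(2026, 5, 8), None),
    Vulnerability("printer-lobby", "VULN-EX-0005", "medium", date(2026, 3, 1), None),
]

if __name__ == "__main__":
    print("MFA gaps:", mfa_gaps(SERVICES))
    print("Patch SLA:", patch_sla_report(VULNS, TODAY))
    print("Would auto-fail:", would_auto_fail(SERVICES, VULNS, TODAY))
```

Run as-is it reports two MFA gaps, one compliant patch, two overdue items and one still inside its window, so the sample organisation would fail on both counts. The medium-severity item is deliberately ignored by the SLA check because the page only sets the 14-day window for critical and high-risk issues; the legacy portal with no MFA offering is not flagged either, which is exactly the kind of system worth documenting in the scope before assessment.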


Cyber Essentials Readiness Assessment

Preparing for Cyber Essentials under the new 2026 requirements can be challenging, especially with stricter pass/fail criteria and tighter controls around MFA and patching.

Our Cyber Essentials Readiness Assessment is designed to help you prepare with confidence.

We provide:

  • A full security review of your current environment
  • A clear gap analysis against Cyber Essentials requirements
  • Practical, prioritised recommendations to achieve compliance

This ensures you understand exactly where you stand, and what needs to be done before certification.

✔ Designed for SMEs and growing organisations
✔ No technical jargon — just clear, actionable guidance

👉 Learn more about our professional services and get started today.

📞 Call us on 01925 818448
📧 Email sales@smsbusinesscloud.com
🛒 Or buy online 24/7 via our cart