25 June 2026

Cyber Essentials 2026 Changes: What Small Businesses Need to Know


Cyber Essentials quietly became significantly harder to pass on 27 April 2026 — and most small businesses have not noticed yet.

Version 3.3 of the Requirements for IT Infrastructure, assessed through a new question set known as “Danzell”, introduced automatic failure conditions that did not exist before. Miss MFA on a single cloud service that supports it. Fail to install a critical security update within 14 days. Leave your Microsoft 365 tenant out of scope. Any one of those can now end your assessment before it starts.

For local businesses across Shropshire and the wider region — whether you are bidding on public sector contracts, supplying a larger organisation, or simply trying to demonstrate solid cyber hygiene to clients — Cyber Essentials certification has real commercial weight. Getting caught out by a rule change you did not know about is an entirely avoidable problem.

This guide covers every significant change in the April 2026 update, explains what it means, and gives you a practical checklist to work through before your next assessment.

What Has Changed in Cyber Essentials for 2026?

The short version: the five core controls have not changed. Firewalls, secure configuration, user access control, malware protection, and patch management are still the foundation of Cyber Essentials. What has changed is how strictly those controls are assessed, and where failure is now automatic rather than a minor non-compliance.

The April 2026 update aims to improve clarity, consistency, and effectiveness. The NCSC and IASME have tightened the assessment criteria, introduced automatic failure conditions, and closed loopholes that allowed some organisations to certify without genuinely meeting the standard.

In our experience working with small businesses around Shropshire on their certification, the most common reason for renewal failures has never been the exotic stuff. It is usually MFA not switched on, an old router running unsupported firmware, or a SaaS tool the team forgot to include in scope. The 2026 changes formalise all three of those as hard failures.

What Is the New Danzell Question Set?

On 27 April 2026, version 3.3 of the NCSC Requirements for IT Infrastructure went live and the verified self-assessment adopted a new question set: Danzell. Certifications started after that date are assessed against version 3.3 using Danzell. If you previously certified using the “Willow” question set, Danzell is its replacement.

Is This a Completely New Framework?

No. Think of it as a meaningfully stricter version of a familiar standard, not a rebuild from scratch. The questions are clearer, several definitions have been tightened, and — critically — some questions that previously resulted in a minor non-compliance now result in an automatic fail.

Any active assessment accounts set up before 27 April 2026 will continue to use the previous version of the assessment questions. If you started your assessment before that date, you have up to six months to complete it under the old rules.

Why Could MFA Now Cause Your Business to Automatically Fail?

This is the change that catches most businesses off guard.

MFA must be enabled on every cloud service that supports it. If a cloud service offers MFA — whether free, included, or available at additional cost — and an organisation has not switched it on, the assessment is automatically failed with no remediation window.

Previously, there was room for interpretation. Some assessors accepted partial MFA rollout or noted it as a minor issue. That flexibility is gone.

IASME has been clear that the cost of an MFA add-on is not an acceptable reason for not implementing it. If MFA is available on a paid tier and you have not upgraded to enable it, you fail.

One client we recently supported had MFA enabled on their Microsoft 365 tenant but not on their project management tool, their cloud accounting software, or the HR platform their team used daily. All three are internet-facing services that staff log into with company accounts, and all three would now trigger an automatic failure.

Which Cloud Services Need MFA Enabled?

This applies across SaaS platforms, email, identity providers, remote access tools, and any other cloud service that stores or processes your organisation’s data.

Practically, that means you need to audit:

  • Microsoft 365 / Google Workspace — email, documents, collaboration
  • CRM platforms — HubSpot, Salesforce, Zoho, and equivalents
  • Cloud accounting software — Xero, QuickBooks, FreeAgent
  • HR and payroll systems — BambooHR, Sage HR, and similar
  • Remote access tools — VPNs, remote desktop solutions
  • Any other internet-accessible platform where your data is stored

What Counts as Acceptable MFA?

The NCSC recommends using authenticator apps (such as Microsoft Authenticator or Google Authenticator) or hardware security keys as the preferred MFA methods, as SMS-based verification is increasingly vulnerable to SIM-swapping attacks.

SMS remains an acceptable form of MFA under Cyber Essentials 2026 — so if SMS is the only option your cloud service offers, it will still pass. But where stronger options exist, use them.

Passkeys and FIDO2 authenticators are now the NCSC’s preferred direction of travel. Passkeys in particular offer an easier, faster, and more secure way to log in, and the NCSC would like to see them become the default authentication recommendation.

What Are the New Patching Rules — and Why Are They Now Auto-Fail?

Patching has always been part of Cyber Essentials, but the 2026 update removes the tolerance that previously existed for slow or partial patch rollouts.

IASME has made two new questions in the security update management section into auto-fail questions. These ask whether all high-risk or critical security updates and vulnerability fixes are installed within 14 days.

Previous assessments allowed organisations to receive up to two major non-compliances for patching gaps and still pass. That tolerance has been removed.

The 14-day window is not new — it has been in the requirements for some time. What is new is that missing it is now an immediate, unambiguous failure.

How Do You Prove You Are Patching Within 14 Days?

This is where many small businesses struggle. Knowing you patch regularly is not the same as being able to evidence it.

Organisations must ensure they have: strong patching processes backed by buy-in from senior management; effective technical solutions for update deployment and vulnerability scanning; and clear governance around vulnerability and security update management.

In practical terms, that means:

  • Using an RMM tool (remote monitoring and management) that logs patch status and timestamps
  • Running regular vulnerability scans and keeping the reports
  • Documenting your patching policy — when you check for updates, who is responsible, and how you handle exceptions
  • Asking your IT provider to show you patch compliance reports, not just tell you it is handled

Don’t forget firmware. The 2026 requirements place greater emphasis on keeping firmware up to date on network devices — including routers, firewalls, switches, VPN appliances, and wireless access points. Many businesses diligently update their laptops but run routers on firmware from three years ago.

How Have the Cloud Scoping Rules Changed?

One of the quieter but significant changes in version 3.3 is the formal definition of a cloud service — and the explicit statement that cloud services can no longer be excluded from certification scope.

A cloud service, for Cyber Essentials purposes, is any on-demand, scalable service hosted on shared infrastructure, accessed via the internet through an organisational account, that stores or processes your organisation’s data. That covers everything from Microsoft 365 and Google Workspace through to CRM platforms, accounting software, and HR systems.

This closes a loophole that some organisations still relied on. If a service is internet-facing and your team logs into it with company credentials, it is in scope. Full stop.

Which Devices Are in Scope Under the New Rules?

IASME has also simplified the device scoping rules: any device that connects to the internet is in scope. The previous, more complex language around “untrusted” or “user-initiated” connections has been removed to make this easier to understand.

For most small businesses, this simplification is welcome. The ambiguity in previous versions caused as many problems as it solved. The clearer rule is: if it is on the internet and your people use it for work, include it.

How Has Cyber Essentials Plus Changed in 2026?

Cyber Essentials Plus (CE+) — the higher-tier certification involving a hands-on technical audit — has seen some of the most significant tightening.

Recent audits found organisations applying “selective updates” during the CE+ process: when the audit identified updates as necessary, a small number of organisations applied them only to the devices in the tested sample, rather than across their entire CE+ scope.

If any device — old or new — still shows vulnerabilities that should have been patched within 14 days, including initial findings and any new ones, the organisation fails the CE+ audit and loses its Cyber Essentials self-assessment certification.

If Cyber Essentials Plus is failed, IASME will revoke the underlying Cyber Essentials certificate. That is a significant escalation. Previously, failing CE+ meant you could fall back on your basic Cyber Essentials certification. Now, failure at the Plus level strips both.

Does Your Business Still Need Cyber Essentials Certification?

For many businesses in the region, this is not an optional consideration. Cyber Essentials certification is already a prerequisite for many UK public sector contracts under PPN 014. For SMEs that supply larger businesses or bid for government work, maintaining valid Cyber Essentials certification is a commercial requirement. Failing to achieve it under the stricter criteria could mean being excluded from tender processes before a conversation starts.

Beyond contracts, certification signals to clients, insurers, and partners that your business takes cyber security seriously. It can help build trust with customers and partners and strengthen your position when competing for new contracts, particularly in regulated or data-sensitive sectors.

How Can You Prepare Before Your Next Assessment?

Work through this checklist well before your renewal or first application:

MFA Audit

  • List every cloud service your team uses for work
  • Confirm MFA is enabled on each — not just available, but switched on for all user accounts
  • Check whether MFA is enforced (users cannot bypass it) or merely optional
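The MFA audit steps above, and the earlier rules on which services and which methods count, can be turned into a repeatable check. The Python script below is an added example, not code from the original post or from IASME or the NCSC. It encodes the article's rules (MFA available on any tier but not enforced for every account is an automatic fail; SMS passes but is weak; a service with no MFA option is flagged for review rather than failed) and runs them over a constructed inventory. The service names, tiers and user accounts are invented; in practice you would populate the inventory from each platform's admin console or user export.

```python
"""MFA coverage audit for a Cyber Essentials (Danzell) pre-assessment.

Rules encoded from the article:
  * If a service offers MFA on any tier (free, included or paid) and it is
    not enforced for every user account, that is an automatic fail.
  * SMS is accepted but weak; authenticator apps, hardware keys and
    passkeys are preferred.
  * A service with no MFA option at all cannot fail on MFA, but should
    be reviewed and documented.
"""
from __future__ import annotations

AUTO_FAIL, PASS, REVIEW = "auto-fail", "pass", "review"

# Methods the article names. Anything else is flagged for review.
KNOWN_METHODS = {"sms", "authenticator", "fido2", "passkey"}


def classify_service(service: dict) -> dict:
    """Return a verdict and notes for one cloud service entry."""
    name = service["name"]
    tier = service["mfa_available"]   # "none", "free", "included" or "paid_tier"
    users = service["users"]          # account -> list of registered methods

    if tier == "none":
        return {"service": name, "verdict": REVIEW,
                "notes": ["vendor offers no MFA; confirm and document this"]}

    # Cost is not an excuse: a paid tier that is not switched on still fails.
    if not service["enforced"]:
        return {"service": name, "verdict": AUTO_FAIL,
                "notes": [f"MFA available ({tier}) but not enforced for all users"]}

    # An enforcement policy alone is not enough: every account needs a method.
    missing = sorted(u for u, methods in users.items() if not methods)
    if missing:
        return {"service": name, "verdict": AUTO_FAIL,
                "notes": [f"no MFA method registered for: {', '.join(missing)}"]}

    notes = []
    sms_only = sorted(u for u, methods in users.items() if set(methods) <= {"sms"})
    if sms_only:
        notes.append(f"SMS-only (accepted but weak): {', '.join(sms_only)}")
    unknown = sorted({m for methods in users.values() for m in methods
                      if m not in KNOWN_METHODS})
    if unknown:
        notes.append(f"unrecognised method(s) to review: {', '.join(unknown)}")
    return {"service": name, "verdict": PASS, "notes": notes}


def audit(services: list[dict]) -> tuple[str, list[dict]]:
    """Classify every service; one auto-fail anywhere fails the assessment."""
    findings = [classify_service(s) for s in services]
    overall = AUTO_FAIL if any(f["verdict"] == AUTO_FAIL for f in findings) else PASS
    return overall, findings


# Constructed sample inventory: service names, tiers and accounts are made up.
SAMPLE_INVENTORY = [
    {"name": "Microsoft 365", "mfa_available": "included", "enforced": True,
     "users": {"alice": ["authenticator"], "bob": ["fido2"], "carol": ["sms"]}},
    {"name": "Project management tool", "mfa_available": "paid_tier", "enforced": False,
     "users": {"alice": [], "bob": [], "carol": []}},
    {"name": "Cloud accounting", "mfa_available": "included", "enforced": True,
     "users": {"alice": ["authenticator"], "dave": []}},
    {"name": "Legacy supplier portal", "mfa_available": "none", "enforced": False,
     "users": {"alice": []}},
]

if __name__ == "__main__":
    overall, findings = audit(SAMPLE_INVENTORY)
    for f in findings:
        print(f"{f['verdict']:9} {f['service']}: {'; '.join(f['notes']) or 'ok'}")
    print("Overall:", overall)
```

Run against the sample, the project management tool fails because MFA sits on a paid tier that was never enabled, and the accounting platform fails because one account has no method registered even though enforcement is switched on. That second case is the one the checklist item "switched on for all user accounts" is aimed at.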

Patching Review

  • Ask your IT provider to produce a patch compliance report covering the last 90 days
  • Confirm firmware is up to date on all routers, firewalls, and network hardware
  • Check that your patching policy is documented and covers the 14-day critical update window
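The evidence question raised earlier ("How Do You Prove You Are Patching Within 14 Days?") and the patching review above both come down to the same calculation: for every critical or high-risk update on every in-scope device, including network firmware, was it installed within 14 days of release? The Python script below is an added example, not code from the original post or from any particular RMM product. It reads a constructed patch-status export (the column layout is invented for this example; map your own tool's export onto it), works out the status of each row, and also flags the CE+ "selective update" pattern where an update is installed on some devices but still outstanding on others. It assumes the release date is day 0 and that day 14 is the last compliant day; confirm that interpretation with your assessor.

```python
"""Check a patch-status export against the Cyber Essentials 14-day rule.

Expected columns (a constructed layout, not any specific RMM tool's export):
  device,kind,update_id,severity,released,installed
where `installed` is blank if the update has not yet been applied.
"""
import csv
import io
from datetime import date, timedelta

WINDOW = timedelta(days=14)                  # assumption: release date is day 0
IN_SCOPE_SEVERITIES = {"critical", "high"}   # the auto-fail questions cover these

# Constructed sample export covering laptops and network firmware (made-up data).
SAMPLE_REPORT = """\
device,kind,update_id,severity,released,installed
LAPTOP-01,laptop,KB-A,critical,2026-05-01,2026-05-06
LAPTOP-02,laptop,KB-A,critical,2026-05-01,2026-05-20
LAPTOP-01,laptop,KB-B,high,2026-06-10,
LAPTOP-02,laptop,KB-B,high,2026-06-10,2026-06-12
LAPTOP-01,laptop,KB-C,low,2026-04-01,
EDGE-RTR,router,FW-7.2,critical,2026-05-15,
AP-01,access_point,FW-3.1,high,2026-06-15,
"""


def parse_report(text):
    """Parse the CSV export into rows with real date objects."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "device": r["device"], "kind": r["kind"], "update_id": r["update_id"],
            "severity": r["severity"].strip().lower(),
            "released": date.fromisoformat(r["released"]),
            "installed": date.fromisoformat(r["installed"]) if r["installed"] else None,
        })
    return rows


def status_of(row, today):
    """compliant / late / overdue / pending, or not-assessed for lower severities."""
    if row["severity"] not in IN_SCOPE_SEVERITIES:
        return "not-assessed"
    deadline = row["released"] + WINDOW
    if row["installed"] is None:
        return "overdue" if today > deadline else "pending"
    return "compliant" if row["installed"] <= deadline else "late"


def assess(rows, today):
    """Score every row, collect the failures and spot partial rollouts."""
    results = [{**row, "deadline": row["released"] + WINDOW,
                "status": status_of(row, today)} for row in rows]
    failing = [r for r in results if r["status"] in ("late", "overdue")]

    # CE+ "selective update" check: the same update applied on some devices
    # but still missing on others in scope.
    by_update = {}
    for r in results:
        if r["status"] != "not-assessed":
            by_update.setdefault(r["update_id"], []).append(r)
    partial = sorted(uid for uid, rs in by_update.items()
                     if any(r["installed"] for r in rs)
                     and any(r["installed"] is None for r in rs))

    return {"results": results, "failing": failing, "partial_rollouts": partial,
            "verdict": "auto-fail" if failing else "pass"}


if __name__ == "__main__":
    report = assess(parse_report(SAMPLE_REPORT), date(2026, 6, 25))
    for r in report["results"]:
        print(f"{r['status']:12} {r['device']:10} {r['update_id']:7} "
              f"{r['severity']:8} deadline {r['deadline']}")
    print("Partial rollouts:", ", ".join(report["partial_rollouts"]) or "none")
    print("Verdict:", report["verdict"])
```

On the sample data the router firmware and one laptop update are overdue, a second laptop installed a critical update five days late, and KB-B shows up as a partial rollout because it reached one laptop but not the other. Keeping the export and this kind of summary for each patch cycle is the sort of evidence an assessor can accept, as opposed to a verbal assurance that updates are handled.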

Scope Definition

  • List all devices that connect to the internet (laptops, desktops, tablets, phones, and network hardware such as routers and firewalls)
  • List all cloud services used for business purposes
  • Identify any exclusions and prepare a written justification for each

Documentation

  • Keep patch logs, update records, and access control settings ready for review
  • Ensure admin accounts are separate from standard user accounts
  • Confirm no shared admin accounts exist

For CE+ Applicants

  • Patching must be consistent across the whole scope — not just the sampled devices
  • Prepare evidence of your update management process, not just the outcome

Act Before Your Next Renewal

The April 2026 changes to Cyber Essentials are not a minor administrative update. The introduction of automatic failure conditions for MFA and patching, combined with tighter cloud scoping rules, means businesses that sailed through previous assessments may now fail without warning.

The three most important actions to take right now:

  1. Audit your MFA coverage across every cloud service — fix any gaps before your assessment date
  2. Check your patch documentation — you need evidence of 14-day compliance, not just good intentions
  3. Review your scope — if you have excluded any cloud services in the past, bring them into scope now

If you are unsure whether your current setup meets the Danzell requirements, speaking to a Cyber Essentials-accredited assessor or a local IT provider familiar with the 2026 changes is the most efficient route.

Ready to get certified or renew your Cyber Essentials certification under the new requirements? Contact us to book a pre-assessment review — we help businesses across Shropshire and the surrounding counties prepare, certify, and stay compliant.
