As of 27 April 2026, Cyber Essentials assessments are scored against a stricter rulebook. One missing MFA setting is now enough to fail the whole thing.

The Cyber Essentials 2026 changes, known as version 3.3, affect every UK business that holds the badge or plans to apply. The five core controls have not changed. How they are marked has.

This guide explains what is different, what now triggers an automatic fail, and what to fix before your next assessment. No jargon, no padding.

What changed in Cyber Essentials in April 2026?

The Cyber Essentials 2026 changes took effect on 27 April 2026 under version 3.3 of the Requirements for IT Infrastructure. They introduced a new question set called Danzell, mandatory multi-factor authentication on all cloud services, an expanded cloud services definition, and automatic failure for missing MFA or unpatched software.

The five headline changes are:

  1. Multi-factor authentication is mandatory on every cloud service where available.
  2. The definition of a cloud service has been expanded and clarified.
  3. The Danzell question set replaces the previous Willow set.
  4. New auto-fail triggers apply to MFA and security update management.
  5. The director declaration now carries an ongoing compliance commitment.

The five core control themes still apply: firewalls, secure configuration, user access control, malware protection, and security update management. Only the marking has tightened.

When did Cyber Essentials v3.3 take effect?

Cyber Essentials v3.3 took effect on 27 April 2026. It applies to all assessment accounts created on or after that date.

If your assessment account was created before 27 April 2026, you stay on the previous Willow question set. You have six months from account creation to complete that assessment, with a final cut-off of 27 October 2026.

After that date, all outstanding assessments restart under Danzell. If you are mid-renewal, check with your certification body which version your account is locked to.

MFA is now mandatory on every cloud service

Yes, multi-factor authentication is mandatory under Cyber Essentials v3.3. If MFA is available on a cloud service and you have not enabled it, your assessment fails automatically.

Available means MFA is offered for free, included in the service, connected through another service like Microsoft 365, or available as a paid add-on. The paid option still counts. There is no opt-out.

This applies to every user, not just administrators. A single standard user without MFA on a single in-scope service is enough to fail.

Auto-fail also means no remediation within the assessment cycle. You pay again, you start again. According to IASME, the rule is enforced strictly under the new Danzell marking criteria.

What counts as acceptable MFA?

The following methods are accepted under v3.3:

  • Authenticator apps (Microsoft Authenticator, Google Authenticator, Authy).
  • Hardware security keys.
  • Passkeys and FIDO2 authenticators (the strongest option).
  • SMS and email codes (still accepted, but weaker).

If you are choosing an MFA method now, build toward passkeys or authenticator apps. SMS will likely face tighter scrutiny in future updates.

The new cloud services definition and your expanded scope

Under v3.3, a cloud service is an on-demand, scalable service hosted on shared infrastructure and accessible via the internet. In practice, any SaaS tool signed up to using a business email or business account is now in scope.

That includes Microsoft 365, Google Workspace, Salesforce, Slack, Xero, Canva, ChatGPT, Notion, and every other tool your team uses day to day. Most SMEs underestimate their cloud footprint by 30 to 50 percent.

How to find your real cloud scope

Most businesses we work with discover a dozen SaaS tools their IT team did not know about. Marketing signed up for one. Sales adopted another. A developer started trialling something six months ago.

To build a complete inventory:

  1. Log in to your Microsoft 365 or Google Workspace admin centre.
  2. Export the enterprise apps and sign-in logs from the last 90 days.
  3. Ask each department lead to list every tool they use with a work email.
  4. Cross-reference and remove duplicates.

That list is your real scope. Anything missing on assessment day is a risk.
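
The cross-reference step above can be scripted. This is an added example, not part of the original guide or any vendor tooling: it merges a sign-in log export with the department returns, de-duplicates on a normalised name, and reports where the two sources disagree. The CSV column names and all sample data are constructed assumptions.

```python
import csv
import io
import re

# Constructed sample standing in for a sign-in log export covering 90 days.
# The column names "app" and "user" are assumptions; map them to your export.
SIGNIN_EXPORT = """app,user
Microsoft 365,alice@example.co.uk
Slack,bob@example.co.uk
slack ,Alice@example.co.uk
Xero,carol@example.co.uk
"""

# Constructed department returns: tools each lead says are used with a work email.
DEPARTMENT_LISTS = {
    "Marketing": ["Canva", "Slack"],
    "Sales": ["Salesforce", "SLACK"],
    "Engineering": ["Notion", "ChatGPT", "Microsoft 365"],
}


def normalise(name):
    """Collapse case, spacing and punctuation so 'slack ' and 'SLACK' match."""
    return re.sub(r"[^a-z0-9]+", " ", name.lower()).strip()


def build_inventory(signin_csv, department_lists):
    """Merge both sources into one de-duplicated inventory keyed by normalised name."""
    inventory = {}

    def entry(name):
        blank = {"name": name.strip(), "users": set(), "departments": set(), "in_logs": False}
        return inventory.setdefault(normalise(name), blank)

    for row in csv.DictReader(io.StringIO(signin_csv)):
        item = entry(row["app"])
        item["users"].add(row["user"].strip().lower())
        item["in_logs"] = True
    for department, tools in department_lists.items():
        for tool in tools:
            entry(tool)["departments"].add(department)
    return inventory


def reported_but_not_in_logs(inventory):
    """Tools a department listed that never appeared in the admin export."""
    return sorted(i["name"] for i in inventory.values() if not i["in_logs"])


def in_logs_but_unclaimed(inventory):
    """Tools seen in the export that no department lead listed."""
    return sorted(i["name"] for i in inventory.values() if i["in_logs"] and not i["departments"])
```

Tools that were reported but never appear in the logs are usually signed up outside single sign-on, so their MFA status has to be checked in each tool's own settings.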

Willow is out, Danzell is in: the new question set

Danzell is the new self-assessment question set introduced with v3.3. It replaces Willow, which itself only launched in April 2025.

The questions are more granular, especially around cloud service inventory and MFA implementation. If you sailed through Willow last year, do not assume Danzell will feel the same.

Same five control themes. Stricter marking. More evidence expected.

The new auto-fail rules under Danzell

Two auto-fail triggers now apply across the assessment:

  • Missing MFA on any in-scope cloud service that offers it.
  • Out-of-date or unsupported software within scope, including missed high-severity patches beyond the 14-day window.

For Cyber Essentials Plus, assessors now check MFA enforcement across both administrative and standard user accounts. Sampling admins alone is over.
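
A pre-assessment check for both triggers, written as an added example rather than anything issued by IASME or taken from the original guide. It treats a paid add-on as "available", checks standard users as well as admins, and flags high-severity patches pending beyond 14 days. Field names, availability labels and sample data are constructed assumptions.

```python
from datetime import date

PATCH_WINDOW_DAYS = 14  # high-severity window stated in the article
# Availability labels are this example's own; all four count as "available".
MFA_AVAILABLE = {"free", "included", "via_connected_service", "paid_addon"}

# Constructed sample data; field names are assumptions, not an assessment format.
SERVICES = [
    {"name": "Microsoft 365", "mfa": "included", "accounts": [
        {"user": "admin@example.co.uk", "role": "admin", "mfa_on": True},
        {"user": "dave@example.co.uk", "role": "standard", "mfa_on": False}]},
    {"name": "Canva", "mfa": "paid_addon", "accounts": [
        {"user": "erin@example.co.uk", "role": "standard", "mfa_on": False}]},
    {"name": "Legacy portal", "mfa": "none", "accounts": [
        {"user": "dave@example.co.uk", "role": "standard", "mfa_on": False}]},
]
SOFTWARE = [
    {"name": "Browser", "supported": True, "pending_high_severity": [date(2026, 4, 1)]},
    {"name": "PDF reader", "supported": True, "pending_high_severity": [date(2026, 4, 20)]},
    {"name": "Old accounting client", "supported": False, "pending_high_severity": []},
]


def mfa_findings(services):
    """One finding per account lacking MFA on a service where MFA is available."""
    return [("mfa", svc["name"], acct["user"])
            for svc in services if svc["mfa"] in MFA_AVAILABLE
            for acct in svc["accounts"] if not acct["mfa_on"]]


def patch_findings(software, today):
    """Unsupported software, or a high-severity patch pending beyond the window."""
    findings = []
    for item in software:
        if not item["supported"]:
            findings.append(("unsupported", item["name"], "no vendor support"))
        for released in item["pending_high_severity"]:
            age = (today - released).days
            if age > PATCH_WINDOW_DAYS:
                findings.append(("patch", item["name"], f"pending {age} days"))
    return findings


def auto_fail_findings(services, software, today):
    """Everything that would trip either auto-fail trigger on the given day."""
    return mfa_findings(services) + patch_findings(software, today)
```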

The director declaration has also been updated. A board member or director must now acknowledge responsibility to maintain compliance throughout the certification period. IASME can investigate post-certification incidents and revoke the badge if controls were dropped.

The badge is no longer a snapshot. It is a year-long commitment.

How to prepare for your next Cyber Essentials assessment

Work through these six steps before your renewal date:

  1. Build a complete cloud service inventory from your admin console, not from memory.
  2. Audit MFA status on every cloud service and enable it where missing.
  3. Move standard users towards passkeys or authenticator apps where possible.
  4. Confirm all in-scope software is supported and patched within 14 days for high-severity issues.
  5. Update your asset register and brief your director on the new declaration.
  6. Decide whether to use a remaining Willow account window or transition to Danzell.

When our team renewed our own Cyber Essentials this year, the cloud inventory step took the most preparation. Everything else followed once that list was clean.

What this means for Kent SMEs in supply chains

Many Kent businesses hold Cyber Essentials for tendering. Kent County Council frameworks, NHS Kent and Medway contracts, MoD work at Discovery Park, and larger prime supplier flow-downs all require it.

These buyers will not accept an expired or revoked badge. A failed assessment can delay a contract by months.

ITMS is itself Cyber Essentials and Cyber Essentials Plus accredited. The same team that supports your assessment has been through the same process. If you want help getting your cyber security and IT support in Kent ready for Danzell, we can walk you through the gaps before you submit.

The bottom line

The five Cyber Essentials controls have not changed. The cost of getting them wrong has.

Mandatory MFA, expanded cloud scope, and auto-fail rules mean assessments now reward businesses that prepare properly. The ones that assume last year’s answers still work are the ones failing.

Not sure whether your current setup would pass under Danzell? Book a Cyber Essentials readiness call and we will identify the gaps before your renewal date.

Sources and further reading

Official IASME guidance: Important Update: Changes to Cyber Essentials for April 2026

IASME scheme update detail: Upcoming Changes to the Cyber Essentials Scheme: April 2026 Update

NCSC overview: National Cyber Security Centre, Cyber Essentials