Update to the Cyber Essentials Question Set April 2026

On 27th April 2026, the question set will update from ‘Willow’ to ‘Danzell’.

The Danzell update does not change the core requirements of Cyber Essentials, but it introduces stricter rules, clearer definitions and stronger enforcement, particularly around scoping, cloud services, multi-factor authentication (MFA) and patching.

Whether you're planning your first certification or preparing to renew, here's what you need to know about the changes ahead.

Definition Changes

As part of the Danzell update, IASME has revised two key definitions in the Guide to Infrastructure document:

Formal Definition of Cloud Services

IASME has updated the definition of a cloud service so that cloud services can no longer be excluded from scope.

New definition: ‘A cloud service is an on-demand, scalable service, hosted on shared infrastructure, and accessible via the internet. For the purposes of Cyber Essentials, a cloud service will be accessed via an account (which may be credentials issued by your organisation, or an email address used for business purposes) and will store or process data for your organisation. If your organisation’s data or services are hosted on cloud services, these services must be in scope. Cloud services cannot be excluded from scope.’

The aim of this update is to make clear to applicants which systems must be included in their submission. In short, any service or application that creates, stores or processes organisational data must be included.

Updated Definition for Passwordless Authentication

Passwordless systems were added as a compliant option in last year’s Willow question set. This year, IASME has updated the definition of a passwordless system to explicitly name FIDO2, an open standard for passwordless multi-factor authentication on mobile and desktop platforms, as a compliant method of authentication.

New definition: ‘a method to establish a user's identity that uses a factor other than knowledge. Examples include but are not limited to: FIDO2 authenticators, biometric data, security keys or tokens, one-time codes, QR codes, and push notifications.’

Point in Time

Cyber Essentials is a ‘point in time’ assessment, but there has been confusion about which point in time is meant. To resolve this, the scheme will state explicitly that the ‘point in time’ is the date the certificate is issued. Organisations will therefore need to ensure that all in-scope systems are vendor-supported on the date of certification.

Improved Scope Definition and Certification Transparency

Defining and reviewing the scope of an assessment has been a persistent challenge, particularly for larger organisations with complex structures. To address this, the following changes will be introduced:

1. Unlimited scope descriptions: Organisations will no longer be limited to a brief scope description on their certificates. Instead, they will be able to provide a detailed scope description, which will be available to view via the digital certificate platform.

2. Out-of-scope areas: Organisations will be required to describe any areas of their infrastructure that are excluded from the scope. This information will not be made public.

3. Legal entity identification: Organisations will need to specify all legal entities included within the scope of the assessment, providing details such as the entity’s name, address, and company number before certification. All legal entities included in scope can be viewed on the digital certificate platform.

4. New certificate types: You will be able to request an individual Cyber Essentials certificate for every legal entity certified as part of a larger scope, but it will be clear that the certification is part of the wider scope. There will be a small charge for these additional certificates.

Changes to Cyber Essentials (self-assessment)

Updates to the 14 Day Patching Requirements

In previous question sets, failing to apply a security update within 14 days of its release resulted in a non-compliance. Under Danzell this becomes an automatic failure of the verified self-assessment. The intent is to stop organisations patching only the devices that were sampled and to ensure that the 14-day requirement is met across the whole scope.

Multi-Factor Authentication (MFA)

The ‘Willow’ question set already requires MFA to be enabled on every cloud service that offers it; under Willow, failing to switch it on was recorded as a non-compliance. ‘Danzell’ keeps the same requirement, and makes explicit that it applies even where the provider charges extra for MFA, but raises the consequence: failing to enable MFA on a cloud service will now result in an automatic failure of the assessment. This will also be verified during a Cyber Essentials Plus audit.

Changes to Cyber Essentials Plus

If an organisation fails a Cyber Essentials Plus assessment because required security updates are missing, the assessor will now have to re-test not only the devices originally sampled but also a newly selected additional sample. This is designed to stop organisations applying updates only to the initial sample and to ensure that patching standards are met consistently across the entire Cyber Essentials Plus scope.

In addition, organisations will no longer be allowed to revise their Vulnerability Scanning Assessment (VSA) answers after seeing the results of the Cyber Essentials Plus audit. The scheme’s Terms and Conditions will be updated to state that the VSA must be fully completed before Cyber Essentials Plus testing begins and must remain unchanged for the duration of the assessment.
