The clock is ticking. On Monday 27 April 2026 the biggest change to UK Cyber Essentials certification in three years takes effect — and every UK SME that currently holds the badge, is planning to renew, or wants to win public sector work has just eight days to decide what to do about it. The NCSC and IASME are retiring the familiar “Willow” question set and v3.2 requirements, replacing them with the new “Danzell” question set that maps to v3.3 — and Danzell brings the first automatic-fail questions the scheme has ever contained, a fundamentally tightened definition of what counts as a “cloud service”, and a Cyber Essentials Plus audit process that will finally catch the selective-patching habits many businesses had quietly been relying on.
For roughly 40,000 UK organisations that hold Cyber Essentials and the far larger population that plans to certify in 2026, this is not a tweak. It is a genuine step change in what the scheme demands and what your assessor will reject on the spot. This article unpacks every significant change in v3.3, shows you exactly where most SMEs will trip up, and gives you a practical 10-step plan to be ready on 27 April — or, realistically, to have a clear runway through the summer.
What Is Actually Changing on 27 April 2026?
Cyber Essentials is a Government-backed, NCSC-designed certification scheme administered by IASME. It is built around five technical controls — firewalls, secure configuration, user access control, security update management and malware protection — that together block roughly 80% of the commodity cyber attacks UK SMEs face. Certification has two tiers: the self-assessed Cyber Essentials badge, and the independently audited Cyber Essentials Plus badge, which is increasingly a tender prerequisite for public sector, healthcare, legal and supply-chain work.
The scheme is refreshed approximately every two years. The current v3.2 Requirements for IT Infrastructure came into force in April 2025 and are paired with the “Willow” question set you see in the IASME self-assessment portal today. v3.3 was published on 8 January 2026 to give organisations a full quarter of notice, and on 27 April 2026 it replaces v3.2 entirely for new applications. The matching question set is called Danzell. Together these are widely referred to as the “Danzell update” or simply “Cyber Essentials 2026”.
The critical cut-off date
If you purchase your Cyber Essentials or Cyber Essentials Plus certification on or before Sunday 26 April 2026, you can still complete the assessment against the Willow question set and v3.2 Requirements — and you then have six months to submit your self-assessment. Any purchase made from Monday 27 April onwards goes through Danzell and v3.3, with no exceptions. This creates a narrow last-chance window for organisations that are not yet ready for the new rules.
The Three Changes Every UK SME Must Understand
There are many smaller adjustments in the Danzell update, but three in particular will determine whether your next assessment passes or fails. These are not minor clarifications — each one converts what was previously an advisory or best-effort control into a hard, binary pass-or-fail gate that your assessor is instructed to apply without discretion.
1. MFA on cloud services is now an automatic fail
Under Willow, multi-factor authentication on cloud services was strongly required and checked during assessment, but missing MFA on a single standard user account would typically trigger a remediation request rather than an instant failure. Under Danzell, question A6.4 makes MFA on every administrative and standard user cloud service account an automatic-fail requirement. If a single eligible account does not have MFA enforced, the assessment fails at that question and you cannot progress further until it is fixed.
The definition of “where available” has also tightened. Under the new rules, if a cloud service supports MFA — which in 2026 includes virtually every mainstream SaaS product from Microsoft 365 and Google Workspace through to Xero, QuickBooks, Salesforce, HubSpot, GitHub, Slack, Dropbox, Zoom, DocuSign and the rest — MFA must be enabled. You can no longer justify its absence by arguing that it is inconvenient, that users dislike it, or that your service provider has not made it a default. SMS remains an acceptable MFA method, although authenticator apps and FIDO2 keys are strongly preferred.
2. 14-day patching is now an automatic fail
Question A6.5 introduces a second automatic-fail trigger around patch management. Under Danzell, critical and high-severity patches for operating systems, applications and firmware must be applied within 14 days of release. One unpatched device sampled during Cyber Essentials Plus testing can fail the entire assessment.
The CE Plus audit process has been specifically redesigned to catch “selective patching” — the pattern IASME spotted in audits where organisations would rush to patch the specific devices their assessor had asked to sample, rather than genuinely running a consistent patch policy across the estate. Danzell introduces a two-stage sampling process: if the first device sample reveals a patching failure, the assessor takes a second, larger sample. If the second sample also fails, the overall CE Plus assessment fails and IASME will revoke any existing certificate. This is the first time the scheme has contained an explicit revocation route for in-life certificates.
3. The definition of “cloud service” has been widened
Under v3.2, organisations could sometimes exclude cloud services they felt were peripheral to their operations. Under v3.3, the definition is rewritten as any on-demand, scalable service hosted on shared infrastructure, accessed via the internet through an organisational account, that stores or processes your organisation’s data. This pulls in a much wider list: file storage, accounting, CRM, customer support, marketing automation, code repositories, payroll, e-signature platforms, HR tools, AI assistants, password managers and every other SaaS product your business uses.
Every one of those services must be documented, scoped, protected with MFA, and brought under the shared responsibility model. For many SMEs this will be the single biggest piece of preparation work: producing an accurate, complete inventory of every SaaS product in use, who uses it, what data it touches, and who owns the security configuration.
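The inventory-plus-MFA check described in this section and the one before it can be expressed as a small script over the inventory you build. The following is an added example written for this article, not Cloudswitched code or IASME tooling; the inventory fields, the sample services and the account names are constructed for illustration, and the "document the exception" handling for a service that genuinely offers no MFA is an assumption about how an assessor would treat it rather than something the scheme text here spells out.

```python
"""Flag Cyber Essentials v3.3 MFA auto-fail exposures in a SaaS inventory.

Added example, not Cloudswitched code or IASME tooling. The inventory
format, field names and sample data are constructed for illustration.
Rule implemented from the article: if a cloud service supports MFA, every
administrative AND standard user account on it must have MFA enforced; a
single eligible account without MFA is an auto-fail (question A6.4).
"""
from dataclasses import dataclass, field


@dataclass
class Account:
    user: str
    role: str            # "admin" or "user": both are in scope under v3.3
    mfa_enforced: bool


@dataclass
class CloudService:
    name: str
    owner: str           # who owns the security configuration
    data_classes: list   # what organisational data the service touches
    supports_mfa: bool
    accounts: list = field(default_factory=list)


def mfa_gaps(inventory):
    """Return (service, user, role) triples that would trip the auto-fail.

    Services that offer no MFA at all are not counted here; they are
    surfaced by unsupported_services() so they can be documented instead.
    """
    gaps = []
    for svc in inventory:
        if not svc.supports_mfa:
            continue
        for acct in svc.accounts:
            if not acct.mfa_enforced:
                gaps.append((svc.name, acct.user, acct.role))
    return gaps


def unsupported_services(inventory):
    """Services with no MFA option; record a written justification for each."""
    return [svc.name for svc in inventory if not svc.supports_mfa]


def coverage_report(inventory):
    """Per-service summary: (accounts with MFA, total accounts, supports_mfa)."""
    report = {}
    for svc in inventory:
        enforced = sum(1 for a in svc.accounts if a.mfa_enforced)
        report[svc.name] = (enforced, len(svc.accounts), svc.supports_mfa)
    return report


def verdict(inventory):
    """'FAIL' if any eligible account lacks MFA, otherwise 'PASS'."""
    return "FAIL" if mfa_gaps(inventory) else "PASS"


# Constructed sample inventory: none of these accounts are real.
SAMPLE_INVENTORY = [
    CloudService("Microsoft 365", "IT", ["email", "files"], True, [
        Account("alice", "admin", True),
        Account("bob", "user", True),
    ]),
    CloudService("Xero", "Finance", ["financial"], True, [
        Account("carol", "admin", True),
        Account("dave", "user", False),    # standard user without MFA: auto-fail
    ]),
    CloudService("LegacyFaxPortal", "Ops", ["customer"], False, [
        Account("erin", "user", False),    # no MFA available: document, do not count
    ]),
]

if __name__ == "__main__":
    for svc_name, user, role in mfa_gaps(SAMPLE_INVENTORY):
        print(f"AUTO-FAIL: {svc_name} {role} account '{user}' has no MFA")
    for svc_name in unsupported_services(SAMPLE_INVENTORY):
        print(f"DOCUMENT:  {svc_name} offers no MFA; record the justification")
    for name, (enforced, total, _) in coverage_report(SAMPLE_INVENTORY).items():
        print(f"{name}: {enforced}/{total} accounts with MFA")
    print("Verdict:", verdict(SAMPLE_INVENTORY))
```

The point of the split between `mfa_gaps` and `unsupported_services` is that the two lists go to different places: the first is remediation work that must reach zero before you buy the assessment, the second is the documented-exception list your assessor will want to read.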
The Wider Danzell Changes You Still Need to Plan For
Beyond the three headline rules, Danzell introduces a set of operational and procedural tightenings that collectively raise the bar for what “compliant” actually looks like. These are not auto-fail items on their own, but they shape how your assessor will interpret the evidence you submit and how forgiving they will be when you fall short.
The director declaration now requires ongoing commitment
Every Cyber Essentials application requires a board-level sign-off. Under Danzell, that declaration is explicitly extended: the director signs not just a statement of truth about the current state of controls, but a commitment to maintain those controls for the full 12 months of the certification period. IASME is empowered to investigate subsequent incidents and, if evidence shows controls were dropped post-certification, to revoke the badge. This mirrors the approach taken by ISO 27001 and similar frameworks and aligns Cyber Essentials with the direction of travel for regulated sectors.
Scoping is stricter — and whole-organisation is the default assumption
Under v3.2, organisations could relatively easily opt for partial scopes, certifying only a particular department, product line or office. Under v3.3, whole-organisation scope is presumed unless you can justify and document a clear boundary. Any excluded systems must be supported by a credible rationale and evidence that the excluded segment cannot access certified assets, certified data or certified users. This is intended to stop the creative scoping that some organisations were using to bypass controls on troublesome legacy systems.
BYOD and home working have tighter rules
Any device used to access organisational data must be in scope, and any personal device (BYOD) in scope must have the five controls applied — including software firewall, patching, malware protection, and a documented, enforced BYOD policy. Remote workers must also have patch management that covers their home devices within the 14-day window. Many SMEs have been relaxed about remote patching; Danzell closes that loophole.
Passwords, brute-force and the 12-character rule
Password rules under v3.3 remove the legacy expiry and complexity requirements and replace them with a length-based approach: minimum 12 characters without MFA, or minimum 8 characters with MFA. Brute-force protection — lockout after a small number of failed attempts, or equivalent throttling — is mandatory. Password managers must be provided to users where practicable. Expiry on a timed basis is now explicitly discouraged.
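The length-based rule and the brute-force lockout above are simple enough to encode directly, which is also a convenient way to test whether an identity provider's settings match the policy. The following is an added example written for this article, not Cloudswitched code or a specific vendor's configuration; the lockout threshold of five failures and the 15-minute lock are constructed values, since the text only says "a small number of failed attempts".

```python
"""Length-based password policy and brute-force lockout matching the v3.3
rules described above: 12 characters without MFA, 8 with MFA, lockout after
a small number of failures, no timed expiry and no complexity classes.

Added example, not Cloudswitched code or a vendor's implementation. The
5-attempt threshold, the 15-minute lock and DEMO_START are constructed.
"""
from datetime import datetime, timedelta

MIN_LENGTH_WITHOUT_MFA = 12
MIN_LENGTH_WITH_MFA = 8
DEMO_START = datetime(2026, 4, 27, 9, 0, 0)   # constructed reference time


def password_meets_policy(password, mfa_enforced):
    """Length is the only composition rule; no complexity or expiry checks."""
    minimum = MIN_LENGTH_WITH_MFA if mfa_enforced else MIN_LENGTH_WITHOUT_MFA
    return len(password) >= minimum


class LockoutPolicy:
    """Count failed logins per account and lock after `max_attempts`
    failures inside a sliding window equal to the lockout duration."""

    def __init__(self, max_attempts=5, lockout_minutes=15):
        self.max_attempts = max_attempts
        self.lockout = timedelta(minutes=lockout_minutes)
        self._failures = {}       # account -> list of failure timestamps
        self._locked_until = {}   # account -> datetime the lock expires

    def is_locked(self, account, now):
        until = self._locked_until.get(account)
        return until is not None and now < until

    def record_failure(self, account, now):
        """Register one failed attempt; return True if the account is locked."""
        if self.is_locked(account, now):
            return True
        window_start = now - self.lockout
        recent = [t for t in self._failures.get(account, []) if t > window_start]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_attempts:
            self._locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account):
        """A successful login clears both the counter and any lock."""
        self._failures.pop(account, None)
        self._locked_until.pop(account, None)


def simulate_guessing(policy, account, attempts, start=DEMO_START):
    """Replay `attempts` failed logins one second apart and return the
    attempt number at which the lock engaged (None if it never did)."""
    for i in range(attempts):
        if policy.record_failure(account, start + timedelta(seconds=i)):
            return i + 1
    return None


def locked_after_minutes(policy, account, minutes, start=DEMO_START):
    """Is the account still locked `minutes` after the simulation started?"""
    return policy.is_locked(account, start + timedelta(minutes=minutes))


if __name__ == "__main__":
    print(password_meets_policy("correcthorse", mfa_enforced=False))   # 12 chars
    print(password_meets_policy("8charsok", mfa_enforced=True))        # 8 chars
    policy = LockoutPolicy()
    print("locked at attempt", simulate_guessing(policy, "alice", 20))
    print("still locked after 5 min:", locked_after_minutes(policy, "alice", 5))
```

When you check a real tenant against this, the two questions to ask of its settings are the same two the class exposes: how many failures trigger the lock, and whether a success resets the counter so legitimate users are not penalised for an old typo.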
CE Plus sampling is tougher and more prescriptive
CE Plus now requires the assessor to use IASME-approved vulnerability tooling (Qualys, Nessus and other mainstream tools remain eligible). The sampling logic has been rewritten so that an assessor can expand the sample if irregularities are detected, can verify MFA across both admin and standard user accounts rather than admins only, and can test cloud service configurations directly rather than relying on the organisation’s self-description. Point-in-time certification is preserved, but the window for modifying Verified Self-Assessment (VSA) responses after submission is narrowed.
Where Most SMEs Will Fail: The Gap Analysis
We have run preliminary gap analyses across a cross-section of Cloudswitched clients and prospective clients in recent weeks. The pattern is remarkably consistent. Here is where businesses are landing when measured against v3.3 today.
MFA across all cloud SaaS
High Risk: Most SMEs have MFA on Microsoft 365 but not on every SaaS tool. Xero, HubSpot, Mailchimp, Dropbox and smaller niche apps are the common gaps. Every one of these now triggers auto-fail.
Complete cloud inventory
High Risk: Almost no SME we have spoken to has an accurate, up-to-date list of every cloud service in use. Shadow IT — tools signed up for by individual users without IT approval — is rampant and undocumented.
14-day patching with monitoring
Medium Risk: Patching policies exist, but monitoring and evidence collection rarely do. If your assessor asks for proof that every device was patched within 14 days for the last quarter, can you produce it?
BYOD policy with enforcement
High Risk: Most businesses have a BYOD policy that lives in an HR handbook but has no technical enforcement. Under v3.3, the assessor expects to see MDM, conditional access or equivalent technical controls.
Unsupported software isolated
Medium Risk: Windows 10 reached end-of-life on 14 October 2025. Any device still running Windows 10 without Extended Security Updates is an auto-fail. Office 2016 and Office 2019 are also out of mainstream support and will trip assessments.
Admin interface protection
Medium Risk: Router admin panels, NAS devices, printers and edge firewalls frequently still have default credentials or are exposed to the internet. Each is an auto-fail under v3.3’s strengthened firewall rules.
Remote worker patching
Medium Risk: Hybrid and fully remote workers often fall out of centralised patching. Laptops that spend weeks off the corporate network can go unpatched. v3.3 does not distinguish between office and home devices.
Director declaration evidence
Low Risk: The formal sign-off is straightforward in most SMEs, but businesses without clear governance need to identify now who will sign and how ongoing compliance will be evidenced through the year.
Willow vs Danzell: The Side-by-Side Comparison
If you are trying to work out whether to push for a Willow-based certification before 26 April or wait and prepare properly for Danzell, this comparison shows the material differences that will shape your decision.
Willow — v3.2 (until 26 April 2026)
- Question set: Familiar Willow questions used since April 2025
- MFA rule: Required on admin accounts; remediation-friendly on user accounts
- Patching: 14 days required; minor lapses often treated as non-conformity rather than failure
- Cloud scope: Narrower — peripheral SaaS could often be excluded
- CE Plus sampling: Single-pass sample; selective patching sometimes went undetected
- Scoping: Partial organisation scope widely accepted
- Director declaration: Point-in-time statement of truth
- Valid until: Certifications purchased before 27 April remain valid for 12 months; self-assessment window is 6 months from purchase
- Best for: Organisations already well-progressed, renewing, or needing a badge before mid-summer
Danzell — v3.3 (from 27 April 2026)
- Question set: Brand-new Danzell questions with auto-fail triggers
- MFA rule: Auto-fail on any missing MFA for admin or standard user cloud account
- Patching: 14-day critical patching is now auto-fail, with revised CE Plus sampling to catch selective patching
- Cloud scope: Broadened — any on-demand, scalable SaaS accessed via organisational account is in scope
- CE Plus sampling: Two-stage sampling; second failure revokes the certificate
- Scoping: Whole-organisation scope is the default; exclusions must be justified and evidenced
- Director declaration: 12-month ongoing commitment to maintain controls
- Valid until: Certifications purchased from 27 April will be v3.3 for the full 12 months
- Best for: Organisations with time to prepare, investing in MDM and automated patching, pursuing long-term compliance maturity
The Real-World Business Impact
The tighter rules will hurt if you are not ready, but the commercial value of the badge has never been higher. Here is why Cyber Essentials still matters more than ever in 2026.
Tenders, supply chains and insurance
Cyber Essentials is increasingly a hard requirement. It is mandatory for most central government contracts, for handling sensitive Government information, and for an expanding list of NHS, local authority, defence supply chain and professional services tenders. The NCSC published a supply chain playbook in early 2026 that encourages large organisations to require Cyber Essentials from their suppliers as a minimum security baseline — and the biggest UK employers are increasingly following through. If your business is in a B2B supply chain, losing or failing to achieve the badge is now a revenue risk, not just a compliance inconvenience.
Cyber insurance is following the same path. Most UK cyber insurance policies now either require or heavily discount for Cyber Essentials certification. Insurers are tightening their wording so that a revoked certificate during an incident can become grounds for claim reduction. The Danzell revocation rules make this more than hypothetical.
The 19 June 2026 management deadline
The other deadline you cannot ignore
Running alongside the Danzell switchover, a separate regulatory update requires every UK business to have a formal internal process for identifying, managing and reporting cyber-related incidents by 19 June 2026. This is broader than Cyber Essentials itself — but an up-to-date CE certification is one of the most straightforward ways to evidence that process to auditors, clients and insurers. Businesses that delay both decisions risk scrambling to meet two overlapping deadlines in the same quarter.
The cost of not certifying versus the cost of certifying
| Scenario | Typical cost | What it covers |
|---|---|---|
| Cyber Essentials (self-assessed) | £300 – £500 per year | Certification fee, typical SME scope, 12-month badge |
| Cyber Essentials Plus | £1,400 – £3,500 per year | Independent audit, external and internal vulnerability scans, larger evidence pack |
| Typical SME breach cost (2026) | £4,200 | Direct remediation, downtime and customer notification costs for a small business |
| Serious incident (ransomware) | £75,000 – £350,000 | Ransom, forensics, downtime, lost contracts, regulatory fines for medium UK organisations |
| Lost tender / contract | 10–40% of annual revenue | Direct revenue loss when a major customer requires Cyber Essentials and the badge has lapsed |
Looked at purely as financial risk management, a few hundred pounds a year to carry the Cyber Essentials badge is one of the cheapest insurance products a UK SME can buy. What Danzell changes is that buying the badge now requires you to do the work the scheme was always supposed to demand — no more paper-only compliance.
Of the UK SMEs Cloudswitched assessed in preparation for Danzell, only 62% of those holding a current Cyber Essentials badge would pass the new v3.3 rules without remediation. The remaining 38% have at least one automatic-fail exposure — most commonly missing MFA on a peripheral SaaS product.
Your 10-Step Danzell Readiness Plan
This is the practical action plan Cloudswitched walks clients through when we are preparing them for v3.3. Whether you are certifying for the first time, renewing, or stepping up from CE to CE Plus, working through these ten items in order will put you in a passing position.
1. List every SaaS tool your organisation uses — Microsoft 365, Google Workspace, accounting, CRM, HR, marketing, developer tools, file sharing, password managers, AI assistants, everything. Capture who owns it, what data it holds and which users have access. Audit billing records, SSO logs and browser-based usage reports to catch shadow IT.
2. Walk through the inventory and enable MFA on every account that supports it. Microsoft 365 Conditional Access, Google Workspace 2-step verification, authenticator apps for everything else. Any exceptions must be documented and justified — but assume “no MFA” means auto-fail, so push to zero exceptions.
3. Windows 10, older Office versions, end-of-life Android devices, unsupported macOS versions and legacy line-of-business applications must either be upgraded, covered by a paid ESU programme, or fully isolated from in-scope systems. Keep the evidence of upgrade or isolation ready for the assessor.
4. Intune, Jamf, Kandji, Action1, NinjaOne or an equivalent RMM tool. Configure it to deploy critical patches within 14 days and, crucially, to produce the compliance report that proves it. “We try to patch” is not evidence. “Here is a report showing 99.4% of devices patched within the window over the last 90 days” is.
5. Either ban BYOD entirely or enforce controls on it: MDM enrolment, conditional access, software firewall, patch management. Document the BYOD policy, have employees sign it, and tie access to compliance status. For personally-owned phones accessing work email, Microsoft Intune App Protection policies are usually sufficient.
6. Audit every router, firewall, NAS, printer and IoT device on your network. Change default credentials. Disable remote admin on the internet side. Put internal admin panels behind MFA or IP allowlisting. Document each device, its owner, its credentials vault entry and its patch status.
7. Move to a 12-character minimum without MFA, or 8 characters with MFA enforced. Turn off legacy complexity and expiry rules in Active Directory and identity providers. Confirm every cloud service enforces account lockout or throttling. Roll out a business password manager such as 1Password, Bitwarden or Keeper.
8. Whole-organisation scope is the default. If you need to carve out any system, produce a clear written justification, show how users and data are segregated, and be ready to defend the boundary under CE Plus testing. Include a network diagram and a data flow summary.
9. Identify the board-level director who will sign. Walk them through the controls, the ongoing commitment clause, and the quarterly evidence pack they will review. Build a simple monthly dashboard so the commitment is auditable, not theoretical.
10. Before you purchase certification, walk the Danzell question set end-to-end with your IT partner or internal security lead. For CE Plus, commission a mock vulnerability scan. Fix what surfaces. Only then buy the assessment. This is the single biggest predictor of first-time pass versus expensive re-submission.
Cyber Essentials Plus: Why the Audit Has Suddenly Become Much Harder
The headline Danzell changes apply to both CE and CE Plus, but CE Plus carries extra weight because its independent audit stage is where selective compliance gets exposed. Here is what has specifically changed in the Plus audit process and why businesses that passed CE Plus last year should not assume they will breeze through in 2026.
CE Plus audits must now use IASME-approved vulnerability tooling. Assessors are given a fresh mandate to check MFA enforcement across both administrative and standard user cloud accounts, rather than sampling admin accounts only. Endpoint configuration is tested more rigorously, particularly firewall configuration, browser security settings and locked-down admin accounts. The audit window for modifying VSA responses has been narrowed, so you cannot materially change your answers after submission.
The most important change is the two-stage device sampling process. In a first-stage sample, the assessor picks a handful of devices and runs vulnerability scans. If any device fails — for example, missing a critical patch released more than 14 days ago — the assessor takes a second, expanded sample. If the second sample also fails, the assessment fails overall and IASME has the authority to revoke the certificate. This directly targets selective patching, where organisations historically rushed to patch “the devices the assessor wanted to see” rather than genuinely applying consistent patch policy across the whole estate.
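The 14-day test and the two-stage sampling described here (and earlier, under the second automatic-fail rule) can be modelled directly over a patch inventory, which also yields the estate-wide compliance figure that step 4 of the readiness plan says an assessor will ask for. The following is an added example written for this article, not Cloudswitched code or IASME's audit procedure; the sample sizes (four devices in stage one, six more in stage two), the audit date, the patch identifiers and the device list are all constructed. One assumption is also made where the text is silent: if stage one fails but the larger stage-two sample is clean, the outcome is reported as "REMEDIATE" rather than a pass or an overall fail.

```python
"""14-day patch compliance and two-stage CE Plus device sampling.

Added example, not Cloudswitched code or IASME's audit procedure. Sample
sizes, audit date, patch identifiers and devices are constructed. Rules
implemented from the article: a device fails if any critical or high
patch released more than 14 days before the audit date is not installed;
a stage-one failure widens the sample; a stage-two failure fails the
assessment overall. The "REMEDIATE" outcome for a clean stage two is an
assumption, since the article does not say what happens in that case.
"""
from dataclasses import dataclass
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)


@dataclass
class Patch:
    identifier: str
    released: date
    severity: str        # "critical", "high", "medium" or "low"
    installed: bool


@dataclass
class Device:
    hostname: str
    patches: list


def overdue_patches(device, audit_date):
    """Critical/high patches older than 14 days that are still missing."""
    return [
        p for p in device.patches
        if p.severity in ("critical", "high")
        and not p.installed
        and audit_date - p.released > PATCH_WINDOW
    ]


def device_compliant(device, audit_date):
    return not overdue_patches(device, audit_date)


def compliance_rate(devices, audit_date):
    """Estate-wide percentage of devices inside the window, one decimal place."""
    if not devices:
        return 0.0
    ok = sum(1 for d in devices if device_compliant(d, audit_date))
    return round(100.0 * ok / len(devices), 1)


def two_stage_sample(devices, audit_date, first_n=4, second_n=6):
    """Deterministic model of the two-stage sample.

    Stage one is the first `first_n` devices in inventory order; a failure
    there adds the next `second_n` devices as stage two. Returns
    (outcome, stage_reached, failing_hostnames). A real assessor picks the
    devices; inventory order stands in for that choice here.
    """
    stage1 = devices[:first_n]
    fails1 = [d.hostname for d in stage1 if not device_compliant(d, audit_date)]
    if not fails1:
        return ("PASS", 1, [])
    stage2 = devices[first_n:first_n + second_n]
    fails2 = [d.hostname for d in stage2 if not device_compliant(d, audit_date)]
    if fails2:
        return ("FAIL", 2, fails1 + fails2)       # second sample also failed
    return ("REMEDIATE", 2, fails1)              # assumption: fix stage-one devices


# Constructed audit date and patch catalogue; identifiers are placeholders.
AUDIT_DATE = date(2026, 5, 15)
OLD_CRITICAL = (date(2026, 4, 14), "critical")   # 31 days before audit: must be on
RECENT_HIGH = (date(2026, 5, 8), "high")         # 7 days before audit: still in window
OLD_MEDIUM = (date(2026, 3, 1), "medium")        # outside the 14-day rule's severity


def _device(hostname, old_critical_installed, recent_high_installed=False):
    return Device(hostname, [
        Patch("PATCH-CRIT-001", *OLD_CRITICAL, old_critical_installed),
        Patch("PATCH-HIGH-002", *RECENT_HIGH, recent_high_installed),
        Patch("PATCH-MED-003", *OLD_MEDIUM, False),
    ])


# Constructed estate of ten devices; ws03 and ws07 missed the old critical patch.
SAMPLE_DEVICES = [
    _device("ws01", True), _device("ws02", True, True), _device("ws03", False),
    _device("ws04", True), _device("ws05", True), _device("ws06", True),
    _device("ws07", False), _device("ws08", True), _device("ws09", True),
    _device("ws10", True),
]

if __name__ == "__main__":
    print(f"Estate compliance: {compliance_rate(SAMPLE_DEVICES, AUDIT_DATE)}%")
    outcome, stage, failing = two_stage_sample(SAMPLE_DEVICES, AUDIT_DATE)
    print(f"Sampling outcome: {outcome} at stage {stage}, failing: {failing}")
```

Two things the model makes visible: a patch released inside the last 14 days is not a finding even if missing, so the audit date matters as much as the patch date; and a single stage-one miss is survivable only if the wider estate is genuinely clean, which is exactly the selective-patching pattern the redesigned sampling is meant to expose.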
What this means for your CE Plus budget
Expect audit times to lengthen by roughly 20–40%, and expect remediation cycles to become more common rather than less. Budget for proactive vulnerability scanning in the months before your audit — not as a Cyber Essentials cost, but as an ongoing operational investment. The businesses that pass CE Plus cleanly under Danzell are the ones that run their own monthly vulnerability scan rather than treating the annual audit as their only check.
The NCSC estimates that Cyber Essentials’ five controls, fully implemented, block approximately 80% of the commodity cyber attacks UK businesses face — phishing with credential theft, opportunistic ransomware, exploitation of unpatched internet-facing systems, and brute-force attacks on weak authentication.
Danzell tightens those controls so they actually work in practice. The real benefit of the 2026 update is not the badge — it is the operational resilience that comes from implementing the controls in a way that survives a real attacker.
Timeline: What to Expect in the Next 90 Days
For organisations planning their next certification cycle, the next three months split into three distinct phases. Here is how to think about sequencing decisions and spend.
January 2026 — Danzell published
v3.3 Requirements for IT Infrastructure and the Danzell question set published by IASME, giving the market 12 weeks of preparation runway.
April 2026 (current) — Final two weeks of Willow
The last opportunity to purchase a Willow-based Cyber Essentials or Cyber Essentials Plus assessment. Organisations well-advanced on v3.2 compliance should consider locking in a Willow purchase this week. You then have six months to complete the self-assessment under v3.2.
27 April 2026 — Danzell switchover
All new Cyber Essentials and Cyber Essentials Plus purchases move to v3.3 and the Danzell question set. Auto-fail triggers on MFA, patching and unsupported software become active. Whole-organisation scope becomes the default.
May–June 2026 — First wave of Danzell assessments
Expect higher-than-usual failure rates in this first wave as organisations discover gaps during real assessments. Assessors will be calibrating their approach to the new rules; early applicants should budget for one round of remediation.
19 June 2026 — Internal cyber process deadline
Separate but related deadline: every UK business should have a formal internal process for identifying, managing and reporting cyber-related incidents by this date. Cyber Essentials certification is one of the cleanest ways to evidence this process.
Q3–Q4 2026 — Supply chain wave
Large UK organisations implementing the NCSC’s supply chain playbook will progressively mandate Cyber Essentials across their supplier base. Expect your larger customers to start asking about your certification status during contract renewals from the summer onwards.
Should You Push for a Willow Purchase This Week?
Cloudswitched is genuinely asked this question most days at the moment. The honest answer is: it depends on your starting position, your contractual pressure and your appetite for deferring hard work.
Push for Willow this week if…
- You already have a v3.2 assessment mostly complete and can finish inside the 6-month self-assessment window.
- Your certification is lapsing in the next 60 days and you need continuity.
- You have a live tender or contract renewal that requires a current Cyber Essentials badge in the next quarter.
- Your estate has one or two Danzell gaps (typically missing MFA on a peripheral SaaS product or Windows 10 devices) that you genuinely cannot resolve in the next 4–6 weeks.
Take the time and go straight to Danzell if…
- You have time, budget and executive support to do the work properly.
- You are certifying for the first time and want a certification that actually reflects good security hygiene.
- Your next certification anniversary is six months or more away, giving you breathing room to do the gap closure work.
- You are stepping up from CE to CE Plus and want the certification to be defensible against Danzell’s tougher audit.
The Cloudswitched view
For the majority of our SME clients, our recommendation is to aim directly for Danzell rather than scramble for a last-minute Willow purchase. The v3.2 badge you might secure this week will still need to be re-certified against Danzell in 12 months, and by then the rules will have been in force long enough that assessors will have zero tolerance for gaps. The work is the work — better to do it once, properly, than twice under pressure.
How Cloudswitched Helps UK SMEs Pass Cyber Essentials v3.3
Cloudswitched is a UK-based managed IT and cybersecurity provider. We deliver Cyber Essentials readiness, remediation and certification support as an embedded part of our managed services for SMEs across the UK. Our Cyber Essentials service covers the full journey from initial gap analysis to certified badge and ongoing compliance management.
Gap analysis & readiness assessment
We walk the Danzell question set across your real environment — Microsoft 365, Google Workspace, your device estate, your network, your SaaS portfolio, your remote workers, your suppliers. You receive a pass/fail/remediate scoring against every Danzell question, a prioritised remediation plan, and a fixed-fee scope to close the gaps.
Remediation delivery
Deployment of Microsoft Intune or Jamf for device management, Conditional Access and MFA configuration, patch management tooling with compliance reporting, firewall and router hardening, password manager rollout, BYOD policy and enforcement, and the evidence pack your assessor will expect.
Certification support
We work alongside an IASME-certified assessment body to guide you through the Danzell VSA or CE Plus audit. Our clients have a consistent track record of first-time passes, because the assessment is never the first time anyone looks at the evidence.
Ongoing compliance management
Post-certification, our managed service maintains the controls through the 12-month period — monthly patch compliance reporting, quarterly evidence reviews for the director declaration, MFA enforcement monitoring across your SaaS stack, and proactive remediation before any control drifts. This is how the director declaration’s ongoing commitment becomes real rather than theoretical.
Book a Danzell Readiness Call
Book a 30-minute Cyber Essentials v3.3 readiness call with a Cloudswitched security engineer. We will walk through your current position against the Danzell rules, identify your auto-fail exposures, and give you a fixed-fee remediation plan with a target certification date.
The Bottom Line
Cyber Essentials v3.3 is not a quiet refresh. It is the most consequential update to the scheme since its launch in 2014. The Danzell question set introduces genuine automatic-fail triggers on the three areas that have historically been weakest in UK SME security practice — MFA on cloud services, timely patching, and unsupported software. It broadens the definition of cloud service to cover the entire modern SaaS stack, tightens scoping, demands ongoing director-level commitment, and makes CE Plus audits meaningfully harder to breeze through.
That is uncomfortable if you have been treating Cyber Essentials as a paperwork exercise, and welcome if you have been treating it as a genuine security framework. For UK SMEs, the pragmatic path is simple: accept that the Danzell rules are the new floor for responsible cyber hygiene, do the work, and emerge from the next certification cycle with a badge that actually represents the resilience your customers, insurers and regulators increasingly expect.
The 27 April switchover is the forcing function. Eight days is not enough time to transform your security posture from scratch — but it is enough time to make a clear, informed decision about how you want to navigate the next 12 months, and to start the gap-closure work that will pay for itself many times over in avoided breaches, retained contracts and reduced insurance risk.
Start Your Danzell Readiness Today
Cloudswitched delivers Cyber Essentials and Cyber Essentials Plus readiness, remediation and certification support for UK SMEs. Book a 30-minute readiness call with one of our security engineers and walk away with a clear picture of your v3.3 position and a fixed-fee plan to get certified.