Cyber Essentials v3.3 "Danzell" Launches 27 April: Every Change UK Businesses Must Prepare For

On 27 April 2026, the Cyber Essentials scheme undergoes its most significant overhaul in years. Version 3.3, codenamed "Danzell", replaces the current v3.2 "Willow" question set with stricter requirements across multi-factor authentication, cloud service scoping, and vulnerability patching. For the 39,000-plus UK organisations that currently hold certification, this isn't a minor refresh. It's a fundamental tightening of the baseline security standard that underpins government contracts, cyber insurance policies, and supply chain trust.

If your business relies on Cyber Essentials, the time to prepare is now. Here's what's changing, what could cause you to fail, and how to get ready.

Go-Live Date: 27 Apr
UK Orgs Certified: 39,000+
Significant Attacks (2025): 204

What Is Cyber Essentials v3.3 "Danzell"?

Cyber Essentials is the UK Government's baseline cyber security certification, backed by the NCSC. It covers five control areas: firewalls, secure configuration, user access control, malware protection, and patch management. Danzell doesn't add new areas — it sharpens existing ones, closing loopholes that attackers exploit and assessors interpret inconsistently.

The NCSC reported 204 nationally significant cyber attacks in the year to September 2025, up from 89 previously — a 129% increase. Cyber attacks cost the UK economy an estimated £15 billion annually. Danzell targets the weaknesses that keep causing breaches: weak authentication, unpatched systems, and uncontrolled cloud sprawl.

Significant attacks, 2023-24: 89
Significant attacks, 2024-25: 204

MFA: Now Mandatory for All Cloud Services

This is the single biggest change in Danzell. Under v3.2, MFA was required for cloud services but the scope was ambiguous. Danzell eliminates that ambiguity: MFA must be enabled on every cloud service where it is available. No exceptions.

The Auto-Fail Rule

If a cloud service offers MFA — even on a higher-tier subscription — you must enable it. If it's available and not turned on, your assessment fails immediately.

Auto-Fail Warning

If your cloud provider offers MFA — even on a higher subscription tier you haven't purchased — and you haven't enabled it, your assessment fails automatically. This includes service accounts, shared mailboxes, and legacy integrations.

This has serious implications for SMEs on Microsoft 365. Many have MFA for standard users but have overlooked:

  • Shared mailboxes — info@, sales@, support@ accounts frequently left without MFA
  • Service accounts — integrations, automated workflows, third-party connectors
  • Legacy application accounts — older systems authenticating against cloud directories
  • Admin and break-glass accounts — sometimes left on basic authentication

Approved MFA Methods

| Method | Status | Notes |
|---|---|---|
| FIDO2 Security Keys | Approved | Hardware keys (YubiKey, etc.) — strongest option |
| Biometric Authentication | Approved | Fingerprint, face recognition on device |
| Authenticator App (TOTP) | Approved | Time-based codes (Google/Microsoft Authenticator) |
| Push Notifications | Approved | App-based approve/deny prompts |
| QR Code / Security Tokens | Approved | Scan-to-verify and hardware OTP generators |
| Passwordless Authentication | Approved | Formally recognised under Danzell |
| SMS-Only Verification | Not Recommended | Vulnerable to SIM-swapping; last resort only |

Pro Tip

Passwordless authentication (FIDO2 passkeys, Windows Hello for Business) is now formally recognised. If you're rolling out MFA for the first time, consider going passwordless from the start — it's more secure and often easier for users.

UK SMEs with MFA enabled: 65%. MFA not yet deployed: 35%.

Industry surveys suggest around 35% of UK SMEs still lack MFA across all cloud services. Under Danzell, every one of those organisations would fail certification.

Cloud Services: Fully In Scope

Danzell introduces a precise definition of a cloud service:

"A cloud service is an on-demand, scalable service, hosted on shared infrastructure, accessible via the internet, accessed via an account, that stores or processes data for your organisation."

Under v3.2, some organisations excluded "peripheral" services. Danzell closes this gap: if it stores or processes organisational data and is accessed via an account, it's in scope.

Social Media Is Now a Cloud Service

Your company's Facebook, LinkedIn, X, and Instagram accounts are explicitly classified as cloud services. They store organisational data and are accessed via accounts. This means:

  • All social media accounts must be in your Cyber Essentials scope
  • MFA must be enabled on every platform that offers it
  • Shared credentials must be eliminated — each user needs their own login

Common Oversight

Many SMEs share a single login for company social media. Under Danzell, this is a compliance failure. Each person must have an individual account with MFA. Meta Business Suite and LinkedIn Business Manager support multi-user access.

Patching: 14-Day Hard Deadline

Critical and high-severity vulnerabilities must be patched within 14 calendar days. This applies to operating systems, applications, firmware, and network devices. Missing the deadline is an automatic failure.

Max Patch Window: 14 Days
If Deadline Missed: Auto-Fail

Firmware: The Forgotten Attack Surface

The most overlooked gap is firmware. Routers, firewalls, switches, and access points all receive security updates. Many SMEs have never updated firmware on network equipment since installation. Under Danzell, this is a failure point.

  • OS Patching Compliance: 82%
  • Application Patching: 71%
  • Firmware Updates: 34%
  • Network Device Patching: 41%

Other Changes

  • Simplified internet scoping — "untrusted" and "user-initiated" qualifiers removed
  • Terminology aligned with the UK Government's Software Security Code of Practice
  • Backup guidance — off-device copies explicitly recommended (not mandatory)
  • Secure-by-design principles reinforced across the development lifecycle

v3.2 Willow vs v3.3 Danzell

| Area | v3.2 Willow (Current Standard) | v3.3 Danzell (From 27 April 2026) |
|---|---|---|
| MFA Scope | Required but ambiguous | ALL cloud services — auto-fail |
| MFA on Higher Tiers | Not explicitly required | Must upgrade and enable — auto-fail |
| Cloud Definition | Loosely defined, exclusions possible | Precise, no exclusions |
| Social Media | Not explicitly classified | Explicitly in scope |
| Patch Deadline | 14 days (best-effort) | 14 days — hard deadline, auto-fail |
| Firmware | Often overlooked | Explicitly enforced |
| Passwordless | Not addressed | Formally recognised |
| Internet Scoping | "Untrusted" / "user-initiated" qualifiers | Simplified — qualifiers removed |

Transition Timeline

The determining factor is when your assessment account is created, not when you submit.

| Scenario | Version | Deadline |
|---|---|---|
| Account created before 27 April 2026 | v3.2 Willow | 6 months (by 27 October 2026) |
| Account created on/after 27 April 2026 | v3.3 Danzell | New requirements immediately |
| CE+ (Willow, before 27 April) | v3.2 Willow | 9 months (by 27 January 2027) |
| CE+ (Danzell, on/after 27 April) | v3.3 Danzell | New requirements immediately |

Timing Your Renewal

If your certificate is due around April 2026 and you're not Danzell-ready, create your assessment account before 27 April. This gives you six months to complete under Willow while you prepare.

Willow Grace Period: 6 Months
CE+ Extension: 9 Months

Common Pitfalls for SMEs

1. Shared Mailboxes Without MFA

The most common gap in Microsoft 365 environments. Shared mailboxes (info@, accounts@, sales@) are accessed by multiple staff but rarely have MFA. Microsoft 365 now supports this — there's no excuse.

2. Social Media With Shared Credentials

Many SMEs share a single login for company social media. Danzell requires individual access with MFA, meaning migration to Meta Business Suite or LinkedIn Business Manager.

3. Legacy Applications Without MFA

Older cloud applications without MFA must be documented. If alternatives offer MFA, assessors may question why you haven't migrated. These may need replacing.

4. Shadow IT Cloud Services

Employees sign up for Trello, Notion, Canva, Dropbox, and ChatGPT without IT's knowledge. Under Danzell, all cloud services storing organisational data are in scope. A cloud audit is essential.

5. Firmware on Network Equipment

When did you last update firmware on your router or firewall? For many SMEs: "never." Under Danzell, firmware vulnerabilities must be patched within 14 days, just like OS vulnerabilities.

SME Readiness for Danzell

  • User Account MFA: 72%
  • Shared Mailbox MFA: 28%
  • Social Media MFA: 35%
  • Cloud Service Inventory: 45%
  • Firmware Patching: 34%
  • OS/App Patch Compliance: 78%

Your Danzell Preparation Checklist

Step 1: MFA Audit (Week 1-2)

  1. List every cloud service your organisation uses — SaaS, social media, email, storage, CRM, accounting
  2. Check whether MFA is available on each (including higher subscription tiers)
  3. Enable MFA everywhere available — prioritise admin and privileged accounts
  4. Audit shared mailboxes, service accounts, and integration accounts
  5. Document services where MFA is unavailable and plan migrations

Step 2: Cloud Inventory (Week 2-3)

  1. Survey all departments for cloud services — marketing, finance, operations, HR
  2. Check browser passwords and SSO dashboards for forgotten services
  3. Review expenses and credit card statements for SaaS subscriptions
  4. Include social media — Facebook, LinkedIn, X, Instagram, TikTok
  5. Categorise: business-critical, operational, or decommission candidate

Step 3: Patch Management (Week 3-4)

  1. Verify patch management covers all endpoints, servers, and network devices
  2. Check firmware on routers, firewalls, switches, and access points
  3. Set up automated patching with a 14-day maximum deployment window
  4. Create an emergency patch process for critical vulnerabilities

Step 4: Documentation (Week 4)

  1. Update scope to include all identified cloud services
  2. Document MFA status for every in-scope service
  3. Prepare patching evidence (screenshots, management tool reports)
  4. Update acceptable use policy to address shadow IT
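
The MFA audit and patch checks from the checklist above can be run as a repeatable script over your inventory. This is an added example, not part of the original article or any scheme tooling; the field names, the sample services and dates, and counting the 14 days from the vendor's release date are assumptions.

```python
from datetime import date, timedelta
from typing import NamedTuple, Optional

PATCH_WINDOW = timedelta(days=14)  # calendar days, counted from vendor release (assumption)

class Account(NamedTuple):
    service: str
    name: str
    mfa_available: bool   # on any tier, including ones not purchased
    mfa_enabled: bool
    shared_login: bool = False

class Patch(NamedTuple):
    asset: str
    severity: str         # vendor rating: critical / high / medium / low
    released: date
    installed: Optional[date] = None

def mfa_findings(accounts):  # -> [(service, account, finding)]
    out = []
    for a in accounts:
        if a.mfa_available and not a.mfa_enabled:
            out.append((a.service, a.name, "auto-fail: MFA available but not enabled"))
        elif not a.mfa_available:
            out.append((a.service, a.name, "document: no MFA offered, plan migration"))
        if a.shared_login:
            out.append((a.service, a.name, "fail: shared credentials"))
    return out

def overdue_patches(patches, today):  # -> [(asset, days_late)]
    out = []
    for p in patches:
        deadline = p.released + PATCH_WINDOW
        closed = p.installed or today  # still open: measure against today
        if p.severity.lower() in ("critical", "high") and closed > deadline:
            out.append((p.asset, (closed - deadline).days))
    return out

# Constructed sample inventory; names and dates are illustrative only.
TODAY = date(2026, 5, 20)
ACCOUNTS = [
    Account("Microsoft 365", "info@ shared mailbox", True, False),
    Account("LinkedIn", "company page", True, True, shared_login=True),
    Account("LegacyCRM", "svc-sync", False, False)]
PATCHES = [
    Patch("laptop-01", "critical", date(2026, 5, 1), date(2026, 5, 15)),
    Patch("office-router firmware", "high", date(2026, 4, 28)),
    Patch("fw-01 firmware", "high", date(2026, 5, 10))]
for finding in mfa_findings(ACCOUNTS) + overdue_patches(PATCHES, TODAY):
    print(finding)
```

A fix installed on day 14 (laptop-01) passes, an open fix still inside the window (fw-01) is not flagged yet, and the router firmware shows as 8 days late.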

Beyond Compliance

It's tempting to view Danzell as a box-ticking exercise. But the changes reflect genuine security improvements that protect your business regardless of certification.

"Cyber Essentials isn't just a badge. The controls it mandates stop the vast majority of commodity cyber attacks. Danzell makes those controls harder to get wrong."

Insurance: Many cyber insurers require CE or offer premium discounts. Losing certification could increase costs or void coverage.

Contracts: CE is mandatory for many UK Government contracts and increasingly required across private-sector supply chains in defence, finance, and healthcare.

Security: MFA prevents 99% of automated account attacks. Patching stops 60% of breaches. Cloud visibility closes the gaps ransomware exploits.

  • Attacks Prevented by MFA: 99%
  • Breaches from Unpatched Vulns: 60%
  • Orgs with Full Cloud Visibility: 38%

The Bottom Line

Danzell is the most significant Cyber Essentials update in years. Three changes matter most:

  1. MFA on everything — every cloud service, every account, no exceptions, auto-fail
  2. All cloud services in scope — including social media, no exclusions
  3. 14-day patching or fail — hard deadline, firmware included

None of these are unreasonable for a prepared business. The challenge is awareness and execution — particularly around MFA and cloud scoping for services many businesses haven't previously considered. Don't wait until renewal to discover you're not compliant.

Need Help Getting Danzell-Ready?

CloudSwitched provides end-to-end Cyber Essentials certification support for UK businesses. From gap analysis and MFA deployment to assessment preparation and ongoing compliance, we'll ensure you're ready for v3.3 — and beyond.

CloudSwitched

London-based managed IT services provider offering support, cloud solutions and cybersecurity for SMEs.
