Apr 2026
Cyber Essentials Danzell: five changes that matter
Cyber Essentials is the UK government-backed certification scheme designed to help organisations protect themselves against the most common cyber threats. It covers five technical controls. Cyber Essentials Plus builds on the standard self-assessment with independent technical verification.
Callum Lake
Information Security Consultant
The scheme is periodically updated, and the latest version, Danzell, comes into effect for assessments from 28 April 2026, replacing the previous Willow standard.
Danzell raises the bar. Here is what has changed and what it means for your organisation.
1. MFA on cloud services is now mandatory. No exceptions.
Under the previous Willow standard, missing MFA on a cloud service counted as a non-compliance. You were allowed up to two and could still pass.
Under Danzell, if MFA is available on a cloud service but is not enabled, whether for admin or user accounts, the assessment fails automatically. This is the single biggest change, and the one with the most immediate operational impact.
2. Patching within 14 days is a hard requirement, not a recommendation
The 14-day patching requirement for critical and high-risk updates is not new. What has changed is the consequence of missing it.
Previously, falling short was a non-compliance. Under Danzell, it is an automatic fail. If you cannot demonstrate consistent patching within 14 days, you will not pass.
3. Social media accounts are now formally classified as cloud services
Danzell introduces a formal definition of ‘cloud service’ and explicitly includes social media platforms such as Facebook, LinkedIn and X within scope.
If your organisation uses social media for business purposes, those accounts must be listed in your scope and MFA applied where the platform supports it.
4. Scoping requirements have been significantly expanded
The scoping section of the assessment has been substantially revised. You will now need to document:
- How your sites connect to each other
- Which networks have been excluded from scope and the rationale
- How any excluded network segments have been created
- How home and remote workers connect to your systems
- Whether multiple legal entities or subsidiaries are included
If you are certifying only part of your organisation, you must also list the equipment used to create the segregation. The standard now demands precision where vagueness was previously tolerated.
5. Cyber Essentials Plus has also tightened
The Danzell marking guide now formally states that no non-compliances can be accepted before proceeding to Cyber Essentials Plus. This has always been true in practice. Danzell makes it explicit.
The Plus retest process has also changed. If you fail and retest, a completely new random sample of devices will be selected. Fixing only the devices that were originally tested is not sufficient. A second failure can result in revocation of your self-assessment certificate.
Actions to take now
- The scheme is stricter. Things that used to be a non-compliance now result in an automatic fail, so check which of the changes affect you.
- MFA and patching are the two areas most likely to cause a failure. If either is not fully in place, that is where to focus first.
- If you are renewing after 27 April 2026, you will be assessed against Danzell. Start preparing now.
- Review your cloud services list. If you use social media for business, it needs to be in scope.
- If Cyber Essentials Plus is on your roadmap, aim for a clean self-assessment with zero non-compliances.
Need help? That’s what we’re here for. Get in touch with our Cyber Essentials Team directly at cyberessentials@Waterstons.com