Danzell: The Cyber Essentials update that means business

The Cyber Essentials scheme, backed by the UK’s National Cyber Security Centre (NCSC), gets a refresh every year to keep pace with how organisations actually work and the threats they face. The 2026 update known as “Danzell” goes live for any assessment account created on or after 27 April 2026, replacing last year’s Willow version and bringing with it a revised question set alongside version 3.3 of the Requirements for IT Infrastructure.

IASME has called these changes minor, but don’t let that lull you into a false sense of security. Two of them will cause an automatic failure if you’re caught out, and unlike a standard non-conformity, there’s no chance to fix and resubmit within the same assessment cycle. In this blog we’ll walk you through what’s changed and what it means for your organisation.

TLDR

  • All cloud services are fully in scope; none can be excluded without valid justification.
  • Mandatory MFA for ALL cloud services; failure to enable MFA where available results in automatic fail.
  • CE+ must test an additional sample set if patch failures are found.
  • CE+ evidence validation is more rigorous, with assessors challenging unclear claims.
  • VSA (verified self-assessment) answers cannot be changed once CE+ testing begins.
  • The 14-day patching rule is now strictly enforced for High and Critical updates.
  • All exclusions to scope require justification, including legal entity listing and scope explanation.
  • Partial scopes must prove technical separation (e.g., VLANs, firewalls).

Cloud Services Are Formally Defined, and Always in Scope

For the first time, the requirements document includes a proper definition of a cloud service: an on-demand, scalable service hosted on shared infrastructure and accessible over the internet. The practical test is straightforward: if a service stores or processes your organisation’s data and your team accesses it with a work account, it is in scope. No exceptions, and no way to exclude it.

This closes a loophole that some organisations have used in previous years to keep certain platforms out of their assessment scope. Under Danzell, everything counts: Microsoft 365, Google Workspace, your CRM, HR systems, cloud storage, and project management tools. It’s also worth noting that social media accounts used for business purposes are now explicitly called out as cloud services too.

If your cloud estate has grown since your last certification, now is the time to revisit your scope. The combination of mandatory cloud inclusion and the tightened MFA rules means that any SaaS platform your team uses day-to-day needs to be on your radar, and MFA needs to be switched on for it.

For more detail on cloud services and scope, visit the IASME Knowledge Hub.

MFA: Now a Hard Pass/Fail for Cloud Services

Multi-factor authentication (MFA) has been part of Cyber Essentials since 2022, but under Danzell the rules have been significantly tightened. If a cloud service your organisation uses offers MFA (even if it’s only available as a paid add-on, delivered through a third-party integration, or bundled into a higher licensing tier), you must have it switched on for every user. If it’s available and you haven’t enabled it, that’s an automatic fail with no remediation opportunity.

It’s also worth thinking about the accounts that are easy to overlook. Standard user accounts are the obvious ones, but service accounts, shared mailboxes, administrator accounts, and legacy integrations all need to be covered too. The gap assessors are finding most often isn’t that organisations have no MFA; it’s that they’ve enabled it for most accounts but missed a few. Under Danzell, any of those would fail the assessment.

The updated guidance also gives greater prominence to passwordless authentication methods (passkeys, FIDO2 hardware keys, biometrics, and hardware tokens) as valid alternatives to traditional MFA. The NCSC has signalled that it would like passkeys to become the default authentication recommendation over time.

Take note

Before you open your assessment account, map every cloud service your team accesses with business credentials and check whether MFA is available on each one. Discovering a gap after you've started the assessment means an automatic fail, so it's worth doing this groundwork well in advance.

What if a cloud service doesn’t offer MFA at all? You won’t be automatically penalised. You can declare the service in your response to question A7.15, and your assessor will verify that MFA genuinely isn’t available. If confirmed, no negative marking is applied. However, a cloud service with no MFA capability is a real security risk, and it’s worth asking your provider whether support is on their roadmap. IASME is also maintaining a list of cloud services and their MFA status, a useful starting point when you’re working through your inventory. If MFA remains unavailable and the service handles business data, it’s worth considering whether it’s the right long-term fit for your organisation.
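The two outcomes described above (MFA offered but not enabled on any account, versus MFA not offered at all) are worth separating mechanically once your inventory is more than a handful of services. The script below is an added example, not code from the original post, IASME or the NCSC. It works over a constructed inventory (the service names, addresses and MFA states are invented) and treats "MFA available" as true whenever the provider offers it in any form, whether built in, as a paid tier or via a third-party integration, which is the test the requirement applies.

```python
from dataclasses import dataclass

@dataclass
class Account:
    name: str
    kind: str          # "user", "admin", "service", "shared mailbox", "integration"
    mfa_enabled: bool

@dataclass
class CloudService:
    name: str
    mfa_available: bool   # True if the provider offers MFA in ANY form (built in, add-on, higher tier, third party)
    accounts: list

# Constructed sample inventory for illustration only; every value here is invented.
INVENTORY = [
    CloudService("Microsoft 365", True, [
        Account("alice@example.org", "user", True),
        Account("it-admin@example.org", "admin", True),
        Account("svc-backup@example.org", "service", False),          # the kind of account that gets missed
        Account("finance-shared@example.org", "shared mailbox", False),
    ]),
    CloudService("Project tracker (SaaS)", True, [
        Account("bob@example.org", "user", True),
        Account("bob-admin@example.org", "admin", True),
    ]),
    CloudService("Legacy timesheet portal", False, [                   # provider offers no MFA at all
        Account("carol@example.org", "user", False),
    ]),
]

def mfa_gaps(inventory):
    """Accounts on services where MFA is offered but not switched on.
    Any entry returned here is an automatic fail under Danzell."""
    return [(svc.name, acc.name, acc.kind)
            for svc in inventory if svc.mfa_available
            for acc in svc.accounts if not acc.mfa_enabled]

def services_to_declare(inventory):
    """Services with no MFA capability at all: these are declared at A7.15
    rather than counted as gaps, and are not negatively marked once verified."""
    return [svc.name for svc in inventory if not svc.mfa_available]

def readiness_summary(inventory):
    """One-look readiness view: are we in auto-fail territory, and where are the gaps?"""
    gaps = mfa_gaps(inventory)
    kinds = sorted({kind for _, _, kind in gaps})
    return {
        "auto_fail": bool(gaps),
        "gap_count": len(gaps),
        "gaps_by_kind": {k: sum(1 for _, _, kind in gaps if kind == k) for k in kinds},
        "declare_a7_15": services_to_declare(inventory),
    }

if __name__ == "__main__":
    for svc, acc, kind in mfa_gaps(INVENTORY):
        print(f"GAP      {svc}: {acc} ({kind}) has MFA available but not enabled")
    for svc in services_to_declare(INVENTORY):
        print(f"DECLARE  {svc}: no MFA offered; record at A7.15 and ask the provider about its roadmap")
    print(readiness_summary(INVENTORY))
```

Feeding this from your identity provider's export rather than a hand-typed list is the obvious next step; the point of the structure is that a service account or shared mailbox appears as a named gap rather than disappearing into "MFA is on for everyone".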

For more detail on MFA requirements, visit the IASME Knowledge Hub.

14-Day Patching Is Now an Automatic Fail

The requirement to apply high and critical security updates within 14 days of release isn’t new; it’s been part of Cyber Essentials for some time. What has changed under Danzell is the consequence of missing it. Two questions in the Danzell question set, A6.4 (operating systems, routers and firewall firmware) and A6.5 (applications and their associated files and extensions), are now designated as automatic-fail questions. Miss the 14-day window on either, and the assessment fails regardless of how well everything else is performing.

This matters because having a patching policy isn’t the same as being able to prove your patches are applied on time. Under the updated requirements you need a structured, monitored process with an audit trail, something that demonstrates compliance across your entire estate, not just the devices most likely to be reviewed. Organisations that have been managing patches informally, or relying on end users to apply updates themselves, will need to tighten this up before their next assessment.

Take note

Good vulnerability assessment tooling is increasingly important here. You need line of sight on what's missing and when it was released, not just a general sense that your estate is "mostly up to date." Don't rely on your Certification Body to surface these gaps during the assessment itself.

For more detail on security update management, visit the IASME Knowledge Hub.

Scope Descriptions Must Be Detailed and Transparent

Danzell places much greater emphasis on clarity around what you’re certifying. You need to provide a detailed description of everything included in your assessment scope, and where anything is excluded, a clear justification is required, including evidence that excluded systems are properly segregated from the in-scope environment, typically using a firewall or VLAN.

Vague or informal scoping that may have passed without challenge in previous years is unlikely to hold up now. There are also some new transparency requirements: organisations must now identify all legal entities included in scope, and for larger group structures there’s an option to request separate Cyber Essentials certificates for individual entities within a broader certified scope. This is one area where good asset management pays off: if you have an accurate, up-to-date inventory of your devices, networks and cloud services, building a solid scope description becomes much more straightforward.

For more detail on scoping, visit the IASME Knowledge Hub.

What About Cyber Essentials Plus?

The CE+ assessment has been tightened up considerably to close a loophole that IASME identified in recent audits. Some organisations had been applying patches only to the devices selected for the assessor’s sample, passing the technical test while leaving the rest of their estate unpatched.

Under Danzell, that approach no longer works. If any device in the initial random sample fails the patching check, the assessor must test a second random sample. If that also fails, the organisation fails the entire CE+ certification and, critically, the underlying Cyber Essentials Level 1 certificate is revoked too. That means you lose your existing certification entirely and have to start the whole process again from scratch. There is no cool-down period to wait out before reapplying (you can restart immediately), but the time, cost and disruption of going back to square one is a serious consequence, particularly if your certification is tied to contract requirements or supply chain obligations.

There’s also an important sequencing change. The verified self-assessment must now be finalised before CE+ testing begins. You can no longer update your answers based on what the technical audit turns up. Your self-assessment needs to reflect the actual state of your environment before the hands-on work starts.

Take note

If you're going for CE+, the stakes are higher than they used to be. A second sample failure doesn't just mean failing the Plus assessment; it means losing your basic Cyber Essentials certificate as well. Treat CE+ preparation as an estate-wide exercise, not a single assessment day.

How to Prepare for Danzell

The good news is that none of these changes require your organisation to do anything fundamentally new: the five core Cyber Essentials controls haven’t changed. What has changed is how strictly they’re assessed, and how little room there now is for gaps. The organisations that will find Danzell straightforward are the ones that treat security as ongoing business-as-usual rather than an annual certification exercise. Here’s how to get ready.

  1. Build a complete cloud service inventory
    Start here, because almost everything else depends on it. List every cloud service your team accesses with a work account, including tools that might sit outside central IT ownership, like project management apps, communication platforms, and file-sharing services. If it stores or processes business data and requires a login, it’s in scope. Don’t forget social media accounts used for business purposes.
  2. Check MFA status on every service
    For each service on your inventory, check whether MFA is available and, if so, whether it’s switched on for every account: not just standard users but admin accounts, service accounts, and shared mailboxes too. Enable it wherever it exists. If a service doesn’t offer MFA at all, document that clearly so you can declare it at question A7.15. And if MFA is only available on a paid tier, the cost of upgrading is almost certainly less than the cost of a failed assessment.
  3. Get your patching process in order
    You need to be able to demonstrate that high and critical updates are applied within 14 days across your entire estate, not just show that a policy exists. If you don’t already have vulnerability management tooling in place, now is the time to put it in. You need consistent visibility of your patch status across all in-scope devices, and an audit trail to back it up. Informal or manual processes won’t hold up under the new auto-fail criteria.
  4. Review and document your scope
    Make sure your scope description is detailed, accurate and current. If you want to exclude any part of your infrastructure, you’ll need to justify it and demonstrate that the excluded systems are technically segregated, typically via a firewall or VLAN. If multiple legal entities are involved, identify them all. Vague or out-of-date scoping is one of the most common reasons assessments run into difficulty.
  5. Do a dry run against the Danzell question set
    The Danzell question set is already published on the IASME website. Work through it against your current environment before you open a formal assessment account. This costs nothing and can surface gaps, particularly around MFA coverage and patching evidence, that are far easier to fix before the clock is running than after.
  6. If you’re going for CE+, prepare the whole estate
    Don’t approach CE+ as a single assessment day to get ready for. With the new two-sample retest rule and the risk of Level 1 revocation on a second failure, every in-scope device needs to be genuinely compliant before testing begins. Lock down your self-assessment first: you won’t be able to change your answers once CE+ testing starts. Then make sure your patching is consistent and evidenced across the board, not just on the devices most likely to be sampled.
  7. Plan your timing carefully
    The version of the standard you’re assessed against is determined by when you create your assessment account, not when you submit or receive your certificate. If your renewal falls around the April 2026 deadline, think carefully about which side of the date makes more sense for your organisation’s current readiness. If you create an account before 27 April, you’ll still be assessed against Willow, but you’ll only have six months to complete it.

How Can We Help?

At InfoShelter, we help organisations get Cyber Essentials and Cyber Essentials Plus ready, whether you’re going for it for the first time or coming up for renewal. We’ll work through the new Danzell requirements with you, help you track down any MFA gaps across your cloud services, check your patching processes are up to scratch, and make sure your scope documentation is solid before you open your assessment account.

With InfoShelter by your side, you’ll be fully prepared, fully compliant, and fully confident on your path to certification.

Contact us using the form on this page to find out more about our certification services.
