Are you prepared for the Cyber Essentials update?

On 27 April 2026, the Cyber Essentials update (to v3.3 ‘Danzell’) comes into effect to bring the scheme up to date with modern ways of working and the cyber threats we are facing. If your certification renewal or new application occurs on or after this date, you will need to make changes to comply with updated requirements.

Here is a quick summary of the changes:

Mandatory Multi-Factor Authentication (MFA)

Multi-Factor Authentication must be enabled for all user accounts accessing cloud services (e.g., Microsoft 365, AWS, Salesforce). Previously, missing MFA on some cloud services might have been a “non-compliance” but not an immediate fail. In the Danzell version, if a cloud service offers MFA and you have not turned it on, you will automatically fail the assessment. This applies even if the cloud provider charges extra for MFA. If it is available, it must be enabled for all users.

Cloud Services in scope: A new definition

A new definition requires that all cloud services that store or process company data are in-scope and cannot be excluded. This now includes social media accounts used for business (e.g. a company Facebook or LinkedIn page), which must be listed in your scope and protected with MFA.

Transparency in ‘Scope’

You are now expected to provide a detailed description of what is included in scope. If you choose to leave a part of your business out of the certification (e.g. a specific office or a separate network), you must now formally justify why it is excluded and how it is technically separated from the rest of your business.

Stricter Patching and Windows 10 Support

Two new questions result in an automatic fail if high-risk or critical security updates are not applied within 14 days. This now explicitly includes router firmware and office applications. Additionally, if your business still uses Windows 10, you must now prove you are signed up for the Microsoft Extended Security Update (ESU) program to remain compliant after October 2025.

New Brute-Force Protection Requirements

To prevent hackers from “guessing” their way into your systems, you must now confirm that your devices use specific protections against brute-force attacks. This can mean, for example, ensuring your systems either lock an account after 10 failed attempts or use “throttling” to slow down login guesses (no more than 10 attempts in 5 minutes).
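
The two options described above, shown as an added Python example that is not part of the original article or of the Cyber Essentials requirements text: a per-account guard that throttles logins to 10 attempts in 5 minutes and can optionally lock the account after 10 consecutive failures. The class, function and account names are hypothetical, and the sample events are constructed.

```python
from collections import defaultdict, deque

MAX_ATTEMPTS = 10        # limit quoted in the text above
WINDOW_SECONDS = 5 * 60  # throttling window quoted in the text above


class LoginGuard:
    """Hypothetical per-account guard: throttling always, lockout optional."""

    def __init__(self, lockout=False):
        self.lockout = lockout
        self.recent = defaultdict(deque)  # account -> times of attempts in window
        self.failures = defaultdict(int)  # account -> consecutive failures
        self.locked = set()               # accounts awaiting an admin unlock

    def attempt(self, account, now, password_ok):
        """Return 'locked', 'throttled', 'denied' or 'granted' for one login."""
        if account in self.locked:
            return "locked"
        window = self.recent[account]
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()              # forget attempts older than 5 minutes
        if len(window) >= MAX_ATTEMPTS:
            return "throttled"            # refused before the password is checked
        window.append(now)
        if password_ok:
            self.failures[account] = 0
            return "granted"
        self.failures[account] += 1
        if self.lockout and self.failures[account] >= MAX_ATTEMPTS:
            self.locked.add(account)
        return "denied"


def replay(events, lockout):
    """Run (seconds, account, password_ok) events through a fresh guard."""
    guard = LoginGuard(lockout=lockout)
    return [guard.attempt(acct, t, ok) for t, acct, ok in events]


# Constructed sample: 12 wrong guesses one second apart, then the correct
# password six minutes later, all against the same account.
SAMPLE = [(t, "alice", False) for t in range(12)] + [(360, "alice", True)]

if __name__ == "__main__":
    print("throttling:", replay(SAMPLE, lockout=False))
    print("lockout:   ", replay(SAMPLE, lockout=True))
```

With throttling only, the eleventh and twelfth guesses are refused and the genuine user gets back in once the window has passed; with lockout enabled, the account stays locked until someone unlocks it, which is the trade-off to weigh when choosing between the two.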

Detailed Software Inventory

The requirements for listing your software have become more granular. You must now provide exact version numbers for a wider range of software, including all internet browsers, email apps, and office suites used to create organisational data.

Focus on Passwordless & Backups

The guidance now strongly promotes passwordless authentication (e.g. FIDO2) and places a greater emphasis on secure backups.

Assessment Process Changes to Cyber Essentials Plus

During Cyber Essentials Plus, organisations cannot change their verified self-assessment responses once testing begins, and random sampling will confirm patch management efficiency. There are also changes to testing; for example, if an auditor finds a device that isn’t updated, they will now test a new random sample of devices after you fix it. This is to ensure you have fixed the issue across the whole company, not just on the one device they caught.

Find out the differences between Cyber Essentials and Cyber Essentials Plus here.

Management Responsibility

The responsibility is ongoing. The declaration signed by your company director now includes a specific statement acknowledging that the business is responsible for maintaining these security standards for the entire year, not just on the day the form is submitted.

 

Are you prepared?

Finding a partner like Beaming who can interpret the technical jargon and provide the “evidence of control” your auditors and insurers are looking for can take the hassle away. Whether you want us to take the whole list off your hands or just provide an extra pair of eyes for peace of mind, we’re here to help.