Cyber Essentials April
2026: Introducing the New “Danzell” Update
Cyber Essentials is a UK government backed cyber security certification that defines five essential protections every organisation should have in place. It is designed to defend businesses against common online threats, and following these basic controls can prevent around 95 per cent of routine cyber attacks.
From firewalls and secure system configuration to user access management, malware protection, and timely software updates, the scheme establishes a strong baseline for digital security. Achieving Cyber Essentials certification not only protects your operations from cyber criminals but also demonstrates to customers and partners that your organisation treats cybersecurity as a priority.
On 27 April 2026, Cyber Essentials will receive a significant update. The current self-assessment question set, known as “Willow”, will be replaced with a new set named “Danzell”.
Although Danzell does not completely overhaul the scheme, the same five control areas still apply; it introduces stricter requirements in several key areas.
Put simply, some controls that were previously considered good practice will now be mandatory. Failure to meet these new requirements will result in an automatic fail. Below is an overview of what is changing, why it matters and how to prepare.
What Is Changing Under “Danzell”?
1. Multi-Factor Authentication (MFA) on Cloud Services Becomes Mandatory
If your organisation uses any cloud-based services, such as email or file storage, you must enable multi-factor authentication for all users. MFA adds an extra step to the login process, such as entering a one-time code from a mobile device.
Under the updated rules, if a cloud service offers MFA and you have not enabled it for every user, your organisation will automatically fail the assessment.
This is a substantial shift because the previous version allowed some flexibility. Now, MFA must be enabled wherever it is available.
2. Faster Software Updates, Including a 14 Day Deadline for Critical Fixes
Keeping devices and software up to date has always been part of good cyber hygiene. Under Danzell it becomes non negotiable for high risk patches.
All critical or high-impact updates must be installed within 14 days of release.
This includes updates for operating systems, applications and firmware on equipment such as routers and firewalls.
Two new questions in the assessment, A6.4 and A6.5, address this specifically. Leaving a critical update uninstalled for longer than two weeks will lead to an automatic fail.
This change reflects the fact that delayed patching is one of the most common causes of security breaches.
Danzell makes it clear that prompt updates across all in-scope assets are required.
3. Clearer Scope Definition and Executive Accountability
The updated question set requires organisations to clearly define which parts of their IT environment are included in the assessment. You will need to describe the scope, such as offices, networks, devices and cloud services, and provide justification for anything excluded.
Cloud services used for data or operational activities are automatically considered in scope by default. Organisations can no longer assume that responsibility for cloud security sits entirely with the provider.
The application will also include a final declaration requiring a board member or director to sign. By doing so, they confirm that the organisation will maintain Cyber Essentials controls throughout the year, not only on the assessment date.
This elevates cybersecurity to a leadership responsibility and reinforces the need for continuous compliance.
Notes for Cyber Essentials Plus Applicants
For organisations pursuing Cyber Essentials Plus, Danzell tightens several audit procedures. For example, if a sample of devices fails security checks due to missing updates, the assessor will require the issues to be resolved and will then test an additional random sample.
You will also no longer be allowed to amend your self-assessment answers once the CE Plus audit has begun.
These changes prevent organisations from adjusting answers after the fact and ensure that security practices are genuinely embedded.
Why Does Danzell Matter for Business?
For many organisations, the update raises the baseline for good cyber hygiene. It focuses on areas that are often weak points despite being simple to address, such as strong authentication and timely patching.
These weaknesses are among the most frequently exploited by attackers. By making certain measures compulsory and pass-or-fail, the scheme encourages businesses to consistently close these gaps.
Any organisation seeking certification or renewal after April 2026 will need to comply with the new requirements. Even if your industry does not require Cyber Essentials, the updated controls reflect best practice.
Strong authentication methods and rapid software updates significantly reduce the risk of incidents, including data breaches and ransomware.
Cyber Essentials and Cyber Essentials Plus are widely used by UK organisations as a trust signal and are often required for government-related contracts.
Staying aligned with the Danzell standards strengthens both operational resilience and reputation.
How Should Leaders Prepare?
Double Check MFA Across All Accounts
Ask your IT team to confirm that multi-factor authentication is enabled for every cloud service and every user.
If any critical service does not support MFA, consider applying additional layers of security or moving to a platform that does.
Strengthen Your Update and Patch Management Process
Ensure you have a clear policy and appropriate tools to install critical patches within 14 days across all systems.
Automated update tools or vulnerability scanners can help identify any missed updates. Treat update management as a routine operational activity rather than a reactive task.
Define Your Scope Early
Work with IT and compliance teams to document which assets are in scope.
This typically includes office devices, servers, mobile devices and cloud services.
Identify any areas you believe should be excluded and provide justification, while recognising that many exclusions will not be permitted under the new framework.
Appoint an Executive Sponsor
A senior leader will now be required to sign the Cyber Essentials declaration.
Consider setting up regular reviews, such as quarterly check-ins on access management and update status, to ensure ongoing compliance.
Aabyss: Committed to High Standards
At Aabyss, we lead by example in security and quality.
We are certified under both Cyber Essentials and Cyber Essentials Plus and also hold ISO certifications for Information Security (ISO 27001), Quality Management (ISO 9001) and Environmental Management (ISO 14001).
These internationally recognised standards reflect our commitment to strong governance, robust security and responsible operations.
Holding both Cyber Essentials Plus and ISO 27001 is considered best practice because together they provide a strong technical defence and a comprehensive information security management system.
These certifications reassure our clients that we maintain high standards and are committed to helping them achieve the same level of resilience.
In Summary
The Danzell update strengthens Cyber Essentials to keep pace with modern cyber threats.
The message for business leaders is clear. Ensure multi-factor authentication is implemented, apply critical updates promptly, understand what is in scope for assessment and recognise that cybersecurity requires ongoing attention.
Cyber Essentials has always focused on getting the fundamentals right.
Danzell simply raises the standard of what “right” looks like. Preparing now will allow your organisation to meet the new requirements with confidence.
Aabyss is here to guide you through every step.
We would love to hear from you.