Cyber Essentials: New changes coming April 2026
On the 27th April 2026, the latest changes to Cyber Essentials will come into effect, and the new question set for Cyber Essentials will be called Danzell. There are several changes that will impact both Cyber Essentials Basic and, in turn, Cyber Essentials Plus when you come to complete the assessment.
Important note
When it comes to the changes, only assessments started from the 27th April 2026 will be affected. Any organisations which are already in progress with their assessment will continue to be assessed against the current Willow question set.
Any organisations which are currently in progress of working towards Cyber Essentials will have up to the 27th October 2026 to be fully completed and certified. If organisations are also working towards Cyber Essentials Plus, under the Willow question set, they will have until 27th January 2027 to be fully certified.
It is worth noting that the Requirements for IT Infrastructure document has also been updated to version 3.3, fully in line with the changes to the scheme. This latest version is to be used with Danzell; if you are working on the Willow question set, you should be using the 3.2 guide, which can be found on the NCSC website.
Changes
Scoping
Scoping has always been a tricky area for businesses when not certifying the whole organisation. Under the new changes, organisations will now be able to provide a detailed scope of what is included and what isn’t. This will still be based around networks, connected sites and such.
Applicants will be required to list all their connected legal entities which are in scope, including their name, address and registration numbers. This will help assessors understand the scoping of larger and more complex organisations when going for certification.
Organisations will be required to describe any areas and their associated infrastructure which are being deemed out of scope for certification. These excluded areas will not be made publicly available.
For larger organisations which have more than one legal entity within the group, you will be able to obtain individual certifications for each entity; however, this will be at additional cost.
Multi-factor authentication (2FA)
Multi-factor authentication has been within the Cyber Essentials scheme for many years and is not a new thing. However, from April 2026, an important note to be aware of is that marking will become stricter around this area, both for the new question set and for the current Willow one. If an organisation is using a cloud service which offers MFA and it is not enabled for all users (including administrators), you, as the applicant, will automatically fail the assessment.
This means that if your cloud service requires you to pay for the MFA offering, or MFA is built into another method or service, such as Single Sign On (SSO via Microsoft 365 or another service), then it must be enabled to be compliant.
If you are unsure whether your cloud service provides MFA, you can check the IASME Cyber Essentials Knowledge Hub, which has a list that is updated regularly.
Cloud Services
Cloud services cannot be excluded from scope when it comes to certification. If an organisation utilises a cloud service to process or store business data, it must be included. This includes social media platforms, financial platforms, HR platforms and so forth. Multi-factor authentication must also be enabled on all these accounts if the platform supports it.
Patching and updating
Questions around the patching and updating of machines within 14 days of release are being updated. If an applicant doesn't apply high and critical security updates within 14 days of release, this will now be marked as an automatic failure of the assessment under the new question set. This includes ensuring laptops, desktops, mobile devices, routers and firmware are all kept up to date.
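To show how the 14-day rule can be checked against an asset inventory before an assessor does, here is an added example (not code from the page, IASME or the NCSC). It assumes a constructed inventory of pending and applied updates with vendor-assigned severities; the device names and update references are made up. It flags any high or critical update that was not installed within 14 days of release, including updates that were eventually installed but late, and treats an update that is still pending as applied "today".

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# The scheme's window for high/critical security updates (from the page).
PATCH_WINDOW = timedelta(days=14)
ENFORCED_SEVERITIES = {"critical", "high"}


@dataclass(frozen=True)
class UpdateRecord:
    device: str                # hostname or asset tag (constructed)
    device_type: str           # laptop, desktop, mobile, router, firmware
    update_id: str             # vendor advisory reference (constructed placeholder)
    severity: str              # vendor-assigned severity, lower-cased
    released: date             # date the vendor published the fix
    installed: Optional[date]  # date applied, or None if still pending


def deadline(record: UpdateRecord) -> date:
    """Last day on which the update counts as applied within 14 days of release."""
    return record.released + PATCH_WINDOW


def is_overdue(record: UpdateRecord, today: date) -> bool:
    """True when a high/critical fix was not applied within the 14-day window.

    A pending update is treated as applied 'today'; an update installed after
    its deadline is still a miss, because the rule is about time from release.
    """
    if record.severity not in ENFORCED_SEVERITIES:
        return False
    applied = record.installed if record.installed is not None else today
    return applied > deadline(record)


def days_overdue(record: UpdateRecord, today: date) -> int:
    """How many days past the 14-day deadline the update was (or still is)."""
    applied = record.installed if record.installed is not None else today
    return max(0, (applied - deadline(record)).days)


def audit(inventory: list[UpdateRecord], today: date) -> dict[str, list[str]]:
    """Map each non-compliant device to the update references that missed the window."""
    findings: dict[str, list[str]] = {}
    for record in inventory:
        if is_overdue(record, today):
            findings.setdefault(record.device, []).append(record.update_id)
    return findings


# Constructed sample inventory; none of these devices or references are real.
SAMPLE_INVENTORY = [
    UpdateRecord("LAP-01", "laptop", "VENDOR-2026-0001", "critical",
                 date(2026, 4, 20), date(2026, 4, 28)),   # applied in time
    UpdateRecord("LAP-02", "laptop", "VENDOR-2026-0002", "high",
                 date(2026, 4, 20), None),                # still pending, overdue
    UpdateRecord("RTR-01", "router", "FW-2026-0003", "critical",
                 date(2026, 4, 1), date(2026, 4, 20)),    # applied, but 5 days late
    UpdateRecord("MOB-01", "mobile", "VENDOR-2026-0004", "medium",
                 date(2026, 3, 1), None),                 # not high/critical, not enforced
    UpdateRecord("DSK-01", "desktop", "VENDOR-2026-0005", "high",
                 date(2026, 5, 10), None),                # pending but still inside window
]
SAMPLE_TODAY = date(2026, 5, 15)


if __name__ == "__main__":
    for device, refs in audit(SAMPLE_INVENTORY, SAMPLE_TODAY).items():
        print(f"{device}: missed 14-day window for {', '.join(refs)}")
```

Run against a real export (for example from your RMM or MDM platform) by replacing SAMPLE_INVENTORY with the exported rows; the medium-severity entry is deliberately left out of the findings to mirror the scheme's wording, not because it should stay unpatched.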
User access control
The section under user access control has been updated to highlight the importance of passwordless authentication methods, such as passkeys and biometrics. Cyber Essentials is now trying to move away from password-only authentication and concentrate more on more secure methods of authentication.
Scheme updates and clarification
There have been some changes within the Requirements for IT Infrastructure document as well as the question set to help clarify definitions and make questions easier to understand. Some questions have also been moved around or updated to make the flow of answering questions easier.
Cyber Essentials Plus
The Cyber Essentials Plus audit is also being overhauled at the same time, with stricter rules when it comes to testing and auditing of systems. Some of these testing methods are already being performed by InfoSec Governance during our audits as a matter of best practice.
The biggest change is that during the audit, assessors will have to test a new random sample set of devices, decided on the day, to ensure that all machines are receiving security updates and that the applicant is not just applying updates to certain machines to make them appear compliant.
Further information
If you would like further information on the changes to Cyber Essentials or would like to know more, check out the IASME website, or get in touch with us to see how we can help you achieve Cyber Essentials for your business.