From 27 April 2026, the UK Cyber Essentials scheme moves to Requirements for IT Infrastructure v3.3 (Danzell), applying to all new assessment accounts created on or after this date.
While the five core control areas remain unchanged (firewalls, secure configuration, access control, patching, and malware protection), the update significantly tightens how these controls are interpreted, enforced, and evidenced.
This is not a redesign; it is a shift from guidance to enforcement.
Key Technical Changes
- Mandatory Multi-Factor Authentication (MFA) – Now Pass/Fail
The most impactful change is the move to strict MFA enforcement:
- MFA must be enabled wherever it is available, especially for cloud services
- Applies to all users, admin accounts, remote access, and SaaS platforms
- Failure to enable MFA when available results in an automatic fail
This removes previous flexibility and aligns with the rise in credential-based attacks.
- Cloud Services Fully In Scope
For the first time, Cyber Essentials formally defines cloud services and makes them non-excludable:
- Any system storing or processing organisational data in the cloud is in scope
- Responsibility remains with the organisation even when the service is delivered by a SaaS provider
- Includes email platforms, CRMs, file storage, identity providers, etc.
This closes a long-standing gap where organisations could previously exclude third-party platforms.
- Tighter Scoping Rules and Transparency
Scoping has been clarified and tightened to eliminate ambiguity:
- All internet-connected devices are in scope, whether the connection is inbound or outbound
- Organisations must explicitly justify exclusions with segmentation evidence
- More detailed scope descriptions are required, including legal entities
This increases assessor visibility and reduces “under-scoping” practices.
- 14-Day Patch Management Requirement
Patch management is now more prescriptive:
- Critical and high-risk vulnerabilities must be patched within 14 days
- Applies across operating systems, applications, and network devices
- Requires demonstrable, consistent patching processes
Failure to meet this timeline can lead to assessment failure.
- Expansion to Application Development Security
The previous “Web Applications” section evolves into Application Development:
- Aligns with the UK Government Software Security Code of Practice
- Requires secure coding practices and lifecycle patching
- Public-facing apps are always in scope
This reflects the growing risk of application-layer attacks.
- Stronger Emphasis on Identity and Passwordless Security
The update introduces modern identity expectations:
- Encouragement of passwordless authentication (e.g. passkeys, FIDO2, biometrics)
- Reinforces identity as a primary security boundary
- Supports reduced reliance on traditional passwords
- Backup, Recovery, and Resilience Requirements
Backup controls are strengthened:
- Backups must be documented, tested, and recoverable
- Organisations must demonstrate the ability to recover from cyber incidents
This reflects increased focus on ransomware resilience.
- New Question Set (“Danzell”) and Assessment Changes
- A new self-assessment questionnaire (Danzell) replaces the previous version
- More detailed, less ambiguous wording
- Greater emphasis on evidence and consistency
Cyber Essentials Plus will also introduce more rigorous technical validation aligned with these changes.
What Hasn’t Changed
Despite stricter enforcement:
- The five core controls remain the same
- The scheme is still designed to be achievable for SMEs
- The update focuses on clarity, consistency, and modern relevance rather than new controls
Final Thoughts
The April 2026 update marks a clear evolution of Cyber Essentials from a baseline checklist to a more enforceable security standard.
Technically, the biggest shifts are:
- Identity-first security (MFA everywhere)
- Full accountability for cloud environments
- Strict patching timelines
- Elimination of ambiguous scoping
For organisations, success under v3.3 will depend less on documentation alone and more on demonstrable, consistently applied security controls.