Cyber Essentials Updates Coming in April 2026

Cyber threats are evolving, and the standards designed to protect your business are evolving with them. From 27th April 2026, updates to the Cyber Essentials scheme will come into effect, introducing a number of important changes to both Cyber Essentials (CE) and Cyber Essentials Plus (CE+).

The new Danzell question set goes live on this date, replacing the current Willow question set and introducing updated requirements across both CE and CE+ assessments.

These updates reflect how organisations now operate, particularly in cloud-based and hybrid environments, and aim to ensure certification continues to represent genuine, real-world security.

If your business relies on Cyber Essentials for contracts, insurance, or supply chain credibility, these changes are important. Not because they make certification harder, but because they make it more meaningful, consistent, and aligned with modern security risks.

 

Why This Update Matters

Cyber Essentials has always focused on the fundamentals of good cyber hygiene. However, as businesses increasingly adopt cloud platforms and distributed IT environments, those fundamentals must now be applied more consistently and robustly.

The April 2026 update strengthens trust in the scheme by ensuring organisations are not just compliant on paper, but properly protected in practice.

 

What’s Changing in April 2026?

The core five controls remain unchanged, but their application and enforcement are becoming clearer and more rigorous under the new Danzell question set.

Multi-Factor Authentication (MFA) Becomes Mandatory Where Supported

One of the most significant changes for Cyber Essentials is the introduction of mandatory multi-factor authentication (MFA) wherever it is supported by the cloud service in use.

This applies regardless of cost implications, meaning organisations may need to upgrade to higher-tier subscriptions to comply.

If MFA is not fully implemented in applicable scenarios, this will result in an automatic fail.

MFA has long been one of the most effective security controls, and its wider enforcement reflects its importance in preventing unauthorised access.

 

Stronger Focus on Cloud Security Responsibility

The updated guidance places clearer responsibility on organisations using cloud services such as Microsoft 365.

While cloud providers secure the infrastructure, organisations remain responsible for how services are configured and used.

This includes:

  • User access and permissions
  • Secure configuration of services
  • Protection and control of data

Clearer expectations in this area help reduce common configuration mistakes that can leave systems unnecessarily exposed, such as overly permissive access, weak administrative controls, or insecure default settings.

While backups are not part of the Cyber Essentials requirements, organisations are strongly encouraged to follow good practice guidance and ensure that important data is being backed up regularly, with test restores carried out to confirm that data can be recovered when needed.

 

Stronger Focus on Asset Management and Visibility

A key part of the updated guidance is improved visibility of devices and assets across the organisation.

It is essential that organisations maintain an accurate understanding of what devices they have, who is using them, and where they are being used. Without this visibility, it becomes significantly harder to apply consistent security controls or ensure compliance.

You cannot effectively protect what you do not know you have.

This means greater emphasis on:

  • Maintaining up-to-date asset registers
  • Tracking devices assigned to users
  • Ensuring unmanaged or unknown devices are not present in the environment
  • Applying consistent security policies across all endpoints

 

CE+ Vulnerability Management Changes

Cyber Essentials Plus has also been strengthened, particularly around vulnerability management.

Where vulnerabilities are identified in the initial sample set, organisations will still be given 30 days to remediate them.

However, this is now followed by a second round of testing using a new sample set of the same size. This ensures fixes have been applied consistently across the wider environment, rather than only within the originally tested devices.

If the same vulnerabilities are found again in the second sample set, this will result in a fail. Any new or different vulnerabilities identified at this stage will be recorded as advisory findings and will not affect the overall result.

If an organisation chooses not to provide a second sample set, they will fail CE+ but retain their Cyber Essentials certification.

Impact on Certification Status

Failure to achieve Cyber Essentials Plus will now have a direct impact on Cyber Essentials certification.

If an organisation fails CE+, their CE certification will be revoked and they will need to complete the certification process again.

However, there is one exception. If an organisation declines to provide a second sample set, CE+ will be failed but CE certification will remain valid.

 

Application Timing and Transition Period

Any applications created before 27th April 2026 will be handled under the Danzell rollout transition rules and will continue to use the existing Willow question set.

These organisations will not be subject to the new Danzell requirements and will have a six-month window to complete their certification before their application is archived.

 

How to Prepare

To support organisations through these changes, we offer:

  • Pre-CE+ vulnerability assessments, available as a one-off engagement or an ongoing monthly service
  • Optional patching support to help maintain compliance and reduce risk

Preparing early helps identify gaps in advance, avoid delays, and ensure smoother certification outcomes.

What This Means for Your Business

For most organisations, these changes will not require a complete overhaul. However, they do demand greater attention to detail, particularly around MFA, access control, asset visibility, and cloud configuration.

If Cyber Essentials is linked to contracts or compliance requirements, failing or delaying certification could have a direct business impact.

 

Why Acting Early Matters

Many organisations wait until renewal before addressing certification requirements. With the introduction of the Danzell question set, early preparation is more important than ever.

Acting early allows you to:

  • Identify and remediate gaps in advance
  • Avoid last-minute delays
  • Maintain compliance with contracts and insurers
  • Strengthen overall security posture

 

A Stronger Standard for Modern Security

Cyber Essentials remains focused on the fundamentals:

  • Securing devices
  • Controlling access
  • Keeping systems updated
  • Protecting against common threats

What is changing is the expectation that these controls are applied consistently across the entire organisation under the new Danzell question set.

Cyber Essentials is no longer just a certification. It is a signal to customers, partners, and insurers that your organisation takes security seriously.

 

Take Action Now

If your Cyber Essentials certification is due for renewal, or you are planning to become certified, now is the time to prepare. Understanding the changes early will help you avoid disruption, maintain compliance, and ensure your organisation remains protected under the updated scheme.