Cyber Essentials changed on 27 April 2026, and the new rules are stricter than many businesses expect. The updated version 3.3, assessed through a new question set called Danzell, introduces hard auto-fail conditions around multi-factor authentication, cloud services and patching. In short, things that used to be best practice are now pass-or-fail. Here is what has changed, why it matters, and what to do before your next assessment.
What is Cyber Essentials?
Cyber Essentials is a UK government-backed certification scheme, run by the National Cyber Security Centre (NCSC), that proves your business has five basic technical controls in place to defend against the most common cyber attacks: firewalls, secure configuration, user access control, malware protection and security update management. It is often a requirement to win public sector and many private contracts, and insurers and larger customers increasingly expect it before they will work with you.
What changed in April 2026?
From 27 April 2026, all new assessments are graded against version 3.3 of the NCSC Requirements for IT Infrastructure, using a new question set called Danzell that replaces the previous Willow set. The questions go into more detail on your cloud service inventory, your MFA implementation and your patching evidence. Most importantly, three areas now carry automatic failure conditions, which means getting any one of them wrong fails the entire assessment.
The three changes that can auto-fail your assessment
| Area | The v3.3 rule | Why it auto-fails |
|---|---|---|
| Multi-factor authentication | MFA must be enabled on every cloud service that supports it, for all users, not just admins. | If a cloud service offers MFA and you have not switched it on, the whole assessment fails. |
| Cloud services in scope | Cloud services now have a formal definition and cannot be excluded from your certification scope. | Any service that stores or processes your data is in scope and must meet the controls. |
| Patching and updates | High-risk and critical updates for operating systems, applications and firmware must be applied within 14 days of release. | Missing the 14-day window is an automatic failure. |
The theme is clear: with so much business now running in the cloud and on remote devices, the scheme has closed the gaps that used to let organisations scope those risks out. Cloud and MFA are no longer optional extras to mention, they are the assessment.
When do the changes take effect?
The scheme changed on 27 April 2026. There is a transition window: if your assessment account was created before that date, you can complete it under the previous Willow version until 27 October 2026. After that, every assessment must use the new Danzell question set. If your renewal falls later in the year, it is worth checking now which version you will be assessed against so there are no surprises.
What does your business need to do?
Preparing for v3.3 is mostly about evidence and consistency. The practical checklist looks like this:
- List every cloud service you use. Microsoft 365, accounting, CRM, file sharing and the rest. You cannot protect or scope what you have not inventoried.
- Turn on MFA everywhere it is offered, for every user account, not just administrators.
- Tighten your patching. Make sure high-risk and critical updates for operating systems, applications and firmware are applied within 14 days, and that you can show it.
- Check your routers and firmware. Network device firmware is explicitly in scope, so it needs the same patching discipline.
- Document your scope and any exclusions, explaining what is excluded, why, and how it is kept separate.
- Confirm Windows and other software are still supported, because unsupported, unpatchable software is an automatic fail. (If you are still on Windows 10, see our guide on what to do now that Windows 10 has ended.)
How Mastercopy helps you certify and stay compliant
Cyber Essentials is much easier with a managed IT partner who lives in this detail every day. As an ISO 27001 certified provider, Mastercopy helps businesses get ready for v3.3 and, just as importantly, stay compliant between assessments: inventorying your cloud services, rolling out MFA, keeping patching inside the 14-day window, and maintaining the evidence an assessor will ask for. It is all part of our managed IT support, and you can read more about our own security posture in our Trust Centre.
Certification is not a one-off form, it is an ongoing standard, and the 2026 changes make that clearer than ever. Get the foundations right and it becomes a routine renewal rather than an annual scramble.
Frequently Asked Questions
What is Cyber Essentials?
A UK government-backed, NCSC-run certification showing your business has five basic technical controls in place against common cyber attacks. It is widely required for public sector contracts and increasingly expected by insurers and larger clients.
What changed in Cyber Essentials in 2026?
From 27 April 2026, new assessments use version 3.3 and the new Danzell question set (replacing Willow), with stricter auto-fail rules on MFA, cloud services and patching.
Does Cyber Essentials now require MFA?
Yes. If a cloud service supports MFA and you have not enabled it, your whole assessment fails automatically. MFA must be on for every cloud service and all users, not just admins.
What is the patching rule in v3.3?
High-risk and critical updates for operating systems, applications and firmware must be applied within 14 days of release. Missing that window is an automatic failure.
When do the v3.3 changes take effect?
27 April 2026. Accounts created before then can finish under the previous Willow version until 27 October 2026, after which Danzell applies to all.
How do I get Cyber Essentials certified?
Complete the self-assessment and have it verified by a certification body. The real work is meeting the MFA, cloud, patching and configuration requirements first, which Mastercopy can manage for you.
Need to certify, renew, or simply work out where you stand against v3.3? Call Mastercopy on 01642 750404 or email sales@mastercopy.co.uk and our IT team will help you prepare.