
Cyber Essentials update: what it means for your business 

15/05/26


Cyber Essentials has had a glow-up. The certification has experienced one of its biggest updates in recent years. The changes reflect how people work now, with most organisations using cloud services to enable remote working.

If you are interested, the new set of questions is called Danzell, and it replaces the previous Willow version. What this means in real terms is that the controls are stricter, which might not sound great, but it means that businesses will continue to have the right protections in place to defend against common cyber threats.

As a reminder, Cyber Essentials is a government-backed certification. It provides a clear and practical baseline for cyber security, helping UK organisations demonstrate good cyber hygiene and keep all the pesky cyber security issues at bay.

The basic level is a self-assessment, which means it is relatively straightforward. For the super secure, Cyber Essentials Plus is externally assessed.  Understandably, as technology and ways of working have evolved, the scheme has evolved too.  

In short, these are the changes:

Multifactor authentication (MFA) for everyone 

You have almost certainly come across MFA already. It is where you use more than one step to sign in, such as a password plus an app on your phone or a code sent by text or email. 

Under the new Cyber Essentials assessment, MFA is now required for all users wherever a service supports it. If a cloud service offers MFA and it has not been enabled for everyone, the organisation will fail the assessment immediately, with no opportunity to fix this during that assessment cycle. So, it is pretty important to get right. 

This applies to everyday tools such as Microsoft 365, Google Workspace, CRM platforms, cloud backup services and any other systems that store or process business data. MFA is no longer a nice-to-have; it is essential.

But, even with MFA enabled, strong password controls are still part of the assessment.  

Cloud services can no longer be excluded from scope 

The Danzell update introduces a clearer definition of cloud services and removes much of the flexibility around scoping. Any cloud service that stores or processes organisational data must now be included in the Cyber Essentials assessment. 

This means organisations need an accurate and up-to-date list of users, devices and cloud services. If a service is in use and holds business data, it needs to be considered, whether it was officially approved or not. 

If you need to exclude something, it must be clearly justified and supported by evidence. 

Administrator access and privileged accounts 

Administrator access is another area that receives closer attention under the new scheme. Admin rights should only be given to people who genuinely need them and should not be part of everyday user accounts. 

This means privileged accounts are expected to be clearly identified. Where possible, organisations should use separate admin accounts rather than elevating standard user access. 

These changes are designed to reduce risk and are a common area to review when preparing for certification. 

Stronger evidence and verification 

The new questions place more emphasis on evidence that controls are working in practice. Assessors want to see the evidence. For instance, a company would have to show that the permissions of all staff are reviewed annually by producing the records, not just by having a policy saying this happens.

What is the difference between Cyber Essentials and Cyber Essentials Plus? 

Under Danzell, the gap between what is declared and what is tested in Plus assessments is much smaller. The basic Cyber Essentials assessment is a self-assessment. The company gives honest and accurate answers about its cyber security, which are then verified by a certification body.

In Cyber Essentials Plus, an external assessor checks that the answers are correct by looking for evidence. Cyber Essentials Plus is therefore more rigorous. For instance, if the permission settings are inconsistent or incomplete, a company would likely fail a Plus assessment, whereas in a basic Cyber Essentials assessment the assessor isn't looking at the cloud settings and the company might pass.

In summary: 

Cyber Essentials is a self-assessment certification. Organisations confirm that they meet the required controls based on the information they provide. 

Cyber Essentials Plus goes a step further, with independent technical testing carried out by an assessor. This includes vulnerability scans and hands‑on checks to verify that security controls are properly implemented. 

You can learn more in our explainer video here.

How can I prepare for the new Cyber Essentials questionnaire? 

The new Cyber Essentials questions take effect after 27 April 2026, which means they are in effect now! If you are planning to certify or renew, now is a great time to start preparing.

Start by reviewing MFA coverage for all users and admin accounts. Auditing cloud services, validating asset inventories and identifying shadow IT will also make the process far smoother.

Although the changes are stricter, they are designed to reflect the real-world threats to your business. They help keep Cyber Essentials a valuable and trusted standard for UK organisations.

We have helped numerous businesses pass Cyber Essentials – and we are Cyber Essentials Plus certified too.  So, if you have any questions or would like Resolve to guide you through Cyber Essentials certification or renewal, we would be happy to help. 

Contact Resolve on Email: solutions@resolve.co.uk 
