Understanding the Danzell update, mandatory MFA, tighter patching rules, the transition timeline and how to prepare.
22 Mar 2026
Cyber Essentials remains one of the strongest indicators of effective cyber security for UK organisations. It provides a clear, government‑backed baseline for protecting systems and data against the most common cyber attacks.
The scheme is built around five core technical controls and is underpinned by guidance from the National Cyber Security Centre (NCSC), with delivery and assessment operated through IASME. As technology and threats evolve, Cyber Essentials is reviewed regularly to ensure it remains relevant and effective.
From 27 April 2026, Cyber Essentials will undergo one of its most significant operational updates in recent years. While the core controls haven’t changed, the way they are assessed has. The Danzell update expands scope, tightens enforcement and removes ambiguity, meaning organisations often need more time to identify and remediate gaps before renewal.
In this article we explain everything you need to know about the update: what's changing, what Danzell is, and how it will affect organisations across the UK.
Cyber Essentials certification is valid for 12 months, requiring organisations to renew annually. Each review cycle can introduce refinements that strengthen clarity, consistency and real‑world effectiveness.
The 2026 update is delivered through:
These changes apply to all assessment accounts created on or after 26 April 2026. Organisations with an active assessment account created before that date will have six months to complete certification using the previous requirements.
The intent behind the April 2026 changes is not to add new controls, but to:
In particular, the updates respond to common issues identified through breach investigations and scheme audits, such as inconsistent scoping, delayed patching, and partial implementation of multi‑factor authentication (MFA).
Cyber Essentials continues to represent the minimum cyber security standard that UK organisations should aim to meet and maintain.
Cyber Essentials is still built on the same five technical control areas:
What has changed is how clearly and strictly these controls are assessed under the new Danzell question set.
The updated Danzell question set introduces:
Organisations should not rely on answers from previous assessments, as responses that previously passed may no longer meet the updated criteria.
For the first time, Cyber Essentials formally defines cloud services and makes it explicit that they cannot be excluded from scope. Any cloud service that stores or processes organisational data must now be included in the assessment. This includes, but is not limited to:
While cloud providers may implement some security controls, responsibility for correct configuration, access control and user security remains with the organisation under Cyber Essentials’ shared responsibility model. This ensures assessments reflect real‑world operating models and reduce the risk of insecure cloud configurations being overlooked.
For example: A small accountancy practice might rely almost entirely on Microsoft 365 and a cloud bookkeeping platform. Previously, their assessment could have focused mainly on laptops. Under the new rules, the cloud services holding sensitive financial data are also assessed — providing reassurance that client data is protected at the source, not just on the endpoint.
Multi‑factor authentication (MFA) is now a strict requirement for all cloud services where it is available. If a cloud service supports MFA and it has not been enabled, the assessment will result in an automatic failure. This applies regardless of whether MFA is free, bundled or available as a paid feature. In practice, this applies most critically to cloud services, which are now explicitly in scope and where MFA is almost always available.
For example: A legal firm may have strong password policies in place, but if a solicitor reuses a password elsewhere and that external site is breached, attackers could gain access to case files. MFA significantly reduces this risk by ensuring a stolen password alone is not enough to access sensitive systems.
Understanding all cloud services in use — including those outside of central IT oversight — is therefore essential ahead of assessment or renewal.
Security update management is one of the most tightly enforced areas in the April 2026 update. Two assessment questions are now classed as automatic fail if not met:
Failure to meet either requirement results in an automatic assessment failure, regardless of performance elsewhere.
For example: A growing consultancy might patch laptops regularly but overlook a critical update for a firewall or a widely used browser extension. Under the new rules, that single gap could cause a failed assessment, encouraging organisations to adopt more structured and automated patching processes.
The updated scheme places greater emphasis on transparency and clarity of scope. Organisations must now:
This reduces ambiguity for both assessors and organisations, improves the credibility of certification outcomes and avoids disputes late in the assessment process.
For example: A multi‑site organisation that excludes a warehouse network will need to demonstrate how that network is technically separated from core systems — not simply state that it’s “out of scope”.
The April 2026 update also strengthens the Cyber Essentials Plus (CE+) assessment methodology to prevent “selective compliance”.
Key changes include:
For example: A professional services firm that manually patches a handful of devices may find CE+ increasingly difficult to pass without automated update management. The changes encourage consistency and reduce reliance on best‑effort approaches.
These changes don’t introduce new technical requirements, but they do close previous loopholes and ensure CE+ provides a stronger level of technical assurance. As a result, organisations are expected to demonstrate that controls are not just defined, but consistently applied across their real operating environment.
The April 2026 changes do not invalidate existing Cyber Essentials certificates overnight. Instead, which rules apply depends on when you create your next assessment account, not when your current certificate expires.
In simple terms, there are two scenarios:
Because Cyber Essentials is a point‑in‑time certification, organisations should plan ahead. Waiting until the last minute — especially without checking MFA, patching and cloud scope — increases the risk of delays or failed assessments.
The April 2026 Cyber Essentials update strengthens the scheme without changing its fundamental purpose. By tightening definitions, enforcing critical controls and improving consistency, Cyber Essentials becomes a more reliable indicator of real cyber resilience. As certification continues to be widely required for tenders, partnerships and supplier assurance, maintaining compliance is increasingly important for UK organisations of all sizes.
If your organisation is due to renew Cyber Essentials or Cyber Essentials Plus in 2026, now is the time to prepare. The April 2026 changes don’t introduce new controls — but they do remove ambiguity and increase enforcement. Good preparation is simple and practical. Before starting your next assessment:
A little preparation now can prevent delays, rework or failed assessments later — and helps ensure Cyber Essentials continues to reflect real cyber resilience, not just compliance.
At BCN, we help organisations prepare for, achieve and maintain Cyber Essentials and Cyber Essentials Plus certification — including readiness assessments aligned to the new Danzell requirements.
Our BCN Cyber security Pledge reflects our commitment to raising every customer to an appropriate, defensible level of cyber security maturity as standard. If you’d like support navigating the April 2026 changes or preparing for certification, our team is always ready to help.