
Cyber Essentials v3.3 'Danzell' Went Live This Week. The First Auto-Fail Rules Will Catch People Out.

30 April 2026Boris Didov

On 27 April 2026, Cyber Essentials v3.3 ('Danzell') replaced Willow as the mandatory question set. For the first time in the scheme's history there are auto-fail questions — missed MFA on a cloud service or a high-risk patch left longer than 14 days will now fail the assessment outright. Here is what changed and what to fix before your next renewal.

Key takeaways

  • Cyber Essentials v3.3 ('Danzell') replaced 'Willow' on 27 April 2026 and is now mandatory for any new assessment account. If your account was opened before that date you have until 27 October 2026 to finish under the old rules — after that, you start again under Danzell.
  • Two questions are now auto-fail: high-risk or critical patches must be applied within 14 days for operating systems and firewall firmware (A6.4), and within 14 days for applications and their extensions (A6.5). One missed update on a sampled device fails the whole assessment — no remediation window.
  • MFA is now mandatory on every cloud service that supports it — standard users, admins and shared accounts included. 'It costs extra so we skipped it' is no longer accepted; if the provider offers MFA at any price, you must turn it on or you fail.
  • Cloud services are now formally defined and cannot be excluded from scope. Microsoft 365, Google Workspace, your CRM, HR system, cloud storage, accounting software, project tools and any social media account that processes business data all sit inside the assessment boundary.
  • Cyber Essentials Plus has been tightened too. If patching or configuration fails on the initial device sample, the assessor pulls a second sample — and a failure on either will fail CE+ and revoke your CE Basic certificate. The 'fix the tested machines' shortcut is dead.

Cyber Essentials is the UK's baseline security certification — government-backed, run by IASME on behalf of the NCSC, and for many of our clients the price of admission to bid for public-sector work, education contracts, or supplier panels at larger customers. As of Monday 27 April it has a new question set, and for the first time ever it has rules that fail you on the spot.

If your last assessment was under the old 'Willow' rules and you assumed renewal would be a similar exercise, it will not be. The version that went live this week — v3.3, codenamed 'Danzell' — is materially harder, with two auto-fail questions and a fundamentally tighter definition of what counts as 'in scope'.

Here is what changed, who needs to act now, and the short list of things to check before your renewal date arrives.

What 'auto-fail' actually means

Until this week, every Cyber Essentials question allowed some judgement. Get one wrong and the assessor would usually flag it, give you a chance to remediate, and you would still pass. Danzell removes that for two specific questions, both about patching speed:

  • A6.4 — high-risk or critical security updates and vulnerability fixes for operating systems and router/firewall firmware must be installed within 14 days of release.
  • A6.5 — high-risk or critical security updates and vulnerability fixes for applications, including extensions and any associated files, must be installed within 14 days of release.

Answer 'no' to either, or have the assessor find a counter-example on a sampled device, and the assessment fails immediately. There is no negotiation, no remediation window, and no partial pass. This is the first time the scheme has ever had questions that work this way.

Fourteen days is not a generous window. It is a forcing function, and it will catch organisations that have been getting by on 'we apply patches when there is time' or 'we wait until the half-term holiday'. If your patch cadence relies on a quiet week, your patch cadence is now a Cyber Essentials risk.

MFA is now non-negotiable, on every cloud service

Under Willow, multi-factor authentication on cloud services was a 'should' that softened in places — particularly for shared mailboxes, service accounts, and tenants where MFA cost extra. Danzell removes the softness:

If a cloud service supports MFA, every user account on that service must have MFA enabled. Standard users, admins, shared accounts, all of them. If the service charges extra for MFA, you pay for it. Otherwise you fail.

That is a meaningful change for anyone running a finance pack on the cheaper tier of an accounting or CRM SaaS, anyone with shared inboxes used by a team, and anyone whose MAT had quietly excluded a small subsidiary from the central identity provider. Those gaps will now produce a fail rather than a discussion.

On the upside, Danzell also explicitly recognises passwordless authentication (passkeys, FIDO2) as a valid alternative to traditional MFA — so if you have been moving towards passkeys for staff sign-in, that work counts.

Cloud services can no longer be argued out of scope

This is the change most likely to surprise organisations that scoped narrowly under previous versions. Danzell formally defines a 'cloud service' and states that cloud services storing or processing your organisation's data cannot be excluded from the assessment. In practice that means:

  • Microsoft 365 and Google Workspace are in scope — including SharePoint, OneDrive, Drive, Teams and Meet — for every account that touches business data.
  • Your CRM, HR system, payroll, accounting software, MIS or finance system are in scope.
  • Cloud storage and backup services are in scope.
  • Project management and ticketing tools are in scope.
  • Business-controlled social media accounts are in scope.

If you previously ran a partial-scope certification that excluded a specific subsidiary, school or product line, that exclusion now needs explicit justification — and excluding 'because it is too hard' is no longer enough.

Cyber Essentials Plus: the testing got real

For organisations that go further and certify against Cyber Essentials Plus, Danzell tightens the on-site testing in a way the old scheme had been quietly forgiving about.

Under Willow, the assessor would test a sample of devices. If the sample passed, the certification was awarded. If it failed, you fixed the sampled devices and re-tested. That created a well-known shortcut: keep most of the estate at whatever patch level was convenient, and only bring the sampled machines fully up to date for the audit.

Under Danzell, if the initial sample fails the internal vulnerability-scan stage, the assessor pulls a second, independent sample. A failure on either the first or the second sample fails CE+ — and revokes the CE Basic certificate that was awarded a few weeks earlier. There is no longer a way to selectively patch the tested devices and keep the badge.

The practical effect is that CE+ becomes a test of whether your patching process works across the whole estate, not whether you can patch ten machines well.

What you need to do this week

If you are renewing in the next six months:

  1. Audit MFA across every cloud service. Not just email and the identity provider — every SaaS that holds your data. List the services, list the user accounts on each, and confirm MFA is on. Pay attention to shared mailboxes, service accounts used by automations, and any subsidiary that was bolted on after the last assessment.
  2. Tighten the patch clock. Set a 14-day SLA for high-risk and critical updates across operating systems, firewall and router firmware, and applications including browser extensions. Make somebody accountable for it. If that person is on leave, somebody covers — the clock does not pause for half-term.
  3. Re-scope. Walk through every cloud service that touches business data and decide what is in scope under the new rules. If you have been running a partial scope, document the justification or expand the scope.
  4. For CE+ holders specifically: stop relying on sample-only patching. Either you patch the whole estate within the 14-day window, or you risk losing both certifications when the audit comes round.
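The checks in the list above, and the two auto-fail patching questions from the 'What auto-fail actually means' section, can be turned into a repeatable readiness script rather than a once-a-year spreadsheet. The following is an added example and is not code from the original post or from ReadyToday: it applies the 14-day clock (A6.4 for operating systems and firewall/router firmware, A6.5 for applications and extensions) and the MFA-on-every-cloud-service rule to a constructed inventory. Every device name, service name, account and date in it is made up, and the `supports_mfa` table stands in for the per-provider check you would do by hand; outstanding updates are measured against the assessment date, and passkey/FIDO2 sign-in is counted as satisfying the MFA requirement as the post describes.

```python
# Added example (not from the original post): a self-checking Danzell readiness script.
# It applies the 14-day patch clock (A6.4 / A6.5) and the MFA-on-every-cloud-service rule
# to a constructed inventory. All devices, services, accounts and dates are made up.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

PATCH_WINDOW_DAYS = 14                      # A6.4 / A6.5: installed within 14 days of release
COUNTED_SEVERITIES = {"critical", "high"}   # only high-risk / critical updates are auto-fail
QUESTION_FOR_CATEGORY = {"os_firmware": "A6.4", "application": "A6.5"}


@dataclass
class PatchRecord:
    device: str
    component: str
    category: str              # "os_firmware" (A6.4) or "application" (A6.5)
    severity: str
    released: date
    installed: Optional[date]  # None means the update is still outstanding


@dataclass
class CloudAccount:
    service: str
    account: str
    kind: str                   # "user", "admin", "shared" or "service"
    mfa_enabled: bool
    passwordless: bool = False  # passkeys / FIDO2 are accepted as an alternative to MFA


def patch_breaches(records: List[PatchRecord], today: date) -> List[PatchRecord]:
    """Records whose high-risk/critical update landed, or is still outstanding, past the 14-day window."""
    breaches = []
    for rec in records:
        if rec.severity not in COUNTED_SEVERITIES:
            continue
        deadline = rec.released + timedelta(days=PATCH_WINDOW_DAYS)
        # An update that has not been applied yet is judged against the assessment date.
        effective = rec.installed if rec.installed is not None else today
        if effective > deadline:
            breaches.append(rec)
    return breaches


def mfa_gaps(accounts: List[CloudAccount], supports_mfa: Dict[str, bool]) -> List[CloudAccount]:
    """Accounts on a service that offers MFA (at any price) but have neither MFA nor passwordless sign-in."""
    return [a for a in accounts
            if supports_mfa.get(a.service, False) and not (a.mfa_enabled or a.passwordless)]


def assess(records, accounts, supports_mfa, today):
    """Combine both checks into one result; patch breaches map to the auto-fail question they trip."""
    breaches = patch_breaches(records, today)
    gaps = mfa_gaps(accounts, supports_mfa)
    questions = sorted({QUESTION_FOR_CATEGORY[b.category] for b in breaches})
    return {
        "patch_breaches": breaches,
        "mfa_gaps": gaps,
        "auto_fail_questions": questions,
        "auto_fail": bool(questions),
        "passes": not breaches and not gaps,
    }


# ---- constructed sample inventory (hypothetical; replace with your own export) ----
TODAY = date(2026, 5, 11)

SAMPLE_PATCHES = [
    PatchRecord("LAPTOP-01", "Windows 11 cumulative update", "os_firmware", "critical",
                date(2026, 4, 14), date(2026, 4, 20)),   # applied after 6 days: fine
    PatchRecord("FW-EDGE", "firewall firmware", "os_firmware", "critical",
                date(2026, 4, 10), date(2026, 5, 1)),    # applied after 21 days: A6.4 auto-fail
    PatchRecord("LAPTOP-02", "browser extension", "application", "high",
                date(2026, 4, 30), None),                # outstanding for 11 days: still inside window
    PatchRecord("LAPTOP-03", "PDF reader", "application", "high",
                date(2026, 4, 1), None),                 # outstanding for 40 days: A6.5 auto-fail
    PatchRecord("LAPTOP-01", "office suite", "application", "medium",
                date(2026, 3, 1), None),                 # medium severity: not an auto-fail question
]

# Whether each service offers MFA on the tier you use (constructed; check each provider yourself).
SUPPORTS_MFA = {"Microsoft 365": True, "Accounting SaaS": True, "Legacy ticket tool": False}

SAMPLE_ACCOUNTS = [
    CloudAccount("Microsoft 365", "finance-shared", "shared", mfa_enabled=False),           # shared mailbox: gap
    CloudAccount("Microsoft 365", "it-admin", "admin", mfa_enabled=True),
    CloudAccount("Microsoft 365", "head", "user", mfa_enabled=False, passwordless=True),    # passkey: counts
    CloudAccount("Accounting SaaS", "bookkeeper", "user", mfa_enabled=False),               # MFA offered, unused: gap
    CloudAccount("Legacy ticket tool", "helpdesk", "user", mfa_enabled=False),              # no MFA offered: not a gap
]


def print_report(result) -> None:
    for b in result["patch_breaches"]:
        q = QUESTION_FOR_CATEGORY[b.category]
        state = f"installed {b.installed}" if b.installed else "still outstanding"
        print(f"AUTO-FAIL {q}: {b.device} {b.component} released {b.released}, {state}")
    for a in result["mfa_gaps"]:
        print(f"FAIL MFA: {a.service} account '{a.account}' ({a.kind}) has no MFA or passkey")
    print("Result:", "PASS" if result["passes"] else "FAIL")


if __name__ == "__main__":
    print_report(assess(SAMPLE_PATCHES, SAMPLE_ACCOUNTS, SUPPORTS_MFA, TODAY))
```

Run against the constructed inventory it reports two auto-fail breaches (the firewall firmware under A6.4 and the long-outstanding PDF reader under A6.5), two MFA gaps (the shared mailbox and the accounting account whose tier does offer MFA), and leaves the still-in-window browser extension and the passkey user alone. Feeding it a real export of your patch history and SaaS account list is the quickest way to see which of the four steps above still needs work before the renewal date.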

If you opened your assessment account before 27 April 2026 you can still complete it under the old Willow rules until 27 October 2026, with an additional three months for CE+. Use that grace period — but use it to finish under Willow only if you are very close. If you are not, it is usually faster to start fresh under Danzell with a clean scope rather than fight the old questions and then face the new ones at renewal in twelve months.

Why this matters beyond the certificate

It would be easy to dismiss this as compliance theatre, but the two auto-fail questions are not arbitrary. The 14-day patch clock and mandatory MFA address the two failure modes that show up in almost every UK incident response report: an unpatched edge device or browser plugin, and a cloud account compromised because MFA was off. Both are still the dominant routes attackers take into small organisations. Danzell is the scheme catching up to where attackers already are.

The organisations that will struggle with the new rules are the ones whose Cyber Essentials posture has always been a once-a-year scramble. The ones who already run a real patching cadence and a real MFA policy will find the renewal feels much the same.

How ReadyToday can help

If you hold Cyber Essentials and your renewal is in the next six to twelve months, we can run a Danzell readiness review: a scope walk-through against the new cloud-service definition, an MFA coverage audit across every SaaS that holds your data, a patching-process check against the 14-day clock, and a clear remediation list before you sit the assessment.

For schools and multi-academy trusts in particular, the cloud-services scope change is worth attention now — most MATs run more SaaS than the last assessment captured, and the easiest time to find that out is before the assessor does.

Get in touch via our Cybersecurity & Resilience service page, or book a discovery call and we will walk through where you sit against the new question set.

Written by Boris Didov

© 2026 Didov Limited trading as ReadyToday