Each year, the Cyber Essentials scheme is revised to ensure it remains relevant to the current threat landscape. This blog post provides a high-level summary of what’s new for 2026 and how this year’s changes to the scheme affect your Cyber Essentials/Cyber Essentials Plus certification project.
Cyber Essentials and Cyber Essentials Plus: what’s new in the 2026 update?
All new Cyber Essentials certifications after 27 April 2026 will be assessed according to v3.3 of the NCSC Requirements for IT infrastructure and must use the new Danzell Question Set, which replaces the Willow version.
The changes introduced by the 2026 update are relatively minor. However, there are changes to the marking criteria for Danzell’s questions relating to MFA (multifactor authentication) and Cloud services (A7.14 to A7.17).
MFA is now mandatory for Cloud services rather than just expected. Where a Cloud service has MFA available and it’s not implemented, applicants will automatically fail. This applies regardless of whether MFA is free, bundled, relies on another service or is only available as a paid feature.
Cyber Essentials Requirements for Infrastructure version 3.3
Changes introduced by v3.3 of the Requirements for IT Infrastructure include:
- Cloud services are in scope
Cloud services are defined for the first time and are explicitly in scope for Cyber Essentials certifications:“A cloud service is an on-demand, scalable service, hosted on shared infrastructure, and accessible via the internet. For the purposes of Cyber Essentials a cloud service will be accessed via an account (which may be credentials issued by your organisation, or an email address used for business purposes), and will store or process data for your organisation.“If your organisation’s data or services are hosted on cloud services, these services must be in scope. Cloud services cannot be excluded from scope.”
- Scoping criteria
The scoping requirements have been updated to clarify that all specified devices connected to the Internet are in scope.Where networks are excluded from scope, you “need to justify the reason for a partial scope to your assessor”.The web application section has been renamed “Application development” and now refers to the government’s new Software Security Code of Practice.
- Backups
Backups remain outside the five technical controls. However, v3.3 explicitly recommends appropriate backups and describes sensible precautions, such as keeping copies off the primary device and disconnecting removable media when it is not in use.
- User access control
This section now places greater emphasis on MFA and passwordless authentication, such as FIDO2 authenticators, biometrics, security keys or tokens, one-time codes, QR codes and push notifications.
Danzell question set
The new question set, known as ‘Danzell’, was due to be released yesterday (9 February 2026), alongside the new Cyber Essentials Plus Test Specification, but the publication date is now given as “as soon as possible“. We’ll update this blog post with more information when they are available.
In the meantime, if you need any help preparing for April’s changes to the scheme, please get in touch with one of our Cyber Essentials experts.
About us
- We’re one of the founding Cyber Essentials certification bodies and one of the largest in the UK, having issued more than 12,000 certificates to date.
- Our Cyber Essentials services have received a ‘World-Class’ NPS (Net Promoter Score) of +100.
- With a large team focused on Cyber Essentials, we offer same-day turnaround on your certificates.
- We have a 98% customer success rate.
- We offer everything you need to get Cyber Essentials certification, such as documentation, scanning and assessments.
- One-to-one support included as standard in all our packages.
- End-to-end support – we deliver all the technical tests and assessments ourselves, conducted by our experienced technical testers.
- Tailored solutions – our unique fixed-price bundles provide expert support and compliance tools at affordable rates.
- Credentials – our consultants are qualified cyber security practitioners.
- Unrivalled expertise – we have the knowledge and insight to help you take the next steps beyond Cyber Essentials.
