Cyber Essentials 2026: what’s changing and why it matters

Published: 19th March 2026

Cyber Essentials has always been positioned as a baseline. A practical, accessible way for organisations to demonstrate a minimum level of cyber security.

The 2026 update suggests that baseline is shifting.

A new version of the Cyber Essentials self-assessment questionnaire (SAQ), with the rather distinguished name “Danzell”, will be released on 27 April 2026, replacing the current “Willow” version. After this date, all new registrations will follow the updated requirements.

The Cyber Essentials Plus Assessment checks your environment at a specific moment. In that sense, it’s still “point in time.” But the new requirements (like mandatory MFA and 14-day patching) mean you can’t easily fix things last minute anymore. If your day-to-day security isn’t in good shape, it may show during the assessment. So:

  • If you maintain good security continuously, you’re always close to being compliant…so passing becomes more straightforward.
  • If you only prepare right before the assessment, you’ll likely miss things…and risk failing.

That’s why ongoing compliance helps in two ways:

Easier to pass: You’re not scrambling to fix gaps under time pressure, because most of the work is already done.

You are more secure: You’re reducing real risks every day (e.g. unpatched vulnerabilities, misconfigurations etc), not just meeting a requirement for the audit.

In short: You can still “cram” for a point-in-time assessment…but it’s getting harder. Running things properly all year round is the safer and easier approach.

From flexibility to enforcement

The most significant changes in Danzell are not new controls, but how strictly existing ones are applied.

MFA becomes mandatory

Multi-Factor Authentication (MFA) is now required for all cloud services where it is available. Failure to implement MFA will result in an automatic failure, rather than counting as one of your two allowed non-conformities. This removes a degree of flexibility that organisations may have experienced previously.

Patch windows are tightening

High-risk and critical vulnerabilities must now be addressed within 14 days of release.

For organisations with complex environments, this introduces a higher operational burden. Patching is no longer just a technical task; it becomes a time-bound control that must be consistently evidenced. This is now an auto-fail as opposed to a non-conformity.

Cyber Essentials Plus can become more rigorous

Verification requirements are expanding. If issues are found on the original sample, assessors may need to test additional devices to confirm that remediation has been applied across the wider estate.

Additional changes that may impact certification scope

Beyond the headline updates, there are a number of structural changes that are easy to overlook but can affect how certification is approached.

Stricter rules for Cyber Essentials Plus

Whilst it’s still acceptable to issue a Cyber Essentials Basic certificate with up to two non-compliances, Cyber Essentials Plus now requires a CE Basic report with zero non-compliances. So if you need a Plus certificate, your SAQ has to be squeaky clean.

Greater detail of scope definition

For larger, more complex organisations, where parts of the network are excluded from certification, you are now required to provide a clear justification for why those areas are out of scope and how this is being managed. This information is not made public.

New requirements for multi-entity certification

Organisations seeking a single certificate across multiple legal entities must now identify all entities within scope, including company name, address and registration number. This includes shared board-level responsibility and shared IT infrastructure.

The good news is…it is now also possible to request individual certificates for each legal entity within a shared scope, replacing what was previously a more manual, expensive administrative process.

Willow vs. Danzell key differences

| Area | Willow (Current) | Danzell (2026) |
|---|---|---|
| MFA enforcement | Some flexibility | Mandatory for all cloud services |
| 14-day patching | Failure is a non-compliance | Failure is an auto-fail |
| Device sampling (Plus assessment) | Fixed sample | Sample may increase during assessment |
| Non-compliances | Can proceed with CE Plus with two SAQ non-compliances | SAQ needs to be free of non-compliances |
| Multiple legal entities | Onerous process to obtain individual company-named certificates | Straightforward admin process |

How to Prepare

  • Know your scope: Identify in-scope and out-of-scope networks.
  • Identify devices: List all devices (network equipment, user devices, servers etc.) and cloud services in scope.
  • Enable MFA everywhere: Required for all cloud services, must be enforced, not optional.
  • Control admin access: Limit who has admin rights and use separate admin accounts.
  • Stay on top of patching: Apply critical updates within 14 days.
  • Use malware protection: Ensure antivirus is installed, active, and up to date.
  • Be consistent: Controls must apply across all systems…not just some.
  • Don’t rush it: Leave time to fix gaps before submitting.
  • Answer honestly: Your SAQ answers must reflect what’s actually in practice…failure to do so could bite you during the Plus assessment.

FAQs: Cyber Essentials 2026

27 April 2026. After this date, all new registrations must use the Danzell SAQ.

Yes. If you register before 27 April 2026, you have six months to complete certification under Willow.

Yes. MFA is required for all cloud services where it is available. Failure results in automatic failure. You should contact your Certification Body asap.

Critical and high-risk vulnerabilities must be patched within 14 days of release.

Next Steps

If you are planning on certifying soon or if your renewal is approaching, now is the right time to review your current position against the upcoming requirements.

At Risk Crew, we are supporting organisations to:

  1. assess readiness for Danzell
  2. identify gaps that could lead to automatic failure
  3. plan the most effective route to certification
  4. strengthen the operational controls that sit behind the standard

If you would like to talk through what these changes mean for you, or sense-check your approach, we are always happy to help.
