
Cyber Essentials Changes Coming April 2026 – Willow to Danzell

Updated: 41 minutes ago

Cyber Essentials is updated each year to reflect how organisations operate in practice as well as emerging threats. The 2026 update focuses on cloud usage, user access, and how controls are applied across modern environments.


The changes, introduced by IASME and the National Cyber Security Centre, take effect on 27th April 2026. Any new assessment created from that date will need to meet the updated Danzell requirements.


The structure of the scheme remains consistent. The update mainly refines how existing controls are defined and assessed.


Assessment timing

The version of Cyber Essentials or Cyber Essentials Plus you complete depends on when your portal login credentials are issued and your assessment is created.


Assessments created before 27th April 2026 will continue under the current requirements, Willow. Any created on or after 27th April will follow the updated Danzell version.


Once an assessment has been set up, there is a six-month window to complete it. This allows organisations to plan around the transition and avoid disruption.


For Cyber Essentials Plus, you are assessed against the same requirement set as your Cyber Essentials Basic. For example, if your Cyber Essentials assessment is created on the IASME portal before 27 April 2026, it will remain under the current Willow standard. This still applies when you progress to Cyber Essentials Plus at a later date, even if that takes place after the April 2026 changes.


Vulnerability management and CE Plus

The Danzell update also brings more structure to how vulnerability management is assessed, particularly within Cyber Essentials Plus.


The expectation is now clearly defined. High and critical vulnerabilities must be resolved within 14 days, and this applies across the full scope of the assessment. If this requirement is not being met, it will result in an automatic failure. This also has a direct impact on how the technical audit is carried out.


For Cyber Essentials Plus, if vulnerabilities are identified during testing, remediation is required before retest, at which point the original sample is checked again alongside an additional sample set to confirm fixes have been applied consistently across the environment.


If the same vulnerability is found on any device in the second sample set, the organisation fails their Cyber Essentials Plus, in addition to having their Cyber Essentials revoked. This also means they would have to restart the Cyber Essentials and Cyber Essentials Plus process in full at additional cost.


This change is designed to verify that remediation is not limited to a small number of devices and that controls are working across the wider environment.


In practical terms, this means having clear visibility of vulnerabilities, defined timelines for remediation, and confidence that fixes are applied consistently.


Multi Factor Authentication

One of the most direct changes relates to Multi Factor Authentication.

For Danzell, if a system supports MFA, it must be enabled.


This applies in all scenarios, including where MFA is:

  • included as standard

  • provided through another service

  • available at an additional cost


If MFA is available and not enabled, the assessment will result in a fail.


This reflects how commonly account compromise is used as an entry point in attacks.

If MFA is not supported, it is recommended to review alternative providers, although it is still possible to meet the standard without doing so.


Cloud services in scope

The updated requirements introduce a defined view of what constitutes a cloud service.


A cloud service is one that:

  • is delivered over the internet

  • operates on shared infrastructure

  • requires an account to access

  • stores or processes organisational data

Any service that meets these criteria is considered in scope.


Cloud services cannot be excluded from a Cyber Essentials assessment. If organisational data is stored or processed within a service, it must meet the required controls.

This includes email platforms, identity providers, social media platforms and business applications.


Updates to wording and structure

A large portion of the update focuses on clarity.

The requirements document has been refined to improve consistency in language and remove ambiguity. Changes have been clearly marked to make them easy to identify.

For most organisations, this does not introduce new technical controls, but it does reduce uncertainty during assessment, allowing for an easier process.


Further updates expected

Additional changes to the assessment questions and marking criteria are expected later in the year.

These will align with the updated requirements and will be published separately to allow time for review.


Preparation steps

Organisations have time to prepare ahead of April 2026.

Key areas to review include:

  • identifying all cloud services in use

  • confirming where MFA is available

  • enabling MFA across users and systems

  • ensuring cloud services are included within scope

  • reviewing the updated definitions within the requirements

These steps support both compliance and day to day security.


Final point

The 2026 update reflects how organisations manage systems and data today. The requirements around cloud platforms and user access controls, which form a central part of most environments, have been defined, clarified and tightened to align with increasingly common infrastructure configurations.


Addressing MFA and confirming cloud scope ahead of time will reduce the likelihood of issues during assessment. Improved tooling can also assist with managing high/critical vulnerabilities, which go beyond normal day to day patching.


If you want support reviewing your environment or preparing for the updated requirements, our assessors are here to help. Visit our product pages for more information on how the team at Delta help simplify the Cyber Essentials and Cyber Essentials Plus process.


Contact the team at Delta to organise a free consultation.

Tel: 01243 266 077

 
