| 22 April 2026
Cyber Essentials is Changing in 2026: What You Need To Know
From 27 April 2026, Cyber Essentials is changing. These changes will affect your business if you hold a Cyber Essentials certificate or planning to get one. A new version of the certification framework, known as Danzell, replaces the previous version called Willow. The core purpose of the scheme has not changed, but the rules around how businesses are assessed have become stricter. This guide explains what is different, what it means for your business, and what you should do before the deadline.
Table of Contents
What Is Cyber Essentials and Why Does It Matter for SMEs?
Cyber Essentials is a government-backed certification scheme developed by the National Cyber Security Centre (NCSC). It is designed to help UK businesses protect themselves against the most common types of cyber attack.
For SMEs, Cyber Essentials is particularly important. Many larger businesses and public sector organisations now require their suppliers to hold a valid Cyber Essentials certificate before working with them. It can also be a requirement for certain contracts, tenders and grants.
The scheme is built around five core security controls:
- Firewalls
- Secure configuration
- User access control
- Malware protection
- Security update management (patching)
These five controls remain unchanged in 2026, however how businesses are assessed against them has changed.
What Is the Cyber Essentials Danzell Update?
Danzell is the name given to the new Cyber Essentials question set that takes effect on 27 April 2026. Each year, the scheme is reviewed and updated by IASME (the organisation that manages Cyber Essentials on behalf of the NCSC) to keep pace with new cyber threats and technology. This year’s update is one of the more significant revisions in recent years.
Danzell replaces the previous question set, known as Willow. The questions businesses complete as part of their self-assessment have been updated to version 3.3 of the Requirements for IT Infrastructure standard.
For most SMEs, the changes are manageable. But there are three specific areas that could catch businesses out if they are not prepared.
The Three Biggest Changes in the Cyber Essentials 2026 Update
Multi-Factor Authentication (MFA) Is Now Mandatory for Cloud Services
Multi-factor authentication means using more than just a password to log in to an account. For example, entering a code sent to your phone as well as your password.
Under Danzell, if a cloud service your business uses offers MFA and you have not switched it on for all users, your business will automatically fail the Cyber Essentials assessment. Previously, there was some flexibility in how this was marked.
Cloud services include tools like Microsoft 365, Google Workspace, accounting software, and any other online platform where your business stores or processes data.
Patching Rules Are Stricter
Patching means keeping your software and devices up to date with the latest security fixes released by the manufacturer.
Under the Danzell update, failing to apply high-risk or critical security updates within 14 days of their release is now an automatic-fail on two specific questions. Previously, this type of non-compliance could be noted without automatically failing the whole assessment.
Scoping Rules Are Tighter and More Detailed
Scoping refers to defining exactly which parts of your business and IT systems are covered by your Cyber Essentials certificate.
Under Danzell, businesses must now list all connected legal entities included in scope, along with their addresses and registration numbers. Any systems or networks that are left out of scope must be clearly justified. Test and development environments can no longer be included in a whole-organisation certification.
What Are the Key Transition Dates?
If you are planning your Cyber Essentials certification or renewal, these dates matter:
27 April 2026: The Danzell question set becomes live. All new assessment accounts created from this date must use Danzell.
27 October 2026: The deadline for organisations that started their certification before 27 April 2026 using the Willow question set.
27 January 2027: The extended deadline for those also completing Cyber Essentials Plus.
If you are due to renew before April 2026, it is worth speaking to an IT partner about whether completing your renewal now under the existing Willow requirements makes sense for your business.
How a Managed Service Provider Can Help With Cyber Essentials
For many SMEs, keeping up with Cyber Essentials requirements alongside running a business is challenging. This is where working with a managed service provider (MSP) makes a real difference.
An MSP like Omnia Systems can support your business through the whole process. This includes reviewing your current IT environment against the new Danzell requirements, identifying any gaps in MFA coverage or patching processes, helping you define the correct scope for your assessment and providing ongoing IT management to ensure your systems stay compliant throughout the year, not just at the point of certification.
Omnia Systems works with SMEs across the North West, Midlands and the wider UK to help them achieve and maintain Cyber Essentials certification. With over a decade of experience supporting businesses with their IT, we understand the practical challenges smaller organisations face and help you navigate them.
What Should Your Business Do Before 27 April 2026?
Whether your certification is due for renewal now or later in the year, there are practical steps you can take today.
Start by checking your MFA coverage across all cloud services. This is the single most common area where businesses fail under the new rules, and it is one of the most straightforward to fix.
Next, review your patching process. Do you have visibility of all the devices and software your business uses? Are updates being applied consistently and within 14 days? If the answer to either of those is no, it is worth addressing this before your assessment.
Finally, think about your scope. Do you have a clear understanding of which systems your certificate will cover? Are there any networks or environments that need to be formally excluded?
If you are unsure about any of these areas, speaking to a managed IT provider before you apply is the best use of your time.
Get Ready for Cyber Essentials Danzell With Omnia Systems
The Cyber Essentials 2026 changes are coming whether your business is ready or not. The good news is that with the right support, preparing for Danzell does not have to be complicated.
Omnia Systems is a managed IT provider based in Manchester, supporting SMEs across the North West and Midlands since 2011. We help businesses achieve and maintain Cyber Essentials certification, manage their IT day to day and stay protected as requirements evolve.
Let us manage your IT so you can concentrate on what matters most: your business.
