The National Cyber Security Centre has announced changes to the Cyber Essentials (CE) scheme, set to take effect from 27 April 2026.
The updated standard – Danzell – introduces stricter requirements around multi-factor authentication and patch management, along with enhanced accountability measures for certified organisations. Whether you're planning your first certification or preparing to renew, here's what you need to know about the changes ahead.
Changes to the Cyber Essentials Verified Self-Assessment (VSA)
For the CE VSA, the new changes mean a number of questions have stricter marking criteria:
- MFA for cloud services is now a strict requirement. If MFA is not in place where it is available, then this will result in an automatic failure of the entire VSA.
- There are two new questions, A6.4 and A6.5, that are related to patching of routers and applications. These will also result in an automatic failure if not compliant.
There are also new, more granular questions regarding the scope of an assessment. This is to allow organisations with complex boundaries to clearly define what is covered by their Cyber Essentials certification.
Additionally, at the end of the VSA, there will be a declaration to be signed by a board member or director acknowledging the organisation’s responsibility to maintain compliance with all Cyber Essentials controls throughout the certification period. This reinforces the importance of ongoing compliance after the assessment window.
Changes to the Cyber Essentials Plus standard
If an organisation fails its CE Plus assessment due to missing patches, the assessor will be required to test not only the failing devices but also a new, additional sample set. This change is designed to prevent organisations from selectively updating only the tested devices and to ensure that all required updates are applied across the entire CE Plus scope.
Organisations will also no longer be allowed to adjust their VSA responses based on the results of the CE Plus assessment. The scheme’s Terms and Conditions will be updated to explicitly require that the VSA be completed, finalised, and remain unchanged prior to the commencement of CE Plus testing.
New Requirements for IT Infrastructure document
There is a new version, 3.3, of the 'Requirements for IT Infrastructure' document. The changes improve clarity and guidance with the addition of new technologies.
The new question set and 'Requirements for IT Infrastructure' document can be viewed here:
https://iasme.co.uk/cyber-essentials/preview-the-self-assessment-questions-for-cyber-essentials/
It is important to note that organisations that have started the previous question set before 27 April 2026 will have six months to complete their VSA from this date, and an additional 90 days for CE Plus.
Further Guidance
Please note that the final versions of the standard have not been fully released by the assessment board, and information may change before the general release in April. We will be releasing any updates through Cyber Labs.
If you would like to discuss these changes in detail and how they apply to your organisation, please reach out to our team, and we can organise a gap analysis with our qualified security consultants.
