What is Changing and When?
From 27 April 2026, the Cyber Essentials scheme is moving from its current question set — known as Willow — to a new version called Danzell, aligned to version 3.3 of the NCSC Requirements for IT Infrastructure.
If your business starts a Cyber Essentials assessment on or after 27 April 2026, you will be assessed against Danzell. If you have already started an assessment under Willow before that date, you have a grace period of six months — until 27 October 2026 — to complete it. For organisations also pursuing Cyber Essentials Plus, an additional three months applies, giving until 27 January 2027.
One important note: do not assume that answers that passed under Willow will automatically pass under Danzell. The marking criteria have changed in some areas, and a previous pass does not guarantee the same result under the new version.
What is Actually Different in Danzell?
The overall structure of Cyber Essentials remains the same — the same five technical controls, the same 106-question self-assessment format. However, Danzell introduces stricter marking criteria in two areas that are now automatic fails, as well as clearer definitions around cloud services and authentication.
1. MFA on Cloud Services is Now an Automatic Fail
Multi-factor authentication has been part of Cyber Essentials for several years. What has changed under Danzell is the consequence of not having it in place.
From 27 April 2026 — and importantly, this change applies to both Danzell and any remaining Willow assessments — if a cloud service offers MFA and it is not enabled for all users, the assessment will automatically fail. There is no partial credit and no opportunity to explain the circumstances.
This means:
- If Microsoft 365 has MFA available and it is not enabled for all users and administrators, your assessment fails
- If Google Workspace has MFA available and it is not enabled, your assessment fails
- If a cloud service requires payment to access its MFA feature, you must still enable it — the cost of the feature is not an acceptable reason for non-compliance
- If MFA is delivered via SSO (for example, Microsoft Entra ID or Google Workspace single sign-on), that counts — but it must be properly configured
The two questions that will automatically fail your assessment if answered No are:
- A7.16 — Has MFA been applied to all administrators of your cloud services?
- A7.17 — Has MFA been applied to all users of your cloud services?
If a cloud service genuinely does not offer any MFA option, you must list it explicitly in question A7.15. IASME maintains a knowledge hub with a list of cloud services and their MFA availability, which is being updated regularly.
What to do now: Audit every cloud service your organisation uses. Enable MFA on every account — user and administrator — before you apply. Do not assume that because MFA is enabled for administrators it is also enabled for standard users. Check both.
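One way to run the audit described above is to export an account inventory and derive draft answers to A7.15, A7.16 and A7.17 from it. This is an added example, not an IASME tool or part of the original article; the CSV columns, account names and the `LegacyPortal` service are constructed for illustration.

```python
import csv
import io

# Constructed sample inventory; the column names are assumptions of this example.
# mfa_offered is "yes" even when the MFA feature is a paid add-on.
INVENTORY_CSV = """service,account,role,mfa_offered,mfa_enabled
Microsoft 365,alice@example.org,admin,yes,yes
Microsoft 365,bob@example.org,user,yes,no
Google Workspace,carol@example.org,admin,yes,yes
Xero,dave@example.org,user,yes,yes
LegacyPortal,erin@example.org,user,no,no
"""


def audit_mfa(csv_text):
    """Derive draft answers to A7.15, A7.16 and A7.17 from an account inventory."""
    no_mfa_services = set()            # services to list explicitly under A7.15
    gaps = {"admin": [], "user": []}   # accounts where MFA is offered but off
    for row in csv.DictReader(io.StringIO(csv_text)):
        role = row["role"].strip().lower()
        if role not in gaps:
            raise ValueError(f"unknown role: {row['role']!r}")
        offered = row["mfa_offered"].strip().lower() == "yes"
        enabled = row["mfa_enabled"].strip().lower() == "yes"
        if not offered:
            no_mfa_services.add(row["service"])
        elif not enabled:
            gaps[role].append((row["service"], row["account"]))
    return {
        "A7.15": sorted(no_mfa_services),
        "A7.16": "No" if gaps["admin"] else "Yes",   # administrators
        "A7.17": "No" if gaps["user"] else "Yes",    # standard users
        "admin_gaps": gaps["admin"],
        "user_gaps": gaps["user"],
    }


if __name__ == "__main__":
    for key, value in audit_mfa(INVENTORY_CSV).items():
        print(f"{key}: {value}")
```

The sample shows the case the article warns about: every administrator has MFA, but one standard user does not, so A7.17 would be answered No.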
2. The 14-Day Patching Requirement is Now an Automatic Fail
Danzell makes it an automatic fail if critical and high-risk security updates are not applied within 14 days of release. Previously, failing this requirement resulted in a flag from the assessor. Under Danzell, it results in an immediate failure with no exceptions.
The two questions that will automatically fail your assessment if answered No are:
- A6.4 — Are all high-risk or critical security updates for operating systems and firmware applied within 14 days?
- A6.5 — Are all high-risk or critical software updates applied within 14 days?
This includes firmware on firewalls and routers, not just software on end-user devices. It also includes vulnerability fixes that are delivered via configuration changes rather than traditional patches.
What to do now: Enable automatic updates wherever possible. For systems where automatic updates are not feasible — servers, production systems, specialist software — document your manual patching process and ensure you can evidence that updates are applied within 14 days. Without a clear process, you will not be able to answer these questions confidently.
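Evidence for the 14-day window can be checked from a simple update log before drafting answers to A6.4 and A6.5. The following is an added example, not part of the original article or any official tooling; the record fields, asset names and dates are constructed, and firmware and configuration-delivered fixes are logged like any other update.

```python
from datetime import date

WINDOW_DAYS = 14  # critical and high-risk updates must be applied within 14 days of release

# A6.4 covers operating systems and firmware, A6.5 covers software.
QUESTION_FOR_KIND = {"os": "A6.4", "firmware": "A6.4", "software": "A6.5"}

# Constructed sample log; field names are assumptions of this example.
UPDATES = [
    {"asset": "fw-edge-01", "kind": "firmware", "severity": "critical",
     "released": date(2026, 5, 1), "applied": date(2026, 5, 20)},
    {"asset": "laptop-17", "kind": "os", "severity": "high",
     "released": date(2026, 5, 4), "applied": date(2026, 5, 18)},
    {"asset": "srv-app-02", "kind": "software", "severity": "high",
     "released": date(2026, 5, 10), "applied": None},
    # Fix delivered as a configuration change rather than a patch.
    {"asset": "srv-app-02", "kind": "software", "severity": "critical",
     "released": date(2026, 5, 25), "applied": None},
    {"asset": "laptop-17", "kind": "software", "severity": "low",
     "released": date(2026, 4, 1), "applied": None},
]


def patch_window_report(updates, as_of):
    """Return (draft answers, breaches, pending) for the 14-day requirement."""
    answers = {"A6.4": "Yes", "A6.5": "Yes"}
    breaches, pending = [], []
    for u in updates:
        if u["severity"] not in ("critical", "high"):
            continue  # only critical and high-risk updates carry the deadline
        applied = u["applied"]
        age = ((applied or as_of) - u["released"]).days
        if age > WINDOW_DAYS:
            question = QUESTION_FOR_KIND[u["kind"]]
            answers[question] = "No"
            status = "applied late" if applied else "still missing"
            breaches.append((question, u["asset"], age, status))
        elif applied is None:
            pending.append((u["asset"], WINDOW_DAYS - age))  # days left
    return answers, breaches, pending


if __name__ == "__main__":
    print(patch_window_report(UPDATES, as_of=date(2026, 6, 1)))
```

The `pending` list gives the days remaining for fixes that are released but not yet applied, which is the part a manual patching process needs to track.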
3. Cloud Services Are Now Explicitly in Scope
Danzell formally defines cloud services for the first time and makes explicit that they cannot be excluded from scope. This includes:
- Email and productivity platforms (Microsoft 365, Google Workspace)
- CRM systems (Salesforce, HubSpot)
- Accounting software (Xero, QuickBooks)
- Social media accounts (LinkedIn, Facebook, X)
- Any other third-party service where organisational data is stored or processed
If your staff use it to access organisational data, it is in scope. The definition is intentionally broad and reflects how modern businesses actually operate.
4. Passwordless Authentication is Now Recognised
Danzell introduces clearer, more modern authentication guidance. For the first time, passwordless authentication methods — including passkeys, biometrics, FIDO2 hardware authenticators, security keys, and one-time codes — are explicitly recognised as valid methods for meeting login requirements across firewalls and external services.
This is a positive change for organisations that have moved beyond traditional passwords. If your organisation uses passkeys or hardware security keys, these now count towards compliance.
5. Scoping Requirements Are More Detailed
Danzell requires more detailed scoping documentation than Willow. Organisations must now:
- Provide a comprehensive description of what is in scope
- Clearly define any out-of-scope areas and how they are segregated
- Explicitly list all legal entities covered by the assessment, including full name, address, and company registration number
If your organisation has multiple legal entities or subsidiaries, make sure all are accounted for before you start.
Key Dates
| Date | What Happens |
|---|---|
| 9 February 2026 | Danzell question set becomes available to download and practise with |
| 27 April 2026 | All new assessments must use Danzell. Willow is retired for new starts. |
| 27 October 2026 | Deadline for completing assessments started under Willow |
| 27 January 2027 | Deadline for completing Cyber Essentials Plus under Willow |
How to Prepare
IASME themselves recommend drafting your answers in a working document before starting the official assessment. This gives you the opportunity to identify gaps before they become a failed submission, gather the information you need at your own pace, and fix issues before they cost you a resubmission fee.
The two auto-fail areas — MFA across all cloud services and 14-day patching — both require technical changes that cannot be made overnight. Start now, before you are under the pressure of an assessment deadline.
CE FastTrack guides you through all 106 Danzell v3.3 questions with plain-English guidance on every question, flags any answers that would automatically fail your assessment, and generates a formatted working document you can use to complete the official IASME portal with confidence.
CE FastTrack is an independent preparation tool for Cyber Essentials certification. It is not affiliated with IASME or NCSC. Official certification must be completed through an IASME-approved Certification Body.
