Cyber Essentials is set to change in April 2026. Businesses across London and Essex that take proactive steps now will be in a much stronger position, while those who wait could face complications come assessment time.

A new set of assessment questions, known as the Danzell question set, will apply to all organisations creating an assessment account from 27^th April 2026.

This update reflects how businesses use technology today and raises the bar in key areas of cyber security, particularly with cloud services and authentication controls.

Understanding what the new questions require, and where your current setup may need attention, is the first step to making certification straightforward.

A New Question Set Is Coming

The updated assessment questions are known as the Danzell question set. IASME released them in February 2026, which means organisations can already review the new wording ahead of the April implementation date.

The five control areas that underpin Cyber Essentials remain unchanged:

• Firewalls
• Secure configuration
• Security update management
• User access control
• Malware protection

What has changed is the way specific requirements within those areas are defined, tested, and scored. The Danzell questions now offer clearer guidelines on cloud services, authentication controls, and scope – key areas where businesses may need to adapt.

Why the Scheme Evolves

Cyber Essentials is periodically updated to ensure it remains relevant to the real threats and working practices businesses face. Several factors drive that evolution:

• The widespread adoption of cloud services across businesses of all sizes
• Growing cyber threats specifically targeting SMEs, including credential attacks and phishing
• The shift to remote and hybrid working, which changes how devices and data are accessed
• The need to ensure certification reflects current security practices rather than outdated assumptions

These updates are about keeping the scheme practical and meaningful, not adding unnecessary complexity.

What the New Questions Actually Ask

Understanding what the Danzell question set covers helps businesses identify where they may need to act before starting certification. The updated questions focus on several specific areas:

• Multi-Factor Authentication (MFA) for Cloud Services: The new questions ask whether MFA is enabled across all cloud services in use. Under the updated requirements, if MFA is available for a cloud platform and hasn’t been switched on, it results in an automatic assessment failure. This applies to email, file storage, CRM tools, finance platforms, and HR systems.
• Cloud Service Scope: The questions now include a clearer definition of what constitutes a cloud service and require that any platform used to store or process business data is included within scope. Services can no longer be excluded without clear justification.
• Scoping and Infrastructure: Businesses will be asked to confirm what has been included in scope and where anything has been excluded to demonstrate why and how it is segregated from the rest of the environment.
• Device and Software Status: The questions continue to verify that in-scope devices are running supported operating systems with up-to-date security patches and active malware protection.

According to recent industry research, UK organisations experienced a 36% year-on-year increase in cyber-attacks per week. This is in comparison to an average of a 9.8% year-on-year increase globally.

The Danzell updates reflect that environment directly, particularly the prominence of cloud-based attacks.

Why This Matters for London and Essex Businesses

For many organisations across London and Essex, Cyber Essentials is a firm requirement tied to:

• Supply chain contracts with larger organisations
• Government and public sector procurement
• Demonstrating a credible security baseline to clients and partners
• Sector-specific expectations in professional services, legal, finance, and healthcare

The April 2026 update doesn’t change those requirements, but it does mean businesses approaching renewal need to take a closer look at their setup rather than treating certification as a straightforward repeat of previous years.

Gaps in MFA coverage and an outdated scope are two of the most likely causes of a failed assessment under the new question set.

Steps to Take Before April

Businesses don’t need to overhaul their entire IT environment to prepare. Reviewing the following areas now will make the process significantly smoother:

• Audit cloud services. List every platform in use across the business and confirm MFA is enabled for all users on every service where it’s available.
• Review authentication policies. Prioritise admin accounts, email, remote access tools, and anything handling client data or financial information.
• Check device security. Confirm all in-scope devices are running supported software, are fully patched, and have active malware protection in place.
• Revisit scope. Ensure your scope document reflects how the business currently operates, including remote working devices and cloud services added since the last assessment.
• Review the Danzell question set early. Reading through the questions before starting certification helps identify gaps and avoids surprises during assessment.

Get Ready with NetPlatforms Before the Update Arrives

The April 2026 update reflects the way businesses operate today and the risks they face in an increasingly cloud-based environment.

For organisations across London and Essex, reviewing cloud services, authentication policies, and device security ahead of the deadline will make certification considerably smoother.

Get in touch with us today to find out where your current setup stands against the updated requirements – we help businesses prepare for Cyber Essentials and maintain a strong security baseline throughout the year.

FAQs

1. What is the Danzell question set?
   Danzell is the updated self-assessment question set that will apply to all Cyber Essentials assessments from 27^th April 2026. Released by IASME in February 2026, it introduced revised requirements across several areas, with the most significant changes relating to cloud services and multi-factor authentication.
2. When do the new requirements come into effect?
   The updated question set applies to any assessment account created from 27^th April 2026. Organisations that create their account before that data will still be assessed against the current version.
3. Do cloud services need to be included in a Cyber Essentials assessment?
   Under the updated requirements, any cloud service used to store or process business data must be included within the scope of certification. Excluding cloud platforms is no longer permitted without clear justification and evidence of proper segregation.
4. Can a missing MFA setting cause an assessment failure?
   If MFA is available on a cloud service and hasn’t been enabled, the Danzell question set treats this as an automatic failure. This applies whether MFA is included at no cost or available as a paid option.
5. How can NetPlatforms help with Cyber Essentials certification?
   NetPlatforms works with businesses across London and Essex to prepare for Cyber Essentials certification. That includes reviewing cloud service coverage, authentication policies, and device security ahead of the April 2026 changes. Get in touch to talk through your current setup.