If your business holds Cyber Essentials certification – or you’re planning to apply for the first time – there’s a change coming in April 2026 that’s worth understanding well ahead of time.

A new version of the Cyber Essentials requirements, alongside an updated assessment question set called Danzell, will apply to all assessment accounts created from 27 April 2026 onwards.

Organisations that create their assessment account before that date will still be assessed against the current version, but anyone starting the process after it will need to meet the updated requirements.

For businesses across London and Essex that rely on Cyber Essentials to meet supply chain obligations, bid for government contracts, or demonstrate their cyber security posture to clients, now is a good time to understand what’s changing and to start preparing.

Why Cyber Essentials Is Being Updated

Cyber Essentials has always been designed to reflect how businesses actually operate.

The scheme’s five control areas – firewalls, secure configuration, security update management, user access control, and malware protection – remain the foundation of any assessment.

What’s changing in April 2026 is how certain aspects of those controls are defined and marked, particularly around the way businesses use cloud services and manage access to them.

This is a response to the reality of how most businesses work. Cloud platforms are central to day-to-day operations; remote and hybrid working is the norm rather than the exception; and the risks associated with weak access controls have grown significantly.

These new changes are focused on clarity and consistency rather than a fundamental redesign. The core structure of Cyber Essentials isn’t changing, but a number of the specific requirements are being tightened.

What’s Actually Changing in April 2026

There are four main areas to be aware of:

• MFA for Cloud Services Becomes a Hard Pass or Fail Rule: Under the updated requirements, if a cloud service has multi-factor authentication available – whether it’s included at no cost, accessible via a connected service, or available as a paid option – and your organisation has not implemented it, you will fail the assessment automatically. This applies across the board: email, file storage, CRM systems, finance platforms, HR tools, and any other cloud service used for business purposes.
• Cloud Services Can No Longer Be Excluded from Scope: The updated requirements include a clear definition of what constitutes a cloud service and confirm that any service your organisation uses to store or process data must be included in scope. If you use cloud platforms, your assessment needs to reflect that.
• Scoping Criteria Are Being Tightened: If you have previously excluded parts of your infrastructure, you will need to justify that clearly, including what was excluded, why, and how it is segregated from the rest of your environment.
• The New Danzell Question Set Is Already Available to Review: IASME released the updated assessment questions in February 2026, meaning businesses can familiarise themselves with the new wording now rather than waiting until April. This is particularly useful if your organisation uses answer templates prepared for previous renewals.

Why This Matters for London and Essex Businesses

For many organisations across London and Essex, Cyber Essentials is a requirement tied to supply chain contracts, government procurement, and client expectations across sectors like professional services, finance, and legal.

The April 2026 changes don’t alter that, but they do mean that businesses treating certification as a routine annual renewal may need to take a closer look this time.

Inconsistent MFA across cloud services and an outdated scope definition are both likely to result in a failed assessment under the updated requirements – and with credential-based attacks and phishing campaigns targeting cloud platforms remaining persistent threats, those aren’t gaps worth leaving open.

Steps to Take Before the Update Arrives

You don’t need to overhaul your entire IT environment between now and April, but there are several areas worth reviewing:

• Audit Your Cloud Services: List every platform your business uses and confirm MFA is available and switched on for all users.
• Prioritise High-Risk Accounts: Start with email, admin accounts, remote access tools, and anything handling customer data or payments.
• Revisit Your Scope: Check that your scope document reflects how your business operates today, including remote working devices and cloud services.
• Review Device Security: Confirm all in-scope devices are running supported software with active malware protection. Out-of-support systems are one of the most common causes of a failed assessment.
• Prepare for Cyber Essentials Assessment Early: The account creation date determines which version you’re assessed against, so if your renewal falls close to April 2026, factor that into your planning.

Work With a Local Cyber Security Partner

The April 2026 update is a good opportunity to review controls that may have drifted since your last certification.

Get in touch to gain a clear picture of where your current setup stands.

FAQs

1. When does the Cyber Essentials update take effect in 2026?
   The updated requirements apply to assessment accounts created from 27 April 2026. Accounts created before that date remain on the current version, with up to six months to complete the assessment.
2. What is the Danzell question set?
   Danzell is the updated self-assessment question set accompanying the v3.3 requirements. It was released in February 2026 and will be used for all assessments from 27 April 2026.
3. Will I fail Cyber Essentials if I don’t have MFA enabled?
   For assessments created from 27 April 2026, yes. If MFA is available for a cloud service and hasn’t been implemented, it results in an automatic failure – regardless of whether MFA is free or paid.
4. Do cloud services have to be included in my Cyber Essentials scope?
   IASME has confirmed that cloud services cannot be excluded from scope if your organisation uses them to store or process business data.
5. How can London and Essex businesses prepare for Cyber Essentials in 2026?
   Audit your cloud services and enable MFA across all of them, revisit your scope, and confirm all devices are running supported, up-to-date software. A local IT partner can help you identify and close any gaps before the new requirements come into effect.