JJM Networks | Managed IT Services

Cyber Essentials v3.3 Danzell: What Changed and Why It Matters

News: 24 May 2026

Cyber Essentials Changed in April 2026. Here's What You Need to Know.

On 27 April 2026, the Cyber Essentials scheme got its biggest update in years with the v3.3 "Danzell" question set. Three major requirements changed: multi-factor authentication became mandatory on every cloud service, you now have to account for and secure every cloud tool your team uses, and critical patches need to be applied within 14 days. For any assessment started on the new question set, there are no exceptions.

If you're due for renewal, or you're thinking about getting certified for the first time, these changes affect you. Assessments under the updated rules are catching gaps that would have passed before.

We helped a local construction firm achieve Cyber Essentials Plus certification, and we keep a number of businesses across the region compliant year on year. Here's what's changed and what to do about it.

Why Should You Care?

If you're thinking "we don't even have Cyber Essentials", this still matters. Here's why:

  • It's mandatory for any government contract that involves personal or financial data. If you work with councils, the NHS, schools, or any public sector body in Cumbria, you either have it or you can't bid.
  • Larger private companies are increasingly requiring it from their supply chain. We're seeing this more and more with construction firms, legal practices, and manufacturers locally.
  • It includes free cyber liability insurance up to £25,000, and with 43% of UK businesses reporting a breach in 2024, that's worth having.
  • Many cyber insurance providers now expect Cyber Essentials as a baseline before they'll even quote you.

Put simply: losing your certification, or not having it, can cost you real money and real opportunities.

What Changed in Cyber Essentials From April 2026

The v3.3 Danzell update introduced three changes, and none of them are optional.

1. Multi-Factor Authentication Is Now Pass or Fail

MFA has been recommended for a while. Since 27 April, it's mandatory. If a platform offers MFA and you haven't turned it on, that's an automatic fail. Full stop.

That means Microsoft 365, your accounting software, your CRM, remote desktop, VPN access: anything your team logs into that supports MFA needs to have it switched on. Not just for the boss, for everyone.

The good news is that if you're on Microsoft 365, MFA is built in and free. If you're not sure whether it's enabled, log into your Microsoft admin centre and check under Security. If you can't find it, give us a ring. It takes about 20 minutes to sort out for most businesses.

2. Every Cloud Service You Use Has to Be Accounted For

Cloud services have always been in scope for Cyber Essentials, but Danzell tightens the screws. You now have to describe and justify your full scope, and MFA has to be switched on for every cloud service that offers it. In practice that means every cloud tool your business touches needs proper access controls and MFA, and you can no longer quietly leave one out of the assessment.

Think about what your team actually uses day to day. Microsoft 365, sure, but what about Xero? Sage? Trello? Slack? That HR platform someone signed up for last year? They all count now. Each one needs proper access controls, MFA where available, and appropriate security settings.

The tricky part is that most business owners don't have a complete list of every cloud service in use. Staff sign up for tools all the time without IT knowing. Before your next assessment, you need to do a proper audit, and that means asking every department, not just checking what you pay for.

3. Critical Patches Within 14 Days

When a critical security patch is released, whether for Windows, your firewall, your web browser, or anything else, you now have 14 days to apply it. Miss the window, fail the assessment.

If you're managing updates manually across a handful of machines, that might sound manageable. But in practice, patches come out constantly. Microsoft alone has pushed out over 900 security patches in a single year. Keeping track of which ones are critical and which devices still need them, then getting them applied without disrupting people's work, is a full-time job.

This is honestly where we see the most businesses fall down. It's not that they don't care. It's that nobody has the time to stay on top of it. Automated patch management takes this off your plate entirely. We deploy it for businesses across Cumbria and it runs quietly in the background: patches go out, devices stay compliant, and you don't have to think about it.

Where Most Businesses Get Caught Out

From the assessments we've done locally, here's where the gaps usually are:

  • MFA is only turned on for some people: typically the directors have it, but the wider team doesn't. Under the current rules, that's a fail.
  • Nobody knows what cloud tools are actually in use: there are always a few rogue subscriptions that didn't go through IT.
  • Updates are set to "remind me later": staff dismiss patch notifications for weeks because they don't want to restart their machine.
  • Old devices are still connected to the network: that Windows 10 laptop in the corner that "still works fine" is now a liability, especially since Microsoft ended support in October 2025.

What You Should Do Right Now

The rules changed on 27 April 2026. If you haven't worked through these yet, here's where to start:

  • Check MFA is on for every user: not just admin accounts. Log into your Microsoft 365 admin centre, go to Users > Active Users, and check the MFA status column. Every account should show "Enforced."
  • List every cloud service your business uses: send a quick email to your team asking what tools they log into daily. You'll be surprised what comes back.
  • Check your devices are up to date: on any Windows machine, go to Settings > Windows Update and check for pending updates. If any machine is still on Windows 10, that needs sorting as a priority.
  • Review who has access to what: when was the last time you removed an ex-employee's account? Or checked whether a temp still has admin access? Now's the time.

We Can Take This Off Your Hands

Most of the business owners we work with across Cumbria don't have time to audit cloud services or chase patch compliance across every device. That's exactly what we're here for.

We'll review your setup against the updated Cyber Essentials requirements, tell you exactly what needs fixing, and handle the work to get you compliant. It's all part of our cyber security service. No jargon, just a clear picture of where you stand and what needs to happen.

If your renewal is coming up, don't leave it until the last minute. Give us a call and we'll make sure you're ready.

Frequently Asked Questions

When did the new Cyber Essentials rules take effect?

The Cyber Essentials v3.3 requirements (also known as the Danzell question set) took effect on 27 April 2026. All assessments from that date use the updated question set.

Is MFA mandatory for Cyber Essentials certification?

Yes. From April 2026, multi-factor authentication must be enabled on every account where it is available. Failure to do so is an automatic fail.

Do cloud services count for Cyber Essentials now?

Cloud services have been in scope for several years and cannot be excluded. What changed under Danzell in April 2026 is that multi-factor authentication is now mandatory on every cloud service that offers it, and you have to describe your full assessment scope. This covers Microsoft 365, accounting software, CRM tools, and any other cloud-based service.

How quickly do I need to apply security patches for Cyber Essentials?

Critical and high-risk security patches must be applied within 14 days of release. This applies to operating systems, browsers, firewalls, and all other software in scope.

Do I need Cyber Essentials to bid on government contracts?

Yes. Cyber Essentials certification is mandatory for any UK Government contract that involves handling personal or financial data.
