Cyber Essentials changes 2026: Danzell, mandatory MFA and cloud scope
In April 2026 the Cyber Essentials scheme moved to a new version of its requirements, version 3.3, and the assessment framework took a new name: Danzell, replacing the previous Montpellier version. The headline changes tighten the three areas that catch organisations out most often: multi-factor authentication, what counts as in-scope cloud, and how patching is verified during the Cyber Essentials Plus audit.
As an IASME-licensed certification body that has worked with the scheme since it launched in 2014, we now assess every certification against these requirements. Here’s what changed, who it affects, and what to do about it.
The 2026 changes at a glance
- New version and name. The requirements are now v3.3, and the assessment framework is named Danzell.
- MFA is mandatory. Where a cloud service offers multi-factor authentication, you must enable it. Failing to do so is now an automatic fail, not a fixable condition.
- Cloud is formally defined. A clear definition of “cloud service” means cloud platforms can no longer be left out of scope.
- Whole-scope patching. During the CE+ audit you must patch your entire scope, not just the sample devices being tested.
- Transition window. Assessment accounts opened before late April 2026 retained a window to certify under the previous requirements; new accounts are assessed against v3.3.
Multi-factor authentication is now a hard requirement
The most significant practical change: if a cloud service you use offers multi-factor authentication, you must turn it on, using a method approved by the NCSC. Previously, gaps here could sometimes be treated as remediation. Under the 2026 rules, an available-but-disabled MFA option is an automatic assessment fail.
What this means in practice:
- Inventory every cloud service in use, not just the obvious ones.
- Confirm MFA is enabled for all users, including administrators and, where supported, service accounts.
- Check the method meets NCSC-approved standards. App-based or hardware tokens are stronger choices than SMS.
This is the single most common reason organisations now fail, and the easiest to put right before the audit.
A formal definition of “cloud service”
For the first time, Cyber Essentials defines what a cloud service is: broadly, any on-demand, scalable service running on shared infrastructure and accessed over the internet. The effect is simple: cloud platforms can no longer be quietly excluded from scope to make certification easier.
If your organisation uses SaaS, IaaS or PaaS (Microsoft 365, Google Workspace, Azure, AWS and the rest), they are in scope and must meet the controls. For many organisations this widens the assessment surface compared with previous years. A cloud security assessment is the fastest way to see where your live configuration stands.
What to do:
- Build an honest inventory of every cloud service, including shadow IT.
- Confirm each one meets the five controls, particularly access control and MFA.
Patching: the whole scope, not just the sample
IASME identified that some organisations had been passing CE+ by patching only the sample devices an assessor happened to test, while leaving the rest of the estate vulnerable. The 2026 rules close that gap: when the audit identifies required updates, they must be applied across the entire in-scope environment, not just the tested sample.
Note that the deadline itself is unchanged: critical and high-severity updates must be applied within 14 days. What changed in 2026 is the reach: that standard now has to hold across your entire in-scope estate, not just the devices an assessor happens to sample.
In practice this rewards organisations with real, consistent patch management and penalises last-minute, selective fixes.
What to do:
- Apply patch management uniformly across all in-scope devices.
- Don’t treat the audit sample as the finish line; assessors are looking for estate-wide discipline.
Who’s affected and when
The new requirements apply to assessment accounts created from late April 2026 onward. Organisations with an active assessment account opened before then were given a window to complete certification under the previous requirements.
In plain terms:
- Starting fresh now? You’re assessed against v3.3 / Danzell.
- Mid-certification under an older account? Check your account date. You may still be able to finish under the previous rules, but the window is closing, so don’t leave it late.
If you’re unsure which version applies to you, a certification body can confirm it in minutes.
How to stay ahead of it
- Inventory your cloud services and devices. You can’t scope honestly without it.
- Switch on MFA everywhere it’s offered, using an NCSC-approved method.
- Apply patches across the whole estate, not just where you expect to be tested.
- Run a readiness review before the formal audit to catch fails cheaply.
- Talk to your certification body early, especially about which version applies to you.
At Layer 7 we assess against the current requirements and tell you exactly where you stand before you commit to the audit.
Cyber Essentials 2026 FAQs
What is “Danzell”? It’s the name of the updated Cyber Essentials assessment framework introduced in 2026, replacing the previous “Montpellier” version, alongside v3.3 of the requirements.
Is MFA really a hard fail now? Yes. If a cloud service offers MFA and it isn’t enabled, that is an automatic fail under the new rules.
Do I have to include cloud services in scope? Yes. The new formal definition of a cloud service means they can’t be excluded.
Will the changes make certification harder? For organisations with weak MFA, unmanaged cloud or inconsistent patching, yes. For those with solid fundamentals, it’s largely confirmation you’re already doing the right things.
How long is certification valid? Twelve months. You re-certify each year to keep it current.
Get certified to the 2026 standard
We’re an IASME-licensed certification body assessing to the current requirements. Tell us the shape of your environment and we’ll show you where you stand, and how to pass first time. If you’re weighing up which level you need or what it costs, see Cyber Essentials vs Cyber Essentials Plus and how much Cyber Essentials Plus costs.
Talk to an assessor: hello@layer7.uk or see Cyber Essentials Plus certification.