- Cyber Essentials
- 15th Jul 2026
- 1 min read
Cyber Essentials v3.3 Danzell: What Changed and How to Prepare
- Written by
In Short..
Cyber Essentials v3.3 (Danzell) applies to new assessment accounts created after 26 April 2026. MFA on cloud services is now an automatic failure point. Two security update questions, A6.4 and A6.5, are also auto-fail. Cloud services cannot be excluded from scope. Verified self-assessment responses are locked once Cyber Essentials Plus testing begins.
Working towards certification? Our Cyber Essentials resource hub brings together everything in one place: the five controls, certification costs, the self-assessment questionnaire, and what Cyber Essentials Plus actually tests. Start there to plan your route to certification.
Introduction
Cyber Essentials v3.3, known as the Danzell question set, introduces one of the most significant updates to the scheme in recent years. Applying to new assessment accounts created after 26 April 2026, v3.3 makes several requirements stricter, clearer, and harder to remediate late in the assessment process.
The most significant change is the introduction of new auto-fail criteria. If multi-factor authentication is available for a cloud service but has not been enabled, the organisation will automatically fail the assessment. Two security update management questions, A6.4 and A6.5, also become auto-fail questions where high-risk or critical updates and vulnerability fixes are not applied within 14 days.
The core message: v3.3 does not reinvent Cyber Essentials. The five technical controls remain the same. What changes is the tolerance for gaps. Selected controls that previously counted as major non-compliances now cause immediate, unrecoverable failure. If your scope is inaccurate, your MFA enforcement is inconsistent, or your patching records are incomplete, you will not pass.
For organisations preparing for Cyber Essentials or Cyber Essentials Plus, Danzell raises the bar. It is no longer enough to know what controls should be in place. You need accurate scope, current evidence, maintained remediation records, and confidence that your self-assessment answers will hold up under CE+ testing.
This guide covers the material changes in v3.3, compares them with v3.2 Willow, and sets out what your organisation needs to do before assessment.
When Does Cyber Essentials v3.3 Apply?
Cyber Essentials v3.3 applies to new assessment accounts created after 26 April 2026. The new question set is called Danzell and replaces the previous Willow question set used under Cyber Essentials v3.2.
Organisations with an active assessment account created before 26 April 2026 can continue using the previous requirements within the allowed six-month certification window. However, any organisation starting a new assessment after that date must prepare against the v3.3 Danzell requirements.
This timing matters for renewal planning. Cyber Essentials certification is annual. Even if an existing certificate remains valid until expiry, renewal after 26 April 2026 will be subject to the new question set. That means new evidence expectations, stricter MFA enforcement, and updated scope documentation, regardless of how well-prepared the organisation was under v3.2.
Key dates at a glance:
| Event | Date |
|---|---|
| Cyber Essentials v3.2 Willow introduced | April 2025 |
| Danzell question set published | 13 February 2026 |
| Cyber Essentials v3.3 Danzell effective | 26 April 2026 |
| Assessment accounts created before this date | May continue under v3.2 within certification window |
| Assessment accounts created after this date | Must use v3.3 Danzell requirements |
| Certification validity | 12 months from issue |
What Is the Danzell Question Set?
Danzell is the name of the Cyber Essentials v3.3 question set. Each version of Cyber Essentials carries a named question set alongside the version number: v3.1 used Evendine, v3.2 used Willow, and v3.3 uses Danzell.
In practice, "Cyber Essentials v3.3" and "Danzell" refer to the same update cycle. The version number describes the iteration of the requirements; the question set name is used within the assessment portal and certification documentation.
What Danzell is not: a conceptual overhaul. As IASME's April 2026 guidance confirms, the five technical controls (firewalls, secure configuration, user access control, malware protection, and patch management) remain unchanged. Danzell is a wording and enforcement update. The controls are the same; the consequences of getting them wrong are not.
If you need to review the previous version in detail, see our guide to Cyber Essentials Plus v3.2 Willow.
What Changed from v3.2 Willow to v3.3 Danzell?
Cyber Essentials v3.2 Willow expanded MFA requirements, clarified vulnerability fix timelines, and tightened cloud scoping. Cyber Essentials v3.3 Danzell builds on that foundation by raising the cost of non-compliance on the controls that matter most.
The most important shift is the move from major non-compliance to automatic failure for selected requirements. Under v3.2, an organisation accumulating too many major non-compliances would fail overall. Under v3.3, specific questions cause immediate failure on their own, regardless of how well the rest of the assessment goes.
The key changes across the scheme are:
- MFA for cloud services becomes an automatic failure point where MFA is available but not enabled.
- Questions A6.4 and A6.5 become auto-fail questions for high-risk or critical security updates and vulnerability fixes not applied within 14 days.
- Cloud services receive a formal definition within the requirements.
- Cloud services cannot be excluded from scope where they meet the scheme's definition.
- Organisations must provide clearer disclosure of legal entities included in scope, and can request individual certificates for entities within a wider scope.
- Excluded infrastructure areas require more specific description, and the terms "untrusted" and "user-initiated" have been dropped from the scoping criteria.
- Cyber Essentials Plus retesting becomes stricter where update management fails.
- Verified self-assessment responses cannot be changed once CE+ testing begins.
- Backups, software development, and scoping guidance are strengthened for more consistent interpretation.
- Passwordless authentication is more clearly defined, with FIDO2 authenticators explicitly recognised as qualifying for MFA.
The sections below cover each of these changes in detail.
MFA for Cloud Services Is Now an Auto-Fail Requirement
One of the most significant Cyber Essentials v3.3 changes is the treatment of multi-factor authentication for cloud services.
Under v3.3, MFA is mandatory for every cloud service where MFA is available. If a cloud service offers MFA, whether included in the base subscription, available as a paid add-on, or built into the platform, and the organisation has not enabled it, the assessment will automatically fail. There is no remediation opportunity within that assessment cycle.
The NCSC's Requirements for IT Infrastructure v3.3 states plainly: "implement MFA, where available – authentication to cloud services must always use MFA." Responsibility for configuring MFA sits with the organisation, not the cloud provider.
What this means in practice:
- Every cloud service in scope must be audited for MFA availability before the assessment begins.
- "Available" includes MFA that requires an additional licence or subscription tier. If the organisation has access to MFA and has not enabled it, that is a failure.
- MFA must be enforced at the account level, not just offered as an optional setting for users.
- A single cloud service without MFA enabled will fail the entire assessment.
This is a binary control. One gap, anywhere in scope, fails everything.
Security Update Management: A6.4 and A6.5 Auto-Fail Questions
Questions A6.4 and A6.5 relate to the management of high-risk and critical security updates. Under v3.3, both become automatic failure points.
- A6.4 asks whether all high-risk or critical security updates and vulnerability fixes for operating systems and router and firewall firmware are installed within 14 days of release.
- A6.5 asks the same question for applications, including any associated files and extensions.
Under v3.2, failure on these questions contributed to the overall non-compliance count. Under v3.3, a failure on either question causes immediate assessment failure, regardless of performance elsewhere.
The practical implication: organisations need to demonstrate, with evidence, that their patching and vulnerability management processes reliably meet the 14-day window. Verbal confirmation or approximate records are not sufficient. If CE+ testing reveals a gap between the self-assessment answer and the actual state of systems, the assessment will fail and the verified self-assessment response cannot be amended.
Cloud Services Are Formally Defined and Cannot Be Excluded from Scope
Cyber Essentials v3.3 introduces a formal definition of cloud services within the requirements: an on-demand, scalable service, hosted on shared infrastructure and accessible via the internet, accessed via an account, that stores or processes data for the organisation. This includes Software as a Service (SaaS) platforms, cloud-hosted infrastructure, and shared services used by employees for work purposes.
Critically, cloud services can no longer be excluded from the assessment scope. Under earlier versions, some organisations attempted to carve out cloud services on the grounds that security was managed by the provider. That approach is no longer permitted: the requirements state directly that "if your organisation's data or services are hosted on cloud services, these services must be in scope. Cloud services cannot be excluded from scope."
The applicant organisation remains responsible for ensuring all five controls are met, even for services such as SaaS, where the provider typically implements some controls (firewalls and malware protection, for example) on the organisation's behalf. Responsibility does not transfer to the provider by default; the organisation must be able to evidence how each control is met, whether directly or through the provider's contractual commitments.
This has direct implications for scope documentation. Organisations need a complete and accurate inventory of cloud services in use before the assessment begins, including services adopted through shadow IT or departmental procurement outside central IT.
Legal Entity and Certificate Transparency Changes
Cyber Essentials v3.3 requires organisations to provide clearer disclosure of the legal entities included within the assessment scope, including company name, address, and company number where relevant. Where a certificate covers multiple entities or subsidiaries, the assessment documentation must reflect this accurately.
Organisations can also request an individual Cyber Essentials certificate for each legal entity certified as part of a larger scope, at a small additional charge, while it remains clear that certification sits within the wider scope.
This change addresses a previous ambiguity where group-level certifications did not always make clear which entities were covered. Under v3.3, assessors will expect precise scope definitions that match the legal structure of the organisation.
Cyber Essentials Plus Retesting Changes
Cyber Essentials Plus involves independent technical testing of the controls declared in the self-assessment. Under v3.3, the retesting process for update management failures becomes stricter.
Audits identified organisations selectively applying updates only to the sample of devices being tested during CE+, rather than across the full scope. To close this gap, if an organisation fails the initial sample test for update management, the retest checks both the original sample and a new random sample of devices, not just the systems that were remediated. A second failure results in revocation of the verified self-assessment certificate.
Verified Self-Assessment Responses Cannot Be Changed Once CE+ Testing Starts
This is one of the most operationally significant changes for organisations pursuing Cyber Essentials Plus.
Under v3.3, once CE+ testing begins, the self-assessment responses submitted during the verified self-assessment stage are locked. They cannot be amended to reflect remediation carried out after testing starts. If a CE+ test reveals a discrepancy between what was declared and what is found on systems, the assessment fails.
The implication is straightforward: the self-assessment must be accurate at the point of submission, not aspirationally accurate based on planned remediation. Organisations that previously used the CE+ window to tidy up minor gaps will no longer be able to do so.
Backups, Software Development, Passwordless Authentication, and Scoping Updates
Cyber Essentials v3.3 also updates guidance in several supporting areas. None of these introduce new mandatory controls, but they reduce ambiguity that previously allowed inconsistent assessor interpretation.
- Backups: Backing up data is still not a mandatory technical control under Cyber Essentials. The guidance has been repositioned earlier in the requirements document and given more prominence, to emphasise its role in recovering quickly from an incident. Organisations should not assume backups are now separately assessed or scored.
- Software development: The former "web applications" section is renamed "application development" and now references the UK Government's Software Security Code of Practice. Publicly available commercial web applications are in scope by default; bespoke and custom components remain out of scope.
- Passwordless authentication: The definition of passwordless authentication has been updated to explicitly include FIDO2 authenticators, which are recognised as satisfying the MFA requirement.
- Scoping: The terms "untrusted" and "user-initiated" have been removed as qualifiers for internet connections, simplifying the scoping criteria. Organisations must justify any exclusions from scope and describe specifically, rather than generally, what has been left out and why.
Two further procedural changes are worth noting: the scheme now explicitly defines the "point in time" of a Cyber Essentials assessment as the date the certificate is issued, and the board-level declaration signed as part of the verified self-assessment now includes an explicit acknowledgement of the organisation's responsibility to maintain compliance throughout the certification period, not just at the point of assessment.
v3.2 Willow vs v3.3 Danzell: What Changed?
| Area | v3.2 Willow | v3.3 Danzell |
|---|---|---|
| MFA for cloud services | Required; major non-compliance if missing | Auto-fail if MFA available but not enabled |
| A6.4 security updates | Major non-compliance | Auto-fail |
| A6.5 vulnerability fixes | Major non-compliance | Auto-fail |
| Cloud service definition | Guidance-level | Formally defined in requirements |
| Cloud service scope exclusion | Possible in some circumstances | Not permitted |
| Legal entity disclosure | General | Specific; company details required; individual certificates available |
| CE+ retesting for update failures | Some flexibility | Stricter; original plus new random sample; second failure revokes certificate |
| Self-assessment lock | Could be amended during CE+ | Locked once CE+ testing begins |
| Backup guidance | Standard, later in document | Repositioned earlier, given more prominence (still not mandatory) |
| Software development scoping | "Web applications", limited guidance | Renamed "application development"; references Software Security Code of Practice |
| Passwordless authentication | Not separately defined | FIDO2 explicitly recognised as satisfying MFA |
| Excluded infrastructure description | General description acceptable | Specific description and justification required |
How Organisations Should Prepare for Cyber Essentials v3.3
The most common reason organisations fail Cyber Essentials is not that their security is poor. It is that their preparation is incomplete. Under v3.3, that gap is more expensive than it used to be. Here is what needs to be in place before the assessment begins.
1. Audit Every Cloud Service for MFA Availability
Start with a complete inventory of cloud services in use across the organisation, including services procured by individual teams or departments outside central IT oversight. For each service, determine whether MFA is available, at any subscription tier, and whether it has been enabled and enforced at the account level.
Do not assume that a service without MFA enabled will be acceptable. If MFA is available and not enabled, the assessment will fail. If the service does not offer MFA at all, document that clearly as part of scope evidence.
2. Verify Your Patching Process Meets the 14-Day Window
Questions A6.4 and A6.5 require evidence that high-risk and critical security updates are applied within 14 days of release. That means:
- A defined process for identifying high-risk and critical updates when they are released.
- A documented and enforced timeline for applying those updates across in-scope systems.
- Evidence records that demonstrate compliance, not just a policy that describes the intention.
If your vulnerability management process relies on periodic scans rather than continuous monitoring, review whether the current cadence reliably catches and remediates critical updates within the window.
3. Confirm Your Scope Is Accurate Before Self-Assessment
Scope errors are one of the most common causes of CE+ failure. Under v3.3, the self-assessment is locked once CE+ testing begins. If the scope declared in the self-assessment does not match what is found during technical testing, the assessment fails with no opportunity to correct it.
Before submitting the self-assessment:
- Confirm that all legal entities covered by the certificate are named correctly.
- Confirm that all cloud services in scope are included and that MFA status is accurate.
- Confirm that any excluded infrastructure is described and justified specifically, not generically.
- Confirm that remote working environments and personal devices used for work are addressed within the scope.
4. Treat the Self-Assessment as Final
Under v3.3, the verified self-assessment is not a draft. It is the document against which CE+ testing will be conducted. Any gap between what is declared and what is found on systems will fail the assessment.
Complete a technical review of in-scope systems before submitting the self-assessment. Do not submit and plan to remediate during the CE+ window. That approach will not work under v3.3.
5. Maintain Evidence, Not Just Controls
Cyber Essentials Plus tests whether controls are in place. It does not accept that controls were in place at some point. Evidence of patching, MFA enforcement, access control, and vulnerability management must be current and retrievable at the point of testing.
If your evidence is held in spreadsheets, email chains, or manual records, consider whether those records are reliable enough to withstand independent verification. Gaps in evidence are treated the same as gaps in controls.
How SureCloud Supports Cyber Essentials Readiness
Cyber Essentials certification is annual. The controls it tests, MFA, patch management, access control, secure configuration, and firewall management, need to be maintained year-round, not assembled in the weeks before assessment.
SureCloud helps organisations maintain the evidence, controls, remediation records, and audit readiness needed to support Cyber Essentials and Cyber Essentials Plus certification continuously. That means:
- Continuous controls monitoring that tracks control status in real time, so patching gaps and MFA enforcement issues are visible before an assessor finds them.
- Evidence management that keeps records current, retrievable, and organised against the specific questions in the Cyber Essentials question set.
- Remediation tracking that closes the loop between a vulnerability being identified and a fix being applied and evidenced, within the 14-day window A6.4 and A6.5 require.
- Scope documentation that accurately reflects cloud services, legal entities, and excluded infrastructure, so the self-assessment matches the technical reality of the environment.
Under v3.3, the organisations that pass first time are the ones that treat Cyber Essentials as an ongoing programme, not an annual project. SureCloud is built for that model.
Get Cyber Essentials Ready With SureCloud
FAQ’s
Does Cyber Essentials v3.3 replace v3.2 Willow?
Yes. Cyber Essentials v3.3, known as Danzell, replaces the v3.2 Willow question set for new assessment accounts created after 26 April 2026. Organisations with an active assessment account created before that date can continue using the previous requirements within the allowed certification window. If you are starting a new assessment after 26 April 2026, you should prepare against the v3.3 Danzell requirements.
Is MFA now an automatic failure point for all cloud services?
Yes, where MFA is available. If a cloud service in scope offers MFA, whether as a standard feature or an available add-on, and the organisation has not enabled it, the assessment will automatically fail. There is no remediation opportunity within that assessment cycle. If a cloud service genuinely does not offer MFA, that must be documented as part of the scope evidence.
What are A6.4 and A6.5?
A6.4 and A6.5 are questions within the Cyber Essentials question set relating to security update management. A6.4 covers the application of high-risk or critical security updates and vulnerability fixes for operating systems and router/firewall firmware within 14 days of release. A6.5 covers the same requirement for applications, including associated files and extensions. Under v3.3, failure on either question causes automatic assessment failure.
Can cloud services be excluded from the Cyber Essentials scope?
No. Under v3.3, cloud services that store or process organisational data cannot be excluded from scope. This is a formal change from earlier versions, where some organisations attempted to exclude cloud services on the basis that security was managed by the provider. Under v3.3, the organisation is responsible for ensuring cloud service controls are met, regardless of which party — organisation or provider — implements them in practice.
What happens if my self-assessment answers change after CE+ testing starts?
They cannot be changed. Under v3.3, verified self-assessment responses are locked once Cyber Essentials Plus testing begins. If CE+ testing reveals a discrepancy between what was declared and what is found on systems, the assessment fails. Organisations should complete a full technical review of in-scope systems before submitting the self-assessment.
Does v3.3 introduce new technical controls?
No. The five technical controls (firewalls, secure configuration, user access control, malware protection, and security update management) remain unchanged from v3.2. What changes is the marking approach: selected questions now cause automatic failure rather than contributing to an overall non-compliance count, plus a set of clarifications to definitions, scoping, and CE+ retesting.
Platform +
Frameworks +
Products +
Industries +
Resources +
Company +
London Office
1 Sherwood Street, London, W1F 7BL, United Kingdom
US Headquarters
6010 W. Spring Creek Pkwy., Plano, TX 75024, United States of America
© SureCloud 2026. All rights reserved.