Cyber Essentials 2026: Understanding the New Danzell Question Set

Cyber Essentials continues to evolve to reflect today’s cyber threat landscape, and the latest update is one of the most significant in recent years.

From 27 April 2026, all new Cyber Essentials assessments use the Danzell question set alongside Requirements for IT Infrastructure v3.3. While the five core Cyber Essentials technical controls remain unchanged, the way organisations are assessed has become considerably more rigorous. (IASME - Home⁠)

If your organisation is planning to achieve Cyber Essentials or renew an existing certification, understanding these changes is essential.

Why Has the Question Set Changed?

Cyber Essentials is reviewed annually by IASME and the National Cyber Security Centre (NCSC) to ensure it remains effective against modern cyber threats.

The Danzell question set introduces clearer guidance, removes ambiguity, and places greater emphasis on organisations demonstrating that security controls are genuinely implemented—not simply documented. (IASME - Home⁠)

The Biggest Changes

1. Multi-Factor Authentication (MFA) Is Now Critical

Perhaps the most important change is the stricter enforcement of Multi-Factor Authentication.

If a cloud service supports MFA, it must now be enabled for the relevant users. Missing MFA on supported cloud services can result in an automatic failure of the assessment.

Many organisations already use Microsoft 365, Google Workspace and other SaaS platforms with MFA enabled, but this update requires businesses to ensure there are no gaps across any in-scope cloud services. 

2. Faster Security Patching

The new requirements place greater emphasis on timely installation of security updates.

High-risk and critical vulnerabilities affecting operating systems, firewall firmware, routers and supported applications are expected to be remediated within the required timeframe. Failure to meet these requirements can now result in an automatic assessment failure. 

3. Improved Scoping Requirements

Organisations must now provide much clearer justification for what is included—and excluded—from the assessment.

The updated guidance makes it harder to artificially reduce scope. Assessors will expect organisations to accurately identify:

  • End-user devices
  • Servers
  • Cloud services
  • Firewalls and internet gateways
  • Remote workers
  • BYOD where applicable

Clear documentation is becoming increasingly important. 

4. Stronger Evidence Requirements

Although Cyber Essentials remains a verified self-assessment, applicants should expect greater scrutiny of their answers.

The Danzell question set requests more detailed information and reduces opportunities for vague or generic responses. Organisations should be prepared to demonstrate how security controls operate in practice. (IASME - Home⁠)

5. Cyber Essentials Plus Has Also Changed

The Cyber Essentials Plus assessment process has also become more robust.

Testing now places greater emphasis on representative sampling and point-in-time compliance. Organisations are expected to be fully compliant before the assessment begins, rather than relying on remediation during the audit process. (IASME - Home⁠)

What Should Organisations Do Now?

Preparation is more important than ever.

Before beginning your Cyber Essentials assessment, we recommend:

  • Review every cloud service and ensure MFA is enabled where available.
  • Confirm all supported devices are fully patched.
  • Remove unsupported operating systems from scope or upgrade them.
  • Review administrative accounts and privileged access.
  • Verify that your asset inventory is accurate.
  • Ensure your assessment scope reflects your actual IT environment.
  • Allow sufficient time to remediate any issues before submitting your assessment.

Organisations that leave preparation until the last minute are significantly more likely to experience delays or fail their assessment.

Our Advice

We’ve already seen that organisations who prepare early complete their certification much more smoothly.

The new question set isn’t designed to make Cyber Essentials harder—it is designed to ensure organisations genuinely meet the security baseline expected by customers, insurers and government bodies.

With the right preparation, most organisations will have no difficulty achieving certification.

Need Help With Cyber Essentials?

At Cyber Compliance, we help organisations of all sizes achieve both Cyber Essentials and Cyber Essentials Plus with expert guidance throughout the entire process.

Whether you’re certifying for the first time or renewing under the new Danzell question set, our assessors can help you prepare, avoid common pitfalls and achieve certification quickly.

📧 Email: info@cybercompliance.org.uk

If you’d like assistance with your Cyber Essentials certification, get in touch with our team today.

Back to blog