Cyber Essentials Update: What’s Changing and What It Means for Your Business

The 2026 changes to Cyber Essentials took effect on 26 April. Here is what has changed and what your organisation needs to do before the transition window closes on 26 October 2026.

If your organisation holds or is working towards Cyber Essentials certification, you need to know about the changes that took effect in April 2026. Whether you are a business owner juggling competing priorities, an IT manager driving digital modernisation, or a compliance lead responsible for regulatory adherence, the Cyber Essentials 2026 changes directly affect your next certification cycle.

Why Cyber Essentials Has Changed

The threat landscape evolves constantly. IASME, the body that manages Cyber Essentials on behalf of the NCSC, periodically revises the scheme to reflect current risks and technologies. The April 2026 revision introduced meaningful updates to the question set, technical controls, and assessment approach. For organisations tendering for public sector, MOD, or NHS contracts where certification is often a contractual requirement, understanding these changes is not optional.

The Transition Window You Need to Know About

Before getting into the detail, one critical point. If your organisation has an active assessment account created before 26 April 2026, you have six months from that date to attain certification using the previous version of the requirements (the Willow question set). That gives you until 26 October 2026.

After that date, all assessments are conducted under the new Danzell question set with the updated requirements and stricter auto-fail criteria. Organisations creating new accounts on or after 26 April 2026 are already on the new scheme.

Key Changes in the Cyber Essentials 2026 Update

  1. The New Danzell Question Set

The Danzell question set replaces the previous Willow version. Danzell introduces updated terminology, revised scoping guidance, and more precise questions around device management and cloud services. If you prepared for certification using older materials, your readiness checklist may already be out of date. IT managers should review the full Requirements for IT Infrastructure v3.3 document to align their technical controls accordingly.

  2. Strengthened MFA Requirements

Multi-factor authentication is now a mandatory requirement for all cloud services where it is available. The rule applies regardless of whether MFA comes as a free, included, or paid option: if your cloud service supports MFA and you have not enabled it, you will automatically fail the assessment. Organisations that have historically relied on simple password policies for cloud access must now audit every cloud service in use and confirm that MFA is enforced on each one.

  3. New 14-Day Patching Auto-Fail

This is a major addition that organisations should not underestimate. Two new auto-fail questions have been introduced around security update management:

  • A6.4: All high-risk or critical security updates and vulnerability fixes for operating systems, routers, and firewall firmware must be installed within 14 days of release.
  • A6.5: All high-risk or critical security updates and vulnerability fixes for applications, including associated files and extensions, must be installed within 14 days of release.

Non-compliance with either question results in automatic failure of the assessment, regardless of performance in other areas. For IT managers, this means patching cycles need formal tracking, evidence retention, and an explicit policy for high-risk update prioritisation.
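As an added illustration of the tracking the two patching questions call for (this is example code, not IASME or NCSC tooling), the check below runs over a constructed patch inventory and reports which assets would fall foul of A6.4 or A6.5. The record layout, the category-to-question mapping and the inclusive 14-day boundary are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed reading of A6.4/A6.5: a high-risk or critical update must be
# installed no later than 14 days after its release date (day 14 inclusive).
WINDOW = timedelta(days=14)

@dataclass
class PatchRecord:
    asset: str
    category: str              # "os", "router", "firewall" or "application" (assumed vocabulary)
    severity: str              # vendor severity, e.g. "critical", "high", "medium"
    released: date
    installed: Optional[date]  # None means not yet installed

def question_for(category: str) -> str:
    """Map an asset category to the auto-fail question it falls under (assumed mapping)."""
    return "A6.5" if category == "application" else "A6.4"

def check_patch(record: PatchRecord, today: date) -> tuple:
    """Return (status, question); status is 'ok', 'fail', 'pending' or 'n/a'."""
    question = question_for(record.category)
    if record.severity not in ("critical", "high"):
        return "n/a", question          # the 14-day rule covers high-risk/critical fixes only
    deadline = record.released + WINDOW
    if record.installed is None:
        # Not installed yet: a fail once the deadline has passed, otherwise still open.
        return ("fail" if today > deadline else "pending"), question
    return ("ok" if record.installed <= deadline else "fail"), question

def audit(records, today: date) -> dict:
    """Group the assets that would trigger an auto-fail by question."""
    failures = {"A6.4": [], "A6.5": []}
    for record in records:
        status, question = check_patch(record, today)
        if status == "fail":
            failures[question].append(record.asset)
    return failures

# Constructed sample inventory and audit date (not real data).
SAMPLE_TODAY = date(2026, 6, 10)
SAMPLE = [
    PatchRecord("fw-edge-01", "firewall", "critical", date(2026, 5, 1), date(2026, 5, 15)),  # day 14: ok
    PatchRecord("laptop-017", "os", "high", date(2026, 5, 1), date(2026, 5, 16)),            # day 15: fail
    PatchRecord("laptop-022", "application", "critical", date(2026, 5, 20), None),           # overdue, never installed
    PatchRecord("laptop-022", "application", "medium", date(2026, 4, 1), None),              # outside the rule
]

if __name__ == "__main__":
    print(audit(SAMPLE, SAMPLE_TODAY))  # {'A6.4': ['laptop-017'], 'A6.5': ['laptop-022']}
```

Keeping the release and install dates as evidence alongside this output is what gives an assessor the trail the article says is now expected.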

  4. Expanded Scope for Cloud and Home Working

The updated scheme takes a clearer stance on cloud-hosted services and home working environments. Devices used to access organisational data from outside the office are now more explicitly in scope. Personal devices used by staff, even occasionally, must either be enrolled under your organisation’s device management policy or excluded from your certification scope through careful boundary definition.

  5. Clearer Auto-Fail Criteria

The revised scheme introduces clearer auto-fail conditions. Specific situations now result in immediate assessment failure regardless of performance across other controls, including absent MFA on cloud services, late application of high-risk or critical security updates under the new 14-day windows (A6.4 and A6.5), and unsupported operating systems within scope. For compliance leads, this makes pre-assessment audits more important than ever. A single overlooked auto-fail condition the week before your assessment can mean costly delays and resubmission fees.

  6. Cyber Essentials Plus 2026 Changes

The Cyber Essentials Plus assessment has been tightened in two ways. To address selective patching during audits (where some organisations were patching only the devices in the test sample), the retesting process has changed: if your organisation fails the initial test on a random device sample, the assessor will recheck the original sample and also test a new random sample. A second failure results in revocation of your verified self-assessment (VSA) certificate. Separately, organisations are no longer permitted to adjust their VSA responses based on what surfaces during CE+ testing. The VSA must now be completed, finalised, and remain unchanged before CE+ testing begins, so any inconsistency between your VSA and what the assessor finds will count against you.

What This Means in Practice

For business owners, the key message is this: do not assume your existing controls still meet the standard. Organisations that sailed through their last assessment may find themselves failing on the new criteria, particularly MFA enforcement and the 14-day patching windows.

For IT managers and compliance leads, the update is an opportunity to tighten controls that should arguably already be in place. The IASME Cyber Essentials certification framework now more closely mirrors real-world best practice. A gap analysis against the Danzell question set and Requirements for IT Infrastructure v3.3 is the right starting point, and a robust patching evidence trail is now non-negotiable.

Common Mistakes to Avoid

  • Submitting under the old Willow question set after your six-month transition window has closed.
  • Overlooking cloud services used by staff that sit outside the traditional network boundary.
  • Assuming MFA on Microsoft 365 or Google Workspace alone is sufficient without reviewing every other cloud service in use.
  • Failing to track and evidence the 14-day patching window for high-risk updates across both systems and applications.
  • Adjusting your VSA after CE+ testing has begun, which is no longer permitted.
  • Failing to document scope boundaries clearly, leading to unintended inclusion of non-compliant devices.
  • Leaving preparation too late when a contract deadline is driving the certification requirement.

Act Now, Before Your Next Certification Window

The Cyber Essentials 2026 changes reward organisations that prepare early. If you have an active Willow assessment account, the six-month transition window means you have until 26 October 2026 to certify under the previous rules. After that, the new Danzell scheme applies in full.

If you are due for recertification, tendering for a contract that requires certification, or pursuing Cyber Essentials for the first time, now is the right time to understand exactly where you stand against the updated requirements.

Our team works with SMEs, schools, and MATs to navigate Cyber Essentials certification efficiently and successfully. We will assess your current controls against the latest Danzell question set, identify any auto-fail risks, and give you a clear remediation roadmap so there are no surprises on assessment day.


Book Your Free Cyber Essentials Readiness Assessment

Get in touch to arrange your free assessment. We will start by understanding your environment and current position, then work with you to map out a practical plan towards certification.
