
Cyber Essentials changes
from 27th April 2026

The new question set is called Danzell.

The full question set is available as a PDF from the Downloads section.

The changes apply to all new online account requests from 27th April 2026.

Transitional arrangements

  • All existing Willow-based portal accounts must be finalised by 26th October 2026.

  • Cyber Essentials Plus assessments will be conducted against the question set used for the online assessment.

  • The last date for a Willow-based CE+ assessment is 26th January 2027.

Question set changes from Willow

  • Multi-factor authentication (MFA)

MFA will be a mandatory requirement for every cloud service that offers it. Organisations that have not enabled MFA on a cloud service where it is available, whether as a free, included or paid option, will automatically fail the assessment. This change reflects the central role MFA plays in protecting cloud accounts and the importance of strong authentication.

  • Security update management

Two new questions are designated ‘auto-fail’ questions. They address the timely installation of high-risk or critical security updates and vulnerability fixes for operating systems, router and firewall firmware, and applications (including any associated files and extensions).

Specifically:

  • A6.4: Are all high-risk or critical security updates and vulnerability fixes for operating systems and router and firewall firmware installed within 14 days of release?

  • A6.5: Are all high-risk or critical security updates and vulnerability fixes for applications (including any associated files and extensions) installed within 14 days of release?

Answering ‘no’ to either question will result in automatic failure of the assessment, regardless of performance in other areas. The change is intended to address cases where delayed critical updates leave systems exposed to exploitation.
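As a worked check added here by the editor (it is not part of the question set, this page, or any assessor tooling), the script below evaluates an update inventory against the 14-day window in A6.4 and A6.5: only high-risk or critical fixes count, the clock starts at the vendor's release date, and an outstanding fix that is still missing more than 14 days after release is a breach just as a late install is. The grouping of operating systems and router/firewall firmware under A6.4 and applications under A6.5 follows the question wording above; the asset names, kind labels, dates and the assessment date are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

WINDOW_DAYS = 14  # A6.4 / A6.5: high-risk or critical fixes within 14 days of release

# Asset kinds grouped under the question that covers them (grouping taken from
# the wording of A6.4 and A6.5; the kind labels themselves are this example's own).
QUESTION_FOR = {
    "os": "A6.4",
    "router_firmware": "A6.4",
    "firewall_firmware": "A6.4",
    "application": "A6.5",
}

@dataclass
class Update:
    asset: str
    kind: str                  # one of the QUESTION_FOR keys
    severity: str              # vendor rating: "critical", "high", "medium", ...
    released: date             # vendor release date, which starts the 14-day clock
    installed: Optional[date]  # None if the fix is still outstanding

def days_open(u: Update, today: date) -> int:
    """Days from release to install, or to `today` if the update is still missing."""
    end = u.installed if u.installed is not None else today
    return (end - u.released).days

def is_breach(u: Update, today: date) -> bool:
    """True if a high/critical update was, or still is, outstanding for more than
    14 days. Lower severities fall outside A6.4/A6.5 and never count."""
    if u.severity.lower() not in ("high", "critical"):
        return False
    return days_open(u, today) > WINDOW_DAYS

def assess(updates, today):
    """Map each auto-fail question to the assets breaching it (empty lists mean pass)."""
    breaches = {"A6.4": [], "A6.5": []}
    for u in updates:
        if is_breach(u, today):
            breaches[QUESTION_FOR[u.kind]].append(u.asset)
    return breaches

def auto_fail(updates, today) -> bool:
    """A single breach under either question fails the whole assessment."""
    return any(assess(updates, today).values())

# Constructed sample inventory (not real data); the assessment date is assumed.
TODAY = date(2026, 6, 1)
SAMPLE = [
    Update("ws-01 Windows 11", "os", "critical", date(2026, 5, 1), date(2026, 5, 10)),            # 9 days: ok
    Update("fw-edge firmware", "firewall_firmware", "high", date(2026, 4, 20), date(2026, 5, 12)),  # 22 days: A6.4 breach
    Update("ws-02 browser", "application", "high", date(2026, 5, 20), None),                      # 12 days open: still inside the window
    Update("srv-01 PDF reader", "application", "critical", date(2026, 5, 1), None),               # 31 days open: A6.5 breach
    Update("ws-03 Windows 11", "os", "medium", date(2026, 4, 1), None),                           # medium: not covered by A6.4
]

if __name__ == "__main__":
    for question, assets in assess(SAMPLE, TODAY).items():
        print(f"{question}: {'FAIL ' + ', '.join(assets) if assets else 'pass'}")
    print("auto-fail:", auto_fail(SAMPLE, TODAY))
```

Two points the check makes visible: the 14 days run from the vendor's release date, not from when the update was noticed or approved, and an outstanding fix that is inside the window today becomes a breach on day 15, so the inventory has to be evaluated against the actual assessment date, not a convenient earlier one.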


  • Scope wording

    1. Unlimited scope descriptions: Organisations will no longer be limited to a brief scope description on their certificates. They will be able to provide a detailed scope description, which will be viewable via the digital certificate platform.

    2. Out-of-scope areas: Organisations will be required to describe any areas of their infrastructure that are excluded from the scope. This information will not be made public.

    3. Legal entity identification: Organisations will need to list every legal entity included within the scope of the assessment, giving the entity’s name, address and company number. All legal entities in scope can be viewed on the digital certificate platform.

    4. New certificate types: An individual Cyber Essentials certificate can be requested for each legal entity certified as part of a larger scope; it will be clear that the certificate forms part of that wider scope. There will be a small charge for these additional certificates.

These changes aim to improve transparency, reduce ambiguity, and ensure that the scope of an assessment is clearly defined and accurately represented.

  • Cloud services definition

A definition of cloud services has been added to remove ambiguity about what constitutes a cloud service.

Cloud service – A cloud service is an on-demand, scalable service, hosted on shared infrastructure, and accessible via the internet. For the purposes of Cyber Essentials, a cloud service will be accessed via an account (which may be credentials issued by your organisation or an email address used for business purposes) and will store or process data for your organisation.

If your organisation’s data or services are hosted on cloud services, those services must be in scope. Cloud services cannot be excluded from scope.

  • Clarification of ‘point in time’

Cyber Essentials is a ‘point in time’ assessment, but there has been confusion about what the term refers to. The scheme will now state explicitly that the ‘point in time’ is the date the certificate is issued. Organisations must therefore ensure that their systems are supported on the date of certification.

  • Passwordless authentication

Passwordless authentication methods are considered more secure than password-based ones, and their use is encouraged.

  • Signed declaration and ongoing compliance

The declaration signed by a board member or director as part of the verified self-assessment (VSA) process will be updated to include a statement acknowledging the organisation’s responsibility to maintain compliance with all Cyber Essentials controls throughout the certification period. This reinforces that compliance is ongoing, not a one-off exercise at the point of certification.

Changes to CE Plus assessments - applicable to Danzell-based assessments

  • Verification of update management compliance

    • Recent audits have revealed instances of organisations ‘applying selective updates’ during the Cyber Essentials Plus (CE+) assessment. When updates were identified as necessary during the CE+ audit, a small number of organisations applied them only to the devices in the tested sample rather than across their entire CE+ scope. As a result, those organisations passed CE+ while leaving vulnerabilities unaddressed across the wider environment.

    • To address this, the CE+ update management test is being revised. If an organisation fails the initial test of a random sample of devices, it must remediate the issues and undergo a retest. At the retest the Assessor will recheck the original sample and also test a new random sample of devices to confirm compliance across the wider environment. This prevents organisations from updating only the tested devices and ensures that required updates are applied consistently across the whole CE+ scope. Note that a second failure will result in revocation of the verified self-assessment certificate.

  • Prohibition of adjustments to the verified self-assessment after CE+ testing

To maintain the integrity of the certification process, organisations will no longer be allowed to adjust their verified self-assessment (VSA) responses based on the results of the CE+ assessment. The scheme’s Terms and Conditions will be updated to require explicitly that the VSA be completed, finalised and left unchanged before CE+ testing begins.

Any questions, please email us: info@cyberstrategies.co.uk