New Cyber Essentials Update and What it Means for Your Business

If your business holds a Cyber Essentials certification, or you are planning to get certified for the first time, there is something important you need to be aware of. The scheme was updated on 27 April 2026, and the changes are more significant than the usual annual tweaks.

The new version is called Danzell, and while the core structure of Cyber Essentials has not changed, the way organisations are assessed has become considerably stricter. Put simply, you now need to prove your security controls are actually working, not just that you have a policy saying they should be.


What Has Actually Changed?

The biggest shift is around multi-factor authentication, or MFA. Most people know MFA as the extra step when logging in where you get a code sent to your phone. Under the new rules, if a cloud service you use offers MFA and you have not turned it on, you will automatically fail the assessment. No exceptions. It does not matter whether MFA is free or costs extra. If it is available, it must be switched on for all users.

This matters more than it might sound. The updated scheme now includes a formal definition of cloud services, and it is a broad one. Any online tool or platform your team logs into using a business email address, and that stores or handles your company data, is now in scope. That includes things like Microsoft 365, your CRM, your project management tool and so on. Previously there was some ambiguity about what counted. Now there is not.

Patching has also become an auto-fail area. If your devices, software, routers, or firewalls are not being kept up to date in a timely way, particularly for high-risk or critical vulnerabilities, you will fail outright.

What About Cyber Essentials Plus?

If you go for the higher-level Cyber Essentials Plus certification, auditors are also clamping down on a loophole that some organisations have been exploiting, perhaps without even realising it. Some businesses were only applying security updates to the specific devices being tested during the audit, rather than across all their systems. That approach will no longer work. If you fail the initial test, a retest will now include a fresh random sample of devices, not just the ones you already fixed.

Why This Matters for Your Business

Cyber Essentials is increasingly required for government contracts, supplier frameworks and cyber insurance. Failing to certify, or failing an assessment because of gaps that could have been fixed in advance, can quickly become a commercial problem.

The good news is that none of this is complicated to address if you act early. A quick audit of your cloud tools and whether MFA is switched on across all of them is a solid starting point. If you are unsure whether your business is ready for the updated requirements, we can help. Get in touch. At Three Cherries, we take the gamble out of business technology.
