April 16, 2026

Cyber Essentials is a UK Government-backed scheme which is designed to help organisations improve their cyber security posture. The scheme focuses on five key areas of control:
1. Firewalls
2. Secure Configuration
3. User Access Control
4. Security Update Management
5. Malware Protection
The scheme comes in two forms: Cyber Essentials and Cyber Essentials Plus. Cyber Essentials is a self-assessment questionnaire with no technical audit to prove that the controls are in place. Cyber Essentials Plus is a technical audit of the answers declared in your Cyber Essentials self-assessment, giving assessors a hands-on review of your organisation's controls. To progress to the Cyber Essentials Plus assessment you must first pass the Cyber Essentials self-assessment.
In April 2026, the Cyber Essentials scheme will transition from the current 'Willow' question set to the new 'Danzell' question set. While the overall structure of the assessment remains unchanged, Danzell introduces several important updates to the scheme which will directly affect an organisation's ability to achieve compliance.
This article will provide a clear and digestible summary of the key differences between the Willow question set and the Danzell question set, providing insight into areas where organisations will be affected the most.
With the introduction of Danzell, the way organisations must scope their assessment becomes more granular. The scoping process remains recognisable from Willow, but the level of detail and evidence required increases significantly. The aim is to ensure that applicants present clear and accurate scope statements that identify the systems, networks, and services within the assessment boundary.
Organisations certifying their whole organisation will see little change to the process, because no sub-setting is needed (a sub-set being the part of the organisation's network segregated from the rest of the organisation by a firewall or VLAN). Organisations certifying only part of the organisation, however, must provide more evidence and information about how the sub-set is created: a description of how sub-setting is achieved, together with a list of the equipment used to achieve it. Under Danzell, organisations must clearly evidence that any sub-set provides effective and enforceable segregation. Software-based controls may be challenged if they do not provide segregation equivalent to firewall or VLAN-based controls. Applicants are required to list the hypervisors, VLANs, firewalls, and any other relevant equipment or controls used to create sub-sets.
Danzell adds a question on the legal entities covered by the assessment. Organisations must identify every legal entity covered, and a board-level employee or representative must have the authority to sign off the assessment on behalf of all of them. Legal entities cannot be added after the assessment has been completed; all entities must be declared within the assessment.
Danzell also requires organisations to declare where their in-scope networks are located. Applicants must specify the physical locations of in-scope networks and systems and confirm any additional sites that use the declared in-scope networks. This reduces the risk of omitting, for example, branch offices, warehouses, or remote locations that can access organisational data.
Together, these scoping changes ensure that the scoping process is accurate, with clear network boundaries identified and robust controls in place for any required sub-setting. Organisations will benefit, as the process forces the applicant to understand how their network is segmented.
For subset scoping guidance, please visit the Cyber Essentials Knowledge Hub
Under Danzell, the 14-day patching window becomes stricter. Any failure to install critical or high-risk security updates within the 14-day window required by Cyber Essentials will now result in an automatic failure of the whole assessment. This is a significant shift from Willow, where a missed update was marked as a non-conformity and organisations undergoing the Cyber Essentials Plus assessment were given time to remediate their patching. The change removes the previous flexibility around patching systems and applications and places a strong emphasis on proactive patch management.
If your organisation does not use automatic updates, you must give a stronger justification of how updates are managed manually. If the assessor is not satisfied that your manual process meets the 14-day window, the assessment can be marked as an automatic failure.
These requirements apply to operating systems as well as applications. Any in-scope device running an unsupported operating system, or missing critical or high-risk security updates beyond the 14-day window, will now result in an automatic failure. Under Willow this was marked as a non-conformity, with organisations undergoing the Cyber Essentials Plus assessment given time to remediate. To remain compliant, organisations should keep all operating systems up to date and segregate any device running an unsupported operating system into a separate sub-set outside the scope of the assessment.
This change, while stricter, strengthens the Cyber Essentials scheme by ensuring that organisations address critical vulnerabilities in their applications and operating systems. Raising the bar for patch management encourages a stronger security posture and reduces the attack surface available to cybercriminals.
For security update management guidance, please visit the Cyber Essentials Knowledge Hub
Under the current Willow scheme, the absence of MFA on cloud user and cloud administrator accounts where it is available results in a non-conformity in the Cyber Essentials self-assessment. With the introduction of Danzell, this approach to MFA is changing.
Danzell requires MFA to be enabled on all cloud user and cloud administrator accounts wherever the service offers it, with no exceptions. If MFA is available on a cloud service but at an extra charge, the organisation is required to pay for it and implement it. Failure to implement MFA results in an automatic failure of the assessment. This change is tied to strengthened requirements around MFA and the declaration of cloud services.
Organisations must now list all cloud services used by the business, with no exceptions. A definition of what constitutes a cloud service is now provided to applicants.
Social media accounts such as X, Facebook, and LinkedIn must now be listed within the assessment. If a service is declared as not offering MFA, assessors may challenge that assertion; if MFA is found to be available on a service the applicant says does not offer it, the assessment is marked as an automatic failure.
This is a major shift in how organisations must approach MFA. What was treated as a corrective action under Willow is now a mandatory baseline for compliance under Danzell. These changes strengthen authentication across organisations, reducing the risk of account compromise and closing a common attack vector used by cybercriminals.
For MFA and cloud services guidance, please visit the Cyber Essentials Knowledge Hub
• Increased Granularity of Scope Declarations – Danzell requires more detailed scoping information, including clearer descriptions of network boundaries and evidential support for how sub-sets are created.
• Effective Sub-Setting Must be Evidenced – Organisations using partial scope must clearly demonstrate effective network segregation. Applicants must describe how sub-sets are implemented and list the controls in place, such as VLANs, hypervisors, firewalls, or equivalent technologies. Software-only controls may be challenged if they do not provide clear and enforceable separation.
• Legal Entity Declaration – All legal entities covered by the assessment must be explicitly listed. A board-level representative must be authorised to sign off on behalf of all entities, and additions cannot be made after submission.
• Physical Location Identification – Organisations must specify where in-scope networks and systems physically reside, including any additional sites that access in-scope data.
• Stricter 14 Day Patching Window – Any failure to install critical or high-risk security updates within 14 days results in an automatic assessment failure, removing the previous non-conformity allowance under Willow.
• Heightened Scrutiny for Manual Updates – Organisations not using automatic updates must justify their manual update process. If an assessor deems the process inadequate, this can lead to automatic failure.
• Unsupported Operating Systems Not Allowed – Any in-scope device running an unsupported operating system, or missing critical or high-risk security updates beyond the 14-day window, automatically fails the assessment, whereas under Willow it was treated as a non-conformity.
• Mandatory MFA – All cloud user and cloud admin accounts must have MFA enabled wherever it is available, even if this requires additional licensing costs. Failure to do so results in an automatic failure of the assessment.
• Full Cloud Service Declaration – All cloud services used by an organisation must be listed, including social media platforms such as LinkedIn, Facebook, and X.
• Verification of MFA Availability – If an applicant states that MFA is unavailable for a cloud service, the assessor will verify this. If MFA is available and not implemented, the assessment will fail automatically.
If you are planning to renew or certify soon, now is the time to act. Organisations whose assessments started before the Danzell transition will still be able to certify against the current Willow question set; all others will need to prepare for the stricter Danzell requirements.
If you would like to explore your options or get practical support navigating the changes and achieving certification with confidence, please get in touch with our team. We can help you assess readiness, reduce risk, and take a clear, proportionate approach to Cyber Essentials.