As an IASME-approved Certification Body for Cyber Essentials and Cyber Essentials Plus, Pera Prometheus has a duty to clear up the confusion surrounding scheme changes and ensure that the businesses we work with are always informed, prepared, and ahead of the curve. From the 27th of April 2026, all new Cyber Essentials assessments will be conducted under a revised question set named Danzell, representing some of the most significant updates to the scheme since its launch. Developed by the experts at the National Cyber Security Centre (NCSC) and managed through their official delivery partner IASME, Cyber Essentials remains the UK Government’s recommended minimum standard of cyber security for organisations of all sizes. If your business is part of the UK defence supply chain, or is working towards becoming part of it, these changes are not something you can afford to overlook. Here are the ten questions we are hearing most frequently from SMEs right now.
1. What exactly is changing with Cyber Essentials from April 2026?
The National Cyber Security Centre (NCSC) and IASME have updated the Cyber Essentials scheme to reflect the way modern businesses actually operate, particularly around cloud services, patching practices, and authentication. The new question set, called Danzell, replaces the existing Willow set. Any organisation opening a new assessment account from the 27th of April 2026 will need to complete the Danzell version. Organisations that already have an active Willow account will need to finalise their assessment by the 26th of October 2026. The changes tighten up some areas that have historically caused confusion or been inconsistently applied. For a full summary of what is changing, you can read our dedicated blog on what is changing and how it affects you.
2. What happens if we already have a Willow assessment in progress?
You have a transitional window. All existing Willow-based portal accounts must be finalised by the 26th of October 2026. If your organisation is undergoing a Cyber Essentials Plus audit linked to a Willow self-assessment, that Plus assessment must be completed by the 26th of January 2027. After that point, all assessments will be conducted exclusively under Danzell. If you are approaching renewal, it is worth planning ahead now rather than rushing to beat a deadline.
3. Why does Multi Factor Authentication now matter so much?
Under Danzell, Multi Factor Authentication (MFA) becomes a mandatory requirement for all cloud services where it is available, and failing to implement it will result in an automatic failure of the assessment. This applies regardless of whether MFA is free, included in a licence, or available as a paid option. If the feature exists and your organisation has not enabled it, you will not pass. For most businesses using Microsoft 365, Google Workspace, or similar platforms, enabling MFA is straightforward. However, if your staff are not currently using it, you will need to plan a rollout well before your next assessment date.
4. What is the new 14-day patching rule and why is it an automatic fail?
Two new questions in Danzell (A6.4 and A6.5) ask whether your organisation installs all high-risk or critical security updates for operating systems, firewall firmware, and applications within 14 days of release. Both are designated as automatic fail questions. This means that if you cannot demonstrate compliance with either of them, you will not achieve certification regardless of how well you perform elsewhere. This change is designed to address a well-known pattern where organisations delay applying critical patches, leaving systems exposed long after fixes are available. Enabling automatic updates is the simplest way for most SMEs to meet this requirement, though larger organisations with managed IT environments will need a documented process in place to demonstrate compliance.
5. How can Pera Prometheus help with achieving Cyber Essentials and Cyber Essentials Plus?
Pera Prometheus is an accredited Certification Body for both Cyber Essentials and Cyber Essentials Plus, which means we can take your organisation through the entire process from start to finish, under one roof. You do not need to engage a separate consultant for preparation and a separate body for certification. We handle both. The process begins with a readiness review, where we assess your current position against the Danzell requirements and identify any gaps that need to be addressed before a formal assessment opens. This stage alone saves many organisations considerable time and the cost of a failed first attempt. Once you are ready, we guide you through the self-assessment question set, ensuring your answers accurately reflect your environment and meet the scheme requirements. For Cyber Essentials Plus, our assessors then carry out the independent technical audit, testing your devices and configurations against what you declared. We work with SMEs of all sizes, including those with no dedicated IT function, and we are particularly experienced in supporting businesses operating in or entering the UK defence supply chain. Our approach is practical, straightforward, and designed to get you certified with confidence rather than confusion. To understand the full scope of what is changing ahead of April 2026, visit our Cyber Essentials changes overview page, or explore our broader Information and Cyber Security Frameworks service to see how certification fits into a wider security programme.
6. How has the scope changed and does it affect us?
The Danzell question set introduces greater transparency around what is and is not included in an assessment. Organisations will now be required to describe any areas of infrastructure excluded from scope, identify all legal entities covered by the certification, and provide company numbers and registered addresses for each. Additionally, cloud services can no longer be excluded from scope at all. A clearer definition of what constitutes a cloud service has also been added to remove any remaining ambiguity. If your organisation uses social media accounts, file sharing platforms, or online business tools, these are now explicitly in scope. For organisations with complex structures or multiple trading entities, this is an area worth reviewing carefully before opening an assessment.
7. Who actually needs Cyber Essentials if they are working with defence?
Any company holding or bidding for MOD contracts that involve handling official information or providing certain categories of goods and services may be required to hold a valid Cyber Essentials certificate. Beyond the contractual requirement, Cyber Essentials signals to primes and tier one contractors that your organisation takes baseline cyber hygiene seriously. Our team at Pera Prometheus works with defence SMEs across the supply chain to understand exactly where they sit and what level of certification applies.
8. What is the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a verified self-assessment. Your organisation answers a structured question set, a board level director signs the declaration, and a Certification Body reviews and validates your answers. Cyber Essentials Plus goes a step further. It includes an independent technical audit of your systems, carried out by an assessor who will test your devices, configurations, and controls for vulnerabilities. Cyber Essentials Plus is increasingly demanded for higher value contracts, contracts involving sensitive data, or where a prime contractor demands a greater level of assurance. As an approved Certification Body, Pera Prometheus can support you at both levels, which means your preparation and your certification are handled by the same experienced team with no handoff risk.
9. What does the Cyber Essentials Plus process actually look like?
Once an organisation completes its verified self-assessment, the Cyber Essentials Plus process can then begin with a technical audit. It is worth noting that Cyber Essentials Plus must be completed within 90 days of achieving Cyber Essentials. Our assessors will test a representative sample of your devices to verify that your configurations, software versions, MFA settings, and patching levels match your declared answers. Under the Danzell changes, if a sample fails on patching, a second random sample will also be tested to ensure the issue has been addressed across the full environment, not just the devices under scrutiny. Critically, your self-assessment must be finalised and must remain unchanged before Plus testing begins. You cannot adjust your answers based on what the audit reveals. Our team helps organisations prepare thoroughly before the audit takes place, which significantly reduces the likelihood of a failed or disrupted assessment.
10. What if our business is not yet certified? Can we still bid for defence contracts?
Yes, absolutely, but don’t see Cyber Essentials only as a hurdle to winning defence contracts. Cyber Essentials enables a business to protect itself from the majority of basic cyber threats, so it makes good business sense to do it. In many cases, you can begin a bid or tender process before achieving certification, but you will need to demonstrate a credible plan to achieve it by contract commencement, or a specified milestone. That said, leaving it late creates unnecessary risk. If your assessment fails, remediation takes time and a second submission may not be possible within a contract timeline. We regularly help SMEs who are new to defence procurement understand what is required and build a clear roadmap towards compliance. Our Governance, Risk and Compliance service is specifically designed to support businesses navigating this situation, and our team understands the contractual and commercial pressures that come.
Final Thoughts
If any of the above has raised questions about your current position or your upcoming assessment, we would be glad to help. Get in touch through our contact page and we will respond without any obligation. Whether you are renewing, certifying for the first time, or working towards your first defence contract, we are here to make the process as straightforward as possible.
Stay Safe, Stay Secure


