Cyber Essentials is Changing in April 2026: Is Your Organisation Ready?

Key Takeaways

  • The Danzell question set replaces the current Willow set from 27 April 2026 for all new accounts and assessments.
  • MFA for cloud services is no longer optional. If it is available and you have not enabled it, you will automatically fail.
  • Two new auto-fail questions require all critical and high-risk security updates to be installed within 14 days of release.
  • The board level declaration now includes a commitment to maintain compliance throughout the certification period, not just on the day of assessment.
  • CE Plus assessments have been tightened to close the loophole of selective patching during testing.
  • Transitional arrangements give existing Willow accounts until 26 October 2026 to finalise their submissions.

Cyber Essentials has always been more than a box-ticking exercise. For organisations working within the UK Defence supply chain, it is a baseline contractual requirement and one of the first things a procurement team will check before a contract is awarded. But the scheme is not static. From 27 April 2026, a new question set called Danzell comes into effect, bringing with it some of the most significant changes the scheme has seen in recent years. If you are due to renew your certification or are applying for the first time, this is something you will want to understand before the deadline arrives.

What Is Danzell and When Does It Apply?

Danzell is the updated question set that replaces the previous version, known as Willow. Any new account created on the IASME portal after 26 April 2026 will use Danzell. If you already have an active Willow account in progress, the transitional deadlines below apply:

Milestone                                          Deadline
All Willow portal accounts must be finalised       26 October 2026
Last date for a Willow-based CE Plus assessment    26 January 2027

The window is shorter than it sounds, particularly if your organisation needs time to implement the technical changes the new question set demands.

The Changes: What Has Actually Changed

1. MFA for Cloud Services Is Now Mandatory

What changed: Multi-factor authentication (MFA) is no longer simply encouraged for cloud services. It is now a mandatory requirement for every cloud service where MFA is available, whether that option is free, included in the licence, or requires a paid upgrade.

What this means in practice: If a cloud service supports MFA and your organisation has not enabled it for all users and administrators, the assessment will fail automatically. There is no partial credit. This applies to services such as Microsoft 365, Google Workspace, CRM platforms, project management tools, and any other service that stores or processes your organisational data over the internet. Business social media accounts are also classed as cloud services under the new definition and cannot be excluded from scope.

What you should do: Investigate every cloud service your organisation uses and confirm MFA is enabled for all accounts. If your current licences do not include MFA, check whether a paid tier is available. Not having it enabled will result in an automatic failure.

2. Two New Auto-Fail Questions on Security Update Management

What changed: Two new questions have been introduced that will result in an automatic failure if answered no, regardless of how well the rest of the assessment goes.

  • Question A6.4 – Are all high-risk or critical security updates and vulnerability fixes for operating systems and router and firewall firmware installed within 14 days of release?
  • Question A6.5 – Are all high-risk or critical security updates and vulnerability fixes for applications (including any associated files and extensions) installed within 14 days of release?

What this means in practice: If your organisation relies on ad-hoc or irregular patching, or runs maintenance windows that fall outside the 14-day window, you will not meet these requirements. This is a meaningful change for many SMEs where update management is handled manually or reactively.

What you should do: Review how updates are currently managed across your devices, applications, and network equipment. Where possible, enable automatic updates. Where manual processes are in place, document them clearly and ensure they can consistently meet the 14-day deadline.
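A simple way to rehearse questions A6.4 and A6.5 before an assessment is to run your own update inventory against the 14-day window. The script below is an added example, not code from the original article, from IASME, or from Pera Prometheus. It assumes a constructed inventory where each row records the asset, its class (operating system, router/firewall firmware, or application), the vendor's severity rating, the release date and the installation date (or none). The update identifiers are placeholders, and the mapping of asset class to question number follows the wording of A6.4 and A6.5 above.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Danzell A6.4 / A6.5: critical and high-risk updates must be installed within
# 14 days of release. Only those two severities are in scope for the auto-fail.
PATCH_WINDOW = timedelta(days=14)
IN_SCOPE_SEVERITIES = {"critical", "high"}

# Assumed mapping from asset class to question, based on the question wording:
# operating systems and router/firewall firmware fall under A6.4, applications
# (including associated files and extensions) under A6.5.
QUESTION_FOR_CLASS = {
    "os": "A6.4",
    "firmware": "A6.4",
    "application": "A6.5",
}


@dataclass
class UpdateRecord:
    asset: str                 # hostname or device label (constructed sample data)
    asset_class: str           # "os", "firmware" or "application"
    update_id: str             # vendor update identifier (placeholders below)
    severity: str              # vendor-assigned severity, lower-cased
    released: date             # date the vendor published the fix
    installed: Optional[date]  # None if not yet installed


def classify(rec: UpdateRecord, today: date) -> dict:
    """Return the compliance status of one update record against the 14-day window."""
    deadline = rec.released + PATCH_WINDOW
    if rec.severity not in IN_SCOPE_SEVERITIES:
        status = "out_of_scope"          # medium/low updates are not auto-fail items
    elif rec.installed is not None:
        # Installing on the deadline day itself still counts as within 14 days.
        status = "compliant" if rec.installed <= deadline else "late"
    elif today > deadline:
        status = "overdue"               # still missing and the window has closed
    else:
        status = "pending"               # still missing but time remains
    return {
        "asset": rec.asset,
        "question": QUESTION_FOR_CLASS[rec.asset_class],
        "update_id": rec.update_id,
        "status": status,
        "deadline": deadline,
        "days_left": (deadline - today).days,
    }


def assess(records, today: date) -> dict:
    """Classify every record and say whether A6.4 / A6.5 could currently be answered 'yes'."""
    rows = [classify(r, today) for r in records]
    failing = {"late", "overdue"}
    return {
        "rows": rows,
        "A6.4_pass": all(r["status"] not in failing for r in rows if r["question"] == "A6.4"),
        "A6.5_pass": all(r["status"] not in failing for r in rows if r["question"] == "A6.5"),
    }


# Constructed sample inventory; update identifiers are placeholders, not real advisories.
SAMPLE = [
    UpdateRecord("laptop-01", "os", "OS-UPDATE-PLACEHOLDER-1", "critical", date(2026, 5, 1), date(2026, 5, 10)),
    UpdateRecord("laptop-02", "os", "OS-UPDATE-PLACEHOLDER-1", "critical", date(2026, 5, 1), date(2026, 5, 20)),
    UpdateRecord("laptop-04", "os", "OS-UPDATE-PLACEHOLDER-1", "critical", date(2026, 5, 1), date(2026, 5, 15)),
    UpdateRecord("edge-router", "firmware", "FW-UPDATE-PLACEHOLDER-1", "high", date(2026, 5, 3), None),
    UpdateRecord("laptop-01", "application", "APP-UPDATE-PLACEHOLDER-1", "high", date(2026, 5, 12), None),
    UpdateRecord("laptop-03", "application", "APP-UPDATE-PLACEHOLDER-2", "low", date(2026, 4, 1), None),
]
SAMPLE_TODAY = date(2026, 5, 20)  # constructed "today" for the sample run


def sample_report() -> dict:
    """Run the assessment over the constructed inventory."""
    return assess(SAMPLE, SAMPLE_TODAY)


if __name__ == "__main__":
    report = sample_report()
    for row in report["rows"]:
        print(f"{row['question']} {row['asset']:<12} {row['update_id']:<26} "
              f"{row['status']:<12} deadline {row['deadline']} ({row['days_left']:+d} days)")
    print("A6.4 pass:", report["A6.4_pass"], "| A6.5 pass:", report["A6.5_pass"])
```

In the sample run, one laptop patched late and a router still missing a high-risk firmware fix after the deadline are enough to turn A6.4 into a "no", while the application update that is still inside its window leaves A6.5 passable for now. Feeding this kind of check from your real patch-management export each week is a cheap way to catch a slipped maintenance window before an assessor does.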

3. A Clearer Definition of Cloud Services

What changed: A formal definition of what counts as a cloud service has been added to the question set to remove ambiguity.

A cloud service is defined as an on-demand, scalable service hosted on shared infrastructure, accessible via the internet, accessed via an account, and used to store or process organisational data. Business social media accounts such as LinkedIn, Facebook, and X fall within this definition.

What this means in practice: Cloud services cannot be excluded from scope under any circumstances. If your organisation uses cloud services, they must be included in the assessment and MFA requirements apply to them.

4. Updated Scope Requirements

What changed: The way organisations describe and document their assessment scope has been updated in four ways.

  • Scope descriptions can now be as detailed as needed. There is no character limit, and the full description is visible through the digital certificate platform.
  • Any areas excluded from scope must be formally described. This information is not made public.
  • All legal entities included within the scope must be named with their registered company number and address. These details will be visible on the digital certificate.
  • Individual certificates can be requested for each legal entity at a small additional cost.

What this means in practice: For organisations with subsidiaries or multiple companies sharing a certification, this requires careful preparation before the assessment begins. Any legal entities not declared before certification is complete cannot be added afterwards.

5. Clarification of the “Point in Time” Assessment

What changed: The term “point in time” has been formally defined. The point of reference is the date on which the certificate is issued.

What this means in practice: All systems must be compliant and fully supported on the day the certificate is issued, not just at the point of submission. If a piece of software becomes unsupported or a vulnerability is discovered between submission and certification, that needs to be addressed before the certificate is released.

6. Passwordless Authentication Is Now Formally Recognised

What changed: Passwordless authentication methods, such as biometric login or hardware security keys, are now formally recognised within the question set and are actively encouraged as a more secure alternative to traditional passwords.

What this means in practice: If your organisation already uses passwordless authentication or is considering it, this is now an accepted and supported approach within the Cyber Essentials framework.

7. Updated Board Level Declaration

What changed: The declaration signed by a board member or director as part of the verified self-assessment now includes an explicit statement acknowledging the organisation’s responsibility to maintain compliance throughout the entire certification period.

What this means in practice: Achieving the certificate is not the end of the obligation. The signatory is formally committing to ongoing compliance, not just compliance on the day of assessment. This is an important shift in accountability that directors and business owners should be aware of before signing.

Changes to Cyber Essentials Plus (CE Plus)

CE Plus is the independently assessed version of Cyber Essentials, where an external assessor verifies the claims made in the self-assessment. Danzell introduces two significant changes here:

  • Tighter Retesting for Update Management

If a random sample of devices fails the update management test during a CE Plus assessment, the organisation must remediate and undergo a retest. Under Danzell, that retest will check both the original sample and a brand new random sample. This is designed to prevent organisations from patching only the devices under examination rather than their full environment. A second failure results in revocation of the verified self-assessment certificate.

  • Self-Assessment Must Be Finalised Before Testing Begins

Organisations can no longer adjust their self-assessment responses after CE Plus testing has started. The submission must be completed, finalised, and locked before the assessor begins. This closes a previous grey area and ensures the assessment reflects the organisation’s genuine security posture.

What This Means If You Are in the Defence Supply Chain

For organisations working with or seeking to work with the Ministry of Defence, prime contractors, or other government-facing clients, Cyber Essentials is rarely optional. In many cases it is a prerequisite, and the Danzell changes raise the bar in ways that require practical action rather than paperwork. Enabling MFA, tightening update management processes, and ensuring your scope documentation is complete are not large-scale projects, but they do take time and they do require someone to take ownership.

Our team at Pera Prometheus works closely with Defence industry organisations of all sizes on exactly this kind of compliance challenge. Whether you are preparing for your first Cyber Essentials assessment or renewing ahead of a contract requirement, we can help you understand what the changes mean for your specific setup. You can explore our information and cyber security framework services or review how we approach governance, risk and compliance for organisations in your position.

If you have a specific question about your current certification status or want to understand how Danzell affects your renewal, the best place to start is our contact page; from there we can arrange a discovery call to identify the exact needs of your organisation.

The April deadline will come around quickly. The good news is that for most SMEs, the changes are manageable if they are addressed now.

Stay Safe, Stay Secure