As part of the periodic review process, key changes are coming to Cyber Essentials (CE / VSA) and Cyber Essentials Plus (CE+) certification in April 2026.
Cyber security threats evolve constantly. The NCSC and IASME regularly review real-world incidents, assessment data and emerging risks to ensure Cyber Essentials remains effective and relevant. The new “Danzell” question set replaces today’s “Willow” version for all new certifications from 27 April 2026.
Any organisation that is undergoing an assessment using the current Willow question set (ordered prior to 27 April) will have 6 months to complete certification under those previous requirements.
Any certification not completed in that time will need to be reordered using the new Danzell application.
Overall, there will be stricter marking criteria and moderation of each submitted application. Failure to meet these stricter standards will result in an automatic failure of the assessment.
The scope is arguably one of the most important parts of the assessment process, as it defines which parts of your organisation are in scope for Cyber Essentials.
The following changes will look to improve the scoping sections:
After much discussion of its benefits in protecting systems, users and their identities, multi-factor authentication (MFA) will become a mandatory requirement for ALL cloud services. If MFA is available within your cloud service, it MUST be enabled for all users, not just your admins.
MFA plays a critical role in modern security, and this change highlights the importance of having strong authentication mechanisms in place.
If MFA is NOT implemented across the entire scope of the assessment, the application will receive an automatic failure.
Two new questions are being introduced to assess compliance with prompt security updates. These questions are intended to ensure that security updates for Critical and High vulnerabilities in all operating systems and applications are applied within 14 days of release.
Yes, this means network devices, servers, PCs, Linux, Mac, firewalls, routers etc., and not just Windows-based devices.
Any evidence of non-compliance in security update management will now result in automatic failure of the assessment.
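As an added illustration (not part of the original post or of the scheme's documentation), the Python below evaluates a constructed update inventory against the 14-day rule for Critical and High updates described above. Device names and update identifiers are placeholders, and the cut-off date is an assumption.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Rule discussed above: Critical/High security updates within 14 days of release.
PATCH_WINDOW_DAYS = 14
IN_SCOPE_SEVERITIES = {"critical", "high"}

@dataclass
class UpdateRecord:
    device: str
    update_id: str             # placeholder vendor identifier (constructed)
    severity: str
    released: date
    installed: Optional[date]  # None means the update is still pending

def deadline(rec: UpdateRecord) -> date:
    """Last day on which the update can be applied and still be compliant."""
    return rec.released + timedelta(days=PATCH_WINDOW_DAYS)

def days_overdue(rec: UpdateRecord, as_of: date) -> int:
    """Days past the deadline; a pending update is measured against as_of."""
    applied = rec.installed or as_of
    return max(0, (applied - deadline(rec)).days)

def assess(records, as_of: date) -> dict:
    """Report overdue Critical/High updates and pending ones still inside the window."""
    overdue, pending = [], []
    for rec in records:
        if rec.severity.lower() not in IN_SCOPE_SEVERITIES:
            continue  # lower severities are not subject to the 14-day rule
        late = days_overdue(rec, as_of)
        if late > 0:
            status = "pending" if rec.installed is None else "applied late"
            overdue.append((rec.device, rec.update_id, late, status))
        elif rec.installed is None:
            pending.append((rec.device, rec.update_id, (deadline(rec) - as_of).days))
    # Any overdue Critical/High update is evidence of non-compliance (automatic fail).
    return {"compliant": not overdue, "overdue": overdue, "pending_in_window": pending}

# Constructed sample inventory; dates chosen to exercise each outcome.
AS_OF = date(2026, 5, 15)
SAMPLE = [
    UpdateRecord("fw-01", "UPD-0001", "Critical", date(2026, 4, 20), date(2026, 4, 30)),
    UpdateRecord("srv-db-01", "UPD-0002", "High", date(2026, 4, 10), date(2026, 5, 1)),
    UpdateRecord("laptop-07", "UPD-0003", "Critical", date(2026, 4, 25), None),
    UpdateRecord("laptop-07", "UPD-0004", "Medium", date(2026, 3, 1), None),
    UpdateRecord("mac-02", "UPD-0005", "High", date(2026, 5, 10), None),
]
```

Calling `assess(SAMPLE, AS_OF)` flags the late database server patch and the overdue pending laptop patch, while listing the Mac update that still has nine days left; replace `SAMPLE` with an export from your patch management tooling to produce the same report for real devices.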
The Cyber Essentials Plus audit will also see changes this April.
The core change is to support the Security Update Management section of the CE assessment, enhancing the level of testing and verification required for compliance.
If you state in the CE that all systems are updated within 14 days, but evidence is found during the initial CE+ sample testing that updates have not been applied, a second sample of different machines will need to be assessed once the updates are applied. This second sample will be chosen by the assessor and aims to prove that the updates are applied organisation-wide.
If the second sample fails, the CE+ will be marked as a fail and the Cyber Essentials (verified self-assessment) certification will be revoked.
In addition, once the CE+ certification process has begun, applicants will no longer be able to amend any aspect of the CE (VSA) certification. The CE certification must be completed, finalised and remain unchanged before CE+ testing starts.
Backups gain greater prominence in the documentation by being positioned earlier, to emphasise their criticality to recovery. You cannot attain cyber resilience without a robust backup and restoration process.
Always ensure that copies of backups are securely stored offline (away from the systems being backed up) and that restoration testing is performed periodically to ensure they work when you need them.
Evidence has shown in recent times that organisations are still not getting this right. When the chips are down and you are facing a significant cyber incident, could you confidently restore your systems quickly and effectively?
Questions have generally been improved by removing some ambiguous terms, to simplify both the questions and the scope criteria.
The cloud services definition has been updated to remove any ambiguity. Cloud services are a mandatory inclusion and cannot be excluded from the scope of the assessment.
Cloud services include any account on a cloud system used for business purposes, including social media accounts dedicated to business use. As a result, all business social media accounts MUST be configured to use MFA.
The User Access Control section now supports more secure alternative authentication methods such as passwordless authentication, passkeys and FIDO2 security keys. This is a positive move towards strong modern authentication.
You can review the Cyber Essentials Requirements for IT Infrastructure v3.3 here:
Cyber Essentials Requirements for IT Infrastructure v3.3
As a Certification Body for Cyber Essentials and IASME Cyber Assurance, Ironshare makes an ideal partner for cyber services, whether you’re at the very beginning of your cyber journey or just need to complete your annual renewal.
Contact us on the email below for more information or to get started:
cyberassurance@ironshare.co.uk
Stuart Hare is a Technologist with a passion for helping people in all aspects of IT & Cyber Security. Stuart is the Founder of Ironshare, an Information and Cyber Security company providing consultancy and managed services.
Samuel is a Security Analyst with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.
Joshua is working as a Managed Service Lead with Ironshare, an Information and Cyber Security company providing Security consultancy and managed services.