Danzell updates: Cyber Essentials self-assessment question updates coming this April

From 27 April 2026, organisations seeking Cyber Essentials certification will be assessed against a new Danzell self-assessment question set, following additional changes approved by the NCSC. These updates build on the annual Cyber Essentials review and reflect findings from breach investigations and audit insights.

While the five core Cyber Essentials controls remain unchanged, the way organisations are assessed has become stricter and more transparent.

What’s Changed?

Stricter Auto-Fail Conditions

The new Danzell question set expands the number of controls that will result in an automatic failure if not met:

  • Multi-Factor Authentication (MFA) is now mandatory for all cloud services where it is available. Any absence of MFA will result in an automatic fail.
  • Patch management requirements have tightened further. Organisations must apply high-risk or critical security updates within 14 days of release for operating systems, applications, and network devices. Failure to do so will also result in an automatic fail.

These changes significantly reduce tolerance for delays or inconsistent security practices.

Greater Scope Transparency

Danzell now requires far more detail and clarity around certification scope:

  • Organisations will be required to provide detailed scope descriptions that will be visible on the certification platform.
  • Any out-of-scope areas must be justified, even though these explanations will not be made public.
  • Where multiple legal entities are included, individual certificates will be issued per entity, increasing transparency.

For organisations with complex or group structures, poor scoping is now a common failure point.

Tougher Cyber Essentials Plus (CE+) Assessments

The CE+ process has also been strengthened:

  • Assessors will conduct additional random sampling to confirm that patching is applied consistently across the environment, not just on previously non-compliant devices.
  • Once CE+ testing begins, organisations can no longer amend their Verified Self-Assessment (VSA) responses.

This makes early accuracy in Danzell submissions critical.

What This Means for Organisations

Cyber Essentials is no longer a “tick-box” exercise. Organisations should expect:

  • Higher likelihood of failure if MFA or patching is weak
  • More preparation effort to define and justify scope
  • Greater audit readiness expectations, especially for CE+
  • Less opportunity to correct mistakes once assessment begins

Preparation and consistency are now essential.

Written by Lekai Lee, Cyber Security Consultant at Arcanum Cyber Security and OxCyber Ambassador

Support from the OxCyber Community

As these new Danzell requirements make certification more rigorous, getting the right guidance is more important than ever. We are proud that the OxCyber community includes a number of accredited Cyber Essentials Certification Bodies.

If you are looking for support to navigate these changes, define your scope, or prepare for a CE+ audit, we encourage you to connect with the experts within our network. Our members are here to help you move beyond the “tick-box” exercise and build genuine resilience.