Each year, the Cyber Essentials scheme is revised to ensure it remains relevant to the current threat landscape. This blog provides a summary of what’s new for 2026. We also detail how this year’s changes to the scheme affect your Cyber Essentials/Cyber Essentials Plus certification project.
Cyber Essentials and Cyber Essentials Plus
What’s new in the 2026 update?
All new Cyber Essentials certifications from 27th April 2026 will be assessed according to v3.3 of the NCSC Requirements for IT infrastructure and must use the new Danzell Question Set. This replaces the Willow release.
The changes introduced by the 2026 update are relatively minor. However, there are changes to the marking criteria for Danzell’s questions relating to MFA (multifactor authentication) and cloud services (A7.14 to A7.17).
MFA is now mandatory for cloud services rather than just expected. Where a cloud service has MFA available and it’s not implemented, applicants will automatically fail. This applies regardless of whether MFA is free, bundled, relies on another service or is only available as a paid feature.
Cyber Essentials Requirements for Infrastructure version 3.3
Changes introduced by v3.3 of the Requirements for IT Infrastructure include:
Cloud services are in scope
Cloud services are defined for the first time and are explicitly in scope for Cyber Essentials certifications:
“A cloud service is an on-demand, scalable service, hosted on shared infrastructure, and accessible via the internet. For the purposes of Cyber Essentials a cloud service will be accessed via an account (which may be credentials issued by your organisation, or an email address used for business purposes), and will store or process data for your organisation. “If your organisation’s data or services are hosted on cloud services, these services must be in scope. Cloud services cannot be excluded from scope.”
Scoping criteria
The scoping requirements have been updated to clarify that all specified devices connected to the Internet are in scope. Where networks are excluded from scope, you “need to justify the reason for a partial scope to your assessor”.
The web application section has been renamed “Application development” and now refers to the government’s new Software Security Code of Practice.
Backups
Backups remain outside the five technical controls. However, v3.3 explicitly recommends appropriate backups and describes sensible precautions, such as keeping copies off the primary device and disconnecting removable media when it is not in use.
User access control
This section now places greater emphasis on MFA and authentication without passwords. This includes elements such as FIDO2 authenticators, biometrics, security keys or tokens, one-time codes, QR codes and push notifications.
The Danzell Question Set
The new question set, known as ‘Danzell’, is now available on the IASME website. If you need any help preparing for April’s changes to the scheme, please get in touch with one of our team.
Cyber Essentials Plus Test Specification
The new Cyber Essentials Plus Test Specification will be published soon. We’ll update this blog with more information when it is available.
0 Comments