Navigating the "Danzell" Update: Essential Changes to Cyber Essentials (April 2026)

In an era where cyber threats are evolving with unprecedented speed, the National Cyber Security Centre (NCSC) remains committed to keeping the UK's foundational security standard robust. On 27 April 2026, the new Danzell standard for Cyber Essentials (CE) will officially take effect.

For clients of Temple, these updates represent more than just a checklist change; they signify a shift toward deeper accountability and continuous compliance. Whether you are seeking initial certification or preparing for an annual renewal, here is a comprehensive breakdown of the Danzell update and what it means for your organisation.

1. The Cyber Essentials Verified Self-Assessment (VSA)

The Danzell update introduces "zero-tolerance" criteria for several core controls. Failing to meet these specific requirements will now result in an automatic failure of the entire assessment.

  • Non-Negotiable MFA: Multi-Factor Authentication (MFA) for cloud services is no longer optional or subject to "best effort" grading. If MFA is available for a service and not enabled, the VSA will fail immediately.

  • Stricter Patching (Questions A6.4 & A6.5): Two new questions specifically target the patching of routers and applications. Inadequate update management in these areas will now trigger an automatic failure.

  • Scope Clarity: New, granular questions have been added to help organizations with complex network boundaries. This ensures that "shadow IT" or unmanaged segments don't inadvertently create holes in your security perimeter.

  • Executive Accountability: A new declaration must be signed by a Board Member or Director. This move elevates cyber security from an "IT issue" to a fundamental corporate governance responsibility, acknowledging that compliance must be maintained 365 days a year, not just during the audit window.

2. Escalated Rigour for Cyber Essentials Plus

The "Plus" designation remains the gold standard for verified security, and the Danzell update closes loopholes that previously allowed for "quick fixes."

  • Expanded Sampling on Failure: Previously, if a device failed due to a missing patch, only that device was re-tested. Under Danzell, if a failure occurs, the assessor is required to test an entirely new, additional sample set. This ensures that patching is consistent across the infrastructure, rather than being "cleaned up" just for the auditor.

  • Locked VSA Responses: You can no longer "back-edit" your VSA after seeing the results of your Plus assessment. The VSA must be finalized and locked before Plus testing begins, demanding a higher level of accuracy and honesty from the outset.

3. Updated Infrastructure Requirements

The NCSC has released version 3.3 of the 'Requirements for IT Infrastructure' document. This version provides much-needed clarity on emerging technologies, ensuring that the standard remains applicable to modern hybrid work environments and advanced cloud integrations.

Key Transition Dates: Organizations that start their assessment using the previous question set before 27 April 2026 will have:

  • Six months from this date to complete their VSA.

  • An additional 90 days to complete their Cyber Essentials Plus testing.

Review the New Standards: You can preview the new question set and the updated Infrastructure Requirements document here:
IASME: Preview Self-Assessment Questions

Why This Matters for Quality Management

At Temple, we view Cyber Essentials not just as a technical badge, but as a critical component of your Integrated Management System (IMS).

The Danzell update aligns closely with the principles of ISO 9001 and ISO 27001 by emphasizing:

  • Evidence-based decision making.

  • Leadership commitment.

  • Continual improvement.

A failure in cyber security is a failure in quality. By adopting these stricter controls, you are protecting your intellectual property, ensuring operational continuity, and building trust with your stakeholders.

Preparing for Danzell: Next Steps

The final versions of the standard are still being refined by the assessment board. To ensure your organization isn't caught off guard, we recommend taking action now:

  1. Audit your MFA: Ensure every cloud-based account has MFA enabled—no exceptions.

  2. Review Patch Management: Verify that your routers and third-party applications are on a strict 14-day update cycle.

  3. Engage Leadership: Brief your board on the new signing requirements to ensure they understand their legal and operational responsibilities.

Ready to bridge the gap? Temple is here to guide you through this transition.

Our qualified security consultants can perform a comprehensive gap analysis to identify vulnerabilities before they become "automatic failures."
