> series: cyber_essentials_demystified —— part: 08/10 —— update: danzell_v3.3 —— effective: 27_april_2026
The Danzell question set replaces Willow on 27 April 2026, introducing version 3.3 of the NCSC Requirements for IT Infrastructure. While the five core controls remain unchanged, the assessment criteria, marking rules, and certification process have been significantly tightened. This article consolidates every change into a single reference — the auto-fail criteria, the cloud scoping changes, the CE Plus process revisions, and the transition timelines.
Danzell introduces three categories of automatic failure — areas where non-compliance results in immediate assessment failure regardless of performance across all other controls. Previously, these areas were assessed as major non-compliances and organisations could still pass with up to two major non-compliances. That flexibility is gone.
| Auto-Fail | Requirement | Scope |
|---|---|---|
| MFA not enabled | MFA must be enabled for all users on all cloud services where MFA is available — whether free, bundled, paid, or via IdP. | Every cloud service in scope. Microsoft 365, Google Workspace, Xero, CRMs, password managers, remote access tools, social media — all in scope. |
| A6.4 — OS and firmware patching | All high-risk and critical security updates for operating systems, router firmware, and firewall firmware must be installed within 14 days of release. | Every in-scope device running an operating system. Every router and firewall in scope. |
| A6.5 — Application patching | All high-risk and critical security updates for applications, including associated files and browser extensions, must be installed within 14 days of release. | Every application on every in-scope device. Explicitly includes browser extensions. |
Danzell introduces a formal definition of cloud services for the first time. A cloud service is defined as an on-demand, scalable service hosted on shared infrastructure and accessible via the internet. Cloud services can no longer be excluded from scope without explicit justification and evidence of genuine segregation. If organisational data is stored or processed in a cloud service, that service is in scope.
This closes a loophole that some organisations used under previous versions to keep cloud platforms out of their assessment scope. Under Danzell, everything counts — Microsoft 365, Google Workspace, your CRM, HR systems, cloud storage, accounting software, project management tools, and business social media accounts. IASME maintains a reference list of cloud services and their MFA capability, though the list is not exhaustive and the onus is on the applicant.
The CE Plus assessment process has been revised under Danzell to address practices identified through IASME's ongoing audits — particularly selective patching, where organisations applied updates only to sampled devices rather than across the estate.
| Change | Impact |
|---|---|
| VSA must be finalised before CE+ begins | The verified self-assessment must be completed and locked before the CE Plus technical audit starts. Answers can no longer be changed based on what the CE+ audit finds. Your self-assessment is your declaration of your actual state. |
| Double sampling on retest | If the initial random device sample fails due to missing updates, remediation is required. The retest now covers both the original sample AND a new random sample. You cannot fix just the devices the assessor tested. |
| Second failure = revocation | A second failure during CE+ retesting results in revocation of the verified self-assessment certificate. You lose your CE as well as failing CE+. |
| Non-compliances block CE+ progression | Non-compliances can no longer be accepted in the CE self-assessment if you intend to proceed to CE+. You must resolve all non-compliances before the technical audit begins. |
The director declaration — the formal sign-off required from a board-level individual — now includes a commitment to maintain Cyber Essentials controls throughout the certification period. Certification is no longer a point-in-time exercise. The declaration makes the director personally accountable for ongoing compliance, not just assessment-day compliance. This aligns Cyber Essentials with the direction of travel in UK cyber regulation — continuous obligation, not periodic checkbox.
Danzell repositions backup guidance to a more prominent place in the Requirements for IT Infrastructure document. While backups are not assessed as a technical control, this repositioning signals that resilience and recovery may take on greater importance in future versions of the scheme. Organisations should ensure backup processes are documented and tested — not because Danzell requires it, but because the direction of travel is clear.
Web applications developed in-house are now more explicitly addressed. If your organisation develops web applications, the requirements around secure development practices, input validation, and protection against common vulnerabilities (including those in the OWASP Top 10) are more clearly stated. For organisations with bespoke web applications, a web application penetration test provides assurance that goes well beyond Cyber Essentials requirements.
Next week, we compare Cyber Essentials and Cyber Essentials Plus in detail — what the Plus assessment actually involves, when you need it, what it costs, and how to prepare for the technical audit. If you are deciding between the two levels, Part 9 will give you the information to make the right choice.
As an IASME-approved certification body, we help organisations transition from Willow to Danzell with confidence. Our <a href="/cyber-essentials/concierge">Concierge service</a> includes a gap analysis against the Danzell requirements, MFA audit, patching review, and full certification support. For ongoing security beyond the certificate, <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides continuous monitoring and compliance support.