Cyber Essentials changes 2026: what the move from Willow to Danzell means for you
By Glen Patrick, Head of Cyber Audit at CyberSmart
From 28 April 2026, significant changes to Cyber Essentials and Cyber Essentials Plus will come into effect, as IASME introduces the new Danzell question set to replace Willow.
These updates represent one of the most important shifts in the Cyber Essentials scheme in recent years - tightening requirements, reducing flexibility, and placing greater emphasis on real-world security.
In this guide, we explain:
- What’s changing in Cyber Essentials 2026
- How Cyber Essentials Plus audits are evolving
- What the move from Willow to Danzell means
- How to prepare for the new requirements
Why Cyber Essentials is changing in 2026
IASME updates Cyber Essentials annually to ensure the framework continues to reflect current cyber threats and best practices.
The April 2026 Cyber Essentials changes are designed to:
- Strengthen cyber resilience across UK organisations
- Improve consistency and reduce interpretation in assessments
- Prevent “last-minute fixes” or selective compliance
- Reinforce Cyber Essentials as a trusted supply chain standard
As discussed in our recent Ask the Auditors session, these changes aim to ensure organisations are genuinely secure - not just compliant on paper.
What is the difference between Willow and Danzell?
The transition from Willow to Danzell introduces stricter controls and removes much of the tolerance that previously existed in Cyber Essentials assessments.
1. Mandatory MFA across all cloud services
Under Danzell:
- Multi-factor authentication (MFA) must be enabled on all cloud services where available
- This includes SaaS platforms, business tools, and systems using single sign-on (SSO)
- Failure to implement MFA will result in an automatic fail
Previously, some MFA gaps could be tolerated. That is no longer the case.
2. Stricter Cyber Essentials scoping requirements
Cyber Essentials scope must now be:
- Clearly defined and justified
- Based on network boundaries (not departments or roles)
- Supported by detailed explanations for any exclusions
All internet-connected organisational devices must be included in scope unless explicitly justified.
3. Evidence must be explicit and verifiable
The new Danzell question set requires:
- Clear, documentable evidence
- Less reliance on assumed or theoretical controls
This reinforces Cyber Essentials as a verifiable security standard, not just a self-assessment exercise.
How Cyber Essentials Plus is changing in 2026
The most impactful changes affect Cyber Essentials Plus:
New vulnerability sampling process
Under the updated model:
- A random sample of devices is tested
- If vulnerabilities are found:
  - Organisations must remediate them
  - A second random sample is tested
- If vulnerabilities are found again:
  - The Cyber Essentials Plus audit may fail
  - The underlying Cyber Essentials certification may be invalidated
This replaces the previous model, where passing a single sample could still lead to certification.
What this means in practice:
- Organisations must be fully compliant before audit
- Vulnerabilities cannot be deferred
- Audit preparation must happen earlier
- The risk of failure increases if organisations are not ready
Cyber Essentials is now a “point-in-time” certification
Another key change in 2026 is the move to point-in-time compliance.
This means:
- Certification reflects your organisation’s security posture at that exact moment
- You must be compliant before and during certification
- There is minimal opportunity to fix issues after audit activity begins
How to prepare for Cyber Essentials 2026 changes
To succeed under the new requirements, organisations should:
1. Implement MFA everywhere
Ensure MFA is enabled across all cloud services where available.
2. Prioritise vulnerability management
Address high and critical vulnerabilities quickly and within the required timelines.
3. Review your Cyber Essentials scope
Ensure all relevant systems are included and exclusions are clearly justified.
4. Start audit preparation earlier
Do not wait until just before your Cyber Essentials Plus audit to begin remediation.
How CyberSmart supports Cyber Essentials and Cyber Essentials Plus
At CyberSmart, we’re already adapting our platform and processes to help organisations and partners succeed under the new Cyber Essentials framework.
A new, guided Cyber Essentials Plus experience
We’re developing a more structured journey that:
- Encourages earlier preparation
- Reduces uncertainty during audit
- Guides organisations step-by-step through the process
Improved audit readiness dashboards
We’re introducing enhanced visibility within the platform, including:
- Real-time vulnerability status
- Clear audit readiness indicators
- Actionable steps before booking an audit
Helping you achieve Cyber Essentials with confidence
Our focus is on helping organisations:
- Avoid last-minute surprises
- Reduce audit risk
- Achieve certification efficiently and confidently
Final thoughts: Cyber Essentials is evolving
The Cyber Essentials 2026 changes mark a significant step forward for the scheme.
While the requirements are stricter, they also increase the value and credibility of certification - particularly as Cyber Essentials continues to play a key role in supply chain security.
For organisations and partners, success will depend on one thing:
Being ready before the audit begins.
Learn more about the Cyber Essentials changes
For a deeper dive into the Willow to Danzell transition and what it means for you, revisit our Ask the Auditors webinar in the CyberSmart Community.
We’ll continue to share guidance, updates, and best practices to help you prepare for April 2026 and beyond.
