It’s that time of year again: Cyber Essentials has received its annual refresh.
Each year, the scheme evolves in response to real-world threats and emerging trends identified by the NCSC and its delivery partner IASME. These updates ensure the standard remains relevant, practical, and aligned with today’s cybersecurity landscape.
The April 2026 update, named Danzell, introduces several important clarifications and enhancements. While many of the core principles remain unchanged, the expectations around implementation, scope definition, and validation have become clearer and, in some cases, stricter.
Cloud services
Cloud services have now been given a much more detailed definition. This removes ambiguity and reinforces the need for organisations to properly identify and document all cloud services in use. These services must now be fully considered when defining assessment scope.
“Means an on-demand, scalable service, hosted on shared infrastructure, and accessible via the internet. For the purposes of Cyber Essentials, a cloud service will be accessed via an account (which may be credentials issued by your organisation, or an email address used for business purposes), and will store or process data for your organisation.”
Bottom line: If it is accessed using a business account and holds business data, it must now be deliberately considered in your assessment.
Multi-factor Authentication
Multi-Factor Authentication (MFA) has been a requirement for several years. However, the way assessors mark this control has changed significantly. Where a cloud service supports an NCSC-approved MFA method, it must now be enabled. Failure to do so will result in an automatic failure. There is still a route to certification where a service genuinely does not support MFA in any capacity. However, given the direction of travel, it is reasonable to expect this flexibility may tighten in future updates.
Bottom line: If MFA is available – turn it on.
User Access Control
This section now more clearly integrates passwordless authentication as an approved authentication method. For those unfamiliar, passwordless authentication verifies identity without traditional username and password combinations. Examples include but are not limited to: FIDO2 authenticators, biometric data, security keys or tokens, one-time codes, QR codes, and push notifications.
This reflects a broader industry movement away from passwords, which remain one of the most commonly exploited weaknesses in cyber-attacks.
Scope Requirements
Scoping requirements have been improved; applicants will notice that Section A2 of the self-assessment question has been expanded to better capture the definition of what is and, importantly, what is not included in your assessment.
Previously, exclusions needed to be included within the publicly visible scope statement on your certificate. Organisations can now confidentially document exclusions within the assessment itself, improving clarity while reducing unnecessary public detail.
However, exclusions must now be clearly justified. Where networks are excluded from scope, applicants must explain:
- What parts of the infrastructure are excluded.
- Why they are excluded.
- How they are segregated from in-scope networks.
Definition of Devices in Scope
The longstanding wording for what constitutes a device being in scope has been refreshed.
Cyber Essentials requirements apply to all devices and software in scope that meet any of these conditions:
- Can accept incoming network connections from internet-connected devices.
- Can establish outbound connections to devices via the internet.
- Control the flow of data between any of the above devices and the internet.
Bottom line: If a device can send data to the internet, receive data from it, or control traffic between other systems and the internet, it is likely in scope.
CE+ Testing Logistics
Along with the hardening of the random device sampling requirements, a further change has been made to ensure applicants are adhering to the 14-day patch cycle. Going forward, internal scans will need to be carried out on two separate groups should the initial scans fail and detect missing patches. This reinforces that patching is being done estate-wide, not just on the devices sampled.
Other worthwhile mentions
While these aren’t currently represented as technical controls, they still serve as important activities and considerations for the Cyber Essentials audience and have been expanded upon within the suite of documents published with this year’s update.
Asset management – Effective asset management underpins all five Cyber Essentials controls. You cannot protect what you do not know exists. Without this visibility, compliance becomes guesswork.
Backups – Enable automatic backups where available, for greater data redundancy, should the worst happen. It is recommended to implement an appropriate backup solution where absent.
Conclusion
Fundamentally, the ongoing maintenance and incremental updates to Cyber Essentials demonstrate a clear commitment from its stakeholders to keep the scheme practical, relevant, and aligned with evolving threats.
The 2026 Danzell update does not radically change the scheme, but it does remove ambiguity, strengthen enforcement in key areas such as MFA and patching, and place greater emphasis on accurate scoping and asset visibility.
