
Cyber Essentials Is Changing on 27 April — What UK SMEs Need to Know

3 min read • Cyber Security • 2026-04-20

On 27 April 2026, the Cyber Essentials scheme updates to version 3.3. Any assessment account created on or after that date must follow the new requirements and use a new question set called Danzell, which replaces the outgoing Willow version.

IASME and the NCSC have positioned these as refinements rather than a major overhaul, but several specific changes have real teeth. If you have been coasting on last year's setup, the new rules around cloud services and authentication will catch you out.

What Is Actually Changing?

1. MFA Is Now an Automatic Fail Trigger

This is the most significant change for small businesses. Under Danzell, if a cloud service offers Multi-Factor Authentication (MFA) and you have not enabled it, your assessment will automatically fail. There is no grace period.

  • IP allowlisting is no longer accepted as a substitute for MFA.
  • This applies to all logins, including Microsoft 365, Google Workspace, CRM, and accounting software.

2. Formal Cloud Service Definitions

For the first time, v3.3 provides a strict definition for cloud services. If your data sits in a service hosted on shared infrastructure, it is in scope. You can no longer exclude tools just because they are managed by a third party.

3. Scoping Language Simplification

Terms like "untrusted" and "user-initiated" have been removed. The 2026 rules are simple: if a device can establish or accept an internet connection, it is in scope. Where you want to exclude a network segment, you need clear justification and evidence of proper segregation.

4. Passkeys and Passwordless Authentication

Version 3.3 explicitly recognises passkeys as the NCSC's preferred default. While not mandatory today, adopting FIDO2 authenticators and biometrics now will future-proof your business against future tightening of the scheme.

Preparation Checklist

  • Cloud Inventory: Audit every tool staff log into, including apps used outside main IT oversight.
  • BYOD Policy: Personal devices accessing business data are in scope unless used only for calls and MFA.
  • Backup Strategy: Ensure copies are kept off the primary device and removable media is disconnected when idle.
  • Segregation Evidence: Prepare documented proof of network segregation if you plan to exclude any segments.

Why This Matters Beyond Compliance

Cyber Essentials is often mandatory for government contracts, but it also triggers free cyber liability insurance up to £25,000 for UK firms with a turnover under £20 million. Certification helps address the most common route into small business systems: credential theft.

Frequently Asked Questions

When do changes take effect?
Accounts created on or after 27 April 2026 follow v3.3. Older accounts have 6 months to finish under Willow.

What is the Danzell question set?
It is the 2026 questionnaire replacing the Willow set used since April 2025.

Is IP allowlisting still okay?
No. It has been removed as an accepted MFA method under the 2026 update.

Prepare for Certification

Not sure where you stand? Use our free email security checker to verify your configuration, or book a consultation to review your scope before the April deadline.
