The cyber security landscape continues to evolve, and so does the UK’s baseline security standard. On 27 April 2026, the National Cyber Security Centre (NCSC) and IASME will introduce a major update to Cyber Essentials: Version 3.3, known as ‘Danzell’.
For many organisations, Cyber Essentials has often felt like a simple compliance task. The Danzell update changes that by placing more focus on demonstrated resilience rather than box‑ticking. At MASS, we see this as an important step in strengthening the UK’s supply chain, especially for organisations working in defence and other high‑security environments.
What’s changing?
The five core technical controls stay the same, but the new question set introduces clearer expectations and tighter requirements.
1. Mandatory MFA for all cloud services
Multi-Factor Authentication is now compulsory across all cloud services where it is available.
- Requirement: MFA must be enabled for every user.
- Outcome if not compliant: Any service offering MFA but not using it will result in an automatic failure – whether that’s email, admin portals, or everyday SaaS tools.
2. Greater transparency in scoping
Organisations must provide clearer, more detailed descriptions of what is in scope.
- No word limits: Scoping statements must fully describe the environment.
- Exclusions must be justified: Any excluded area requires evidence of proper segregation.
- Cloud services definition has been codified: Any cloud service that stores or processes business data must be in scope.
3. Tougher Cyber Essentials Plus (CE+) testing
The CE+ audit process has been reworked for more consistency.
- Random sampling: Assessors will select fresh device samples 3 working days prior in order to prevent selective preparation. If sample one is found to be non-compliant a second sample is selected to verify compliance across the organisation
How MASS can support you
As part of your CE and CE+ assessment MASS can support with the following. an NCSC‑approved IASME Certification Body, MASS brings deep experience from defence and high‑security sectors. We help organisations not only meet the standard but build stronger cyber resilience.
- Gap analysis: Identify potential points of concern before submitting.
- MFA & cloud review: Review your cloud services and ensure MFA is enforced everywhere.
- Vulnerability management support: Review the consistent 14‑day patching cycle requirement tailored your scope.
- Scoping guidance: Assist in developing a clear scope for complex environments.
Our view is simple: Danzell isn’t designed to make Cyber Essentials harder; it’s designed to make it meaningful. When your organisation displays the badge, it should reflect genuine security, not basic compliance.
Are you ready for the 27 April deadline?
Get in touch with our Cyber Security team for a readiness review or to plan your transition to the Danzell standard. The question set can be reviewed here if you want to get familiar before your assessment.
