Cyber Essentials v3.3: What the Danzell Update Changes and What You Need to Do

The Danzell question set replaces Willow for all CE and CE+ assessments from 27 April 2026. It aligns with version 3.3 of the Cyber Essentials Requirements for IT Infrastructure, which is the document that defines what your business must do to pass. Version 3.3 makes 16 changes to the requirements document. Most are structural or minor wording tweaks. Six of them change what you need to do, and this article covers each one. It also covers the CE+ double sampling process that has been indicated for Danzell, which is the biggest operational change for organisations going through CE+.
The same five technical controls still apply: firewalls, secure configuration, security update management, user access control, and malware protection. None of the five controls have been added to, removed, or rewritten. The firewall rules are the same, the malware protection rules are the same, and the password rules are the same. What v3.3 changes is how scope is defined, how cloud services fit in, and how passwordless authentication is recognised.
What is Danzell?
Danzell is the name of the new CE question set, named after a spring in the Malvern Hills. Question sets are the forms assessors use to evaluate whether your organisation meets the requirements. The underlying requirements document, version 3.3, is what actually defines the pass or fail criteria. Danzell replaces the Willow question set, which has been in use since April 2025.
Cloud services can no longer be excluded from scope
This is the biggest practical change in v3.3. The previous version said that cloud services hosting your data or services must be in scope. Version 3.3 adds one sentence that removes all ambiguity: "Cloud services cannot be excluded from scope."
Some organisations had been structuring their scope descriptions to put cloud services outside the assessment boundary. Depending on how the scope was worded, an assessor might have accepted that argument. That argument is now closed under the new wording.
Version 3.3 also adds a formal definition of what counts as a cloud service. A cloud service is defined as an on-demand, scalable service, hosted on shared infrastructure, and accessible via the internet. For CE purposes, a cloud service is one accessed via an account (which may be credentials issued by your organisation, or an email address used for business purposes) and which stores or processes data for your organisation.
That definition is deliberately broad in practice: Microsoft 365, Google Workspace, Dropbox, your accounting platform and your customer relationship management system all qualify. If you log in with an account and it holds your data, it fits the definition.
Social media accounts used for business purposes also fall within this definition. If your organisation manages a company page on a social media platform using a business email address, and that account stores or processes data for your organisation, the cloud service definition covers it. That means the MFA requirement for cloud services applies to social media accounts too.
What you need to do
Audit every cloud service your organisation uses. Include the ones people forget: project management tools, file sharing platforms, social media accounts managed with business credentials. If a service fits the v3.3 definition, it is in scope and you need to be able to demonstrate that every CE control is met for that service.
Scope criteria got broader
Version 3.2 said the requirements apply to devices that "can accept incoming network connections from untrusted internet-connected hosts" and "can establish user-initiated outbound connections to devices via the internet."
Version 3.3 removes two words. Both "untrusted" and "user-initiated" have been removed.
The scope now covers devices that can accept incoming connections from internet-connected devices and can establish outbound connections to devices via the internet. The removal of "untrusted" means you can no longer argue that a connection is to a "trusted" host and therefore out of scope. The removal of "user-initiated" means automated outbound connections (background services, scheduled syncs, update checks) bring a device into scope too.
Version 3.3 also adds a new rule: where parts of your infrastructure have been excluded from scope, you must justify the reason for a partial scope to your assessor. Under v3.2, you could declare a partial scope without explaining why. That approach has now changed under v3.3.
What you need to do
Review your current scope description carefully before renewal. If you excluded anything by arguing it only connected to "trusted" hosts, that justification no longer holds. If you have devices making automated outbound connections that you previously excluded as "not user-initiated", every one of them is now in scope. If you are using a partial scope, prepare a documented justification for your assessor.
Passkeys and FIDO2 are now formally recognised
Version 3.3 adds a significant new entry to the passwordless authentication section. Passkeys are defined as "passwordless login technology based on public-key cryptography used to securely authenticate a user." FIDO2 (Fast Identity Online 2) authenticators are included as a type of passkey.
The important detail is this sentence: "FIDO2 authenticators are regarded as MFA because user authentication is performed." That means a single FIDO2 security key satisfies the MFA requirement on its own, without needing a separate second factor. If your organisation has already rolled out FIDO2 keys or passkeys, you are already meeting the MFA requirement for the services where you use them.
The passwordless authentication section is also now presented first in the User Access Control section, before MFA and before password-based authentication. That ordering signals a clear preference for passwordless approaches as the direction of travel.
The full list of recognised passwordless methods in v3.3 is:
- Passkeys (including FIDO2 authenticators)
- Biometric authentication (fingerprints, facial recognition)
- Security keys or tokens (USB security keys, smart cards)
- Push notifications (approve or deny prompts on a smartphone)
- One-time codes (sent via email, SMS, or a mobile app)
What you need to do
If you are already using FIDO2 security keys or passkeys, document this in your assessment. You can reference them as satisfying the MFA requirement. If you are not using them, nothing changes for your current assessment. Password-based authentication with MFA remains a valid approach.
MFA on cloud services is mandatory
The v3.3 requirements state: "implement MFA, where available" and then add a specific clause that "authentication to cloud services must always use MFA."
This is not new wording. The same text appeared in v3.2 word for word. But with cloud services now firmly locked into scope (and the definition clarified), the practical effect is wider. Services that some organisations previously placed outside their scope boundary are now inside it and need MFA.
The "where available" qualifier still applies to non-cloud services. If a cloud service genuinely does not offer MFA in any form, you need to declare that during the assessment. But any well-known platform (Microsoft 365, Google Workspace, Amazon Web Services, and similar) supports MFA, and claiming otherwise will not be accepted.
It has been indicated that failing to enable MFA on cloud services where it is available may be treated as an automatic failure under the Danzell question set, with no assessor discretion. Treat MFA on all cloud services as a hard requirement regardless.
What you need to do
Check every cloud service in scope and confirm MFA is enabled, paying particular attention to services where MFA might be available but not turned on by default. Social media accounts managed with business credentials fall under this rule too. If a service truly does not support MFA, document that fact and declare it during your assessment.
Backing up data gets its own section
In v3.2, backup guidance was a minor note inside broader guidance content, but version 3.3 gives it a dedicated standalone section placed prominently before the scope rules. That signals how seriously the National Cyber Security Centre (NCSC) views data backup.
The first sentence makes the status clear: "Backing up your data is not a technical requirement of Cyber Essentials." It then says: "However, we highly recommend implementing an appropriate backup solution."
This is not a new requirement and backups are still not something you will be assessed on, but the elevation to a standalone section sends a clear message. The language around automatic backups has also become slightly more cautious. Version 3.2 said "you can also turn on automatic backup." Version 3.3 says "if automatic backups are available, you should consider turning them on."
What you need to do
Nothing, for assessment purposes. Backups are highly recommended but not a technical requirement. If you don't have a backup solution, this is a good prompt to put one in place.
Software development replaces web applications
The scope section previously had a subsection called "Web applications." Version 3.3 renames it to "Software development." The content is largely the same: publicly available commercial web applications are in scope by default, and bespoke or custom components are out of scope.
The notable change is the reference at the end. Version 3.2 pointed to the Open Web Application Security Project (OWASP) Application Security Verification Standard. Version 3.3 replaces that with the Software Security Code of Practice, the UK government's code of practice for software security. This reflects current UK government policy direction.
What you need to do
If your organisation develops software, review the Software Security Code of Practice. If you were previously referencing the OWASP standard in your development processes, that approach is still valid, but the official recommendation now points to the UK government code instead.
What changes for Cyber Essentials Plus
The v3.3 requirements document does not describe CE+ assessment procedures. But the IASME webinar on the Danzell transition indicated several important changes to how CE+ assessments will work from 27 April. These should be treated as expected rather than confirmed until they appear in the question set or assessor marking guide.
14-day patching is now an automatic failure (A6.4 and A6.5)
The Danzell question set introduces two new auto-fail questions for patching:
- A6.4: Are all high-risk or critical security updates and vulnerability fixes for operating systems and router/firewall firmware installed within 14 days of release?
- A6.5: Are all high-risk or critical security updates and vulnerability fixes for applications, including any associated files and extensions, installed within 14 days of release?
Answering "no" to either question results in an automatic failure of the assessment, regardless of how well you perform across all other controls. There is no assessor discretion. Under Willow, an assessor might have recorded a non-compliance. Under Danzell, the assessment fails outright.
The 14-day rule itself hasn't changed and has been a CE requirement for over a decade. What changed is the enforcement: it's now a hard auto-fail, not a judgment call.
The rule applies to all in-scope devices: servers, desktops, laptops, tablets, phones, firewalls, routers, and cloud services. The scope is wide and covers every device type. Firmware updates on firewalls and routers are the ones that tend to be forgotten for months. If you're running a patching cycle longer than 14 days for critical and high-risk fixes (those with a Common Vulnerability Scoring System version 3 base score of 7 or above), tighten it before your next assessment. Net Sec Group offers a patching service that handles this for you, or our Cyber365 managed service covers patching alongside CE and CE+ certification at £18 per endpoint per month.
MFA on cloud services is now an automatic failure
Failing to enable MFA on cloud services where MFA is available will also result in an automatic failure under Danzell. This applies to all cloud services in scope, including social media accounts managed with business credentials. There is no assessor discretion on this either.
Double sampling for internal vulnerability scans
This is the most operationally significant change for CE+ clients. If the first internal vulnerability scan sample finds unpatched critical or high-risk vulnerabilities older than 14 days, a second sample is triggered. The process works as follows:
- First sample fails: the assessor identifies unpatched CVSS 7+ vulnerabilities older than 14 days in the initial internal vulnerability scan sample.
- Second sample is taken: a second random sample of the same size as the first is selected. The assessor selects this sample, not the client. The client receives a maximum of 3 days notice before the second sample scan.
- Both samples must pass within 30 days: there is only one 30-day remediation window. The second sample does not get its own 30-day period. The client must remediate vulnerabilities in both the first and second samples within that single window.
- If the second sample also has vulnerabilities, the assessment fails: whether the same vulnerabilities or different ones appear in the second sample, the result is a failure. There is no partial pass and no third sample.
- Double sampling applies only to internal vulnerability scans: it does not apply to other CE+ tests such as external vulnerability scans, authenticated scans, or MFA verification.
- Sample sizes are minimums: assessors can sample more devices than the minimum threshold if warranted.
The purpose of double sampling is to test whether the organisation is applying 14-day patching across its entire estate, not just on the devices it expected to be sampled.
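To make the 14-day rule and the double sampling flow concrete, here is an added Python example. It is not code from the article, IASME or the NCSC. It checks a constructed vulnerability scan export against the rule for CVSS v3 base scores of 7.0 or above, then simulates the sampling flow described above: a first sample, a second sample of the same size drawn by the assessor from devices not yet sampled, and an outright failure if the second sample also shows overdue findings. Device names, dates and the CVE-style identifiers are constructed placeholders, the sample sizes are illustrative, and the `pick` parameter stands in for the assessor's random selection. Treating a fix released exactly 14 days before the scan as still inside the window is an assumption of this example, not a statement from the requirements document.

```python
"""
Check a vulnerability scan export against the CE 14-day patching rule and
simulate the Danzell CE+ double sampling process. Added example; all data
below is constructed and the CVE identifiers are placeholders.
"""
from dataclasses import dataclass
from datetime import date
import random

PATCH_WINDOW_DAYS = 14   # critical/high fixes must be installed within 14 days of release
HIGH_RISK_CVSS = 7.0     # CVSS v3 base score 7.0 or above counts as high or critical


@dataclass(frozen=True)
class Finding:
    device: str
    cve: str            # placeholder, not a real identifier
    cvss_v3: float
    fix_released: date  # vendor release date of the fix


def overdue_findings(findings, scan_date):
    """Findings that breach the rule: CVSS v3 >= 7.0 and the fix is more than 14 days old.

    Assumption: a fix released exactly 14 days ago is still inside the window; day 15 is a breach.
    """
    return [
        f for f in findings
        if f.cvss_v3 >= HIGH_RISK_CVSS
        and (scan_date - f.fix_released).days > PATCH_WINDOW_DAYS
    ]


def devices_failing(findings, scan_date):
    """Set of device names carrying at least one overdue high-risk finding."""
    return {f.device for f in overdue_findings(findings, scan_date)}


def double_sample(estate, findings, sample_size, scan_date, pick=random.sample):
    """Simulate Danzell double sampling for the internal vulnerability scan.

    pick(population, k) chooses the sample; the default is random, as the assessor
    does it. Verdicts:
      pass       - first sample clean
      remediate  - first sample failed, second clean; everything in both samples
                   still has to be fixed inside the single 30-day window
      fail       - second sample also had overdue findings; no third sample
    """
    failing = devices_failing(findings, scan_date)
    estate = sorted(estate)
    first = set(pick(estate, sample_size))
    if not first & failing:
        return {"first": first, "second": None, "verdict": "pass"}
    # Second sample: same size, drawn from devices the first sample did not cover
    remaining = [d for d in estate if d not in first]
    second = set(pick(remaining, min(sample_size, len(remaining))))
    verdict = "fail" if second & failing else "remediate"
    return {"first": first, "second": second, "verdict": verdict}


# --- constructed sample data (not a real scan) -------------------------------
SCAN_DATE = date(2026, 5, 11)
ESTATE = [f"ws-{i:02d}" for i in range(1, 11)] + ["fw-01", "srv-01"]
FINDINGS = [
    # OS / firmware fixes (the A6.4 question)
    Finding("fw-01", "CVE-XXXX-0001", 9.8, date(2026, 4, 1)),   # firmware, 40 days old: breach
    Finding("ws-03", "CVE-XXXX-0002", 7.5, date(2026, 4, 27)),  # exactly 14 days: still in window
    Finding("ws-07", "CVE-XXXX-0003", 8.1, date(2026, 4, 26)),  # 15 days: breach
    # Application fixes (the A6.5 question)
    Finding("ws-02", "CVE-XXXX-0004", 5.3, date(2026, 3, 1)),   # medium severity: outside the rule
    Finding("srv-01", "CVE-XXXX-0005", 7.0, date(2026, 5, 9)),  # 2 days old: in window
]

if __name__ == "__main__":
    for f in overdue_findings(FINDINGS, SCAN_DATE):
        print(f"OVERDUE {f.device} {f.cve} CVSS {f.cvss_v3} released {f.fix_released}")
    print(double_sample(ESTATE, FINDINGS, 3, SCAN_DATE, pick=random.Random(1).sample))
```

Run against your own scanner's export (mapped into `Finding` records) before the assessor does: the point of the second sample is that it is drawn from the devices the first one missed, so only a clean result across the whole `ESTATE` list is safe.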
No non-compliances expected
It has been indicated that CE+ assessments are expected to show zero non-compliances. This was described as having always been the intended expectation, but it was previously undocumented. Under Danzell, it is expected to be made explicit.
The Verified Self-Assessment must be completed before CE+ testing
The Verified Self-Assessment (VSA) must be completed before CE+ testing begins, and answers in the VSA cannot be altered after CE+ has taken place. The CE+ assessment is an audit of the answers given in the VSA. If the VSA says your patching is within 14 days and the CE+ scan finds otherwise, that is a failure.
Failed CE+ may lead to VSA revocation
If the second sample shows that 14-day patching is not being applied across the scope, this will result in revocation of the Verified Self-Assessment. The legal process for revocation is complex, but the principle has been stated.
What you need to do for CE+
Make sure your patching is consistent across your entire estate. Double sampling targets exactly this: organisations that patch visible devices and neglect the rest. If you have 200 devices in scope and your first sample of 20 turns up a missed patch, the second sample of 20 will be drawn from the remaining 180. You won't know which 20 until the assessor arrives.
Complete your VSA accurately and before your CE+ test date. If anything in the VSA is wrong, fix it before testing starts.
If patching across a large estate is difficult to manage manually, a managed service can help. Net Sec Group's Cyber365 service includes vulnerability scanning, patching, and endpoint detection alongside CE and CE+ certification. For a detailed look at why CE Plus is worth pursuing over basic CE, the business case for CE Plus under Danzell covers the practical benefits.
What did not change
It is worth being clear about what stayed the same between v3.2 and v3.3, because some of these have been reported elsewhere as changes.
Firewall rules: every firewall requirement is identical between v3.2 and v3.3. Default password changes, admin interface protection, inbound connection blocking, rule documentation, all carried over unchanged.
Secure configuration: all rules are identical between versions. Device unlocking credentials, brute-force protection, PIN and password minimums for device unlock. No changes.
Security update management (the 14-day rule): the requirement to apply critical and high-risk patches (those with a Common Vulnerability Scoring System version 3 base score of 7 or above) within 14 days of vendor release is unchanged. The wording is identical. The scope is the same: servers, desktops, laptops, tablets, phones, firewalls, routers, and cloud services. The note that bundled updates containing any critical fix must be applied within 14 days is also unchanged.
Password rules: the password requirements are identical. Brute-force protection, a minimum of 12 characters without MFA or 8 characters with a deny list, three random words guidance, no enforced expiry, no enforced complexity. None of this has changed.
MFA factor types: the four types of additional factor (a managed or enterprise device, an app on a trusted device, a physically separate token, a known or trusted account) are identical. The SMS guidance (not the most secure but better than nothing) is identical. The 8-character minimum for the password element of MFA is identical.
Bring your own device (BYOD) rules: user-owned devices accessing organisational data or services remain in scope, as they were in v3.2. The exceptions for devices used only for native voice, native text, or MFA applications remain the same.
Home and remote working rules: the same rules apply. Corporate or BYOD devices used for your organisation's business are in scope. Company-issued routers are in scope. All other routers are out of scope, meaning you need software firewall controls on user devices (following the updated segmentation assessment protocol).
What is expected to change in practice (but is not in v3.3)
Some changes have been indicated for how the Danzell question set will work in practice, even though they are not written into the v3.3 requirements document. These are worth knowing about, but they should be treated as expected rather than confirmed until you see them in the question set or the assessor marking guide.
Stricter enforcement: it has been indicated that both MFA on cloud services and the 14-day patching window will be treated as automatic failure criteria, removing assessor discretion. The v3.3 document states the requirements but does not describe enforcement levels. Treat both as hard pass-or-fail rules regardless.
Partial scope justification: while v3.3 does require justification for partial scope, it has been indicated that assessors will be expected to actively challenge scope descriptions and verify their accuracy. A new marking guide is expected to clarify the scope challenge process.
Legal entity declarations: it has been indicated that legal entities must be declared before or during the certification process, not added afterwards. The v3.3 document does not use the term "legal entities" but this is expected to be addressed in the question set.
Key dates
| Date | What happens |
|---|---|
| 27 April 2026 | Danzell becomes mandatory for all new CE assessments |
Existing certificates issued under Willow remain valid until their expiry date. Any new assessment started after 27 April 2026 will use the Danzell question set against the v3.3 requirements.
What to do before 27 April
Start with your scope before anything else. Map every cloud service, every device accessing work data, and every connection to the internet. The scope rules got broader, and the cloud services definition now has a formal boundary. Get your scope description right before you submit.
Check MFA on every cloud service in your environment. The definition of cloud service is now clear, and MFA on cloud services is mandatory. If any service supports MFA and you haven't enabled it, fix that now because most MFA apps are free to use and take minutes to deploy.
Review your patching process well before the transition date. The 14-day window for critical and high-risk fixes hasn't changed, but enforcement is expected to be stricter. If your patching cycle runs longer than 14 days, tighten it. Firmware updates on firewalls and routers are the ones that tend to be forgotten for months.
If you develop software, read the Software Security Code of Practice. The v3.3 requirements now point to it instead of the OWASP standard.
If you use a partial scope, prepare your justification. You will need to explain to your assessor why parts of your infrastructure are excluded.
For CE+ clients: make sure your patching is consistent across your entire estate, not just the devices you expect to be sampled. Double sampling is designed to catch inconsistency. The Danzell readiness checklist covers scope, MFA, and patching with the specific settings you need to evidence.
Check your renewal date against the certification timeline, because if your certificate expires after April, your next assessment will use Danzell. You can see our CE and CE+ assessment pricing on the website. Don't let a failed first attempt mean paying for a second assessment because you weren't prepared for the scope changes.
Get in touch if you want to talk through what the Danzell changes mean for your organisation. You can reach Net Sec Group at [email protected] or +44 20 3026 2904.