Danzell vs Willow: What Actually Changed in Cyber Essentials

Danzell v3.3 replaces Willow v3.2 from 27 April 2026. The five technical controls are identical. The scope rules, definitions, and authentication guidance are not. This is a side-by-side comparison of what moved.
I've been through both documents line by line. There are 16 changes between the two versions, and most are structural or wording tweaks that won't affect your assessment. Six change what you actually need to do. Those six are what this article covers.
If you want the full walkthrough of every change, read the Danzell changes guide. This article is the comparison table version for quick reference.
Three dates. That's it.
| Date | What happens |
|---|---|
| 27 April 2026 | Danzell mandatory for all new assessments. No choice. |
| 27 October 2026 | Last date to finish a CE assessment started under Willow before April |
| 27 January 2027 | Same grace period for CE Plus assessments |
If your renewal is after 27 April, you're on Danzell. If you started before April and haven't finished, you can complete under Willow within the grace window. Your next renewal will be Danzell regardless.
What the five controls look like under both versions
This table is the quick answer for anyone asking "do I need to change my technical setup?"
| Control | Willow v3.2 | Danzell v3.3 | Changed? |
|---|---|---|---|
| Firewalls | Default passwords changed, admin interfaces protected, inbound blocking, rules documented | Identical | No |
| Secure configuration | Device credentials, brute-force protection, unlocking PINs | Identical | No |
| Security update management | CVSS 7.0+ patched within 14 days, applies to all in-scope devices and cloud services | Identical | No |
| User access control | Least privilege, MFA where available, password rules (12 chars without MFA, 8 with) | Identical | No |
| Malware protection | Anti-malware plus application allowlisting option | Identical | No |
Five for five, no changes. If you passed Willow on the technical controls, you'll pass Danzell on the technical controls.
The 14-day patching window should have been this strict from the start. The rule existed under Willow but assessors had some discretion. Under Danzell, missing a CVSS 7.0+ patch beyond 14 days is expected to be an automatic fail. Same rule as before, but with a harder consequence for non-compliance.
Where Danzell actually differs
This is where it gets interesting for anyone preparing their assessment. Willow left terms undefined and scope boundaries soft, and Danzell tightened both.
| Area | Willow v3.2 | Danzell v3.3 | Impact |
|---|---|---|---|
| Cloud service definition | Used the term. Never defined it. | Defined: on-demand, scalable, shared infrastructure, internet-accessible, accessed via an account holding your data | Kills the "is it really a cloud service?" argument |
| MFA definition | Used throughout, undefined | "Two or more verification factors" | Assessors no longer interpret this individually |
| Scope definition | Undefined | "Networks, hardware, software assets, and cloud services included in the assessment" | Formal boundary where there was convention |
| Cloud exclusions | "These services must be in scope" (subsection) | Adds "Cloud services cannot be excluded from scope" (main overview) | Closes the subset exclusion workaround |
| Partial scope justification | Declare without explaining | Must justify exclusions to your assessor | New requirement |
| Inbound connections | Devices accepting connections from "untrusted" hosts | Drops "untrusted". Any internet-connected device. | Wider scope |
| Outbound connections | "User-initiated" outbound connections | Drops "user-initiated". Automated connections count. | Background syncs, update checks all in scope |
Two words got deleted, "untrusted" and "user-initiated," and both removals widen scope.
Under Willow, you could argue a connection was to a trusted host and therefore out of scope. Under Danzell, that argument no longer holds up. Similarly, automated outbound connections (scheduled syncs, background services, anything that phones home without someone clicking) now bring a device into scope.
I think the scope changes are the most significant thing in Danzell. Not because they're technically difficult, but because a lot of businesses had their scope descriptions wrong under Willow and didn't know it. Danzell just made that scope obligation explicit.
Authentication changes
| Area | Willow v3.2 | Danzell v3.3 | Impact |
|---|---|---|---|
| FIDO2/Passkeys | Not mentioned | Explicitly recognised as MFA. One FIDO2 key satisfies the requirement. | Removes ambiguity for organisations already using FIDO2 |
| Passwordless definition | "Factor other than knowledge." Examples: biometrics, physical devices, OTPs | Same concept. FIDO2 added first. "Physical devices" becomes "security keys or tokens" | Market shift reflected |
| Section order | Password first, then MFA, then passwordless | Passwordless first, then MFA, then password last | Signals NCSC direction of travel |
| Password rules | 12 chars without MFA, 8 chars with MFA, deny list, no forced expiry | Identical | No change |
| MFA factor types | Managed device, app on trusted device, physical token, known/trusted account | Identical | No change |
The FIDO2 change is long overdue and clears up a genuine grey area. Under Willow, assessors had to make a judgement call on whether a single FIDO2 key counted as two factors. The answer was always yes, but the standard didn't say so explicitly until now. If you're already using FIDO2 security keys, that's one less conversation during your assessment.
Everything else
| Area | Willow v3.2 | Danzell v3.3 |
|---|---|---|
| Backup guidance | Buried in "Further guidance" | Own standalone section, placed before scope rules. Still not a technical requirement. |
| Software development | Section called "Web applications" | Renamed "Software development". Broader scope. |
| Best practice reference | OWASP Application Security Verification Standard | UK Software Security Code of Practice |
| BYOD rules | User-owned devices accessing org data in scope | Identical |
| Home working rules | Corporate/BYOD devices in scope, ISP routers out | Identical |
Backups getting their own section is NCSC sending a signal, even though they're still not assessed as part of the certification. The fact they moved it says something about what comes next.
CE Plus: the enforcement change that isn't in v3.3
The requirements document itself doesn't describe CE Plus procedures. But IASME's Danzell webinar indicated changes that matter.
If your first internal vulnerability scan sample finds unpatched CVSS 7.0+ vulnerabilities older than 14 days, a second random sample gets triggered. The second sample uses the same number of devices but is drawn from different machines, with a maximum of three days' notice, and both samples must pass within a single 30-day remediation window. There is no third sample and no further remediation window.
The point is to catch organisations that patch the devices they expect to be tested and leave the rest. Under Willow, you could get lucky with one sample. Under Danzell, the second sample picks from the devices you weren't expecting. Patch everything or patch nothing, because patching just the visible devices will get caught.
The Danzell changes guide covers the full double sampling process.
What I've noticed changing in assessments
I've certified over 800 organisations across the life of this scheme. The shift from Willow to Danzell isn't the first time the requirements have been tightened, and it won't be the last. But I can tell you what's different about this one from an assessor's perspective.
Cloud services used to be the area where people negotiated. An organisation would list their scope, quietly leave off their project management tool or their CRM, and the assessor would have to decide whether to push back. Under Willow, the wording was soft enough that you could make a case for excluding things. Under Danzell, that conversation is over because cloud services cannot be excluded from scope under any circumstances. If you log in with business credentials and it holds your data, it's in.
The organisations I'm seeing struggle most are the ones that built their scope descriptions years ago and haven't revisited them. They passed under Willow because their scope was narrow enough. Danzell won't let them keep that narrow scope. I've had conversations with businesses that have 15 cloud services in use and only three on their scope document. That gap has to close before their next assessment.
The other thing I've noticed is MFA awareness has improved a lot. Two years ago, I'd find cloud services with MFA available but not turned on in most assessments. Now it's maybe one in five assessments that have this issue. The problem has moved from "we didn't know we needed it" to "we missed one service." That single missed service is still a fail under Danzell.
Patching is still the biggest problem across the board, and it's been the biggest problem for the entire time I've been doing this. Organisations that patch their laptops forget their firewall firmware. Organisations that patch their servers forget their phones. The 14-day rule hasn't changed, but double sampling means you can't just patch the devices you think we'll look at. I'll be picking the second sample from the devices you didn't expect.
The double sampling impact
Double sampling changes the maths for CE Plus in a way that's worth thinking through properly.
Under Willow, if the assessor sampled 20 devices out of your 200 and all 20 were patched, you passed. If you'd only patched those 20 and ignored the other 180, you might get away with it. Most organisations weren't doing this deliberately, but some had patching processes that only covered their most visible devices.
Under Danzell, that gamble doesn't work any more. If sample one finds a problem, sample two gets pulled from different devices. The assessor picks the devices, not you. You get a maximum of three days' notice, which isn't enough time to patch 180 neglected devices. And both samples have to pass within one 30-day window. That is not 30 days each, but 30 days total.
The practical impact is this: if you've got inconsistent patching across your estate, double sampling will find it. The first sample might get lucky and come back clean. The second one won't, because the assessor is targeting the devices that weren't in sample one.
I've seen this play out in CE Plus assessments already. An organisation patches their Windows devices religiously but hasn't updated their router firmware in eight months. Under Willow, the router might not be in the sample. Under Danzell, if it's in scope and the first sample flags anything, the second sample is drawn from the rest of the estate. That router is suddenly very exposed and likely to cause a failure.
The only defence against double sampling is genuine, consistent patching across every device in scope. No shortcuts and no "we'll get to those later." Every device, every 14 days, every critical and high-risk patch.
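The "getting lucky" arithmetic behind the double sampling section above and the CE Plus process described earlier, worked through as an added example (mine, not the article's or IASME's). It uses the article's figures of a 200-device estate and 20-device samples, and one simplifying assumption: the devices exposed by sample one can be fixed inside the remediation window, but three days' notice is not enough to patch the rest of the estate, so sample two meets those devices in their original state.

```python
from math import comb

# Added worked example, not from the article. Models the hypergeometric odds of
# a random sample containing no device with a CVSS 7.0+ vulnerability older than
# 14 days, and what double sampling does to those odds.


def p_clean_sample(estate: int, unpatched: int, sample: int) -> float:
    """Probability that `sample` devices drawn at random from `estate` contain
    none of the `unpatched` devices (every sampled device comes from the
    patched pool). comb() returns 0 when the patched pool is too small."""
    if not 0 <= unpatched <= estate or not 0 <= sample <= estate:
        raise ValueError("inconsistent estate figures")
    return comb(estate - unpatched, sample) / comb(estate, sample)


def p_pass_double_sampling(estate: int, unpatched: int, sample: int) -> float:
    """Pass probability under double sampling, assuming (as stated in the
    lead-in) that only the devices exposed by sample one get fixed before
    sample two is drawn from the other estate - sample machines."""
    if 2 * sample > estate:
        raise ValueError("estate too small for two disjoint samples")
    total = comb(estate, sample)
    p_pass = 0.0
    # k = number of unpatched devices that sample one happens to contain;
    # the lower bound handles estates where a clean sample is impossible
    for k in range(max(0, sample - (estate - unpatched)), min(sample, unpatched) + 1):
        p_k = comb(unpatched, k) * comb(estate - unpatched, sample - k) / total
        if k == 0:
            p_pass += p_k  # sample one clean: no second sample is triggered
        else:
            # sample two is drawn from the remaining devices, among which
            # unpatched - k are still carrying the overdue vulnerabilities
            p_pass += p_k * p_clean_sample(estate - sample, unpatched - k, sample)
    return p_pass


def compare(estate: int = 200, sample: int = 20, unpatched_counts=(0, 10, 40, 180)) -> dict:
    """Single-sample luck versus double-sampling pass probability per scenario.
    40 unpatched is the article's '80% of the estate patched' case."""
    return {
        u: (p_clean_sample(estate, u, sample), p_pass_double_sampling(estate, u, sample))
        for u in unpatched_counts
    }


if __name__ == "__main__":
    for u, (one, two) in compare().items():
        print(f"{u:3d} unpatched of 200: first sample clean {one:.3%}, "
              f"pass under double sampling {two:.3%}")
```

With 40 of 200 devices neglected, a clean first sample is under 1% likely, and double sampling only lifts the pass chance to a few percent; the only scenario that passes reliably is zero unpatched devices.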
Preparing for the switch
If your renewal is after 27 April 2026, work through this list before your assessment.
Audit your cloud services. Open your browser, check your saved passwords, look at your single sign-on dashboard if you have one. Every service you log into with business credentials that holds your data is in scope. Write them all down. The ones people forget: project management tools, file sharing services, accounting platforms, social media accounts managed with work email. If it fits the Danzell definition, it's in scope.
Check MFA on every cloud service. Every single one, including the obscure ones. If a service supports MFA and you haven't turned it on, that's an automatic fail under Danzell. Most MFA apps are free. There's no cost excuse for this one.
Verify your 14-day patching across the entire estate. Laptops, servers, tablets, phones, firewalls, and routers. Check firmware versions on all of them. If you've got devices that haven't been updated in months, start now. Don't wait for the assessment to find them.
Review your scope description. If you wrote it two years ago, it's probably wrong under Danzell. The removal of "untrusted" and "user-initiated" means devices you previously excluded might now be in scope. Automated background connections count. Connections to any internet host count, not just "untrusted" ones.
Check BYOD. If staff use personal phones for work email, the phones are in scope. They need screen locks, encryption, current security updates, and anti-malware where it's available. The only exceptions are phones used only for voice calls, texts, or MFA apps.
If you're going for CE Plus, patch everything. Double sampling is designed to catch inconsistency. If your patching only covers 80% of your estate, the other 20% is where the second sample will find problems. There's no way to predict which devices will be sampled. Patch them all.
What this means if you're renewing after April
If your technical controls already pass, the Danzell changes probably won't fail you. The controls are the same as before, so what might catch you out is scope.
Check these three things:
Cloud services. List every platform you log into with a business account that holds your data. Microsoft 365, Google Workspace, your CRM, your accounting software, your project management tool. Under Danzell, every cloud service you log into with business credentials is in scope by definition and cannot be excluded. MFA must be on for every one that supports it.
Social media. If your business manages a company page using a business email, the cloud service definition covers it. That means MFA on your LinkedIn, Facebook, and X accounts too. I'm not convinced IASME thought through how many businesses this catches, but it's in the definition.
Automated connections. Anything that connects to the internet without someone clicking, including background services, scheduled syncs, and software that checks for updates, now brings a device into scope. Systems you previously excluded as "not user-initiated" need reviewing.
For the full walkthrough of every change and what to do about each one, read the Danzell changes guide. For MFA specifics, see the MFA and cloud services guide. For patching requirements, see the 14-day patching guide.
Need help preparing for your Danzell assessment? Get in touch or request a quote, and you can reach us at [email protected] or +44 20 3026 2904.