Cyber Essentials Plus Certification for London Businesses

The 2026 Danzell update raises the bar. Mandatory MFA, cloud services in scope, and passkey support mean an environment that passed certification last year may not pass this year.

Key Requirements

Firewalls and Internet Gateways

Every device connected to the internet must be protected by a correctly configured firewall. Default credentials must be changed, unnecessary services disabled, and host-based firewalls enabled on all endpoints including remote worker devices.

Secure Configuration

All devices and software must be configured to reduce vulnerabilities. Remove unnecessary software, disable unused accounts, and change all default passwords. The Danzell update extends this to all cloud service configurations.

User Access Control

Access to data and services must be limited to what each user needs. Administrative accounts must be separate from day-to-day accounts. MFA is now mandatory across all user accounts with no exceptions — failure to implement MFA is an automatic certification failure under v3.3.

Malware Protection

All devices must run up-to-date anti-malware software or use an application allow-listing approach. Signatures must update automatically, and real-time scanning must be enabled. Endpoint detection and response (EDR) solutions satisfy this requirement and are increasingly expected.

Security Update Management

Critical and high-severity patches must be applied within 14 days of release. All software must be licensed and supported. End-of-life operating systems and applications are an automatic failure unless isolated from the network.

Cloud Services Now In Scope

The Danzell update brings all cloud services (SaaS, IaaS, and PaaS) fully into scope for Cyber Essentials assessments. Configuration of cloud platforms is now assessed alongside on-premises infrastructure, closing a gap that many firms previously relied upon.

Cyber Essentials in 2026: The Danzell Update Changes the Game

Cyber Essentials has been the UK government’s baseline cybersecurity certification since 2014. Over 130,000 certificates have been issued. For many businesses, it is the minimum standard their clients, insurers, and supply chain partners expect.

But the scheme has never stood still. The v3.3 update, codenamed Danzell, arrives on 27 April 2026 and represents the most significant tightening of requirements since the scheme launched.

If your organisation passed Cyber Essentials or Cyber Essentials Plus in the last 12 months, do not assume you will pass again without preparation. The rules have changed.

What Danzell Changes

Three shifts matter most.

MFA is now mandatory and non-negotiable. Under previous versions, MFA was strongly recommended but not an automatic failure point. Under Danzell, every user account that can access organisational data must have multi-factor authentication enabled. No exceptions. No grace periods. A single account without MFA means the entire assessment fails. This catches many organisations off guard because it applies to cloud services, shared accounts, and administrative access equally.

All cloud services are in scope. Previously, the boundary of a Cyber Essentials assessment could reasonably exclude certain SaaS platforms. Danzell eliminates that ambiguity. If your staff use it for work, it is in scope. Microsoft 365 configuration, Google Workspace settings, CRM platforms, file sharing services, and project management tools all need to meet the five controls. The configuration of these platforms is now assessed alongside your on-premises environment.

Passkeys are formally recognised and promoted. The Danzell update acknowledges passkeys as a strong authentication method, aligning Cyber Essentials with the direction of travel across the industry. While not yet mandatory, organisations adopting passkeys will find certification smoother, particularly around the MFA requirements.

The Five Controls: Still the Foundation

Cyber Essentials has always been built on five technical controls. Danzell does not change the structure. It raises the standard within each.

Firewalls must protect every internet-facing device, including the laptops your staff use at home. Host-based firewalls must be enabled and correctly configured. Default rules must be reviewed and tightened.

Secure configuration now explicitly extends to cloud platforms. Default settings on Microsoft 365 tenants, for example, are not considered secure. Organisations must demonstrate active configuration of security settings across every service in use.

Access control is where MFA enforcement sits. Beyond MFA, user accounts must follow least-privilege principles, administrative access must be separated from day-to-day accounts, and leavers must be removed promptly.

Malware protection requires real-time, automatically updating anti-malware on every device. Endpoint detection and response solutions are increasingly the expected standard, particularly for Cyber Essentials Plus assessments where the assessor actively tests defences.

Patch management requires critical and high-severity updates applied within 14 days. End-of-life software that no longer receives security updates is an automatic failure. This remains one of the most common stumbling blocks, particularly for organisations running legacy line-of-business applications.

How Nerdster Gets You Certified

We support London businesses through both Cyber Essentials and Cyber Essentials Plus certification, handling the technical preparation and remediation that makes the difference between passing and failing.

Our process starts with a pre-assessment audit. We scan your environment against the current Cyber Essentials requirements, identify every gap, and build a prioritised remediation plan. For most well-managed environments, remediation takes two to four weeks. For organisations with legacy systems, BYOD policies, or inconsistent cloud configurations, we allow six weeks.

We deploy and configure MFA across all accounts, review and harden cloud platform settings, verify patch compliance across every endpoint, and ensure firewall configurations meet the standard. For Cyber Essentials Plus, we run internal vulnerability scans to identify issues before the external assessor arrives.

On assessment day, we provide documentation support and are available to answer technical queries from the certification body. Our clients maintain a 98% first-time pass rate because we do not submit organisations for assessment until we are confident they will pass.

Cyber Essentials certification is not difficult when your IT environment is properly managed. The organisations that struggle are those whose day-to-day IT operations do not meet the standard. We make sure yours does, not just at certification time, but every day of the year.

Frequently asked questions

What is the Cyber Essentials v3.3 Danzell update?

Danzell is the codename for the Cyber Essentials v3.3 update, scheduled for release on 27 April 2026. It introduces mandatory MFA for all user accounts, brings all cloud services into assessment scope, promotes passkey adoption, and tightens requirements around BYOD and home working configurations.

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a self-assessment questionnaire verified by a certification body. Cyber Essentials Plus includes an independent technical audit where an assessor actively tests your systems for vulnerabilities, verifies configurations, and confirms that controls are working as claimed. Plus provides significantly higher assurance.

Is MFA really an automatic failure if missing?

Yes. Under the Danzell update, any user account that can access organisational data or services must have MFA enabled. If a single qualifying account lacks MFA at the time of assessment, the certification fails. This includes admin accounts, shared mailboxes with interactive logon, and cloud service accounts.

How long does Cyber Essentials Plus certification take?

If your environment is well-managed, the technical assessment typically takes 1-3 days. However, preparation and remediation can take 2-6 weeks depending on your starting position. Common blockers include legacy systems, inconsistent patch management, and MFA gaps in cloud services.

Do we need Cyber Essentials for government contracts?

Yes. Since 2014, Cyber Essentials certification has been mandatory for any UK government contract involving the handling of personal data or the provision of certain ICT products and services. Many private-sector organisations and insurers also require it from their supply chain.

How often do we need to recertify?

Cyber Essentials certification is valid for 12 months. You must recertify annually, and each recertification is assessed against the current version of the standard. This means firms recertifying after 27 April 2026 will be assessed against v3.3 Danzell requirements.
