The Cyber Essentials scheme is evolving to keep pace with modern security threats. On 27th April 2026, the current Willow question set will be replaced by Danzell (Version 3.3).
This major update reflects how organisations operate today; cloud-first, identity-driven, and facing increasingly sophisticated ransomware risks.
At the heart of Danzell is a simple message; identity is now the new security perimeter.
What’s Changing? Key Highlights of Cyber Essentials Danzell
MFA Is Now Non Negotiable
The old “comply or explain” flexibility around MFA is gone. If a cloud service offers MFA , even as a paid add-on, you must enable it for all users. This applies to Microsoft 365, Google Workspace, CRM platforms, and any other cloud tools.
Clearer Cloud Scoping Responsibilities
Danzell introduces new clarity on your responsibilities vs. your SaaS provider’s responsibilities.
You’ll need to demonstrate how you manage configuration, user access, and security controls you are responsible for, even when using shared responsibility platforms.
Backup Resilience and Immutability
Backups must now be:
- Immutable, or
- Offline / isolated, or
- Otherwise protected from ransomware
This ensures they cannot be encrypted or deleted during an attack.
Stronger JML (Joiners, Movers, Leavers) Controls
You will need to evidence that:
- Access is granted correctly when someone joins
- Permissions are updated when roles change
- Accounts are closed immediately when someone leaves
Dormant accounts are a major attack risk and Danzell tackles this head on.
Passwordless Is Officially Supported
Danzell formally recognises Passkeys and FIDO2 as “gold standard” authentication methods. This offers stronger security and a smoother user experience than traditional passwords.
Secure Software Development Requirements
For organisations that build or maintain their own applications, Danzell introduces clearer expectations around:
- Secure coding practices
- Code reviews
- Managing vulnerabilities in internal apps
Should You Certify Now or Wait?
If your existing certification expires before 27th April 2026, you can still recertify under the Willow question set.
However, preparing for Danzell now will future‑proof your security and reduce pressure when the change goes live.
If IASME follow the same process as with previous question set updates, then the last date candidates can submit Willow question sets will be October 2026. This is NOT confirmed however.
How We Can Help
Our team can support you with:
- Early Danzell readiness checks
- MFA rollout and identity best practices
- Backup hardening and immutability planning
- Cloud scoping guidance
- Staff access lifecycle reviews
- Software development security assessments
Just let us know if you’d like a Danzell readiness review! Find out more about how we can help your organisation achieve Cyber Essentials here.
Have you heard about CyberAscend?
Don’t wait for the next headline. Start with the basics today and begin your journey with CyberAscend.
We also have tailored CyberAscend journeys for Fire & Rescue, Government and Police and other public sector entities.