A Critical Update for London And UK Organisations Holding Or Planning To Achieve Cyber Essentials Certification

Cyber Essentials is no longer a “tick-box” exercise. From 27 April 2026, significant changes to the Cyber Essentials scheme came into force, tightening requirements and removing much of the flexibility UK businesses and IT Support London providers previously relied on.

If your organisation already holds Cyber Essentials, or plans to achieve it this year, these changes directly affect your compliance, risk exposure, and ability to win contracts across the UK.

At Speedster IT, we work closely with London SMEs and small businesses across the UK every day, and we have already seen how these updates are catching organisations out. This article explains what has changed, why it matters to UK businesses, and what you should do next.

NEW: What Is the Cyber Essentials “Danzell” Update?

The April 2026 changes are formally known as the Danzell update, the new self-assessment question set that replaces the previous “Willow” version.
All Cyber Essentials assessment accounts created on or after 27 April 2026 must use Danzell. The five core technical controls (firewalls, secure configuration, user access control, malware protection, and security update management) remain unchanged. Danzell tightens how they are assessed, not what they are.

Important timing note: If your active assessment account was created before 27 April 2026, you can complete it under the previous Willow version until 27 October 2026. After that date, all outstanding assessments must restart under Danzell. If you are mid-process, speak to your certification body now.

What Has Changed in Cyber Essentials?

The five core Cyber Essentials controls remain the same. What has changed is how strictly they are enforced and how modern IT environments across London offices, remote workers, and UK-wide teams are assessed.

Below are the Most Important Updates for UK Organisations

Multi-Factor Authentication (MFA) Is Now Mandatory

MFA must now be enabled everywhere it is available, not just for administrators. This is one of the most common gaps we are seeing among London SMEs and UK small businesses right now.

This includes:

- Microsoft 365
- Cloud email
- CRMs and finance platforms
- Remote access and admin portals
- Service and shared accounts (where supported)

If MFA is available and not enabled, the assessment will automatically fail. There are no grace periods and no exceptions for “lower-risk” users, regardless of where your team is based.

NEW: Passkeys and Passwordless Authentication Are Now Recognised

The v3.3 document clarifies that FIDO2 authenticators are now explicitly recognised as a form of MFA, and passkeys are acknowledged as a passwordless authentication method, a welcome modernisation for UK businesses already moving away from traditional passwords.

Cloud Services Are Fully in Scope

Previously, many UK organisations excluded cloud services from their Cyber Essentials scope. That is no longer acceptable.
Any cloud service that:

- Stores organisational data
- Processes business information
- Provides access to internal systems

must be included, whether your business operates from a single London office or across multiple UK locations. This reflects how businesses operate today, with identity and cloud platforms at the centre of security for UK companies of all sizes.

NEW: A formal definition now exists. A cloud service is defined as an on-demand, scalable service hosted on shared infrastructure and accessible via the internet, accessed via an account that stores or processes data for your organisation. Cloud services cannot be excluded from scope. This removes any remaining ambiguity: if you use Microsoft 365, Google Workspace, Xero, Salesforce, or similar platforms, they must be included.

NEW: Build a cloud inventory now. For each service your organisation uses, record what data it holds, who accesses it, and whether MFA is enabled. This one step will put most UK SMEs ahead of the curve.

Patching Must Be Completed and Proven Within 14 Days

Critical and high-risk security updates must now be:

- Applied within 14 days
- Evidenced, not assumed

Verbal assurances or informal processes are no longer sufficient. This is a particular challenge for smaller UK businesses and London SMEs that do not have dedicated IT resource in-house. If you cannot demonstrate patching with logs, reports, or system records, the result is a failure.

Two Separate Auto-Fail Questions Now Cover Patching

The April 2026 question set introduces two separate auto-fail questions that explicitly cover operating systems and router/security system firmware: high-risk or critical security updates must be applied within 14 days of release. Previously this was a single area of scrutiny; it is now split and weighted more heavily.

The Point-In-Time Rule Has Been Clarified

The April 2026 update clarifies that the point in time is the certificate issue date, meaning all systems within scope must be fully compliant on the date the certificate is actually issued, not the date you complete the self-assessment questionnaire.

Personal and Remote Devices Are Now Included

Bring Your Own Device (BYOD) and remote-working equipment are now in scope by default, a meaningful change for UK businesses that adopted flexible and hybrid working post-pandemic.

If staff access company systems from:

- Personal laptops
- Home devices
- Unmanaged machines

You must either:

- Secure and manage them properly, or
- Clearly justify and document why they are excluded.

For London businesses with hybrid teams or staff working remotely across the UK, simply ignoring these devices is no longer acceptable.

NEW: Scoping exclusions now require written justification. Where parts of infrastructure are excluded, organisations need to explain what is excluded, why, and how segregation is achieved. Narrow scope can still work, but only if it is genuinely defensible and properly documented.

Cyber Essentials Plus Assessments Are Tougher

For UK organisations going beyond basic certification:

- If an assessor evaluates a sample of devices and finds issues, a second sample will now be evaluated.
- Failing both can result in revocation of the base Cyber Essentials certificate.

This closes loopholes that previously allowed selective fixes, and raises the bar for every UK business pursuing Plus certification.

NEW: Self-Assessment Responses Are Now Locked During CE+ Testing

Organisations can no longer amend their self-assessment responses once CE+ testing has begun. This means accuracy at the point of submission is more important than ever.

Application Development Is Now in Scope

The web applications section has been renamed ‘application development’ and now references the UK Government’s Software Security Code of Practice.
Publicly available commercial web applications are in scope by default, while bespoke and custom components are out of scope. For UK businesses that use or develop customer-facing web applications, including e-commerce, client portals, or booking systems, this is an important new consideration to factor into your assessment scope.

Data Backups Now Formally Emphasised

Guidance on backups has been repositioned earlier in the requirements document to emphasise their importance in enabling organisations to recover quickly from cyber incidents. While backups remain a recommendation rather than a hard requirement, their prominence in the updated framework signals the direction of travel, and assessors will be paying closer attention.

Why This Matters to Your UK Business

These changes reflect a simple reality: Cyber Essentials is now being enforced as a real security standard, not a formality, and that applies equally to a ten-person London startup and a 200-person business operating across the UK.

For many organisations, the risk is not deliberate non-compliance; it is assumed compliance. Controls may exist on paper, but not consistently across:

- Cloud services
- User accounts
- Remote workers
- Personal devices

The result? UK businesses discovering gaps on assessment day, when it is already too late, and potentially losing public sector contracts or tender opportunities that require valid Cyber Essentials certification.

The commercial stakes are rising

Cyber Essentials certification is already a prerequisite for many UK public sector contracts under PPN 014, and the NCSC published a Cyber Essentials supply chain playbook in early 2026, encouraging larger organisations to require certification from their suppliers as a minimum security baseline. For London and UK SMEs that supply larger businesses or bid for government work, this is increasingly a commercial requirement, not just a compliance one.

What Speedster IT Recommends

If your Cyber Essentials renewal is due within the next six months, now is the right time to act, especially with the new requirements now in force across the UK.

At Speedster IT, we advise London and UK organisations to:

✅ Review every cloud service in use, not just the obvious ones
✅ Confirm MFA is enabled for all users, not just admins
✅ Verify patching processes and collect clear evidence
✅ Assess how remote and personal devices access company systems
✅ Identify gaps early, before they become automatic failures
✅ NEW: Build a documented cloud inventory before your assessment
✅ NEW: Check whether your renewal falls under Danzell or the previous Willow rules
✅ NEW: If you develop or use web applications, confirm whether they fall within your assessment scope

Cyber Essentials is still achievable for UK businesses of all sizes, but it now requires accuracy, consistency, and visibility across your IT environment.

How Speedster IT Can Help London and UK Businesses

We support London SMEs and businesses across the UK with:

- Cyber Essentials readiness assessments
- MFA and identity security design
- Cloud security and Microsoft 365 hardening
- Practical remediation before renewal
- Ongoing managed IT and cybersecurity support

Whether you are a London-based business renewing your certificate, a UK SME certifying for the first time, or simply unsure where you stand under the new Danzell rules, our team can guide you through the changes with clarity and confidence.

Contact Speedster IT today. We help UK businesses stay secure, stay compliant, and stay ahead.

0204 511 9111

Louise

With over 15 years at Speedster IT, I’ve built a career around helping businesses navigate the evolving world of technology. I publish all the content for the IT Support London Blog and Cyber Security Blog, where I share practical insights on infrastructure upgrades, cybersecurity trends, and smart IT strategies for growing companies.