Cyber Essentials Danzell v3.3 — What Changed in 2026
Last updated: 28 March 2026
From 27 April 2026, all new Cyber Essentials assessments use the Danzell v3.3 question set, replacing the previous Willow version. This guide explains every significant change and what it means for your organisation.
What is Danzell?
Danzell is the name of the updated Cyber Essentials self-assessment question set, introduced by IASME on behalf of the National Cyber Security Centre (NCSC). The name follows the convention of naming each annual update after a UK lighthouse. Per IASME guidance, the Danzell question set takes effect for all assessment accounts created on or after 27 April 2026.
The three most significant changes
1. MFA on cloud services — now an automatic fail
This is the most significant marking change in Danzell v3.3. Per IASME's published guidance, if any cloud service used by your organisation offers MFA and you have not enabled it for all users, your assessment fails automatically. This applies whether MFA is free, available as a paid add-on, or delivered through a connected service. It applies to every cloud service in scope and to all users — not just administrators. Relevant questions: A7.14, A7.15, A7.16 (administrators), A7.17 (all users). CrownSync tracks A7.16 and A7.17 as AUTO_FAIL questions. See our complete MFA requirements guide for details.
2. 14-day patching — now an automatic fail
Two questions — A6.4 and A6.5 — carry automatic-fail status per IASME's published marking guidance. A6.4 covers operating systems and firmware; A6.5 covers all software and cloud services. CrownSync tracks both as AUTO_FAIL questions. Read our 14-day patching guide for a full breakdown of what is required.
3. Cloud services formally defined and explicitly in scope
Danzell v3.3 introduces the first formal definition of a cloud service in the Cyber Essentials scheme. IASME has clarified that social media accounts used for business purposes — including LinkedIn, Facebook, and X — fall within this definition and are in scope. See our cloud services scope guide for the full definition and examples.
Other changes
- Stricter scoping rules — updated with clearer rules; exclusions must be documented
- Legal entity declarations — must be formally declared
- Passwordless authentication — FIDO2, passkeys, biometrics explicitly recognised
- Updated board declaration — signatory commits to maintaining controls for 12 months
- Cyber Essentials Plus — assessors can re-sample after remediation
Several of these changes introduce new automatic-fail questions that CrownSync flags in real time as you complete your assessment.
Transition timeline
| Date | Milestone |
|---|---|
| 27 April 2026 | Danzell v3.3 takes effect for all new assessment accounts |
| 26 October 2026 | Deadline for completing assessments under Willow |
| 27 January 2027 | Deadline for completing CE+ under Willow |
How CrownSync helps
CrownSync CE Readiness guides you through all 106 Danzell v3.3 questions, flags every automatic-fail risk in real time, and produces a certifier-ready submission pack — free during our launch period.
Start your Cyber Essentials preparation today
CrownSync CE Readiness walks your team through the official Danzell v3.3 question set, identifies gaps, and helps you get board sign-off — completely free during our launch period.