
Cyber Essentials v3.3 (Danzell): What Changed in April 2026


CrowAgent Editorial

9 min read · 3 May 2026

What is Cyber Essentials v3.3?

Cyber Essentials is the UK's foundational cyber-security certification scheme, owned by the National Cyber Security Centre (NCSC) and administered on its behalf by IASME Consortium Limited. The scheme was first launched in 2014 and is updated periodically through a co-ordinated requirements review. The latest version, Cyber Essentials v3.3 (codename "Danzell"), took effect on 28 April 2026. From that date, every new self-assessment submission and every new on-site Cyber Essentials Plus assessment is marked against the v3.3 requirements; assessments started against v3.2 ("Willow") before that date may be completed under the older rules at the assessor's discretion within a short grace period.

Cyber Essentials remains designed for organisations of all sizes, but the scheme is most heavily relied on by UK SMEs. It is the de facto baseline that government departments, healthcare buyers and an increasing number of insurers expect a supplier to meet before any contract is signed or any cover is bound. v3.3 is best understood as a tightening: the five control themes are unchanged in scope, but the wording, evidence requirements and acceptable technologies inside each theme have moved on significantly to reflect what NCSC sees in the live threat landscape.

The 5 control themes (unchanged in scope, tightened in detail)

Every version of Cyber Essentials is built around the same five technical control themes. v3.3 keeps the same five headings, but every theme has had its detail re-written. The themes are:

  1. Firewalls. Both boundary firewalls (perimeter and cloud edge) and software firewalls on every in-scope device. Default-deny inbound, documented exceptions, and administrative interfaces never reachable from the public internet without an MFA-protected route.
  2. Secure Configuration. Devices, accounts and services are deployed in a hardened state. Default credentials are removed, unused services and accounts are disabled, auto-run is restricted, and devices have screen-lock with a sensible inactivity timeout.
  3. Security Update Management. All in-scope software is licensed, supported by the vendor and kept up to date. Updates that fix vulnerabilities rated high or critical must be applied within 14 days of release. End-of-life software (e.g. Windows 10 after its October 2025 end of support) is either removed, isolated, or moved into a documented sub-set that is out of scope.
  4. User Access Control. Accounts follow least privilege, administrators have separate non-admin accounts for day-to-day work, a joiners, movers and leavers process is documented, and MFA is enforced on every cloud admin account and every remote-access gateway (see next section).
  5. Malware Protection. Every in-scope endpoint runs a continuously-updated anti-malware solution, application allow-listing or sandbox-based isolation. Browser extensions and macro-execution policies must be hardened in line with NCSC guidance.

What's actually different in v3.3

The headline changes in Danzell are concentrated in the User Access Control theme. The most important shifts are:

  • Passwordless authentication is now formally accepted. Passkeys (synced and device-bound), FIDO2 hardware tokens and platform authenticators (Windows Hello for Business, Touch ID with secure enclave) are explicitly listed as acceptable primary authentication methods alongside passwords-with-MFA. v3.2 tolerated these in practice; v3.3 names them.
  • MFA is mandatory for cloud-admin accounts and remote-access services. SMS one-time codes are no longer considered a "good" second factor for new certifications. The acceptable factors are TOTP authenticator apps, hardware security keys, push-based authenticator apps with number matching, and on-device biometrics combined with a possession factor.
  • Sub-set scoping for BYOD has been clarified. Where an organisation cannot bring personal devices fully under management, those devices may be excluded from scope only if they are restricted to a defined set of cloud services with their own MFA enforcement, no local data store and no VPN access into the corporate network. The wording removes a long-running ambiguity that some assessors had treated more leniently than others.
  • Patch window is enforced more strictly. "High" and "critical" CVE-classified patches must be applied within 14 days. v3.3 explicitly notes that quarterly patching cycles are no longer compatible with certification.
  • Cloud services explicitly in scope. Every Software-as-a-Service used to handle business data counts as in-scope: typically Microsoft 365, Google Workspace, Salesforce, Stripe, Supabase and your Git host. The applicant cannot answer "we use a cloud provider, so this question doesn't apply".

None of these changes will surprise an organisation that already takes cyber-hygiene seriously. They will, however, surprise an organisation that achieved Cyber Essentials in 2023 by ticking the "MFA on email" box and never extended MFA to its admin consoles, payment processor or source-control host.
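The 14-day patch window in theme 3 and the "patch window is enforced more strictly" bullet above are the easiest control to fail quietly, because a quarterly cycle looks fine until someone does the arithmetic per update. The script below is an added example, not code from the original post or from the CrowAgent product: it encodes the rule as a pre-assessment check over a software inventory. The update identifiers, products and dates are constructed sample data. The trigger conditions it uses (vendor severity "critical" or "high", CVSS v3 base score of 7.0 or above, or no severity information published at all) are taken from the published NCSC requirements document through v3.2; this example assumes v3.3 keeps the same thresholds.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Cyber Essentials patch rule: an update that fixes a vulnerability rated
# critical/high by the vendor, OR with CVSS v3 base score >= 7.0, OR whose
# severity the vendor has not published, must be applied within 14 days of
# release.  (Thresholds from the NCSC requirements document; assumed to be
# unchanged in v3.3.)
PATCH_WINDOW = timedelta(days=14)
CVSS_THRESHOLD = 7.0


@dataclass
class Update:
    product: str
    identifier: str                  # vendor advisory / KB reference (constructed)
    released: date                   # vendor release date
    vendor_severity: Optional[str]   # "critical", "high", "medium", "low" or None
    cvss_v3: Optional[float]         # CVSS v3 base score, or None if not published
    applied: Optional[date]          # installation date, None = not yet installed


def window_applies(u: Update) -> bool:
    """True if the 14-day window applies to this update under the CE rule."""
    if u.vendor_severity is None and u.cvss_v3 is None:
        return True                  # no details published: CE treats it as in-window
    if u.vendor_severity and u.vendor_severity.lower() in ("critical", "high"):
        return True
    if u.cvss_v3 is not None and u.cvss_v3 >= CVSS_THRESHOLD:
        return True                  # vendor called it "moderate" but CVSS says 7+
    return False


def assess(u: Update, today: date) -> str:
    """Classify one update: 'compliant', 'overdue', 'pending' or 'not-required'."""
    if not window_applies(u):
        return "not-required"
    deadline = u.released + PATCH_WINDOW
    if u.applied is not None:
        return "compliant" if u.applied <= deadline else "overdue"
    # Not installed yet: still inside the window, or already late?
    return "overdue" if today > deadline else "pending"


def overdue_ids(updates: List[Update], today: date) -> List[str]:
    """Identifiers of every update that already breaches the 14-day window."""
    return [u.identifier for u in updates if assess(u, today) == "overdue"]


# Constructed sample inventory; dates chosen around this article's publication.
TODAY = date(2026, 5, 3)
SAMPLE = [
    Update("Windows 11", "KB-SAMPLE-0001", date(2026, 4, 14), "critical", 8.8, date(2026, 4, 20)),
    Update("Chrome", "CHROME-SAMPLE-0002", date(2026, 4, 1), "high", None, date(2026, 4, 22)),
    Update("Line-of-business app", "LOB-SAMPLE-0003", date(2026, 4, 25), None, None, None),
    Update("LibreOffice", "LO-SAMPLE-0004", date(2026, 3, 1), "medium", 5.3, None),
    Update("VPN client", "VPN-SAMPLE-0005", date(2026, 4, 10), "moderate", 7.5, None),
]

if __name__ == "__main__":
    for u in SAMPLE:
        print(f"{u.identifier:20} {u.product:22} {assess(u, TODAY)}")
    print("overdue:", overdue_ids(SAMPLE, TODAY))
```

Two rows are worth noting. The Chrome update was installed, but 21 days after release, so it is still a breach for the assessment period; "eventually patched" is not the test. The VPN client update is rated only "moderate" by the vendor, but its CVSS score of 7.5 pulls it into the window, which is the case a severity-label-only process misses.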

Cost of certification

Cyber Essentials self-assessment is priced on a sliding scale depending on the size of the certified organisation. As of April 2026 the public list prices set by IASME-licensed Certification Bodies are:

  • Micro (1-9 employees): £400 + VAT for Cyber Essentials self-assessment.
  • Small (10-49 employees): £450 + VAT.
  • Medium (50-249 employees): £500 + VAT.
  • Large (250+ employees): £600 + VAT.

The basic Cyber Essentials certificate is valid for 12 months. After that you re-assess against whatever requirements version is current at the time of renewal, meaning a 2026 renewal will be measured against Danzell, not against the version your previous certificate covered.

Cyber Essentials Plus, which adds an on-site (or video-conference based) technical audit, is priced separately. CE+ assessment usually lands in the £1,500 to £3,000 + VAT range for an SME, depending on the number of devices to sample, the number of cloud services and the geographic spread of staff. The assessor tests patch state, malware protection, secure configuration and a sample of MFA enforcement on real user accounts, either in person or over screen-share; they do not take your word for it.

To these direct fees you should add internal effort. Even a well-organised SME should expect to spend three to five working days assembling evidence, fixing surfaced gaps and walking the team through the questionnaire before submission. A first-time applicant with weak baselines will spend more.

The compliance trigger most SMEs hit first

Most UK SMEs do not get certified because they want to. They get certified because a buyer made it a condition. The two most common triggers are:

  • Public-sector procurement under PPN 014/21. Central government and many wider public sector contracts now require either a current Cyber Essentials certificate or evidence of equivalent certification (most commonly ISO 27001 mapped to NCSC's 10 Steps). For higher-risk contracts handling sensitive personal data, CE+ is required. See our PPN 014/21 explainer for the full list of who is in scope.
  • Cyber-insurance underwriting. A growing number of UK insurers now refuse to bind cover at SME premiums unless the proposer can show a current Cyber Essentials certificate. Where they will bind cover without it, premiums are markedly higher and exclusions are wider.

Our advice: stop treating Cyber Essentials as an annual paperwork exercise and treat it as a forcing function. The controls it asks about are exactly the controls that prevent the credential-stuffing, ransomware and supply-chain attacks that disable UK SMEs every week.

How CrowAgent helps

CrowCyber, part of the CrowAgent platform, is a Cyber Essentials co-pilot built specifically for UK SMEs preparing for or maintaining certification. It walks an applicant through every one of the 44 Cyber Essentials self-assessment questions and the additional 22 Cyber Essentials Plus questions, mapped against the v3.3 (Danzell) requirements. For each question, CrowCyber provides plain-English guidance on what the assessor is actually looking for and an AI-suggested draft answer that you can edit before submission (the AI runs server-side and never sees your secrets). CrowCyber sits alongside CrowAgent Core (MEES and property compliance) and CrowMark (PPN 002 social value) on the CrowAgent platform, so a supplier can manage cyber, property, and procurement compliance in one place.

Behind the questionnaire sits an evidence library. Every screenshot, policy document and configuration export is timestamped and tagged against the question it supports. CrowCyber automatically flags any evidence item older than 12 months as stale and prompts you to refresh it before your renewal; stale evidence is the single most common reason that a returning applicant fails an assessment.

Note

Cyber Essentials v3.3 (Danzell) is the current scheme version as of 28 April 2026. CrowAgent updates its question set within 14 days of any IASME requirements release and ports your existing answers forward where the question is unchanged. You never re-key an answer that already passed.

Get certified faster

Take CrowCyber for a 14-day free trial

All 44 Cyber Essentials questions and 22 Plus questions, mapped to v3.3 (Danzell). AI-drafted answers, evidence library, 12-month staleness alerts, and assessor-ready evidence pack export. From £99/month.
