The Cyber Essentials Requirements Tracker.

Danzell is the active scheme version as of 27 April 2026. The five technical control themes are unchanged, but the wording, evidence expectations and acceptable technologies inside several themes have moved on materially.

• MFA mandatory on cloud admin and remote-access services. SMS one-time codes are no longer accepted as a "good" second factor for new certifications.
• Passwordless authentication formally accepted. Passkeys (synced and device-bound), FIDO2 hardware tokens and platform authenticators (Windows Hello for Business, Touch ID with secure enclave) are explicitly listed as acceptable primary methods.
• BYOD sub-set scoping clarified. Personal devices may be excluded from scope only if restricted to a defined cloud-service set with their own MFA, no local data store and no VPN access into the corporate network.
• 14-day patch window enforced strictly. Quarterly patching cycles are no longer compatible with certification.
• SaaS explicitly in scope. Microsoft 365, Google Workspace, Salesforce, Stripe and equivalents cannot be answered as "out of scope because it's the cloud provider's problem".

Willow expanded the cloud-services definition to bring all SaaS handling business data formally in scope and broadened the MFA requirement beyond email to include any administrative interface. SMS-based MFA was retained as acceptable but flagged as discouraged. Willow ran as the live scheme until 27 April 2026 when Danzell superseded it.

• Cloud services (IaaS, PaaS, SaaS) brought formally in-scope under all five themes.
• MFA expanded from email-only to all administrative interfaces (cloud consoles, payment processors, source control).
• "Thin client" devices clarified - they are in scope where the user can interact with business data.

Montpelier introduced the formal concept of a sub-set - a defined portion of the organisation that can be certified independently provided the boundary is clearly documented. This was the version that made multi-entity SMEs viable certification candidates without forcing the whole group through a single assessment.

• Sub-set scoping introduced - a documented boundary inside the organisation can be certified independently.
• Asset management language formalised - applicants must be able to enumerate every device and service in scope.
• Software firewall expectations clarified - the host firewall on every in-scope device must be enabled and logged.

v3.0 Evendine (introduced 24 January 2022) was the most significant overhaul of Cyber Essentials since 2014. It rewrote the scheme around cloud-first organisations, brought home-working into scope, and added MFA on cloud services as a hard requirement. It also restructured the question set into the five themes used today.

• Five-theme structure (Firewalls, Secure Configuration, Security Update Management, User Access Control, Malware Protection) introduced.
• Home-working brought into scope - routers used by remote workers count where business data is processed.
• MFA on cloud services made mandatory for the first time.
• Bring-your-own-device (BYOD) brought into scope where used to access organisational data.

The original Cyber Essentials scheme launched in June 2014 under the then-Cabinet Office in partnership with industry. From 1 October 2014 it became mandatory for suppliers bidding for certain UK central government contracts handling personal information or providing ICT products and services.