Cyber Essentials (+ Plus)
for Creatives

The rules have changed. Here is what it means for you and how to prepare.

cyber essentials plus

What changed?

Cyber Essentials updated to version 3.3 with a new question set called Danzell. The five core controls are now assessed more strictly. If you already hold CE Plus, your next renewal is assessed under these rules. If you are preparing for the first time, these are the standards you need to meet from day one.

MFA is now
mandatory

If a cloud service offers MFA and it is not enabled for all users, the assessment is an automatic failure. This includes email, file storage, and social media accounts.

Patching is now an auto-fail

High and critical vulnerabilities must be patched within 14 days. A single missed patch can fail the assessment outright, with no remediation window on the second CE Plus sample.

CE Plus uses double sampling

If a patching failure is found during the CE Plus audit, a second independent sample is taken across the full estate. A second failure revokes the certificate.

Directors are now accountable

A board member or director must sign a declaration committing the organisation to maintaining CE controls throughout the full 12-month certification period.

Source: IASME, NCSC Requirements for IT Infrastructure v3.3

What's the Difference?

Cyber Essentials

A verified self-assessment covering the five core technical controls, with an external vulnerability scan. The entry-level certification recognised by clients, insurers, and government procurement.

Cyber Essentials Plus

Everything in Cyber Essentials, plus an independent hands-on technical audit of your actual systems. Required more frequently in tenders and enterprise supply chains.

Most agencies, practices and studios start with Cyber Essentials. CE Plus is increasingly a named requirement before a contract is awarded.

How does CE help?

Three reasons CE matters for agencies, practices and studios right now.

Address the threat that is actually growing

The NCSC has assessed it as almost certain that AI-enabled tools will enhance attackers’ ability to exploit known vulnerabilities by 2027. Cyber Essentials controls are specifically designed to close the gaps that automated, AI-assisted attacks look for first.

Win and retain clients who require it

Creative agencies, communications firms, architecture practices and design studios are seeing CE Plus appear more frequently in client onboarding checks and formal tender requirements. A current, valid certificate removes a barrier at exactly the point it matters most.

Understand the governance beforehand

The April 2026 Danzell update introduced a director declaration that commits your organisation to maintaining CE controls for the full 12-month certification period. This is a named, personal accountability. Knowing what it requires before you sign is not optional.

What CE Plus audits across your business

User access and
admin rights

Device patching
and security

Malware
protection

Firewall and
network controls

Secure system
configuration

Cloud services
in scope

Insurer data cited by NCSC shows organisations with Cyber Essentials certification are up to 92% less likely to make a cyber insurance claim. As AI lowers the barrier to automated attacks, that gap is widening.

Where agencies typically fail the assessment

The consequences of common failures are more serious under Danzell than they were before. What was previously a non-conformity that could be accepted and moved past is now, in several cases, an automatic failure that ends the assessment.

MFA gaps are the most common issue. Many agencies run Microsoft 365, Google Workspace, Adobe Creative Cloud, Dropbox, and Slack without MFA enforced consistently across all users. Under Danzell, a single user account without it will fail the assessment. Mixed Mac and Windows estates, remote workers, BYOD policies, and freelancers on company networks all add complexity to what should be a straightforward control.

Patching is the second most common gap. Devices that get updated in the office but miss updates when remote, software running on end-of-life operating systems, and specialist tools on irregular update schedules are all risks. Architecture practices in particular often run software with non-standard patch schedules. Any of these can trigger a failure.

The April 2026 Danzell changes make that explicit. A board member or director must now sign a declaration committing the organisation to maintaining CE controls throughout the full 12-month certification period. This is not a formality. It is a named, personal accountability.

The badge means more and carries more risk. Clients, insurers, and procurement teams are beginning to treat CE Plus as a standing indicator of governance, not just an annual checkbox. A lapsed or revoked certificate mid-year is a compliance gap that has to be managed and disclosed.

CE Plus appears more frequently in tender requirements. Architecture practices tendering for public work, agencies with regulated industry clients, and firms working in supply chains where the end client holds public sector contracts are all seeing it in more invitations to tender than before. A failed assessment during an active procurement can remove you from the process.

Governance now plays a bigger role

How have cost and risk changed?

The consequences of a failed CE Plus assessment are more significant under Danzell than before. A patching failure during the audit now triggers double sampling across the full estate. A second failure revokes the certificate, not just flags a remediation item.

Revocation has direct commercial consequences. If CE Plus is specified in a client contract or tender, a lapsed badge creates a compliance gap that needs to be managed and disclosed. Reinstatement means starting the assessment process again from scratch. Insurers are also increasingly using CE Plus as a factor in underwriting, and a lapsed certificate can affect your next premium.

CE Plus certificates are valid for 12 months. If your current certificate was issued under the previous Willow requirements, your next renewal uses the Danzell criteria. The cost of preparing properly is significantly lower than the cost of a failed assessment, a revoked certificate, or a delayed renewal during an active procurement.

Not sure where your systems stand?

The Cubit Cyber Check is a short online audit that gives you a quick, top-level view of how your current IT setup compares to the Cyber Essentials Plus requirements. It takes a few minutes and gives you an immediate sense of where the gaps are likely to be before any formal process begins.

Where Cubit fits

1. Review

We assess your setup against the Danzell requirements before you open an account. No surprises when the assessment starts.

2. Remediation

We fix the gaps. MFA rollout, patching, scoping documentation, end-of-life device replacement or isolation.

3. Ongoing Support

We keep systems at the certified standard between renewals. Certification is an ongoing obligation, not a one-day exercise

We work with agencies, practices and studios preparing for Cyber Essentials and CE Plus. Our work falls into three stages. Book a call with Ralph to discuss your IT challenges today.

FAQs

What is Cyber Essentials?

Cyber Essentials is a UK government-backed certification scheme managed by the NCSC and delivered through IASME-accredited bodies. It certifies that an organisation has five core technical controls in place: firewalls, secure configuration, access control, malware protection, and patch management. It is the minimum cyber security standard recommended by the UK government for all organisations, and is mandatory for many public sector contracts.

What are the main changes in Cyber Essentials from April 2026?

The four most significant changes under Danzell are: mandatory MFA for all cloud services that offer it, with automatic failure if it is not enabled; a 14-day patching requirement for high and critical vulnerabilities, which is now an auto-fail if not met; a broadened definition of cloud services, including social media accounts accessed through organisational logins; and a new director declaration that makes board-level sign-off a commitment to ongoing compliance rather than a one-time statement.

Do social media accounts count as cloud services under Cyber Essentials?

Under Danzell, yes. The updated definition of cloud services explicitly includes social media accounts accessed through an organisational login. If your business uses LinkedIn, Instagram, or similar platforms via company credentials, they fall within scope and MFA must be enabled. This is a notable change from the previous question set, where peripheral SaaS platforms could often be excluded.

What happens if we miss a critical patch under the new rules?

A single missed high or critical vulnerability that is more than 14 days old is an automatic failure under Danzell. This applies to operating systems, firewall firmware, and applications on devices within the assessment scope. Under CE Plus, a failed sample can be remediated once, but a second sample failure has no further remediation window. The practical implication is that patch management needs to be consistent and documented before the assessment account is opened, not cleaned up once the process is underway.

Is Cyber Essentials the same as ISO 27001?

No. Cyber Essentials focuses on five specific technical controls that guard against common, automated cyber attacks. ISO 27001 is a comprehensive information security management standard covering governance, risk management, policy, and operational processes across an entire organisation. CE is a technical baseline. ISO 27001 is a broader management system. Some organisations pursue both; CE is typically the starting point.

What is the director declaration in Cyber Essentials?

The director declaration is a formal sign-off required from a board member or director at the end of the self-assessment. Under Danzell, it has been significantly strengthened. It now includes an explicit commitment to maintain Cyber Essentials controls throughout the 12-month certification period, not just as of the assessment date. This moves Cyber Essentials compliance from a periodic exercise into an ongoing obligation with named executive accountability.

Does the Danzell update affect our renewal if we already have CE Plus?

Yes. All assessment accounts created on or after 26 April 2026 must use the Danzell question set. If your current certificate was issued under the previous Willow requirements, your next renewal will be assessed against the Danzell criteria. That means your systems need to meet the stricter MFA, patching, and cloud scoping requirements before you open your next assessment account. We recommend starting preparation at least eight to ten weeks before your renewal date.

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a verified self-assessment. You answer a structured question set and an external vulnerability scan is carried out. Cyber Essentials Plus includes everything in the standard certification plus an independent hands-on technical audit of your actual systems, carried out by an accredited assessor. CE Plus provides a higher level of assurance and is increasingly required by enterprise clients and in formal procurement processes.

How long does Cyber Essentials take to achieve?

It depends on how close your current systems are to the requirements. Organisations that are well-prepared can complete the process in a matter of days. Those with gaps in MFA, patching, or device management typically need several weeks of remediation before they are ready to open an assessment account. We carry out a review of your setup against the Danzell requirements before any assessment begins, so you know what needs to be fixed first.

Is MFA now mandatory for Cyber Essentials?

Yes. Under Danzell, if a cloud service offers multi-factor authentication and it is not enabled for all users, the assessment is an automatic failure. This applies to admin accounts and standard user accounts. It covers any cloud service accessed through an organisational account, including email platforms, file storage services, and collaboration tools. Passwordless methods such as passkeys and FIDO2 can meet the MFA requirement where they involve more than one factor.

Can AI-assisted attacks bypass Cyber Essentials controls?

The NCSC has assessed it as almost certain that AI-enabled tools will improve attackers’ ability to exploit known vulnerabilities by 2027. Cyber Essentials is specifically designed to address commodity-level attacks, which is the category AI tools are accelerating. The controls do not protect against sophisticated, targeted threats, but they close the gaps that automated scanning and exploitation tools look for first. For most agencies, practices and studios, that is where the actual risk sits.

What is the Danzell question set?

Danzell is the updated self-assessment question set for Cyber Essentials, introduced by IASME and the NCSC on 27 April 2026. It replaces the previous Willow question set and applies version 3.3 of the NCSC Requirements for IT Infrastructure. The five core controls have not changed, but the assessment is stricter. Several areas previously treated as non-conformities are now automatic failures, including MFA gaps and missed patches.

What does Cubit do to help us prepare for CE Plus?

We review your current IT setup against the Danzell requirements, identify the gaps, and fix them before you open an assessment account. That covers MFA rollout across cloud platforms, patching gap analysis, scoping documentation, removal or isolation of unsupported software, and any configuration work required. After certification, we provide ongoing support to keep systems at the certified standard through the 12-month period. We do not carry out the CE Plus assessment itself. Certification is conducted by an accredited assessor. Our role is to make sure you are ready to pass.

We use a mix of Macs, Windows devices, and freelancers. Does that affect the assessment?

Mixed device estates, remote working, and freelancers using personal devices are among the most common sources of complexity for agencies going through CE Plus. Each device within the defined scope needs to meet the same patching, MFA, and configuration requirements. Freelancer devices on company networks need to be either included in scope and managed accordingly, or excluded from scope with a clear technical justification. We work through these questions as part of our preparation support, so they are resolved before the assessment opens.

Does Cyber Essentials certification expire?

Yes. Both Cyber Essentials and Cyber Essentials Plus certificates are valid for 12 months. You must renew annually to maintain certification. If your current certificate was issued under the previous Willow requirements, your next renewal will be assessed against the stricter Danzell criteria. We recommend beginning preparation at least eight to ten weeks before your renewal date.

What is double sampling in Cyber Essentials Plus?

Double sampling is a new CE Plus process introduced under Danzell. If the assessor finds a patching failure during the audit, they are required to test a second independent sample of devices from across the estate, rather than retesting only the failing device. This is designed to catch selective patching, where organisations apply updates to sampled devices but not consistently across their full IT environment. A second failure following the additional sample revokes the CE Plus certificate.

Do I need Cyber Essentials to bid for government contracts?

Cyber Essentials is mandatory for many UK government contracts, particularly those involving the handling of personal data or the provision of certain ICT products and services. Architecture practices and agencies working in public sector supply chains or tendering for government-connected work should treat it as a baseline requirement, not an optional extra. Cabinet Office procurement policy makes this an expectation across an expanding range of contract types.