Cyber Essentials,
Explained

The Cyber Essentials scheme moved to version 3.3, known as Danzell, on 27 April 2026. The five core controls remain the same, but three areas tightened significantly: multi-factor authentication became a mandatory auto-fail requirement on cloud services, cloud services storing or processing organisational data can no longer be excluded from scope, and high or critical patches must now be applied within 14 days or the assessment fails automatically.

Yes. Existing certifications are not affected by the Danzell update. If your certificate was issued before 27 April 2026, it remains valid until its renewal date. When you come to recertify, you will be assessed against the v3.3 standard.

Yes, and it is now an automatic failure if it is missing. Under Danzell v3.3, if any cloud service you use supports multi-factor authentication and you have not enabled it for all users, your assessment fails regardless of how well you perform on other controls. This applies to Microsoft 365, Google Workspace, Slack, Adobe Creative Cloud, and any other SaaS tool that offers MFA.

Any cloud service that stores or processes your organisation’s data is now in scope. Danzell defines a cloud service as an on-demand, scalable service hosted on shared infrastructure and accessible via the internet. For most agencies that means email, file storage, project management tools, finance software, and any other SaaS platform your team uses day to day.

High and critical vulnerabilities must be patched within 14 days of release. This applies to operating systems, router and firewall firmware, and applications including browser extensions. Failure to meet this on either of two specific questions in the Danzell questionnaire is an automatic fail, even if everything else passes.

Cyber Essentials is a verified self-assessment: you complete a questionnaire describing your IT setup, which an accredited assessor reviews. Cyber Essentials Plus involves independent technical testing of your environment by an auditor who verifies the controls are actually in place. CE Plus carries more weight in public sector procurement and is increasingly required for government supply chain contracts.

Once your IT environment is prepared and meets the requirements, the self-assessment process typically takes a few days. The preparation work, so gap assessment, remediation, and scoping documentation, is where most of the time is spent. For an agency with a mix of cloud and on-premise systems, expect two to four weeks from starting the gap assessment to submitting.

This session is for operations managers, office managers, and IT leads at creative, marketing, PR, and design agencies who are planning to certify or recertify under the new Danzell standard. No technical background is required. The session explains the changes in plain language and covers what you need to do before opening an assessment account.