Cyber Essentials 2026: What's Changing and Why It Matters
Cyber Essentials is an 11-year-old UK government framework (NCSC) designed to help organizations of any size establish basic security controls. The new 2026 version (Danzell) strengthens multi-factor authentication requirements, adds passwordless controls, and clarifies that certification is continuous, not a one-time badge. Organizations face a deadline of April 27, 2026 for new assessments to meet the new standard, with a 6-month transition window for in-progress work. Common challenges include asset management and discovering unknown cloud services.
What Is Cyber Essentials
Framework Purpose and Origin
Cyber Essentials is a government-backed framework created by the NCSC (National Cyber Security Centre) to help UK businesses of any size establish a standard security posture. It provides foundational IT security controls without being overly burdensome, making it accessible even to organizations without dedicated IT departments.
Five Core Technical Controls
The framework is built on five fundamental technical controls that remain unchanged across versions. These are basic, sensible security practices that form the essential groundwork for protecting IT infrastructure and remain the same in the new Danzell version.
Value Proposition: Confidence and Credibility
Organizations gain confidence that their IT security is sound and receive a certificate to demonstrate commitment to partners, customers, and suppliers. It functions like business insurance or health and safety compliance—a fundamental responsibility that shows the organization takes cyber security seriously.
Not Just Compliance, But Cultural Change
Cyber Essentials drives organizational maturity by creating awareness and responsibility across the business. It requires internal engagement and understanding of controls, transforming how the organization approaches security rather than simply ticking boxes for certification.
Why Organizations Need It Now
Threat Landscape: When, Not If
Cyber threats are no longer a possibility but an inevitability. Organizations of all sizes—from sole traders to large enterprises—are targeted daily by threat actors seeking easy entry points. The question is not whether an organization will face an attack, but when.
Size No Longer Protects
Small organizations and sole traders are now equally targeted as large ones. Attackers view small organizations as entry points into supply chains; compromising one small business can disrupt 10 or 20 connected organizations, creating a ripple effect of disruption.
Financial Targeting via Public Records
Threat actors use publicly available financial records (Companies House, HMRC filings) to identify organizations with substantial cash reserves, then target them for extortion. Organizations with visible capital are at higher risk of ransomware attacks.
Cyber Essentials Raises the Bar
Implementing basic controls makes an organization a harder target. Attackers typically look for easy entry points; if your organization has security measures in place, they are more likely to move on to less-protected targets.
The Cyber Advisor Role
New Advisory Certification (3-4 Years Old)
The Cyber Essentials Cyber Advisor role was created by the NCSC and delivered through IASME to provide impartial, accessible cyber guidance to small and medium organizations. It fills a gap where small businesses cannot afford expensive enterprise-level cyber consultants.
Impartial Guidance, Not Compliance Enforcement
Cyber Advisors provide independent advice based on NCSC guidance and professional experience, tailored to each organization's needs. Unlike assessors who mark compliance, advisors help organizations understand options and make informed decisions about their security posture.
Training and Organizational Understanding
Advisors help organizations understand and implement controls in context, rather than imposing enterprise-level solutions. They train internal teams and ensure the organization understands why each control matters, supporting cultural change alongside technical implementation.
Cyber Essentials 2026 (Danzell): Key Changes
Five Controls Unchanged, Details Refined
The five core technical pillars remain the same, but the specific requirements within them have been updated to reflect current threats and technology. Changes focus on strengthening authentication and passwordless access controls.
Multi-Factor Authentication (MFA) Hardened
MFA now has a harder compliance line: if client-server systems support MFA, it must be applied or the assessment fails. This addresses the reality that weak passwords are a primary attack vector; MFA adds a second authentication layer (e.g., SMS code or app-based code) similar to banking security.
Passwordless Controls Added
New technical controls address passwordless authentication, where access is granted via encrypted device controls (mobile phone, physical key) rather than typed passwords. This reduces reliance on weak password practices.
Declaration Wording Emphasizes Continuous Compliance
The certification declaration now explicitly states that the signatory (director or board member) confirms the organization will work the Cyber Essentials controls continuously throughout the 12-month certification period. This clarifies that certification is not a one-time achievement but an ongoing commitment.
Point-in-Time Assessment, Continuous Responsibility
Certification reflects the organization's security posture at the moment of assessment, not a guarantee for the full year. Like a car service, if security issues arise after certification, they must be addressed immediately rather than waiting for renewal. This reinforces that Cyber Essentials is a continuous journey.
Cyber Essentials vs. Cyber Essentials Plus
CE: Self-Assessment and Certification
Cyber Essentials is a self-assessment framework where organizations answer questions about their controls and an assessor certifies compliance based on the information provided. The assessor marks answers but does not physically verify the controls are in place.
CE Plus: Audited Verification
Cyber Essentials Plus is the audited version where a CE Plus assessor physically verifies that controls are actually implemented. Within 90 days of achieving CE, the assessor checks a sample of equipment to confirm updates are installed, security software is active, firewalls are configured, and systems match what was declared.
Why Organizations Pursue Plus
Organizations pursue CE Plus for three main reasons: supply chain requirements (customers or partners mandate it), regulatory standards (defense contracts, medical industry), or internal testing to verify they are actually doing what they claimed. It signals organizational maturity and commitment to security.
Transition Timeline and Deadlines
Danzell Rollout Deadline
The new Cyber Essentials 2026 (Danzell) version launches at the end of April. From April 27, 2026, all new assessments must meet the Danzell standard. Assessments already in progress have a technical transition window of approximately 6 months (until end of October 2026) to complete under the previous version.
Common Implementation Challenges
Asset Management: The Biggest Struggle
Many organizations struggle to identify and track all their IT assets—both physical devices and cloud services. They often do not know what equipment exists, who uses it, or what version of operating systems and software are installed. This lack of visibility prevents effective security control.
Operating System Version Tracking
Organizations struggle to understand which OS versions are current and which are out of date. Lack of public clarity on support end dates creates confusion and fear. Knowing the correct version requirements is essential because you can only protect what you know you have.
Shadow Cloud Services
Many organizations are unaware of cloud services their employees are using (e.g., Zoom, Canva, cloud storage). These services often hold sensitive company data but are not tracked in asset registers. Discovering these services during assessment can be a shock and creates compliance gaps.
BYOD and Personal Device Complexity
Employees often use personal devices for work, expanding the IT estate beyond what the organization has purchased. Cyber Essentials requires understanding and managing this entire landscape, not just company-owned equipment.
Getting Started with Cyber Essentials
Step 1: Download and Self-Assess
Organizations can download the Cyber Essentials question set from the NCSC and IASME websites without committing to certification. Working through the questions internally helps identify gaps and build a gaps analysis, allowing the organization to become 'CE ready' before formal assessment.
Step 2: Build a Simple Asset Register
Create a basic spreadsheet (not a complex database) with four columns: device type, owner/user, operating system, and version. This straightforward approach provides the foundation for understanding and protecting your IT estate. Include both physical hardware and cloud services.
Step 3: Seek Impartial Guidance
If additional support is needed, engage a Cyber Advisor through the IASME website. The Cyber Advisor scheme provides a searchable database of certified advisors across the UK who can provide tailored, impartial guidance without enforcement pressure.
Step 4: Work with a Certified Assessor
Once gaps are closed and the organization is ready, engage a Cyber Essentials certified assessor (also found on IASME website). Assessors can work with organizations throughout the UK and will certify compliance against the framework.
Notable quotes
It's not if at all, it's when. So what CE will allow you to do is put in controls to help mitigate, to make it more difficult. — Paul Sinclair
Cyber Essentials is a framework that needs to be worked. It's not a certificate just to hang on the wall. — Paul Sinclair
You can only protect what the things that you know that you have. — Paul Sinclair
Action items
- Visit the NCSC and IASME websites to download the Cyber Essentials question set and begin a self-assessment.
- Create a simple four-column asset register spreadsheet listing all devices, owners, operating systems, and versions.
- Audit your organization to identify all cloud services in use (e.g., Zoom, Canva, cloud storage) and add them to your software asset register.
- Search the IASME website for a Cyber Advisor in your region to receive impartial guidance on your security posture.
- Once gaps are closed, engage a Cyber Essentials certified assessor (also listed on IASME) to pursue formal certification.
- Ensure leadership (director or board member) understands that Cyber Essentials certification is a continuous 12-month commitment, not a one-time achievement.
- Plan your assessment timeline to complete before April 27, 2026 if you want to use the previous version, or prepare to meet Danzell requirements for new assessments after that date.