What the Cyber Essentials Requirements for IT Infrastructure v3.3 and the Danzell Standard Mean for Your Business

Cyber Essentials continues to evolve to reflect the realities of modern cyber security. From 27 April 2026, all new Cyber Essentials assessments are assessed against Danzell (the new IASME standard based on Requirements for IT Infrastructure v3.3), which introduces more rigorous expectations around cloud security, authentication and patching.

This update is more than a routine refresh. It reflects how organisations now operate, with cloud-first services, remote working and increasingly sophisticated commodity threats firmly in scope. For businesses planning certification or renewal after May 2026, understanding these changes early is essential.

This guide breaks down what has changed and, more importantly, what practical steps organisations should take to remain compliant and resilient.



Why is Multi Factor Authentication now an automatic failure requirement under Cyber Essentials Danzell?

One of the most significant changes in the Danzell standard is that failing to enable Multi Factor Authentication (MFA) where it is available is now an automatic failure.

Where MFA is supported, whether it is free, bundled or paid for, it must be enabled for all users. Failure to do so will now result in an automatic fail.

What this means in practice

Organisations must:

  • Audit all user accounts across email, cloud platforms and administrative portals
  • Enable MFA consistently, including for privileged and administrative users (where separate accounts should be in place)
  • Remove legacy authentication methods that bypass MFA

This change improves accountability and dramatically reduces the risk of credential-based attacks, which remain one of the most common causes of breaches.


How are Cloud Services treated under the updated Cyber Essentials requirements?

Under Danzell, a new definition has been added: ‘any cloud service that stores or processes organisational data is now in scope’. This removes previous ambiguity around excluding Software as a Service platforms.

Practical considerations for business

You should now:

  • Ensure a complete inventory of cloud services in use exists and is maintained in accordance with the updated definition
  • Apply Cyber Essentials controls consistently against the updated inventory
  • Ensure access controls, MFA, firewalls, malware protection and patching responsibilities are clearly defined with suppliers

This change reflects how critical cloud services have become to day-to-day operations and ensures security controls keep pace.


What do the new Cyber Essentials scoping rules mean for devices and services?

The previous concepts of “untrusted” or “user initiated” devices have been removed.

The new rule is straightforward: if a device or service owned by the organisation connects to the internet, or manages internet-connected data, it is in scope.

Why this matters

This clarity reduces misinterpretation during assessments and ensures organisations take a more holistic view of their environment. Laptops, mobile devices, servers and cloud platforms should all be considered equally when applying controls. BYOD devices that access organisational data or services should also not be forgotten.

All legal entities applying must be listed on your Cyber Essentials application.

Can I exclude systems?

Excluded networks must be clearly detailed in new Danzell scoping statements for any partial scope assessments.


How have Application Development requirements changed in Cyber Essentials v3.3?

The scope formerly referred to as “Web Applications” has now evolved into Application Development.

This aligns Cyber Essentials with the UK Government’s Software Security Code of Practice, increasing focus on:

  • Secure coding principles
  • Timely patching of applications and frameworks
  • Managing vulnerabilities throughout the development lifecycle

Guidance for development teams

Organisations involved in application development should:

  • Document secure development practices
  • Keep third party libraries up to date
  • Demonstrate how vulnerabilities are identified and remediated

This change reinforces that security must be built in, not bolted on.

Why is Passwordless Authentication being encouraged by Cyber Essentials?

While not yet mandatory, the Danzell standard actively promotes passwordless authentication such as passkeys and FIDO2 authenticators.

Why organisations should take notice

Passwordless authentication:

  • Reduces reliance on weak or reused passwords
  • Improves user experience without sacrificing security
  • Aligns with the long‑term direction of secure identity management

Adopting passwordless methods now can simplify future compliance and strengthen overall security posture. For further information, consult the IASME guidance.


What are the changes for Cyber Essentials Plus under Danzell?

No selective remediation:

Sample 1: If high or critical vulnerabilities are detected by the approved scanning tool in the first sample, a mandatory retest (scanning) with newly sampled devices is required (Sample 2).

Sample 2: A random sample of devices which had detected vulnerabilities (high or critical) older than 14 days. If the same vulnerabilities as those from Sample 1 are detected, a CE+ fail report is issued and the CE certificate is revoked by IASME.

  • If new or different high or critical vulnerabilities (older than 14 days) are detected, this will result in an advisory being noted on the CE+ report and a CE+ Pass being awarded.

Assessment rules:

Point in time assessment: All version and system information must be supported and meet the criteria on the certificate issue date.

  • Systems must be supported on certificate issue date, not just submission date.
  • Version information should be within the 14-day window for patching if build numbers are provided.

Director declaration: now includes ongoing compliance responsibility.


What are the new Backup and Recovery expectations under Cyber Essentials v3.3?

Whilst not required, backup and recovery have received increased emphasis and are highly recommended by IASME.

Organisations should ensure that backups are:

  • Robust and documented
  • Protected from unauthorised access
  • Regularly tested to ensure recovery is achievable

If automatic backups are available, you should consider turning them on.

Practical steps to take:

Businesses should review:

  • Backup frequency and retention policies
  • Offline or immutable backup options
  • Evidence of routine restore testing

This ensures organisations are better prepared to recover from ransomware or other disruptive incidents.


When does the Cyber Essentials Danzell standard come into effect and what is the deadline?

There is a critical timing consideration for organisations planning certification.

  • Assessments set up before 27 April 2026 will follow the previous Willow standard
  • Assessments initiated on or after this date must comply with the Danzell standard

For some organisations, this presents a short‑term opportunity. For most, however, preparing for the new requirements is the more sustainable approach.


How can organisations prepare for Cyber Essentials certification after May 2026?

The Danzell update raises the bar, but it also brings clarity. Organisations that take a proactive approach will find that these changes not only support compliance but meaningfully improve resilience.

Key preparation steps include:

  • Reviewing MFA and account separation coverage across all systems
  • Bringing all cloud services into scope
  • Rigorous system-wide patching in line with the 14-day requirements, and implementation of patching tools
  • Updating asset inventories and scoping assumptions
  • Strengthening backup and recovery processes
  • Aligning development practices with secure coding standards
  • Mobile device management for both organisation-owned devices and BYODs, which is strongly advised

How can CyberLab support your Cyber Essentials journey post-May 2026?

Navigating updated Cyber Essentials requirements can be complex, particularly for organisations with growing cloud environments.

CyberLab supports businesses through:

  • Cyber Essentials readiness assessments
  • Practical remediation guidance
  • Ongoing Cyber Security strategy aligned to evolving standards

If you are planning Cyber Essentials certification or renewal after May 2026, now is the right time to act.

Get Cyber Essentials Certified

Show your commitment to cyber security and reduce risk by gaining Cyber Essentials certification – the UK government-backed standard for defending against common threats.

As an IASME-approved assessor for Cyber Essentials and Cyber Essentials Plus, we make the process simple with tailored options to suit your technical capability and business needs.

Join over 120,000 organisations already certified and take the first step towards stronger security today.
