Cyber Essentials is evolving again, and this time the changes are more significant than in previous years. From 27 April 2026, a new version of the scheme (known as Requirements for IT Infrastructure v3.3 and the new “Danzell” question set) will apply to all newly created assessment accounts.

While the five core technical controls haven’t changed—firewalls, secure configuration, user access control, malware protection, and patch management—the rules around how organisations prove compliance are becoming far stricter.

  1. Multi‑factor authentication becomes an automatic pass/fail requirement
    MFA must be enabled for every cloud service where it is available. If a cloud service supports MFA and it’s not enabled, your assessment will automatically fail.
  2. Cloud services can no longer be excluded from scope
    Any platform storing or processing business data and accessed with company credentials is now in scope—including SaaS apps and collaboration platforms.
  3. Critical and high‑risk updates must be installed within 14 days
    All high‑risk or critical updates must be applied within 14 days or the organisation will automatically fail.
  4. Clearer and stricter scoping rules
    Applicants must provide a detailed and accurate scope description. Exclusions must be explicitly justified.
  5. Cyber Essentials Plus has stricter retesting requirements
    Failures will result in extended retesting, including new random devices.

Priority IT can support businesses through these changes with pre‑assessments, MFA rollout, patch management, cloud discovery, and full Cyber Essentials preparation. Call us on 01225 636000, or email [email protected]