The cyber security framework championed by the UK Government, Cyber Essentials, is changing to v3.3 (Danzell). Existing certifications aren’t affected, but as of 27th April 2026 all assessments will be against v3.3. Here’s what it means to you.
What is Cyber Essentials?
Cyber Essentials was established by the UK Government to provide a basic level of security for organisations supplying to the public sector. Although any organisation can become Cyber Essentials Certified.
There are two levels, Cyber Essentials (basic) which consists of a self-assessment questionnaire and attestation.
And Cyber Essentials Plus, which has an additional Pen Testing requirement, carried out by the impartial certification body.
Both versions are independently assessed by a certification body.
What is Changing in Cyber Essentials v3.3 (Danzell)?
There are several key Changes in v3.3 including:
- Mandatory MFA: Multi-factor authentication (MFA) must be enabled on all cloud services and SaaS platforms where available; failing to do so now results in an automatic fail.
- All Cloud Services now in Scope: All cloud services storing or processing organisational data must be included in the assessment. This can be difficult for larger organisations who use multiple SaaS tools, but having control over those platforms is important.
- Stricter Patching Policy: High-risk or critical security updates must now be applied to software within 14 days of release.
- Board-Level Sign-off: A board member or director must now sign a declaration confirming compliance, shifting it to a governance-level responsibility.
While these changes could be significant if organisations do not currently apply them, we believe more firms will already be operating some way towards these and be able to easily attest.
How Does Cyber Essentials Affect Other Frameworks?
Cyber Essentials has been designed as a good starting point for organisations to ensure a basic level of security.
However for many buyers of technology or data services, cyber essentials alone may not be enough and many request either ISO 27001 Certification or SOC 2 audits.
While there is some cross-over in the requirements, both ISO 27001 and SOC 2 have quite different and more in-depth requirements.
Need Support with Cyber Essentials and Other Frameworks?
Assent Risk Management is a specialist information security compliance consultancy. We have helped many organisations implement frameworks including Cyber Essentials, ISO 27001 and SOC 2.
