Cyber Essentials in 2026: What the New Danzell Question Set Means for Your Renewal
Cyber Essentials moved to the new Danzell question set on 26 April 2026. Here's the five-day fix window, AI tools in scope, passkeys, and what your renewal now needs.
If your Cyber Essentials certificate is coming up for renewal, the goalposts have moved. On 26 April 2026, IASME replaced the long-running Willow question set with a new one called Danzell. The five technical controls behind Cyber Essentials haven't changed, but the way you're assessed against them has — and a couple of the updates will catch people out if they renew on autopilot.
This is a plain-English walk-through of what's different, where most renewals get stuck, and how to give yourself a smooth pass. No scare tactics, no jargon for its own sake.
Danzell vs Willow: what actually changed
Danzell is an evolution rather than a reinvention. The scheme still covers the same five controls — firewalls, secure configuration, security update management, user access control, and malware protection. What's tightened is the detail underneath them. Three changes matter most for SMEs:
1. The fix window for high-severity vulnerabilities is now five days
Previously you had a 14-day window to patch or remediate vulnerabilities rated high or critical. Danzell shortens that to five days from the point a fix becomes available. In practice that means relying on "we patch when we get round to it" no longer works. Most small teams will need either automatic updates switched on across operating systems and key applications, or a named person who reviews and applies critical patches weekly as a minimum.
2. AI and LLM tools are explicitly in scope
The new question set acknowledges that AI assistants and large-language-model tools are now part of everyday business software. If your team uses an AI tool that touches company data — drafting documents, summarising emails, handling customer information — it sits inside your assessment scope like any other application. That means it needs to be a supported, properly configured product with access controls, not a free account someone signed up for with a personal login.
3. Passkeys and biometrics are accepted
One genuinely welcome change: Danzell formally recognises passkeys and biometric authentication as valid forms of multi-factor authentication. If you've moved away from SMS codes towards fingerprint, face unlock, or passkeys on your accounts, that now counts in your favour rather than leaving you explaining yourself to an assessor.
Where most renewals get stuck
Across the renewals we see, the same three things trip people up — and none of them are difficult; they're just easy to forget between certificates.
- An out-of-date asset list. Cyber Essentials asks you to declare the devices, operating systems and cloud services in scope. Laptops get replaced, people join and leave, new SaaS tools creep in. If your list is a year stale, you'll either understate your scope (a problem if it's checked) or scramble to rebuild it the week before. Keep a simple running inventory and review it quarterly.
- MFA on admin and cloud accounts. The control everyone agrees with in principle and forgets in practice. Every administrator account, and every user account on internet-facing cloud services like email and file storage, needs multi-factor authentication. The common gap is a shared admin login, or a service account, that quietly skipped MFA when it was set up.
- Patching discipline. With the window now at five days for high-severity issues, the old approach of occasional manual updates is the single biggest reason a renewal slips. Turn on automatic updates wherever you can, and make sure unsupported software — anything past its end-of-life — is removed or isolated, because it can't be patched at all.
The pattern is clear: the certificate rewards organisations that treat security as routine housekeeping rather than an annual fire drill.
Who needs Cyber Essentials — and who just benefits
For a growing number of UK SMEs, certification has stopped being optional. It's commonly a condition of supply — many public-sector contracts and an increasing number of private-sector buyers require their suppliers to hold it before signing. It's also frequently asked for by cyber insurers, and holding it can affect both your eligibility and your premium.
Even where no one is demanding it, the exercise is worth doing. Working through the question set forces a useful review of your basics — who has access to what, what's actually patched, where your data lives. For a small business with no dedicated IT team, that's often the most structured security check it gets all year.
What to do before you renew
A sensible run-up looks like this:
- Rebuild your asset and software inventory so it reflects reality today, including any AI or cloud tools added since your last certificate.
- Confirm MFA is on for every admin and internet-facing account — passkeys and biometrics now count, so use them where you can.
- Check your patching can meet the five-day window for critical fixes, and retire anything that's no longer supported.
- Confirm the current fee. Pricing is now tiered by organisation size and sits at roughly £330–£500 +VAT for most small businesses, but check the exact band for your headcount directly at iasme.co.uk before you budget, as figures move.
How SummitBridge Horizon can help
We're a UK technology company and a Cyber Essentials founding client, so we've been through the Danzell question set from the inside. If the five-day patch window or the AI-in-scope changes have you unsure where you stand, our SME Cyber Starter gives you a clear baseline, and our Cyber Essentials readiness support walks you through the assessment so you go in confident rather than guessing.
The whole point of Cyber Essentials is that the controls are achievable for any small business. Danzell hasn't changed that — it's just nudged the bar towards keeping things current rather than catching up once a year. Get your inventory, MFA and patching in order, and the renewal itself becomes the easy part.
If you'd like a second pair of eyes on where you are before your certificate expires, get in touch — a short conversation now saves a scramble later.