Cyber Essentials
has changed.
The new Danzell question set replaces the old Willow framework, and it's the most significant update to the scheme in the last 10 years. For businesses that take security seriously, these changes are good news. Here's why.
From annual
tick-box to active,
ongoing security
Cyber Essentials has always been a valuable baseline. But the threat landscape has changed dramatically, and the Danzell update reflects that reality. The scheme now demands continuous security management, not just a point-in-time audit once a year.
For Roadmap IT and our customers, this means there is more we have to do. But it also means that organisations holding a Cyber Essentials certificate under Danzell can demonstrate a higher standard of protection than was previously possible.
A note on costs: Because Danzell introduces ongoing requirements, particularly around patch management and vulnerability scanning, additional tools and services are required. This page explains exactly what that investment covers and why it protects your business.
What's new:
and what it means for you
Significant changes, the solutions and services required to meet them, and the security benefit each one delivers.
14-Day Critical Patch Requirement
High-risk and critical security updates must now be applied within 14 days of release. If you are unable to prove this is in place, it is now an automatic failure. Fail this, and your entire certification is revoked, including Cyber Essentials itself.
Under the previous framework, patching was assessed at a single point in time. Under Danzell, if a CE+ vulnerability scan reveals unpatched critical issues and a second sample of different devices shows the same failures, certification is lost.
- Patching can no longer wait until your annual assessment, it must happen continuously
- You need a reliable process to detect critical patches and verify they've been applied
- Vulnerability scanning must become a regular activity, not a one-off exercise
- Devices cannot be cherry-picked for retesting, the second sample must be entirely different
Security benefit: The average time attackers exploit a known vulnerability after a patch is released is under 7 days. A 14-day requirement keeps your organisation ahead of the most common attack vectors.
Firmware & Browser Extension Patching
The 14-day patching requirement explicitly extends beyond operating systems and applications. Router firmware, firewall firmware, and browser extensions are now all named as automatic-fail questions in their own right (A6.4 and A6.5). A configuration change that fixes a vulnerability counts the same as a patch: it must be deployed within 14 days of the vendor publishing it.
- Router and firewall firmware must be checked and updated on the same 14-day cycle as software
- Browser extensions across all in-scope devices must be kept up to date and audited regularly
- Configuration-based fixes, not just patches, must be applied within 14 days of release
- Many organisations had overlooked firmware and extensions, these are now explicit auto-fail criteria
Security benefit: Firmware vulnerabilities are commonly exploited to gain persistent, hard-to-detect access to networks. Keeping firmware current closes one of the most frequently overlooked attack surfaces.
MFA Mandatory Wherever It's Available
If a cloud service offers MFA in any form, built in, free, paid, or via a third-party identity provider, you must have it enabled. If MFA is available and not turned on, your assessment automatically fails.
This applies to every cloud account used for business purposes, including social media accounts, which must now be declared on your self-assessment. Passkeys and FIDO2-compliant methods are treated as equivalent to MFA.
- Every cloud service your organisation uses must be audited for MFA availability
- Business social media accounts (LinkedIn, X, Instagram) must have MFA enabled and be declared
- SSO/SAML configurations must demonstrate MFA enforcement at the identity provider level
- Passkeys and FIDO2 passwordless methods now count as compliant MFA
Security benefit: Over 80% of account takeovers involve compromised passwords. MFA stops the vast majority of credential-based attacks, even when a password is leaked.
Cloud Services: Formally Defined & Always In Scope
Danzell introduces a formal definition of cloud services, removing all previous ambiguity. Any service that is on-demand, hosted on shared infrastructure, accessible via the internet, and processes your organisation's data is in scope, and cannot be excluded.
Every cloud service must be listed in your self-assessment. There is no longer any route to exclude cloud platforms from the scope of your certification.
Security benefit: Cloud services are one of the most common vectors for data breaches. Ensuring they're properly scoped and secured closes a gap that many organisations had previously overlooked.
Ongoing Vulnerability Scanning: Expected Year-Round
Danzell makes clear that vulnerability scanning is no longer something you do once before a CE+ assessment. Organisations are expected to run regular scans throughout the year to identify gaps, confirm patches have been applied correctly, and catch issues before they become failures.
- Regular vulnerability scans must be scheduled throughout the year
- Results must be acted upon promptly, particularly for critical and high-risk findings
- Scanning provides documented evidence that patching requirements are being met
- If the first CE+ sample fails, a second sample of entirely different devices is tested
Security benefit: You cannot fix what you cannot see. Regular scanning gives you a continuous, accurate picture of your security posture, catching misconfigurations and missed patches before attackers do.
12-Character Minimum Password Length
Danzell v3.3 introduces a new minimum password length requirement. All user accounts must now use passwords of at least 12 characters. This replaces the previous 8-character guidance and applies to every account in scope, not just administrators.
Shared or generic accounts are no longer acceptable. Every user must authenticate with unique individual credentials before being granted access to applications or devices.
- Password policies must be updated to enforce a 12-character minimum across all systems
- Shared mailboxes and generic accounts need to be reviewed and remediated
- Staff may need to update passwords that no longer meet the new length requirement
- Password manager adoption is strongly recommended to help users manage longer, unique passwords
Security benefit: Longer passwords are exponentially harder to crack by brute force. A 12-character password offers billions of times more resistance than an 8-character one against automated attacks.
Stricter Scoping: Fewer Exclusions Permitted
The rules around what is and isn't in scope have been significantly tightened. Devices that can accept incoming internet connections, establish outbound connections, or control data flow between devices are all in scope. The ability to exclude "trusted" networks is gone.
Organisations with test and development environments can no longer obtain whole-organisation certification, those environments must now be formally descoped.
Security benefit: Vague scoping has historically allowed organisations to exclude vulnerable systems. Clearer rules mean fewer gaps and a more honest picture of your actual security posture.
Asset Management & Backups
Danzell places greater emphasis on knowing what you own. Organisations must have clear asset management in place, you cannot secure systems you don't know exist. Backups are repositioned in the guidance to reinforce their importance as a recovery mechanism.
Security benefit: Good asset management is the foundation of every other security control. When you know what you have and it's properly backed up, you can respond to incidents quickly and confidently.
Passkeys & Passwordless Authentication
The user access control section has been updated to promote modern authentication. Passkeys, security keys, biometrics, and FIDO2-compliant passwordless solutions are now treated as equivalent to MFA, reflecting the shift away from traditional passwords across the industry.
Security benefit: Passwords can be phished, guessed, or stolen. Passkeys are cryptographically bound to a specific device and cannot be replicated, making account takeover significantly harder.
Director's Declaration: Ongoing Commitment, Not Just Assessment Day
Under Danzell, the director or board member who signs the certification declaration is now explicitly committing to maintaining Cyber Essentials controls for the full duration of the certification year, not just at the point of assessment. This is a fundamental shift in how accountability is framed.
The self-assessment is also locked once CE+ testing begins. Answers cannot be updated based on what the technical audit reveals, the declaration must reflect the actual state of your environment at the time of signing.
Security benefit: Placing personal accountability on a named director throughout the year, not just at renewal, creates a genuine governance commitment to ongoing security, rather than a once-a-year exercise.
Why patch management and security have never been more important
Attackers move faster than ever
Threat actors scan for unpatched systems within hours of a vulnerability being disclosed. A 14-day window isn't arbitrary, it's built around the reality of how quickly exploits appear in the wild.
Customers and partners expect it
Cyber Essentials is increasingly a commercial requirement, from public sector contracts to supply chain due diligence. Danzell certification signals your security controls are actively maintained, not just checked once a year.
Insurers are watching
Cyber insurance premiums are directly tied to your security posture. Demonstrable, documented patch management and vulnerability scanning can improve your insurability and may reduce premiums.
Prevention costs less than recovery
The average cost of a cyber incident for a UK SME runs into tens of thousands of pounds, downtime, recovery, reputational damage, regulatory fines. Active, ongoing security is the most cost-effective protection available.
We manage Cyber Essentials compliance so you don't have to
Meeting Danzell's requirements isn't a one-person job. We've built a managed compliance service that covers every aspect of the framework, continuously, throughout the year.
Ongoing Patch Management
We monitor your environment for critical and high-risk patches, including firmware and browser extensions, as they're released and apply them within the 14-day window, with documentation to prove it.
Regular Vulnerability Scanning
We run scheduled vulnerability scans throughout the year. You receive a clear report of findings, remediation actions taken, and your current compliance status, not just at assessment time.
MFA Audit & Enforcement
We audit every cloud service your organisation uses, identify where MFA is available but not enabled, and implement it, including social media accounts and SSO configurations.
Asset Discovery & Management
We maintain an accurate, up-to-date inventory of every device and cloud service in scope, so nothing falls through the cracks and you always know exactly what needs protecting.
Assessment Preparation
We guide you through the Danzell question set, review your self-assessment for accuracy, and ensure your environment is in the best possible shape before submission, minimising the risk of unexpected failures.
Year-Round Compliance Monitoring
Security doesn't stop when the certificate is issued. We keep monitoring, scanning, and patching throughout your certification period, so renewal is straightforward and your protection never lapses.
Security Awareness Training
While not a formal Danzell requirement, staff awareness is one of the most effective layers of defence. We provide regular security awareness training to help your team recognise phishing, social engineering, and other threats, going beyond the certificate to reduce your human risk.
Ready to talk through what Danzell means for your organisation?
Our team is here to explain the changes, answer your questions, and help you understand the investment required to stay compliant and properly protected.
