Cyber Essentials Danzell: Mandatory MFA Requirements for 2026

The 24-hour countdown has officially begun. As of today, April 26, 2026, the UK’s cybersecurity landscape is standing on the precipice of its most significant regulatory evolution in a decade. Tomorrow morning, April 27, the National Cyber Security Centre (NCSC) and IASME will formally retire the “Willow” question set, ushering in the era of Cyber Essentials Danzell (Version 3.3). For IT directors and security officers across the country, the message is stark: the “best effort” era is over. Total compliance is the only remaining currency.
The Cyber Essentials Danzell update represents far more than a routine refresh of documentation. It is a fundamental realignment of the UK’s baseline security standard, designed to close the “execution gap” that has long plagued organizational defenses. While previous iterations allowed for a degree of interpretive flexibility, Danzell introduces a series of non-negotiable “hard-fail” criteria that will likely catch unprepared organizations off-guard. At the heart of this transition is a radical mandate regarding Multi-Factor Authentication (MFA) and a technical pivot toward phishing-resistant, passwordless infrastructures.
The MFA Mandate: Eliminating the Opt-Out Culture
For years, MFA has been categorized as a “recommended” or “best practice” control for many cloud services. Under the Cyber Essentials Danzell framework, this ambiguity is permanently deleted. MFA is now a mandatory requirement for every single cloud service an organization utilizes, provided that the service offers MFA in any capacity. This mandate applies regardless of whether the service is a free-tier application, a bundled legacy tool, or a premium subscription-based platform.
Critically, the Danzell update explicitly targets the “pay-for-security” model. In previous years, organizations often argued that they could not enable MFA because their service provider locked the feature behind a higher-priced “Enterprise” tier. The NCSC’s new stance is uncompromising: if a service offers MFA—even as a paid add-on—the organization must pay for and enable it. Failure to enforce MFA across every cloud-accessed platform now results in an automatic failure of the certification. There are no longer “major non-compliances” that can be offset by other strengths; the absence of MFA on a single in-scope cloud account is a total assessment collapse.
Cloud Services Redefined
To support this mandate, Cyber Essentials Danzell codifies a precise definition of “Cloud Services.” The standard defines a cloud service as any on-demand, scalable service hosted on shared infrastructure and accessible via the internet. This includes:
- Software as a Service (SaaS): Microsoft 365, Google Workspace, Xero, Salesforce, and even corporate social media accounts like LinkedIn or X (formerly Twitter).
- Platform as a Service (PaaS): Database hosting, web application frameworks, and developer environments.
- Infrastructure as a Service (IaaS): Virtual servers, storage buckets, and cloud-based networking components.
The scope no longer allows for “creative exclusion.” If organizational data is stored or processed within a service, that service is in scope. This closes the loophole where “Shadow IT”—apps used by specific departments without central IT oversight—was conveniently left out of assessments.
Passwordless Authentication: The Shift to FIDO2 and Hardware Keys
While MFA is the immediate hurdle, the long-term technical objective of Cyber Essentials Danzell is the eradication of traditional passwords. The update significantly elevates the status of “passwordless” authentication protocols. Specifically, the NCSC now prioritizes FIDO2-compliant authenticators and hardware security keys (such as YubiKeys or Google Titan keys) over traditional SMS-based or app-based OTP (One-Time Password) codes.
The rationale is grounded in two threats that defeat conventional second factors: “MFA fatigue,” where an attacker who already holds the password bombards the user with push prompts until one is approved, and adversary-in-the-middle (AiTM) phishing, where a reverse proxy sits between the victim and the genuine login page, relays the password and one-time code in real time, and captures the resulting session cookie. Traditional MFA methods, while superior to passwords alone, offer nothing the proxy cannot relay, because an SMS or app-generated code carries no information about where it was typed. FIDO2 and WebAuthn resist this by construction: the browser, not the page, records the origin the user is actually on in the signed client data, and the authenticator signs over a hash of the relying party identifier, which the browser only permits to be a registrable suffix of that origin. A credential exercised on a proxy’s look-alike domain therefore produces a signature the real service rejects, so the credential cannot be phished even when the user is completely fooled.
Under the Danzell requirements, organizations are encouraged to adopt:
- Platform Authenticators: Windows Hello for Business, Apple Face ID/Touch ID, and Android biometrics, which keep the private key in the device’s hardware-backed key store (a TPM on Windows, the Secure Enclave on Apple devices, a TEE or StrongBox keystore on Android) so the biometric only unlocks a key that never leaves the device.
- Roaming Authenticators: Physical hardware keys that can be moved between devices.
- Passkeys: Synchronized FIDO credentials that provide a seamless user experience while maintaining high-assurance security.
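To make the origin-binding argument concrete, the following is an added Go example written for this article; it is not code from the NCSC, IASME, or any authenticator vendor. It simulates the relying-party side of a FIDO2/WebAuthn assertion: the browser writes the page’s real origin into clientDataJSON, the authenticator signs over the rpId hash plus a hash of that client data, and the relying party checks both before it checks the signature. The hosts (example.test and example.test.login-portal.evil), the fixed challenge string, and the function names are invented for the illustration, and the verifier is abridged from the specification; a production deployment would use a maintained WebAuthn library rather than this code.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

type CollectedClientData struct { // subset of WebAuthn clientDataJSON that matters for origin binding
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Assertion struct { // what the browser hands the relying party (RP) after navigator.credentials.get()
	AuthData       []byte // SHA-256(rpId) || flags || signCount
	ClientDataJSON []byte // written by the browser, not by the page's JavaScript
	Signature      []byte // ES256 over AuthData || SHA-256(ClientDataJSON)
}

// signedDigest is what ES256 actually signs: SHA-256(authData || SHA-256(clientDataJSON)).
func signedDigest(ad, cd []byte) []byte {
	cdHash := sha256.Sum256(cd)
	d := sha256.Sum256(append(append([]byte{}, ad...), cdHash[:]...))
	return d[:]
}

// browserAssert simulates browser plus authenticator. The browser records the page's real origin and
// only accepts an rpId that is a registrable suffix of that origin's host, so a phishing page cannot
// obtain a signature over the victim RP's rpIdHash.
func browserAssert(priv *ecdsa.PrivateKey, rpID, pageOrigin, challenge string, signCount uint32) Assertion {
	cd, _ := json.Marshal(CollectedClientData{Type: "webauthn.get", Challenge: challenge, Origin: pageOrigin})
	rpIDHash := sha256.Sum256([]byte(rpID))
	ad := make([]byte, 37) // rpIdHash || flags || signCount
	copy(ad, rpIDHash[:])
	ad[32] = 0x01 // UP flag: user present
	binary.BigEndian.PutUint32(ad[33:], signCount)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedDigest(ad, cd))
	if err != nil {
		panic(err) // simulation only
	}
	return Assertion{AuthData: ad, ClientDataJSON: cd, Signature: sig}
}

// VerifyAssertion performs the RP-side checks (abridged from the spec) that make the credential origin-bound.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, lastCount uint32, a Assertion) error {
	var cd CollectedClientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	switch { // first failing check wins; the length check guards the slices after it
	case cd.Challenge != challenge:
		return errors.New("challenge mismatch: replayed or stale assertion")
	case cd.Origin != origin:
		return fmt.Errorf("origin mismatch: signed on %q, expected %q", cd.Origin, origin)
	case len(a.AuthData) < 37:
		return errors.New("authenticator data too short")
	case !bytes.Equal(a.AuthData[:32], rpIDHash[:]):
		return errors.New("rpIdHash mismatch: credential exercised for a different RP")
	case binary.BigEndian.Uint32(a.AuthData[33:37]) <= lastCount:
		return errors.New("signature counter did not increase: possible cloned authenticator")
	case !ecdsa.VerifyASN1(pub, signedDigest(a.AuthData, a.ClientDataJSON), a.Signature):
		return errors.New("invalid signature")
	}
	return nil
}

// Scenario runs three logins against one credential: genuine, relayed through an AiTM proxy, and
// relayed with clientDataJSON and rpIdHash patched to look genuine. Hosts and challenge are invented.
func Scenario() (legit, phished, tampered error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	const rpID, origin, ch = "example.test", "https://example.test", "c2FtcGxlLWNoYWxsZW5nZQ" // fixed challenge; a real RP draws one per ceremony
	// 1. User is on the real site: origin and rpIdHash match and the signature verifies.
	a := browserAssert(priv, rpID, origin, ch, 1)
	legit = VerifyAssertion(&priv.PublicKey, rpID, origin, ch, 0, a)
	// 2. User is on the proxy's look-alike host; the proxy relays the challenge and forwards the assertion unchanged.
	p := browserAssert(priv, "example.test.login-portal.evil", "https://example.test.login-portal.evil", ch, 2)
	phished = VerifyAssertion(&priv.PublicKey, rpID, origin, ch, 1, p)
	// 3. Proxy patches clientDataJSON and rpIdHash to the genuine values; both are under the signature.
	p.ClientDataJSON = a.ClientDataJSON
	copy(p.AuthData[:32], a.AuthData[:32])
	tampered = VerifyAssertion(&priv.PublicKey, rpID, origin, ch, 1, p)
	return legit, phished, tampered
}

func main() {
	legit, phished, tampered := Scenario()
	fmt.Println("genuine:", legit, "| AiTM relay:", phished, "| patched relay:", tampered)
}
```

Run it with `go run`: the genuine login returns no error, the relayed assertion fails on the origin check before the signature is even examined, and the assertion the proxy patches to claim the genuine origin fails on the signature because the patched fields are exactly the bytes the authenticator signed. Contrast that with an SMS or TOTP code, which has no origin or rpId field at all, so the same proxy can forward it to the real service untouched.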
The 14-Day Patching Sprint: A New Hard-Fail Boundary
Beyond authentication, Cyber Essentials Danzell tightens the operational requirements for vulnerability management. The previous guidance to apply updates “in a timely manner” has been replaced by a rigid, 14-day remediation window for all “High-Risk” and “Critical” security updates. This requirement (referenced as questions A6.4 and A6.5 in the Danzell question set) is now an automatic failure point.
This 14-day clock begins the moment a patch is released by a vendor, not when the organization “discovers” it. This necessitates a move away from manual patching cycles toward automated Patch Management Systems (PMS). The scope of this requirement has also expanded to include browser extensions. As more corporate work moves into the browser (via SaaS), malicious or unpatched extensions have become a primary vector for credential theft and session hijacking. Under Danzell, every browser extension on every in-scope device must be monitored and updated within the same 14-day window.
Scoping and the End of “Ghost” Infrastructure
One of the most frequent reasons for failure in previous Cyber Essentials assessments was “incorrect scoping.” Organizations often tried to exclude complex or insecure parts of their network to simplify the certification process. Cyber Essentials Danzell removes the ambiguity that allowed this “selective compliance.”
The update removes the old qualifiers regarding “untrusted” or “user-initiated” connections. The new rule is binary: if a device connects to the internet or controls the flow of data between the internet and other devices, it is in scope. This has immediate implications for several areas:
BYOD and Home Workers
If an employee uses a personal device to access work email or corporate files, that device is now strictly in scope. Under Danzell, “having a policy” is no longer enough. Organizations must demonstrate technical control over these devices—either through Mobile Device Management (MDM) or by restricting access to a managed, sandboxed environment such as a Virtual Desktop Infrastructure (VDI). If a staff member’s personal iPhone receives a Slack notification containing organizational data, and that device is not secured to Danzell standards, the organization is technically non-compliant.
Third-Party and Contractor Access
The “Danzell transition” also mandates that any third-party or contractor hardware accessing the organizational network must meet the same rigorous controls. This often requires organizations to issue corporate-managed hardware to contractors rather than allowing “Bring Your Own” access, which is notoriously difficult to audit to the 14-day patching standard.
Executive Liability: The Boardroom’s New Signature
Perhaps the most subtle but impactful change in Cyber Essentials Danzell is the revision of the Director’s Declaration. Previously, the declaration was seen by some as a “point-in-time” confirmation. The new Danzell declaration requires a board member or director to explicitly acknowledge their responsibility for maintaining compliance throughout the duration of the certification period.
This shift from “point-in-time” to “continuous compliance” transforms Cyber Essentials from an annual audit into an ongoing operational requirement. If an organization suffers a breach six months after certification and it is discovered that MFA was disabled or patches were ignored, the director’s signature on the Danzell declaration could create significant legal and insurance liabilities. This change is designed to move cybersecurity out of the IT basement and into the boardroom, ensuring that security is treated as a core business risk rather than a technical checkbox.
Preparing for the Technical Audit: Cyber Essentials Plus
For those pursuing the Cyber Essentials Plus certification, the Danzell update introduces even more rigorous verification procedures. Under the new rules, assessors will select device samples for testing just 72 hours before the audit begins. This “randomized sampling” is intended to prevent “window dressing,” where IT teams quickly patch a specific subset of machines they expect the auditor to check.
Furthermore, the verified self-assessment (VSA) must now be locked and submitted before the technical audit begins. Organizations can no longer change their answers based on what the auditor finds during the on-site or remote testing. This “lock-down” mechanism forces organizations to be honest about their security posture from the outset, as discrepancies between the self-assessment and the technical audit will result in an immediate failure and the requirement for a full reassessment.
Conclusion: The Resilience Revolution
The transition to Cyber Essentials Danzell marks the end of “compliance theater.” By making MFA mandatory on every cloud service, enforcing 14-day patching for all software (including extensions), and prioritizing phishing-resistant passwordless authenticators, the NCSC is setting a new global benchmark for baseline cybersecurity.
While the final 24-hour window before the April 27 deadline may be a period of intense activity for IT departments, the long-term benefits of the Danzell update are clear. Organizations that embrace these stricter protocols will not only secure their certification but will also build a genuine resilience against the most common and damaging cyberattacks of 2026. As the clock ticks down, the message from the NCSC is loud and clear: security is no longer an option—it is a requirement for survival in the digital economy.
Written by
TempMail Ninja
Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.