Cyber Essentials has changed. Here's what you need to know.
- roryhardyman
- May 5
This week, Cyber Essentials officially moved to the new Danzell question set — and I've been working through the changes to understand what they mean in practice. A few of them will catch organisations out if they haven't prepared.
The five core controls haven't changed. What has changed is how strictly they're assessed, and for some organisations, their current setup simply won't pass anymore.
Here are my main takeaways.
1. Lack of MFA on cloud services is now an automatic failure
MFA has always been part of the scheme, but previously missing it resulted in a major non-compliance — and you could still pass. Not anymore. If a cloud service offers MFA and you haven't enabled it, whether it's free, included, or a paid option, the assessment fails. There is no longer a route around it.
2. Cloud services can no longer be excluded from scope
The scheme now formally defines what a cloud service is: any on-demand service accessed via an account that stores or processes your data. If your data is in it, it's in scope. The flexibility that previously allowed certain services to be argued out of scope is gone.
3. Social media accounts are now explicitly included
This one catches people off guard. LinkedIn, Facebook, X — if they're used for business purposes, they now count as cloud services under the new definition. They need to be declared in your self-assessment and MFA needs to be enabled. Worth a quick check if you haven't done it already.
4. You can no longer carry a non-compliance from CE into CE+
Under the previous scheme, you could pass basic Cyber Essentials with a major non-compliance and still progress to CE+. That path is now closed. A clean pass is required before CE+ can begin.
One more — specifically for CE+
Assessors will now test a second independent random sample after any remediation — not just recheck the original devices. Patching only what was tested is no longer enough. This change closes a loophole that IASME's own audits identified: organisations applying fixes only to the devices included in the sample, rather than across the full environment.
What this means for your organisation
If your Cyber Essentials renewal is due this year, the time to review your position is now — before the assessment, not during it. The three areas most likely to cause problems are:
- MFA configuration — not just email and core platforms, but every cloud service your staff access with a business account.
- Cloud service inventory — do you have a complete list of every cloud service in use across your organisation, including those adopted informally by individual teams?
- Social media accounts — check that business LinkedIn, Facebook, and X accounts have MFA enabled and are included in your scope declaration.
The fundamentals are still key — but the scheme is getting sharper about what actually counts as a fundamental.
How Secure Pathway can help
If you're unsure where your organisation stands against the new Danzell requirements, Secure Pathway offers a Cyber Essentials Readiness Review — a structured gap analysis against all five technical controls that tells you exactly what needs to change before you submit.
We also provide full Assisted Certification support, working alongside you from gap analysis through to submission. For organisations targeting Cyber Essentials Plus, we prepare you for the independent technical verification so there are no surprises on the day.
Book a free 30-minute call at securepathway.co.uk to discuss your renewal or certification timeline.
Rory Hardyman is the founder of Secure Pathway, a cyber security advisory practice specialising in professional services firms. He has direct experience delivering Cyber Essentials Plus certification within a top-75 UK law firm.