Each year, the Cyber Essentials question set is updated to reflect how technology and security practices evolve.
In April 2026, the current “Willow” question set will be replaced by a new version, “Danzell.” As with previous updates, the core framework isn’t being reinvented, but there are some important changes in how organisations are expected to demonstrate compliance.
If you’ve been through Cyber Essentials before, this isn’t a dramatic change. But if your renewal is coming up soon you might want to earmark a little more time to ensure you’re prepared.
The Core Controls Aren’t Changing
At its heart, Cyber Essentials is still built around the same five technical control areas:
- Firewalls and internet gateways
- Secure configuration
- User access control
- Malware protection
- Patch management
Those foundations remain exactly the same. What’s changing is how you evidence and explain what you’re doing.
What’s Different in Danzell?
The move from Willow to Danzell is less about new controls and more about depth and clarity.
1. More emphasis on how controls are applied
Under Willow, many questions could be answered relatively simply. Under Danzell, there is more focus on:
- how processes are carried out
- how controls are maintained over time
- how consistently they are applied across the environment
For example, instead of confirming that passwords are changed or access is controlled, you may be asked to describe how this is managed in practice.
2. Greater visibility of your environment
Danzell places more weight on understanding what’s actually in use.
In practical terms, that means being clearer about:
- systems in scope
- applications (including email platforms and versions)
- how those systems are supported and updated
For organisations with a well-managed asset estate, this is straightforward. For others, it can expose gaps that haven’t previously been documented.
3. Clearer expectations around access and roles
User access control has always been part of Cyber Essentials, but Danzell makes expectations more explicit around:
- limiting access based on role
- separating administrative privileges
- maintaining control over who can do what
Again, this isn’t new in principle, but it does require a more deliberate and evidenced approach.
What This Means in Practice
For most organisations, the impact isn’t about passing or failing. It’s about how prepared you are when you start the process.
If your environment is:
- well understood
- consistently managed
- and documented to a reasonable level
…then Danzell shouldn’t present any real difficulty.
Where organisations tend to run into friction is when:
- systems have evolved over time without being fully reviewed
- user access has grown organically
- asset visibility is incomplete
- or processes exist, but aren’t clearly defined
In those cases, the newer question set can make the process of certification more involved.
A Practical Way to Approach It
The most effective way to handle either version is the same: Understand where you stand before you submit.
That means:
- identifying any gaps early
- checking that controls are applied consistently
- making sure your environment is properly understood
This avoids the common situation where issues only become visible during the assessment itself.
Where We Can Help
We’re offering a free Cyber Essentials assessment to help organisations sense-check their position before starting the certification process.
It’s a straightforward review with one of our engineers, followed by a clear roadmap of anything that may need attention.
- If you’re planning to certify before the April change, we’ll assess you against the current Willow requirements
- If you’re planning to certify afterwards, we’ll align the assessment to Danzell so you know what to expect
Either way, the goal is the same: no surprises when you come to submit. Contact us for an initial discovery call or find out more about this assessment here.
