Navigating Cyber Essentials v3.3: A Guide to Compliance

On 27 April 2026, the National Cyber Security Centre (NCSC) will officially implement Cyber Essentials v3.3, delivered through a new self-assessment question set known as Danzell, which replaces the previous Willow set.

The foundational five technical controls remain the bedrock of the scheme, but this latest iteration tightens wording, scoping, and marking criteria in ways that have immediate consequences. The changes affect every organization seeking or renewing certification: in practice, any UK organization that handles business or customer data on internet-connected systems, and in particular any supplier bidding on government and public sector contracts where certification is mandatory.

For many, the move to v3.3 is more than a documentation update. As the baseline rises, so does the pressure on security teams to produce evidence of control, not just policy.

What’s new in Cyber Essentials v3.3?

1. Cloud services are explicitly in scope

The NCSC has added a formal definition of a cloud service for the first time: an on-demand, scalable service hosted on shared infrastructure and accessed via the internet. If your organization’s data or services sit on it, it is in scope, and it cannot be excluded. This covers Infrastructure as a Service, Platform as a Service, and Software as a Service, from Microsoft 365 and Google Workspace to your CRM, HR platform, and file-sharing tools.

2. Multi-factor authentication (MFA) is now a hard fail

MFA has long been part of the scheme, but v3.3 changes the marking criteria. Where a cloud service offers MFA (whether free, bundled, delivered through another service, or available only as a paid option) and it is not enabled, the assessment is an automatic fail. IP allowlisting is no longer accepted as a form of MFA.

3. The 14-day patching rule is now an auto-fail criterion

All critical and high-risk security updates for operating systems, router and firewall firmware, and applications (including browser and application extensions) must be installed within 14 days of the vendor releasing the update. The clock runs from the release date, not from when your team first notices the update. Miss the requirement and the assessment fails, regardless of how well you perform elsewhere.

4. Scoping language has been tightened

The qualifiers “untrusted” and “user-initiated” have been removed from the definition of internet connections, closing interpretive gaps that previously let organizations carve out exposed assets on a technicality. Backups have also been moved to a more prominent position in the document, a signal that recovery and resilience are edging up the NCSC’s agenda.

Three operational problems, three phases

These changes cluster into three operational problems. First, you have to know what is in scope; with cloud assets no longer excludable and the scoping language tightened, that is harder than it sounds. Second, you have to patch the critical and high-risk vulnerabilities in those assets within 14 days, every time. Third, you have to prove the controls you have put in place actually work, especially if you are pursuing Cyber Essentials Plus. The rest of this guide walks through each in turn.

Phase 1: Mastering scope with External Attack Surface Management

You cannot apply controls to assets you don’t know exist. Under v3.3, where cloud resources can be spun up in seconds by any department and cannot be excluded from scope, shadow IT becomes a direct compliance risk.

Outpost24 External Attack Surface Management (EASM) is the primary tool for solving the scoping problem. Rather than relying on internal spreadsheets that are outdated the moment they are saved, EASM takes an outside-in approach. It scans the global internet and discovers your domains, subdomains, IP addresses, cloud infrastructure, and forgotten assets exactly as an attacker would, without agents or credentials.

When you sit down for your v3.3 assessment, you have a continuously updated inventory of every internet-facing asset, including development servers, marketing microsites, and unsanctioned cloud instances that would otherwise cause a compliance failure.

For organizations that want to extend this visibility further, Outpost24 CompassDRP is a digital risk protection solution that pairs EASM with threat intelligence, surfacing leaked credentials, exposed data, and external threats across the open, deep, and dark web, all of which feed directly into a stronger, better-evidenced scope.

Phase 2: Vulnerability management

With the 14-day patching window now an automatic-fail criterion, timely remediation is no longer a best-practice aspiration. It is the difference between certification and assessment failure. In a sprawling hybrid environment, tracking every update for every piece of software is a monumental task.

Outpost24 OutscanNX streamlines this through risk-based, high-frequency vulnerability scanning. The platform doesn’t just list missing patches; it prioritizes them using real-world threat intelligence and severity data aligned to NCSC criteria.

Precision scanning provides deep visibility across hybrid environments, from legacy on-premises servers to cloud workloads and containers. Risk-based prioritization tells your IT team exactly which patches are mandatory for compliance, so limited resources are spent on the fixes that matter most. Continuous monitoring means that as soon as a new critical or high-risk update is released, your 14-day compliance clock starts with a clear, evidenced plan of action, not a scramble.
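The 14-day rule from section 3 above is simple to state but easy to get wrong in a tracker: the window is counted from the vendor's release date, only critical and high-risk updates count, and an update installed after the deadline is still a breach even though it is no longer missing. The following script, an added illustration that is not Outpost24 code and not part of the original article, evaluates a constructed patch inventory against that rule and flags the entries that would cause an automatic fail. The asset names and advisory identifiers are made up for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Cyber Essentials v3.3 auto-fail window, counted from the vendor's release date.
WINDOW_DAYS = 14
# Only these vendor severity labels are subject to the 14-day rule.
COUNTED_SEVERITIES = {"critical", "high"}


@dataclass
class Update:
    asset: str                 # host, device or cloud workload the update applies to
    component: str             # "os", "firmware", "application" or "extension"
    advisory: str              # vendor advisory / patch reference
    severity: str              # vendor severity label
    released: date             # date the vendor published the fix
    installed: Optional[date]  # None if not yet applied


@dataclass
class Finding:
    asset: str
    advisory: str
    status: str  # "ok", "due", "overdue" or "late"
    days: int    # days left before the deadline (>= 0) or days past it (< 0)


def assess(updates: List[Update], today: date) -> List[Finding]:
    """Evaluate each counted update against the 14-day window as of `today`."""
    findings = []
    for u in updates:
        if u.severity.lower() not in COUNTED_SEVERITIES:
            continue  # medium/low updates are outside the auto-fail rule
        deadline = u.released + timedelta(days=WINDOW_DAYS)
        if u.installed is not None:
            # Installed: compliant only if it went in on or before the deadline.
            days = (deadline - u.installed).days
            status = "ok" if days >= 0 else "late"
        else:
            # Still missing: report time remaining, or how far past the deadline.
            days = (deadline - today).days
            status = "due" if days >= 0 else "overdue"
        findings.append(Finding(u.asset, u.advisory, status, days))
    return findings


def fails(findings: List[Finding]) -> List[Finding]:
    """Entries that would trigger an automatic fail at assessment time."""
    return [f for f in findings if f.status in ("overdue", "late")]


# Constructed sample inventory; hostnames and advisory IDs are hypothetical.
AS_OF = date(2026, 5, 1)
SAMPLE_UPDATES = [
    Update("srv-01", "os", "KB-EXAMPLE-001", "critical", date(2026, 4, 10), date(2026, 4, 20)),
    Update("fw-edge", "firmware", "FW-EXAMPLE-002", "high", date(2026, 4, 5), None),
    Update("ws-07", "extension", "EXT-EXAMPLE-003", "high", date(2026, 4, 25), None),
    Update("srv-02", "application", "APP-EXAMPLE-004", "medium", date(2026, 3, 1), None),
    Update("ws-09", "os", "KB-EXAMPLE-005", "critical", date(2026, 4, 1), date(2026, 4, 20)),
]


if __name__ == "__main__":
    for f in assess(SAMPLE_UPDATES, AS_OF):
        print(f"{f.asset:8} {f.advisory:16} {f.status:8} {f.days:+d} days")
    print("auto-fail entries:", [f.asset for f in fails(assess(SAMPLE_UPDATES, AS_OF))])
```

Run as-is it reports that fw-edge is 12 days past its deadline and still unpatched, that ws-09 was patched five days late, and that ws-07 has eight days left, while the medium-severity entry is ignored. The "late" status is the one most trackers miss: a closed ticket is not evidence of compliance if the install date is outside the window, so keep install dates alongside release dates in whatever evidence you hand to the assessor.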

Phase 3: Validating controls

An organization might have a policy for MFA or a firewall rule in place, but is the control actually effective? Version 3.3 moves closer to requiring proof of efficacy, not just proof of existence, and for organizations pursuing Cyber Essentials Plus, where an independent technical audit is required, that shift is especially sharp.

Outpost24 CyberFlex bridges the gap between automated scanning and human-led expertise. By combining EASM with Penetration Testing as a Service delivered by certified pen testers, CyberFlex validates your security controls in real conditions.

A standard scan might show that a cloud portal is active. CyberFlex determines whether a misconfiguration lets an attacker bypass the login screen, whether an API is leaking sensitive data, or whether MFA enforcement has gaps an attacker could exploit. For teams preparing for Cyber Essentials Plus, using CyberFlex to pre-validate your environment removes the surprises from the final inspection and produces the kind of expert-verified evidence that stands up to auditor scrutiny.

Compliance as a competitive edge

Cyber Essentials v3.3 is more than a contractual necessity. It is an opportunity to strengthen resilience and qualify for a wider range of contracts. Cyber insurers increasingly require certification as a condition of coverage, so the business case extends well beyond the assessment itself.

The organizations that thrive in 2026 will treat exposure management as continuous, not periodic. That means discovering assets as they appear. It means remediating vulnerabilities before the 14-day clock runs out. And it means validating controls against real-world attack conditions.

Book a demo with Outpost24 to see how continuous asset discovery, risk-based vulnerability management, and expert-led control validation can help you achieve and maintain Cyber Essentials v3.3 compliance.

About the Author

Dominique Adams, Cybersecurity Writer, Outpost24

Dominique Adams is a UK-based cybersecurity writer with over seven years of experience in the cybersecurity industry. Her work focuses on cyber risk, threat trends, security operations, and helping organizations understand complex security challenges.