SMEs do not need to relearn Cyber Essentials from scratch for April 2026. The five technical control themes are still the familiar ones: firewalls, secure configuration, security update management, user access control and malware protection. What changes from 27 April 2026 is that the question set and the supporting requirements leave less room to stay vague about scope, cloud services, ownership and renewal readiness.
For Microsoft 365-heavy businesses, that matters more than it first appears. When identity, email, file sharing and day-to-day work are spread across cloud services, remote access, user accounts and devices, a “roughly right” view of the estate becomes much harder to defend. The practical story here is not a brand-new scheme. It is the same baseline, asked and defined more precisely.
If you want the wider evergreen picture, start with the [Cyber Security & Cyber Essentials hub]. This page is about the April 2026 update itself: what changed, what was already true, and what Microsoft 365 SMEs should review before renewal.
What changes on 27 April 2026
From 27 April 2026, assessments use the Danzell question set, Version 16, alongside the updated Cyber Essentials: Requirements for IT Infrastructure v3.3. Danzell still describes Cyber Essentials as a government-backed scheme focused on five technical security controls, and v3.3 keeps those same five controls as the foundation.
So this is not a “new Cyber Essentials scheme” story. It is a clarity story. The v3.3 requirements themselves say what is new includes a definition for cloud services and a definitive statement that cloud services cannot be excluded from scope. Danzell then reflects that firmer wording in the assessment flow and adds more operational questions around scope, boundaries and accountability.
The real headline: less room for ambiguity
Here is the practical headline: the April 2026 Cyber Essentials update does not replace the five core controls. It makes it harder for SMEs to stay vague about what is in scope, whether a partial scope is real, which cloud services count, who is accountable internally, and whether the answers would stand up at renewal.
That distinction matters. Some of what people are calling “new” in Danzell was already present either in the Willow question set or in the requirements. For example, cloud services were already in scope, and the responsible person was already required to be internal rather than the outsourced IT provider. What changes in 2026 is that v3.3 sharpens the requirements wording, while Danzell makes the operational questions harder to dodge.
That is why this is better treated as a governance issue than a paperwork issue. For SMEs, the underlying problem is usually not the form. It is whether the business can clearly define its baseline, show who owns it, and produce answers that match how the estate actually works day to day.
If the answers around scope, ownership and evidence already feel fuzzy, Book a Security Triage Call.
What has become more explicit
Scope and excluded sub-sets
Partial scope still exists, but it has to be real. That is not a new 2026 invention. Both v3.2 and v3.3 define a sub-set as part of the organisation whose network is segregated from the rest by a firewall or VLAN.
What Danzell does is make that boundary more explicit in the question flow. It says a partial organisation means some networks are excluded from scope, and that this must be done using a firewall or VLAN. It then goes further and asks how the sub-set was achieved, stating that other methods such as security groups, microsegmentation or software-based methods are not compliant.
In plain English, partial scope is not a convenient label for “the awkward bits”. If you are excluding part of the estate, the separation has to exist as an actual boundary, not as an assumption.
Cloud services are fully in scope
Cloud services being in scope is also not brand new. The v3.2 requirements already said that if your organisation’s data or services are hosted on cloud services, those services must be in scope. Willow also already told applicants that cloud services could not be excluded from the scope of Cyber Essentials.
What is newly explicit in April 2026 is the wording in v3.3 itself. The “What’s new” section says the document now includes a definitive statement that cloud services cannot be excluded from scope, and the scope section repeats exactly that. Danzell then mirrors that wording in the question set.
That matters for Microsoft 365 SMEs because Cyber Essentials is not only about office networks and Windows laptops. Microsoft 365 is listed in the requirements as an example of SaaS, and the requirements also make clear that while some controls may be implemented by the cloud provider, the applicant organisation remains responsible for ensuring the controls are in place.
Social media and business accounts count
This is one of the clearer Danzell-specific clarifications. The Danzell question set explicitly says that social media accounts such as Facebook, LinkedIn and X are considered cloud services. The v3.3 requirements define cloud services more clearly, but they do not spell out those social media examples in the same way.
For SMEs, the plain-English lesson is simple: if the business uses the account, it belongs in the conversation. A shared LinkedIn company account or another business-owned platform account is no longer something you can mentally file under “marketing, not IT”.
Named internal ownership
The requirement for a named internal responsible person is not new with Danzell. Willow already said the person responsible for managing in-scope IT systems must be a member of the organisation and cannot be employed by the outsourced IT provider. Danzell keeps that exact principle.
What makes it feel sharper in 2026 is how this now sits alongside the wider scope questions and the requirements language about applicant responsibility. The v3.3 requirements say the applicant organisation is responsible for meeting the requirements, and that all accounts owned by the organisation remain in scope even when used by a third party such as an MSP. If you use externally managed services, you still have to be able to confirm that the Cyber Essentials controls are being met and demonstrate that in your answers.
That is accountability, not bureaucracy. An MSP can help implement and maintain the controls. It cannot replace the applicant’s ownership of the answer.
More operational scope detail
This is where Danzell meaningfully changes the experience for SMEs. Compared with Willow, it asks for more detailed information about how the business and estate are actually set up. That includes employee count, operational addresses, additional legal entities in scope, excluded networks, how sites are connected, whether all in-scope networks are used at listed company locations, how remote workers connect, and what equipment is used to create any sub-sets.
Willow asked less. It covered the organisation address, geographical locations in scope, a list of networks, the number of home or remote workers, cloud services, and the responsible person. That is still substantial, but Danzell pushes further into operational reality.
The business lesson is straightforward: “we roughly know what we have” is less defensible now.
Supported software still matters
This part is best described as an ongoing requirement that is still easy to trip over. Both Willow and Danzell say that if you are using Windows 10 beyond 14 October 2025, you must be signed up to Microsoft Extended Security Updates to remain compliant.
That sits inside the wider rule in the requirements that software in scope must be licensed and supported, and kept up to date. So this is not a generic Microsoft lifecycle footnote. It is a renewal-readiness issue.
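As an added example, not taken from the Cyber Essentials documents or from either question set, here is a PowerShell check an SME or its MSP could run on a Windows endpoint to produce the evidence behind this answer. It reads the operating system edition and the Windows Update history through the built-in Windows Update Agent COM API, and flags a Windows 10 device that has installed nothing since the 14 October 2025 cutoff. Column names and the output shape are this example's own choices.

```powershell
# Added example: local renewal-readiness check for the Windows 10 / ESU point above.
# Built-in cmdlets and the Windows Update Agent COM API only; no extra modules.
# The cutoff is the end-of-support date quoted in the text.
$cutoff = [datetime]'2025-10-14'

$os      = Get-CimInstance -ClassName Win32_OperatingSystem
$isWin10 = $os.Caption -like '*Windows 10*'

# Pull the full Windows Update history.
# Operation 1 = installation, ResultCode 2 = succeeded.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$total    = $searcher.GetTotalHistoryCount()
$history  = if ($total -gt 0) { @($searcher.QueryHistory(0, $total)) } else { @() }

$installed = $history |
    Where-Object { $_.Operation -eq 1 -and $_.ResultCode -eq 2 } |
    Sort-Object -Property Date -Descending
$latest = $installed | Select-Object -First 1

$updatedSinceCutoff = ($null -ne $latest) -and ($latest.Date -gt $cutoff)

[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    OperatingSystem    = $os.Caption
    Build              = $os.BuildNumber
    IsWindows10        = $isWin10
    LatestInstallTitle = if ($latest) { $latest.Title } else { $null }
    LatestInstallDate  = if ($latest) { $latest.Date }  else { $null }
    UpdatedSinceCutoff = $updatedSinceCutoff
    # True when the device is Windows 10 and has installed nothing since end of support:
    # confirm ESU enrolment (or upgrade/replace) before relying on it in the renewal answer.
    NeedsEsuConfirmation = $isWin10 -and -not $updatedSinceCutoff
}
```

Read the result carefully. A successful install after the cutoff is evidence that updates are still arriving on that device; it is not proof of an ESU subscription, and a device that has simply been switched off since October will show the same gap as an unenrolled one. The ESU enrolment record itself is the evidence for the licensing answer; this check tells you which devices to go and look at.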
Why this matters to SMEs in practice
First, more things count. Cloud services, business-owned accounts, remote access methods and the real shape of the estate are harder to hand-wave away. For Microsoft 365-heavy SMEs, that means more of the day-to-day operating model is now obviously part of the Cyber Essentials conversation.
Second, assumptions count less. The question set now asks for more practical detail about networks, locations, connectivity and sub-set boundaries. If the renewal answer depends on broad reassurance rather than specific knowledge, that is now more visible.
Third, ownership and evidence matter more. The requirements say the applicant may need to supply evidence, and the organisation remains responsible for meeting the requirements even where cloud providers or third parties are involved. A defensible baseline is not just a configuration state. It is ownership, evidence and maintenance over time.
Fourth, MSP involvement does not remove applicant responsibility. External support helps, but it does not move accountability outside the business. That is why a standardised operating model matters more than patchwork reassurance.
Common assumptions this update exposes
“Our cloud apps are basically out of scope”
They are not. Cloud services were already in scope, and v3.3 now states more directly that they cannot be excluded from scope. Danzell reinforces that in the assessment questions.
“Our MSP handles that”
They may handle a lot of it, but the applicant organisation still has to name an internal responsible person and confirm the controls are being met. That was already true before Danzell.
“MFA on Microsoft 365 is enough”
MFA matters, but Cyber Essentials still operates across five technical control themes. MFA helps with user access control. It does not remove the need for supported software, defined scope, secure configuration, update discipline or malware protection.
“Partial scope solves the awkward bits”
Only if the boundary is real. The sub-set must be segregated by firewall or VLAN, and Danzell is explicit that software-based methods are not compliant for that purpose.
“We know roughly what devices and apps we have”
That is a weaker position now. The requirements say effective asset management should create authoritative and accurate information that supports day-to-day operations and decision-making, and Danzell asks more questions that depend on that being true.
What to review before renewal
Before renewal, review these points at a governance level:
Your named internal owner for the in-scope IT systems.
Your in-scope users, devices and cloud services.
Whether any partial scope boundary is genuinely enforced by firewall or VLAN.
Your business-owned social media and other cloud accounts.
Your Windows 10 and ESU position.
Your Microsoft 365 access, ownership and evidence discipline across users, devices and services.
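As an added example of how to get the user, device and cloud-service points on that list onto an authoritative footing, rather than a "roughly" answer, here is a Microsoft Graph PowerShell SDK inventory for a Microsoft 365 tenant. It is not from the Cyber Essentials documents or from the question sets; it assumes the Microsoft.Graph module is installed and an account able to consent to the read-only scopes it requests. The folder name, CSV layout and the Windows 10 build test (build below 22000) are this example's own choices.

```powershell
# Added example: tenant inventory for the renewal review (Microsoft Graph PowerShell SDK).
# Requires: Install-Module Microsoft.Graph, and a signed-in account that can consent
# to the read-only scopes below. Exports users, devices and the service principals
# (cloud services/apps) that organisational identities sign in to.
Connect-MgGraph -Scopes 'User.Read.All','Device.Read.All','Application.Read.All' -NoWelcome

$stamp  = Get-Date -Format 'yyyyMMdd'
$outDir = Join-Path $PWD "ce-inventory-$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Users: who is in scope (members and guests, enabled or not).
$users = Get-MgUser -All -Property Id,DisplayName,UserPrincipalName,UserType,AccountEnabled |
    Select-Object DisplayName,UserPrincipalName,UserType,AccountEnabled
$users | Export-Csv -Path (Join-Path $outDir 'users.csv') -NoTypeInformation

# 2. Devices: registered/joined endpoints with OS version and last sign-in.
$devices = Get-MgDevice -All -Property Id,DisplayName,OperatingSystem,OperatingSystemVersion,AccountEnabled,ApproximateLastSignInDateTime |
    Select-Object DisplayName,OperatingSystem,OperatingSystemVersion,AccountEnabled,ApproximateLastSignInDateTime
$devices | Export-Csv -Path (Join-Path $outDir 'devices.csv') -NoTypeInformation

# Windows 10 reports builds 10.0.1xxxx; Windows 11 starts at 10.0.22000.
$win10 = $devices | Where-Object {
    $_.OperatingSystem -eq 'Windows' -and
    $_.OperatingSystemVersion -match '^10\.0\.(\d+)' -and
    [int]$Matches[1] -lt 22000
}

# 3. Cloud services/apps: every service principal is a candidate in-scope cloud service.
$apps = Get-MgServicePrincipal -All -Property Id,DisplayName,AppId,ServicePrincipalType,AccountEnabled |
    Select-Object DisplayName,AppId,ServicePrincipalType,AccountEnabled
$apps | Export-Csv -Path (Join-Path $outDir 'cloud-services.csv') -NoTypeInformation

[pscustomobject]@{
    Users             = @($users).Count
    Devices           = @($devices).Count
    Windows10Devices  = @($win10).Count
    ServicePrincipals = @($apps).Count
    OutputFolder      = $outDir
}
Disconnect-MgGraph | Out-Null
```

Two caveats. The device list only covers endpoints that are registered or joined to the tenant, so unmanaged personal devices used for work will not appear and still need a separate answer. And the service-principal export only lists cloud services that are signed in to with organisational identities; a shared LinkedIn or Facebook company account that uses its own password will not be there, which is exactly why those accounts need a maintained list of their own.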
If those answers are still fuzzy, the problem is not paperwork. It is baseline clarity.
Further Reading
Not ready to book a call yet? Download CE-baseline Checklist.
Next step
The April 2026 update is not stricter because someone wanted more admin. It is stricter because vague scope, vague ownership and vague evidence are weak cyber security. If your renewal would currently rely on assumptions, your business has a baseline clarity problem before it has a certification problem.
That is why the next step should be diagnostic, not rushed. Book a Security Triage Call to clarify fit, scope and likely gaps first. Then, where a deeper paid piece of work is needed, Learn about the Security Baseline Review.
FAQs
What changes in Cyber Essentials from 27 April 2026?
From 27 April 2026, assessments move to the Danzell question set alongside the v3.3 requirements document. The five core technical controls remain the same, but cloud scope, boundaries and operational detail are defined more clearly.
Is Danzell a new Cyber Essentials scheme?
No. Danzell is the April 2026 question set, not a replacement scheme. Cyber Essentials still uses the same five technical control themes.
Do cloud services have to be in scope for Cyber Essentials?
Yes. That was already the direction of the scheme, and v3.3 now states definitively that cloud services cannot be excluded from scope.
Are social media accounts in scope?
Danzell explicitly says social media accounts such as Facebook, LinkedIn and X are considered cloud services.
Can our MSP be the person responsible for our in-scope IT systems?
No. The responsible person must be a member of the applicant organisation, not a person employed by the outsourced IT provider. That was already stated in Willow and remains true in Danzell.
Can we still use a partial scope?
Yes, but it has to be real. The sub-set must be segregated by firewall or VLAN, and Danzell makes that practical requirement more explicit.
Does Windows 10 still comply after October 2025?
Only if you are using Microsoft Extended Security Updates after 14 October 2025. Both Willow and Danzell make that explicit.
Cyber Essentials Changes from 27 April 2026: What SMEs Need to Review