Cyber Essentials v3.3 Danzell: A UK Manufacturer’s Guide to the 2026 Changes

Cyber Essentials v3.3 Danzell replaced the previous Willow question set on 27 April 2026, and for UK manufacturers it is the biggest tightening of the scheme in years. The headline changes are an automatic-fail rule for missing MFA on any cloud service that supports it, a hard 14-day window for critical patches, and a much wider definition of what counts as a cloud service in scope.

TL;DR for busy MDs

  • From 27 April 2026, all new Cyber Essentials assessments use the v3.3 Danzell question set — Willow is retired for new applications.
  • If a cloud service offers MFA and you have not enabled it, you fail automatically. Cost of an MFA add-on is no longer an acceptable excuse.
  • Critical and high-risk patches must be applied within 14 days of release — missing the window is another auto-fail.
  • Cloud scope is now much wider: any SaaS account signed in with a business email or account is in scope, including free tiers and shadow apps.
  • Passwordless and FIDO2 passkeys are now actively encouraged; IP allowlisting alone no longer counts as MFA.

Last updated: 11 June 2026

What the Cyber Essentials v3.3 Danzell update actually changes

Cyber Essentials is the UK government-backed baseline for cyber hygiene, run by IASME under the National Cyber Security Centre. The v3.3 Danzell update is the new question set, published as the “Requirements for IT Infrastructure v3.3” on 3 November 2025 and live for all new assessments from 27 April 2026. It keeps the same five technical controls — firewalls, secure configuration, user access control, malware protection and security update management — but tightens what “compliant” looks like in practice.

For manufacturers, three headline shifts matter. First, multi-factor authentication is now a hard fail rather than a major non-compliance. Second, the cloud scope is broader: every SaaS account accessed via a business email is in scope, including free trials your shop-floor team or marketing department signed up to last year. Third, critical patches must land inside 14 days, with no remediation window.

The NCSC’s own overview of Cyber Essentials still positions the scheme as a minimum standard, but the Danzell question set significantly raises the floor. Manufacturers selling into MoD supply chains, automotive Tier 1 customers or large retailers will feel this most quickly, because Cyber Essentials — and increasingly Cyber Essentials Plus — is now a routine contractual requirement.

Why the Cyber Essentials v3.3 Danzell changes matter on the shop floor for UK manufacturers

It is tempting to read the Danzell changes as an IT problem. In a manufacturing business, they are an operations problem. Here is what is genuinely different for a UK manufacturer in 2026.

  • MFA is now an auto-fail if missing. Where MFA is supported — free, bundled or paid — it must be enabled for all users. No exceptions for legacy SaaS used by accounts or design.
  • Cloud scope has expanded sharply. Every SaaS account signed in with a business email is in scope. Shadow apps used by buyers or marketing now count, and they must all be inventoried for the self-assessment.
  • 14-day patch window for criticals. Critical and high-risk security updates on operating systems, applications and firmware must be applied within 14 days of release. Manual patching of office and shop-floor laptops will not keep up.
  • IP allowlisting alone is no longer MFA. If you have been relying on “only our office IP can reach the portal”, you need to add a proper second factor.
  • Separate admin accounts are now required. Anyone eligible to request administrative roles must use a separate account from their day-to-day user account.
  • Passwordless and passkeys are encouraged. FIDO2 authenticators and passkeys are recognised compliant methods, with NCSC pushing them as the default direction of travel.
  • Zero Trust is now explicitly compatible. The v3.3 document confirms Cyber Essentials reinforces a Zero Trust model rather than conflicting with it — useful for boards investing in identity-led architecture.

How to prepare a UK manufacturer for Cyber Essentials v3.3 Danzell

The gap between Willow and Danzell is a few months of disciplined work, not a project. Approach it as you would any change on the production line: scope, plan, do, check.

Build a real SaaS inventory. Pull a list of every cloud service used across the business from your identity provider (Microsoft Entra ID, Google Workspace or Okta), from finance card statements, and from each department head. Expect surprises: design will be using a CAD-sharing tool, HR an applicant tracker, the shop floor a tablet-based handover app. Each of these is now in scope and needs MFA verified.

Enforce MFA everywhere it is supported. Configure conditional access in Microsoft 365 or Google Workspace to require MFA on all sign-ins, including external contractors. Disable legacy authentication protocols such as basic auth on Exchange, POP and IMAP. Where a SaaS tool only offers MFA on a paid tier, budget for the upgrade or migrate — cost is no longer an excuse under Danzell.

Industrialise your patching. A 14-day window is achievable for office endpoints with a managed patch tool, but harder for shop-floor machines that vendors restrict. Document a patching SLA, automate where possible, and document the risk treatment for any device that genuinely cannot be patched in 14 days. The IASME Cyber Essentials portal has the current self-assessment guidance and is the canonical source for what assessors will accept.
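One way to turn a patch-report export into the 14-day evidence described above (an added example, not code from the article or from IASME). The row layout, device names, update ids, status labels and the inclusive treatment of day 14 are assumptions made for illustration.

```python
from datetime import date, timedelta

WINDOW = timedelta(days=14)        # the 14-day window described in the article
SEVERITIES = {"critical", "high"}  # severities the article says it applies to

# Constructed rows: (device, update, severity, released, installed or None).
SAMPLE_REPORT = [
    ("OFFICE-LT-01", "UPD-A", "critical", date(2026, 5, 12), date(2026, 5, 20)),
    ("OFFICE-LT-02", "UPD-A", "critical", date(2026, 5, 12), date(2026, 5, 29)),
    ("CNC-HMI-03", "UPD-B", "high", date(2026, 5, 12), None),
    ("CNC-HMI-04", "UPD-B", "high", date(2026, 6, 2), None),
    ("OFFICE-LT-01", "UPD-C", "moderate", date(2026, 4, 1), None),
]
SAMPLE_EXCEPTIONS = {("CNC-HMI-03", "UPD-B")}  # constructed risk-register entries

def classify(rows, today, exceptions=frozenset()):
    """Map (device, update) -> (status, days). days means: days taken to
    install (ok/late), days left (pending) or days past deadline (overdue)."""
    results = {}
    for device, update, severity, released, installed in rows:
        if severity not in SEVERITIES:
            continue
        deadline = released + WINDOW  # assumption: day 14 itself still counts
        if installed is not None:
            status = "ok" if installed <= deadline else "late"
            days = (installed - released).days
        elif today <= deadline:
            status, days = "pending", (deadline - today).days
        else:
            logged = (device, update) in exceptions
            status = "overdue-exception-logged" if logged else "overdue"
            days = (today - deadline).days
        results[(device, update)] = (status, days)
    return results

def outside_window(results):
    """Every device/update pair that missed, or has already blown, the window."""
    return sorted(k for k, (status, _) in results.items()
                  if status not in ("ok", "pending"))

if __name__ == "__main__":
    report = classify(SAMPLE_REPORT, date(2026, 6, 11), SAMPLE_EXCEPTIONS)
    for key in outside_window(report):
        print(key, report[key])
```

A device with a logged exception is still listed as outside the window, so the risk treatment has to be shown alongside it rather than hidden by it.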

What good looks like under the new Danzell question set

If a Cyber Essentials assessor sat down with your IT Director tomorrow, the Danzell question set would reward organisations that can show, not tell. A few practical signals of being ready:

A written, current asset list. Hardware, OS versions, cloud services, identities, and who owns each one. Held in a single sheet or a tool such as Microsoft Intune, dated within the last quarter.

MFA enabled on every cloud service, evidenced. Screenshots or admin-portal exports for each in-scope SaaS app showing MFA enforced. Conditional access policies named, exported and version-controlled.

Separate administrative accounts. Each admin has a normal day-to-day account and a separate admin account, used only for privileged tasks. No shared admin logins.

Patching evidence within 14 days. A patch report from your endpoint manager showing critical KBs applied to all in-scope devices inside the window. Exceptions logged and risk-assessed.

A documented passwordless plan. Even if you are not yet on FIDO2 or passkeys, a written roadmap with a target date signals the right direction of travel to assessors and to large customers.
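A check that can be run over the exported, version-controlled conditional access policies mentioned above, as an added example that is not code from the article or from Microsoft. The sample policies and their names are constructed; field names follow the Microsoft Graph conditionalAccessPolicy resource, and only the built-in `mfa` grant control is recognised, so policies that rely on authentication strengths are not counted.

```python
# Constructed sample in the shape of Microsoft Graph conditionalAccessPolicy objects.
SAMPLE_EXPORT = [
    {"displayName": "CA001-require-mfa", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"],
                              "excludeUsers": ["00000000-0000-0000-0000-000000000001"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["all"]},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
    {"displayName": "CA002-block-legacy-auth", "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]},
                    "clientAppTypes": ["exchangeActiveSync", "other"]},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # Graph values covering legacy protocols

def audit(policies):
    """Return findings for the two controls the article names: MFA on all
    sign-ins and legacy authentication disabled."""
    findings, mfa_ok, legacy_ok = [], False, False
    for p in policies:
        cond, grant = p.get("conditions", {}), p.get("grantControls") or {}
        users = cond.get("users", {})
        controls = set(grant.get("builtInControls", []))
        everyone = ("All" in users.get("includeUsers", []) and
                    "All" in cond.get("applications", {}).get("includeApplications", []))
        # With operator OR, "mfa" next to another control means MFA is optional.
        requires_mfa = "mfa" in controls and (
            controls == {"mfa"} or grant.get("operator") == "AND")
        blocks_legacy = ("block" in controls and
                         LEGACY_CLIENTS <= set(cond.get("clientAppTypes", [])))
        if not (everyone and (requires_mfa or blocks_legacy)):
            continue  # not a tenant-wide MFA or legacy-block policy
        if p.get("state") != "enabled":
            findings.append(f"{p['displayName']}: state {p.get('state')}, not enforced")
            continue
        excluded = [k for k in ("excludeUsers", "excludeGroups", "excludeRoles")
                    if users.get(k)]
        if excluded:
            findings.append(f"{p['displayName']}: review {', '.join(excluded)}")
        mfa_ok, legacy_ok = mfa_ok or requires_mfa, legacy_ok or blocks_legacy
    if not mfa_ok:
        findings.append("no enforced policy requires MFA for all users and all apps")
    if not legacy_ok:
        findings.append("no enforced policy blocks legacy authentication clients")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_EXPORT):
        print(line)
```

On the constructed export the legacy-auth policy is in report-only state, so it is reported as not enforced and the tenant is flagged as having no effective legacy-auth block.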

Cyber Essentials Plus and what changes for the on-site test

Cyber Essentials Plus, the audited version of the scheme, also moves to Danzell from 27 April 2026 and the on-site element gets tougher. Assessors will spot-check that MFA is actually being prompted in practice, not just configured. Where single sign-on is used and MFA is not prompted on a given app, the assessor will review your conditional access policies to confirm enforcement.

For manufacturers, this matters because Cyber Essentials Plus is increasingly the standard your large OEM customers and MoD-linked primes want to see. Plan a mock assessment two months before renewal, fix every finding, and only book the audit when MFA, patching and admin separation are all evidenced. Leaving it to the assessment week is the most common reason manufacturers fail under the new rules.

Frequently Asked Questions

When does Cyber Essentials v3.3 Danzell come into force?

All new Cyber Essentials assessments started on or after 27 April 2026 are scored against the v3.3 Danzell question set. Assessments set up before that date are completed under the previous Willow standard.

What automatically fails a Cyber Essentials v3.3 Danzell assessment?

Two main triggers. First, if any in-scope cloud service supports MFA and you have not enabled it, you fail with no remediation window. Second, if critical or high-risk security updates are not applied within 14 days of release on in-scope devices.

Is the cost of an MFA add-on still a valid reason for not enabling it?

No. Under Danzell, IASME has been explicit that the licence cost of MFA or SSO is no longer an acceptable reason for not enabling it. If the cloud service offers MFA on any tier, you are expected to enable it.

Do UK manufacturers really need Cyber Essentials in 2026?

For most, yes. It is a contractual requirement for MoD-linked supply chains, increasingly expected by automotive OEMs and large retailers, and is the cheapest demonstrable baseline of cyber hygiene for cyber insurance renewals. The Danzell update raises the bar but does not remove the commercial reasons to certify.

Take the Next Step

Bailey & Associates is a virtual IT Director service built for UK manufacturers. We will scope your Cyber Essentials v3.3 Danzell readiness, fix the gaps on MFA, patching and admin separation, and run the assessment so your renewal lands first time. Fixed monthly pricing from £2,000/month, cancel anytime, with 15+ years of manufacturing IT experience behind every engagement. See how we work on our manufacturing IT services page, then contact us to talk it through. Book a free discovery call today.
