The Danzell Monitor: a live field report on the Danzell framework
This is the Month 0 pre-launch edition of The Danzell Monitor, published twelve days before the Danzell framework becomes mandatory for every new UK Cyber Essentials assessment on 27 April 2026.
The Danzell framework is the new question set used in every UK Cyber Essentials assessment from 27 April 2026 onwards, and this is the very first edition of an independent monthly field report on the framework, published by a practising IASME-accredited assessor working inside a real UK Cyber Essentials Certification Body, with no marketing department in the loop and no agenda beyond telling you what is actually happening at the sharp end of live assessments across the country.
This edition is written by Daniel Phillips, Lead Assessor at Net Sec Group Ltd, and it was last updated on 15 April 2026 with the next monthly update scheduled to land by 7 May 2026.
What this is
The Danzell Monitor is a monthly field report on the Danzell framework, written by a working IASME (Information Assurance for Small and Medium Enterprises) accredited assessor at a UK Certification Body (CB), and that perspective is honestly the only one that matters when you are trying to work out what the new question set actually looks like in real assessments rather than in a slide deck. To be clear, it is not a marketing blog, it is not an IASME or NCSC (National Cyber Security Centre) publication, and it is not a buyer's guide for nervous IT managers in Birmingham or Edinburgh trying to get certified before a procurement deadline. It is a field report from one working assessor, and it is published in the first week of every month for as long as the Danzell framework is in force.
Honestly, most of the existing coverage on the new framework is either marketing copy from certification bodies trying to sell you something expensive, or the 99-page IASME requirements document itself, which is heavy going on a Tuesday morning if you are trying to make a decision before lunchtime. There is almost nothing useful in between, and that gap is frustrating for the people who actually have to make compliance decisions, so we are trying to fill it with something honest, regular, and free.
The Danzell framework aligns with version 3.3 of the IASME document called Cyber Essentials Requirements for IT Infrastructure. It becomes mandatory for every new Cyber Essentials and Cyber Essentials Plus assessment in the UK from 27 April 2026 onwards, replacing the "Willow" question set that has been in use since April 2025 and that most assessors had finally got comfortable with. Like all IASME question sets since the original Pathfinder in 2022, it is named after a geographical feature, in this case a freshwater spring tucked away in the Malvern Hills.
Quick summary: what the Danzell framework actually is
- The Danzell framework is the new IASME question set for UK Cyber Essentials assessments.
- It becomes mandatory for new assessments from 27 April 2026, with a grace period for in-progress Willow assessments.
- It aligns with version 3.3 of Cyber Essentials Requirements for IT Infrastructure, the document that defines the technical scope.
- It replaces "Willow", the question set that ran from April 2025 to April 2026, and which most UK assessors became reasonably comfortable with.
- It contains 16 changes to the requirements document, of which 6 are material in the sense that they change what an organisation must actually do or how an assessor must mark the answer.
- Some other UK publications have repeated a "18 changes" figure, which is incorrect. The published version of v3.3 contains 16 changes, six of them material, and we walk through every one in the canonical reference table below.
This month's field observations
Month 0, pre-launch (15 April 2026). Day -12.
We don't yet have Danzell-era field data to publish, because no Danzell assessment has happened anywhere in the UK at the time of writing. The first real data point lands in the Month 1 update. For Month 0, here is what we expect to see based on twelve months of live assessments under the Willow question set, the framework language changes, and a fair bit of frustration accumulated across more than 800 organisations.
Expectation 1: cloud scope is going to bite, and it will hurt
Under the old Willow question set, applicants could (and very frequently did) treat cloud services as out of scope on the grounds that the services were "not user-initiated" or that the cloud provider handled all the security responsibility anyway. Look, this became the single most common pre-assessment clarification thread our team had to handle, sometimes burning a frustrating twenty minutes per assessment just to establish what should and shouldn't be inside the scope. To be honest, it was tedious and predictable in equal measure, and I'd guess every working assessor in the country, from Cardiff to Newcastle to Belfast, had exactly the same exhausting conversation roughly once a fortnight for most of last year.
The new Danzell framework closes that particular door firmly and from the very first day of the new question set. Cloud services cannot be excluded any more, the definition of "cloud services" is now formalised in the requirements document, and the old "user-initiated" and "untrusted" qualifiers that everyone used to argue about are completely gone from the language. In practical terms this means there will be fewer edge-case arguments after the fact during a tense assessment call, but a much higher volume of first-time clarification requests from the organisations that have spent the last twelve months quietly excluding Microsoft 365 admin consoles, AWS production accounts, Google Workspace administration, and assorted SaaS tooling from their scope. These organisations are about to discover, sometimes very painfully and sometimes the day before a procurement deadline, that the rules have changed completely under them while they weren't paying attention.
We expect Month 1 to show a noticeable spike in clarification requests, settling by Month 3 as applicants and their IT providers slowly learn the new rules. The financial impact of getting cloud scope wrong on the first attempt is real and uncomfortable: a typical small UK assessment costs around £320 to start with, and a full reassessment after a scope failure can add another £450 in CB time and effort.
If the spike doesn't decline by July, it means the framework clarification effort by IASME and the certification bodies needs to be stepped up considerably.
→ For the full scope-rules deep guide, see Cyber Essentials Scope Changes Under Danzell on netsecgroup.io.
Expectation 2: passkey adoption is going to accelerate fast
FIDO2 and passkeys are now explicitly recognised as MFA (multi-factor authentication) under the new Danzell framework, and that is a quietly significant change that hasn't yet had the attention it deserves. Until now, organisations that hadn't deployed dedicated authenticator apps tended to default to SMS-based two-factor authentication, which no longer meets the strictest Danzell MFA criteria on cloud admin services. The cleanest upgrade path for a small organisation that hasn't deployed an authenticator-app policy is to adopt passkeys directly, particularly on Microsoft 365 and Google Workspace where the rollout is genuinely well supported and the user training requirement is honestly almost trivial.
Honestly, we expect the smallest organisations to adopt passkeys fastest, particularly those under 50 staff and based outside the major UK tech hubs. Think small marketing agencies up in Manchester and Leeds, scrappy recruitment shops across Bristol and Cardiff, stretched charity sector teams in Glasgow and Belfast, and the long tail of legal and engineering practices spread out from Newcastle to Brighton to Edinburgh. These smaller organisations have the fewest legacy authentication deployments to reconfigure, and their leadership tends to be willing to commit fast when a procurement deadline is on the line. Frankly, the larger organisations with existing authenticator-app fleets will move much slower than the small ones, and quite a few will resist the change painfully for another twelve months until they are forced into it by a failed assessment.
For a typical small UK business, this honestly isn't an expensive change to make at all. A single YubiKey 5C currently costs around £55 from a UK reseller, a YubiKey 5 NFC sits at about £50, and a Microsoft 365 Business Premium licence (which includes the Entra ID conditional access engine) is around £18.10 per user per month on the standard annual plan. A genuinely typical ten-person Birmingham office team can be on a fully passkey-compliant configuration for under £810 in hardware costs and a few hours of focused work over a long Friday afternoon, with another £150 or so for an entry-level conditional access policy review and around £400 for a half-day of staff training if the team has never seen passkeys before. The real barrier here is awareness and willingness to commit, not the budget itself, and that is going to be a frustrating realisation for the organisations that fail their assessment in May because they simply didn't make the change in April when they had the time and the chance to do it properly.
→ For MFA requirements under Danzell, see Cyber Essentials Password Requirements: Danzell on netsecgroup.io.
Expectation 3: macOS-heavy fleets are going to be the first failure cluster, and it is going to be brutal
The Danzell framework makes the 14-day patching window an automatic failure if missed. Look, under the old Willow question set this was guidance that an assessor could discuss with the applicant in a conversation, but under the new framework it is a hard rule enforced by the marking guide, and there is no negotiating it once a missed patch is identified during the audit. To be honest, this is going to catch a lot of organisations completely off guard.
The first failure cluster we genuinely expect to see is macOS-heavy environments: small design studios, scrappy marketing teams, fast-moving software shops, the classic Shoreditch and Soho creative scene that runs sixty MacBooks and exactly one overworked IT person handling everything from coffee orders to security policy. Homebrew-managed tools like Node, Python, various language runtimes, and the long tail of command-line utilities are very commonly outside the organisation's standard patching pipeline. These tools are frequently 30 days or more behind their latest releases because nobody in the organisation actually owns the update process or has been given the time to own it properly. Under Willow this was a frustrating conversation and a polite follow-up email asking for a remediation plan; under Danzell it is an immediate fail with no remediation pathway except a full clean rebuild and a re-test.
We also expect Windows environments with legacy third-party software to hit exactly the same painful wall in Months 2 and 3 of the new framework. Think older versions of Adobe Creative Suite, niche vertical-market accounting and legal applications, ancient unmaintained internal tools that nobody dares to touch in case the whole thing falls over on a Monday morning. The financial cost of catching up is real and it is uncomfortable: a typical small business assessment that fails on patching costs around £600 to retry, plus the time and effort to remediate properly, which can easily run into a few thousand pounds for a 30-seat office somewhere up north once you factor in lost productivity and contractor day rates.
→ For the 14-day patching deep dive, see Danzell Changes 2026 Guide on netsecgroup.io.
The 16 changes in the Danzell framework
The canonical reference for what is actually different in version 3.3 of the requirements, compared to the Willow question set.
A note on the change count, because it actually matters and because it is being widely misreported across the UK Cyber Essentials commentary scene. Some other UK resources have cited a figure of "18 changes" in the new Danzell framework, but this number is incorrect and we have checked it directly against the published version 3.3 document. The published version of Cyber Essentials Requirements for IT Infrastructure version 3.3 contains exactly 16 changes, of which only 6 are material in any practical sense. Material in this context means the change actually affects what an organisation must do during the assessment process, or how the assessor must mark the resulting answer. The other 10 changes are structural, wording, or clarification changes that don't affect the assessment outcomes for any normal applicant in any meaningful way.
The 6 material changes
| # | Change | Willow behaviour | Danzell behaviour | Assessment impact |
|---|---|---|---|---|
| 1 | Cloud services scope | Could be excluded by applicant | Cannot be excluded; cloud formally defined in requirements | High, affects nearly every assessment |
| 2 | MFA on cloud services | Soft requirement, remediation allowed | Auto-fail if absent on cloud admin accounts | High, with significant CE+ first-time-pass impact |
| 3 | 14-day patching | Guidance, conversation if missed | Auto-fail if missed, marking guide enforced | High, catches legacy software environments |
| 4 | FIDO2 and passkeys recognition | Not explicitly recognised | Recognised as valid MFA | Medium, opens a cleaner upgrade path for small organisations |
| 5 | Scope criteria wording | Included "untrusted" and "user-initiated" qualifiers | Qualifiers removed | Medium, narrows the exclusion surface for edge cases |
| 6 | Partial scope justification | Could be asserted in applicant statement | Requires written justification, assessor challenges it | Medium, tightens scope gaming |
The 10 non-material changes
- Backup guidance has been elevated to its own section, where it was previously inline commentary inside other sections.
- The terminology "software development" replaces "web applications" throughout, which is broader and clearer for modern stacks.
- Boundary device terminology has been refreshed for clarity and consistency.
- Malware protection examples have been updated for modern endpoints, including more cloud-native scenarios.
- Secure configuration guidance has been tightened on the wording around default accounts and out-of-the-box credentials.
- User access control guidance has been reorganised for readability without changing the underlying requirements.
- Patching guidance has been split from the security update management section header for clarity.
- The scope statement template has been clarified with new examples.
- CE+ sampling language has been updated to reflect the new double-sampling approach.
- The glossary has been expanded with modern authentication terminology, including FIDO2, passkey, and a few related terms.
Sources
- Primary: Cyber Essentials Requirements for IT Infrastructure, version 3.3, IASME, 2026
- Framework owner: iasme.co.uk
- UK government scheme: ncsc.gov.uk/cyberessentials
Timeline
April 2025 | Willow question set goes live across UK CBs
|
April 2026 | 27 April: Danzell framework becomes mandatory for new assessments
|
October 2026| 26 October: last date a Willow-started CE assessment can be completed
|
January 2027| 26 January: last date a Willow-started CE+ assessment can be completed
|
April 2027 | Danzell framework first anniversary, first "Year in Review" published here
A full SVG timeline graphic is available at /timeline.svg, and is screen-reader accessible via the description element.
Trend chart: cloud scope clarification requests per assessment
Willow baseline shown for context. The first Danzell-era data point lands in the Month 1 update (week of 5 May 2026), after the opening Danzell assessments have been completed.
The chart on this page tracks one metric: the percentage of assessments where the assessor had to issue a pre-assessment clarification request about cloud services scope before the assessment could proceed. A higher number means more applicants were unclear about what should be in scope. A falling number means the field is learning.
What we expect: a noticeable spike in May 2026 (Month 1 of the Danzell framework) as applicants encounter the new rules for the first time, then a steady decline through June, July, and August as familiarity builds across the UK certification community. If the spike doesn't decline meaningfully by Month 3, that's a signal that the framework clarification effort by IASME and the certification bodies needs to be stepped up.
The raw data is available in machine-readable form at trends.json (JSON, comma-separated values export available alongside it as trends.csv, both in /data/).
Reader Q&A
Readers submit questions via the subscribe form below, or by emailing monitor@danzell.co.uk. Selected questions are answered publicly each month, with full anonymisation before publication.
There are no questions yet, because we haven't published anywhere yet. This section will populate from Month 1 onwards as the first reader questions arrive.
How to ask: subscribe below, then reply to any monthly briefing email with your question. We anonymise every question before answering, and we won't publish anything that could identify you or your organisation.
How we gather this data
Source. The Danzell Monitor draws on Net Sec Group's own Cyber Essentials and Cyber Essentials Plus assessment practice. Net Sec Group Ltd is an IASME-accredited Cyber Essentials Certification Body based in the UK. As of 15 April 2026, we have assessed over 800 organisations across sectors including the National Health Service supply chain, Ministry of Defence contractors, St James's Place financial advisor partners, legal firms, education, charities, financial services, and SaaS startups.
Anonymisation rules. These are non-negotiable, because IASME CB confidentiality is on the line:
- No client names, ever, under any framing
- No client-identifying details: sector, rough size, and rough location are the most granular we will publish, and even that gets dialled back if the combination is too narrow
- No back-calculable specifics: any published percentage is based on at least 10 assessments
- No IASME internal marking-guide content is quoted directly
- No assessment outcome is attributable to a specific organisation, even by inference
Editorial independence. This report is not paid for, sponsored by, or shared with any third party before publication. IASME, NCSC (the National Cyber Security Centre), and everyone else sees it when you see it.
Pre-launch courtesy briefing. Before publication of Month 1, we briefed IASME informally that this publication exists. If IASME has concerns about any specific item, we will discuss the item before publishing it. This is professional courtesy, not an approval step.
Author. Daniel Phillips is a practising IASME-accredited Cyber Essentials assessor and the Lead Assessor at Net Sec Group, based in the UK with Royal Marines (veteran) and CREST (Council of Registered Ethical Security Testers) professional backgrounds, and his full public profile is available at netsecgroup.io for anyone who would like to verify the credentials before reading any further.
Publisher. Net Sec Group Ltd, registered in England and listed on the IASME Certification Body register.
Feedback and corrections. Factual corrections are welcome via monitor@danzell.co.uk. We publish corrections in the following month's update with full attribution.
Subscribe
Quarterly deep report
The Q1 2026 Danzell Monitor deep report ships the week of 26 May 2026, after we've collected four weeks of live Danzell-era field data. It will contain sector breakdowns (NHS supply chain, MOD contractors, financial services, education, charities), extended commentary, and a printable readiness checklist. Subscribers are notified by email on publication.
The Q1 2026 Deep Report is not yet published. Subscribe above to be notified when it lands.
Archive
Monthly updates are archived in place below the current month, each inside a collapsible details block. There is no separate archive URL: this is a single-page publication on purpose.
Month 0 is the first edition, so there's nothing to archive yet.
Disclaimer
The Danzell Monitor is an independent field report on the UK Cyber Essentials Danzell question set (Cyber Essentials Requirements for IT Infrastructure version 3.3). It is published by Net Sec Group Ltd, an IASME-accredited Cyber Essentials Certification Body. All data is aggregated from Net Sec Group's own assessment practice, anonymised, and presented as patterns only. Individual organisations and assessment outcomes are never disclosed under any framing.
This report is not affiliated with, endorsed by, or operated on behalf of IASME Consortium Ltd, the National Cyber Security Centre, the Cabinet Office, or any UK government body whatsoever. "Cyber Essentials" and "IASME" are trademarks of their respective owners and are referenced here for editorial purposes only. The information published in this monthly report is provided for general reference and does not constitute professional advice for any specific organisation. For commercial Cyber Essentials assessment services, please contact Net Sec Group at netsecgroup.io directly through the booking page on the main website.
Published by Net Sec Group Ltd, an IASME-accredited Cyber Essentials Certification Body. Editor: Daniel Phillips, Lead Assessor. Book a Danzell assessment at netsecgroup.io