Cyber Essentials v3.3: Your Badge Might Already Be Lying for You

That Cyber Essentials badge on your website. When did you last check whether it was still telling the truth?

Not whether the certificate was in date. Whether the IT estate you certified against still matches the one you're actually running. Whether your scope includes the cloud services your business runs on. Whether you could explain the difference between the Willow and Danzell question sets to a customer without going pale.

Because on 26th April 2026, the scheme moves. And if you're not ready, that badge stops being a credential and starts being a liability.

What Season 2 Episode 10 Covers

This week on The Small Business Cyber Security Guy podcast, I sat down with Graham Falkner and Lucy Harper to decode exactly what changes with Cyber Essentials v3.3, what stays the same, and what you need to do before the switchover date.

Lucy, fresh back from maternity leave, brought the accountability angle: what does it actually mean for a small business if your certification has quietly drifted away from reality? Graham brought the implementation lens: what does "getting ready for v3.3" look like in practical terms, this week, on your actual systems?

Here's what we covered.

Willow, Danzell, and the Bit Everyone Bodges

The first thing to understand is that the Requirements document and the question sets are not the same thing, and confusing them is where most people come unstuck.

The Requirements document is the actual standard. It defines what you must be doing across the five controls: firewalls, secure configuration, security update management, user access control, and malware protection. The current version is v3.2, moving to v3.3.

The question sets are the forms you fill in when you apply. Right now there are two: Willow and Danzell. Willow is the set you use if you're purchasing certification before 26th April 2026. Danzell is for purchases on or after that date.

Same five themes. Worded to match the relevant Requirements version.

If you're planning to certify before 26th April, you prepare using Willow and v3.2 Requirements. If you're going after that date, you use Danzell and v3.3. IASME, who deliver the scheme for NCSC, let you download the question set in advance and do your preparation in a spreadsheet before you pay for the portal. Which is civilised. Until you use the wrong version and waste everyone's time.

The Material Changes in v3.3

The headlines haven't changed. The five controls are the same. But the expectations are sharper in three areas that matter for most UK SMBs.

Cloud scoping is now non-negotiable. v3.3 makes it explicit: cloud services cannot be excluded from scope. If your data or services live in Microsoft 365, Google Workspace, a CRM, or any IaaS platform, those services are in scope. The old "oh, that's SaaS, that's their problem" line is dead. If your data is there, you are responsible for the controls around how people access it.

MFA coverage has to be broader. The User Access Control requirements now say clearly that authentication to cloud services must always use MFA. Not just for your IT manager. Not just for finance. Everyone using those services. If you've been running MFA for admins only and telling yourself that's fine, you've got work to do before April.

The 14-day rule applies to more than patches. Security Update Management requires that anything fixing a vulnerability rated critical or high, or CVSS v3 score 7 or above, must be applied within 14 days. That includes configuration changes and registry tweaks prescribed by the vendor, not just software updates. If your vendor says "apply this config change to mitigate a critical bug", that falls under the 14-day expectation.
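As an added illustration (not code from the podcast, IASME or NCSC), the checks below encode the two sharpened v3.3 expectations just described as policy-as-code over constructed sample records: MFA coverage across every cloud user rather than admins only, and the 14-day window for critical/high or CVSS v3 7+ fixes, applied to vendor-prescribed configuration changes as well as software patches. All user names, advisory ids and dates are made up for the example.

```python
from datetime import date, timedelta

# Constructed sample data (not real tenants or advisories): one cloud tenant's
# user list and a vendor advisory list mixing software patches and config fixes.
USERS = [
    {"user": "admin@example.invalid", "role": "admin", "mfa": True},
    {"user": "finance@example.invalid", "role": "user", "mfa": True},
    {"user": "sales@example.invalid", "role": "user", "mfa": False},
]
ADVISORIES = [
    {"id": "ADV-1", "kind": "patch", "severity": "critical", "cvss": 9.8,
     "released": date(2026, 3, 1), "applied": date(2026, 3, 10)},
    {"id": "ADV-2", "kind": "config", "severity": "high", "cvss": 7.5,
     "released": date(2026, 3, 1), "applied": None},
    {"id": "ADV-3", "kind": "patch", "severity": "medium", "cvss": 5.3,
     "released": date(2026, 3, 1), "applied": None},
]

WINDOW = timedelta(days=14)  # the v3.3 security update management window


def needs_14_day_fix(adv):
    """In scope of the 14-day rule when rated critical/high OR CVSS v3 >= 7.
    The 'kind' field is deliberately ignored: a vendor-prescribed config
    change counts exactly like a software patch."""
    return adv["severity"] in ("critical", "high") or adv["cvss"] >= 7.0


def overdue_fixes(advisories, today):
    """Return ids of in-scope fixes that were not applied within 14 days
    of release, whether still open past the deadline or applied late."""
    late = []
    for adv in advisories:
        if not needs_14_day_fix(adv):
            continue
        deadline = adv["released"] + WINDOW
        applied = adv["applied"]
        still_open_and_late = applied is None and today > deadline
        applied_late = applied is not None and applied > deadline
        if still_open_and_late or applied_late:
            late.append(adv["id"])
    return late


def users_without_mfa(users):
    """v3.3 wording: every user authenticating to cloud services needs MFA,
    so the check covers all roles, not just admins."""
    return [u["user"] for u in users if not u["mfa"]]


if __name__ == "__main__":
    print("Overdue fixes:", overdue_fixes(ADVISORIES, date(2026, 3, 20)))
    print("Users without MFA:", users_without_mfa(USERS))
```

Run against your own exported user list and patch tracker, the two lists are the gap between what the Danzell question set asks and what your estate actually does.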

What This Means If You're Already Certified

If you passed Cyber Essentials under v3.2 with the Willow question set, you are not starting from zero. The bones are there. Most of the heavy lifting is already done.

What v3.3 forces you to tighten is scope honesty. The new wording removes the ambiguity that let people quietly exclude the messy bits. Home workers, BYOD devices used for work email or files, cloud services where your data lives. If you hand a contractor a corporate device, it's in scope. If a staff member's personal phone receives work email, it's in scope.

The trick now is to make sure your documented scope reflects your actual IT estate, not the tidy version you'd like to have.

Be a Gazelle, not a Sloth

Here's the thing that gets missed in every "compliance checklist" conversation: CE v3.3 done properly is not just a box-tick exercise. It's a differentiator.

Supply chain vetting is intensifying. Larger organisations are asking harder questions of their smaller suppliers. A current, accurate Cyber Essentials certification, one where you can actually explain your scope and controls, answers those questions before they're asked.

Cyber insurance underwriters are paying attention. Policies are increasingly tied to specific security controls. MFA on cloud services, patching within defined windows, documented scope. These are exactly what v3.3 validates. Getting certified properly may directly affect your premiums.

Your competitors are not ready. Most UK SMBs with CE certification are not tracking the Willow-to-Danzell transition. The businesses that move early, understand the changes, and can articulate their compliance posture to customers and insurers will stand out.

Getting blood from a stone…

If you're an IT manager trying to get budget and time for a CE v3.3 readiness project, these are the arguments that land:

The legal exposure is real. A lapsed or inaccurate certification claim on your website is not a minor oversight. Post-breach, solicitors and insurers will ask: certified when, against what, with which scope. The phrase "creative writing" will not help you in that conversation.

Government contracts require it. Any contract with central government requires Cyber Essentials as a minimum. If your cert lapses or your scope has drifted, you are putting bids at risk. Not hypothetically. Actively.

The cost of getting it wrong dwarfs the cost of getting it right. Cyber Essentials certification costs a few hundred pounds. An ICO investigation following a breach at a business that was claiming certification it couldn't actually substantiate costs considerably more.

What to Do This Week

Before anything else: find your current certificate. Check the expiry date. Check the scope document. Ask yourself, honestly, whether the scope still matches your actual IT estate.

Then pull down the Danzell question set from the IASME website. If your renewal falls after 26th April, that's what you'll be assessed against. Read it before you need it, not during a last-minute portal session.

Tuesday's deep-dive on this site goes through every change in v3.3 in detail. Thursday, Graham walks through the 30-60 day readiness plan step by step.
