Cyber Essentials 2026: Important April updates

At Manx Technology Group (MTG), we’ve always viewed cybersecurity as a core component of our IT-as-a-Service (ITaaS) model. As we look toward April 2026, the National Cyber Security Centre (NCSC) and IASME are introducing the most significant updates to the Cyber Essentials (CE) scheme in years.

The “Danzell” update (v3.3) introduces strict auto-fail criteria that could leave many unprepared firms uncertifiable. Whether you use Cyber Essentials as a badge of trust or simply follow its framework as a baseline for your security, these changes represent the new “gold standard” for small and mid-sized businesses.

What’s Changing? The New “Auto-Fail” Reality

The fundamental five controls remain, but the marking criteria have been “weaponised” to ensure businesses are following best practices, rather than just ticking boxes. These changes are set out on the IASME website.

  • No More “Selective Patching” for CE+: For those undergoing the technical audit (Cyber Essentials Plus), assessors will now test a new random sample of devices if the first one fails. This ensures you haven’t just “fixed the ones they caught” but have implemented patching across your entire estate.
  • MFA is Non-Negotiable: Multi-Factor Authentication is now mandatory for all cloud services where it is available. If a service offers MFA – even as a paid add-on – and you haven’t enabled it, it is an automatic failure.
  • The 14-Day Patching Rule: Two new “auto-fail” questions focus on update management. All high-risk or critical security updates for operating systems, firewalls, and applications must be installed within 14 days.

Improved Transparency and Scoping

The update also brings much-needed clarity to how businesses define their digital boundaries:

  • Detailed Scope Descriptions: You can now provide unlimited scope descriptions on your digital certificate to show exactly what is protected.
  • Legal Entity Clarity: You can now specify all legal entities included in an assessment – perfect for larger groups or multi-site operations.
  • Cloud is Always In-Scope: A new, clearer definition makes it impossible to exclude cloud services that store or process your organisational data.

Security Defaults mandates MFA

Microsoft 365 ‘Security Defaults’ mandates the use of MFA, while Conditional Access has ‘managed policies’ which also require MFA. MFA is a no-brainer. That being said, does MFA apply to your other business systems?

Security by Default

As an ITaaS provider, we don’t treat security as an “optional extra.” Our model is built to align with these standards automatically. For our clients, the move to Danzell v3.3 won’t be a scramble; it’s simply a validation of the governance we already provide.

By standardising your infrastructure – from 24/7 patching to enforced MFA policies – we ensure your business isn’t just compliant on the day of the audit, but resilient every day of the year. Microsoft rolled out Security Defaults, which mandates the use of MFA, some time ago.

Note for Isle of Man Businesses: While Cyber Essentials isn’t yet as widely adopted in the Isle of Man as it is in the UK, local businesses should take note. As the Island’s regulatory landscape evolves and more Manx firms trade globally, this certification is fast becoming a prerequisite for insurance, tenders, and supply chain trust.