For years, the Cyber Essentials scheme has served as the baseline for digital security in the United Kingdom. However, the goalposts have shifted. Starting in 2026, the new Version 3.3 (Danzell) requirements come into force, representing the most significant tightening of the rules in recent memory. For universities and colleges, this is not just a minor paperwork update. It is a fundamental change in how cloud services and user identities must be managed to maintain certification.
The most critical change in the 2026 update is the absolute mandate for Multi Factor Authentication. In previous years, there was some room for interpretation, but the Danzell update makes it clear: if a cloud service offers MFA—whether it is a free feature or a paid add-on—it must be enabled for all users. Failure to do so results in an automatic failure of the entire assessment. This applies to every cloud service that stores or processes institutional data, from your primary email system to the smallest niche research tool.
The NCSC and IASME have introduced these stricter measures because they recognise that identity is the new perimeter. In an era of hybrid learning and global research collaborations, the traditional firewall is no longer enough to protect a campus. By enforcing mandatory MFA and encouraging the move toward passwordless technologies like passkeys, the 2026 standards aim to neutralise the threat of stolen credentials, which remains the primary way that ransomware enters the education sector.
The Auto Fail Rule: MFA or Nothing
In previous years, an institution might have argued that certain cloud tools were not in scope or that MFA was too difficult to deploy for some user groups. From April 2026, those arguments will no longer hold weight. The Danzell update introduces a binary marking system: if a cloud service offers Multi Factor Authentication, and you have not turned it on for every user, you fail.
This rule applies regardless of whether the MFA feature is free or requires a paid license. The NCSC is sending a clear message that cost or complexity are no longer valid excuses for leaving accounts unprotected. For a university managing thousands of student and staff identities, this means:
- No More Exceptions: Every admin account and every standard user account must be protected by at least two factors.
- Beyond Push Notifications: While any MFA is better than none, the 2026 standard explicitly encourages the move toward FIDO2 and passkeys to combat the rise of AI driven phishing attacks that can bypass traditional SMS or app based codes.
- IP Allowlisting is Dead: The new version confirms that simply trusting a login because it comes from a campus IP address is no longer an acceptable form of MFA.
Redefining the Scope: Total Internet Visibility
Another major shift in the Danzell update is the removal of the terms untrusted and user initiated. These words often caused confusion during audits, leading to critical devices being left out of the security assessment. The new scoping rule is much simpler and much wider:
- Direct Connectivity: If a device can accept a connection from the internet, it is in scope.
- Outbound Activity: If a device initiates a connection to the internet, it is in scope.
- Data Routing: Any device that manages or routes data between the internet and your internal network—such as firewalls and routers—is in scope.
For universities, this means that almost every laptop, server, and smartphone that touches institutional data is now under the microscope. If you want to exclude a specific research network or a student lab, you must now provide documented evidence of network segmentation, proving that these areas are physically or logically separated from the rest of your infrastructure.
The 14 Day Patching Race
The 2026 update reinforces the strict 14 day rule for vulnerability fixes. Any vulnerability that has a CVSS score of 7 or above, or is described by the vendor as critical or high risk, must be patched within two weeks of the fix being released.
In a university environment with legacy research software and complex server estates, hitting a 14 day target across every device is a significant challenge. This is why automated patch management and centralized identity control are becoming essential tools for compliance. Without a way to verify the patch status of a device at the point of login, staying compliant with Cyber Essentials 2026 will be almost impossible for larger institutions.
Application Development: A New Level of Rigour
One of the most significant shifts in the 2026 update is the transition from the old Web Applications section to a much broader category called Application Development. This change reflects the reality that institutions are no longer just hosting websites; they are developing and deploying complex software across cloud, mobile, and on-premises environments.
To maintain compliance from April 2026, any application that is developed in house or custom built by a third party for your institution must align with the UK Government Software Security Code of Practice. This means:
- Secure by Design: Security must be integrated at the start of the development process, not added as an afterthought. This includes using secure coding frameworks that prevent common vulnerabilities like injection attacks.
- Rigorous Testing: Every new release or significant update must undergo security testing before it is deployed to a production environment. This ensures that a single line of bad code does not open a backdoor into the wider university network.
- Component Management: Developers must keep a clear record of any third party libraries or open source components used in their software. These components must be monitored and patched just as strictly as the main application code.
Continuous Compliance: The Path to April 2026
The Danzell update marks a move away from the idea that cybersecurity is a once a year event. Because the 2026 standards are so closely tied to live cloud configurations and rapid patching cycles, staying compliant requires a permanent shift in how IT services are managed.
Achieving and maintaining Cyber Essentials 2026 certification is a powerful way to demonstrate to students, parents, and research partners that your institution takes its digital responsibilities seriously. It provides a proven framework for neutralising eighty percent of common cyber attacks, allowing your staff to focus on teaching and innovation rather than crisis management.
At Overt Software Solutions, we are already helping our partners prepare for the transition to Version 3.3. Our managed identity services are built with these 2026 standards at their core, ensuring that your MFA policies, cloud configurations, and device governance are always audit ready. Do not wait for the April deadline to find the gaps in your security. Contact Overt Software Solutions today for a comprehensive gap analysis and let us help you lead the way in 2026 compliance.
