CyberUK 2026: A Turning Point for UK Cyber Security
CyberUK 2026 marked a major shift in how cyber security is being approached across the UK.
At the event, Security Minister Dan Jarvis announced a £90 million government investment in cyber resilience, formally launched the Cyber Resilience Pledge, and positioned Cyber Essentials as a central pillar in the government’s response to the growing cyber threat facing UK businesses.
At the same time, significant changes to Cyber Essentials came into force. The introduction of the new Danzell question set represents one of the most important updates to the scheme in recent years, changing how organisations are assessed and what is required to pass.
Taken together, these developments signal a clear direction. Cyber security is no longer just about individual organisations doing enough to protect themselves. It is about raising the standard across entire supply chains and ensuring resilience at every level.
What does the Pledge commit organisations to?
The Cyber Resilience Pledge is a set of clear, practical commitments that organisations are expected to act on. At its core, the pledge focuses on three key areas.
First, it requires cyber security to become a board-level responsibility. This means leadership teams must take ownership of cyber risk, embedding it into strategic decision-making rather than treating it purely as an IT issue.
Second, organisations are expected to engage with early warning systems, improving their ability to detect and respond to potential threats before they escalate. We advise all of our clients to sign up to Early Warning. The NCSC's Early Warning service is free, takes around five minutes to set up, and flags potentially suspicious activity on the organisation's network.
Third, and most significantly for many businesses, the pledge requires organisations to actively strengthen cyber security across their supply chains. This includes reviewing supplier security, increasing visibility, and raising expectations around baseline protections such as Cyber Essentials. [gov.uk]
The impact of this is far-reaching. As large organisations commit to the pledge, these expectations cascade down through their supply chains, influencing businesses of all sizes.
Danzell Explained
Alongside the pledge, the introduction of the Danzell question set has fundamentally tightened how Cyber Essentials is assessed.
While the five core security controls remain the same, the new version removes ambiguity and raises the bar in several important areas.
- MFA on cloud services. If MFA is available on a cloud service and has not been enabled, the assessment fails immediately. This applies whether MFA is free, included, or only available as a paid option. There is no partial credit for having it enabled on some services but not others.
- Patching operating systems and firmware. High-risk or critical updates must be applied within 14 days of release. Missing this is now an automatic failure.
- Patching applications. The same 14-day window applies to applications, including associated files and extensions.
In practice, this means Cyber Essentials has evolved from a basic checklist into a more robust reflection of an organisation’s real security posture. [smsbusinesscloud.com]
Glen Patrick has written a full breakdown of every change here.
Our Thoughts
For organisations trying to make sense of these changes, the key message is simple: the baseline has moved.
Cyber Essentials is no longer just a nice-to-have or a tick-box exercise. It is becoming a foundation for doing business, particularly for organisations working within regulated sectors or larger supply chains, but it remains highly relevant and important for small businesses.
The Danzell update shows how those expectations are being enforced. Together with the Pledge, it highlights a clear shift towards accountability, standardisation, and measurable cyber resilience.
The organisations that respond early will be in a stronger position: better prepared for evolving requirements, more attractive to customers and partners, and more resilient in the face of growing cyber threats.
Those that wait may find themselves needing to meet these expectations quickly, often in response to client demands or contract requirements.
The immediate priority is to understand your current position, identify any gaps, and take practical steps to align with the new standard.
How we can help
We support our clients with the full certification process, for both CE and CE+, through trust and expert guidance. For more information on how to get certified, please contact us.









