
I put up a post earlier this week about cyber essentials, how effective it is and how it should be viewed. There have been some interesting posts recently on this subject and the main argument was that it should be viewed as a base line standard, not a total panacea. Adherence to it provides a good platform on which to stand your protections and provides a basic understanding of the issues involved, which many SMEs don’t fully grasp.
Cyber threats don’t just target enterprises anymore and SMEs are increasingly in the crosshairs, often without the resources to defend themselves effectively. But it remains important to keep in mind that for many UK SMEs, cybersecurity is no longer just about protection, it’s about winning business. It’s important to think in terms of simplicity rather than complexity. Cyber security doesn’t have to be complicated or expensive.
My post talked about what happens after a company has achieved compliance to CE? The requirement now is to certify that they will maintain that compliance throughout the 12-month period of the certification. That is why H2 has researched a service that can be provided to SMEs at a reasonable cost, that helps simplify that journey by providing an all-in-one cybersecurity platform with continuous monitoring aligned to Cyber Essentials requirements. It helps identify security gaps, strengthen your cyber posture, and keep your business on track for compliance, while protecting your users, devices, email, and cloud environment.
We did think however that perhaps a more detailed view might be worth publishing, and here it is.
NCSC has published v3.3 (Danzell) requirements effective from April 2026, which further tighten areas such as MFA and cloud-service requirements. Organisations that have only just adapted to last years changes (Willow) should already be reviewing the next revision to avoid another compliance scramble when renewal comes around.
What changed in the Danzell question set?
The five Cyber Essentials control areas remain the same:
However, Danzell asks more detailed and specific questions about how these controls are implemented and evidenced.
Key themes covered by the Danzell questions
Multi-Factor Authentication (MFA)
The questionnaire now requires organisations to identify all cloud services in use and confirm MFA is enabled where available. Missing MFA on supported cloud services can result in an automatic failure.
Typical questions include:
Cloud Service Scope
Danzell explicitly brings cloud services into scope, including:
Organisations must declare these services and demonstrate appropriate security controls.
Typical questions include:
User Access Control
The questionnaire places greater emphasis on:
Typically, questions include:
Industry discussions indicate auditors are applying the separate-admin-account requirement strictly.
Security Update Management
Danzell asks for clearer evidence regarding:
Applicants need to be able to identify:
The 14-day patching requirement is now a critical assessment point.
Password and Authentication Controls
Questions now focus on:
Cyber Essentials v3.3 introduced a minimum 12-character password requirement in many scenarios.
The effects of these changes will differ from company to company of course, many will already have much of this covered and some won’t. Many will require guidance and assistance in making sure that they are prepared to what is now required, and that guidance will need to focus on how they need to change to meet the requirement.
But arguably the biggest operational issue is that CE now requires Owners/CEOs/Boards to certify that they will maintain the standard through its 12-month lifecycle, and not just at the point of certification. That means monitoring their estate to maintain compliance, constantly, which in turn means having the means and resource to do it. Not easy for many SMEs and they will be worried about cost.
The obvious answer though is a managed service. SMEs often outsource their IT environment and see benefits in terms of cost and operational efficiency. The same can be said for Cyber Security and monitoring, but the mindset tends to be different. There is still the thought that their IT outsourcing company has this covered, or that cyber is a bit of black art and it will be expensive.
How does the H2 Service Help?
So, what does this service do that is so special? Well, it will audit the 5 Cyber Essentials control areas, in some detail but it goes further. Managing cyber security internally is a challenge. With one out of two SMEs experiencing attacks, it’s clear that modern security requires continuous attention, as does cyber essentials compliance. Threats can change daily and software needs continual updates. Users need protection without friction and policies need to be enforced consistently. Alerts need to be monitored, recognised and acted upon in real time.
Trying to manage all this internally means adding complexity, workload and risk. Security should not compete with running a business and that is where a managed services makes a difference; by taking full operational ownership of cybersecurity, not just offering advice or tools.

The service manages:


An added bonus is that it comes with phishing simulations to help train staff, and a comprehensive, automated, cyber awareness training package.
The system is powered by Agentic AI, although it has a human element, with the AI taking away the number crunching and hard work, leaving the human to identify what is, and what is not, real. Using AI in this way enables us to keep the costs low, something very important to SMEs.