17 April 2025
Cyber Essentials, the government-backed cyber security certification scheme managed by the National Cyber Security Centre (NCSC) and the IASME Consortium, is introducing important updates to the standard from April 28th, 2025. These changes aim to strengthen the industry baseline for what is considered a strong cyber security policy, by providing further clarification of existing requirements whilst adding new requirements that better address evolving modern cyber threats.
According to the UK Government’s Cyber Security Breaches Survey 2025, 50% of UK businesses reported a cyber attack or breach in the previous 12 months. Despite this, only 15% of UK businesses undertook a cyber health check or audit in that period, with UK businesses being the target of more than 8.58 million cyber attacks. This illustrates the need for enhanced measures to be taken by businesses throughout the UK.
As businesses increasingly adopt cloud-based solutions, whether that be cloud storage, database management, or even cloud/remote desktop computing solutions, the scheme will now place greater emphasis on cloud security and monitoring controls. Businesses will need to demonstrate robust encryption practices, secure configurations of data management in line with the principle of least privileged access, and routine managed security patching across all cloud environments. Additionally, documentation proving compliance with these key requirements will be scrutinised more thoroughly than previous assessments.
Multi-factor authentication, also known as MFA, is a proven and effective way of curbing the most common attacks against user accounts, such as the use of credentials exposed in dark web leaks, targeted brute force attacks, phishing and more. From April 2025 onwards, MFA must be implemented not only for administrator or privileged accounts but also for all user accounts with elevated access rights. This reduces the risk of credential-based attacks, such as brute force attacks and the reuse of leaked credentials, which the NCSC notes as one of the most frequent causes of data breaches.
To address known vulnerabilities and zero-day attacks swiftly, stricter patch management timelines will be introduced as part of the updated requirements. Critical patches will need to be applied on a faster schedule, limiting the window of opportunity for attackers to be able to exploit known threats.
As businesses and employees embrace hybrid and remote working, businesses will be required to demonstrate secure configurations for remote and/or personal devices. This includes showcasing how they protect these devices from unauthorised physical access, how they implement MFA and other account policies on devices, and how they defend against hardware-based cyber threats such as a USB Rubber Ducky. Additionally, this will involve a stricter focus on device and cloud encryption.
Changes will include a new requirement for businesses to examine the cyber security defence level of businesses within their supply chain, including documenting those who abide by the Cyber Essentials and ISO27001 standards. Successful cyber attacks frequently exploit weaknesses in third-party suppliers, for example via targeted phishing attacks. As such, Cyber Essentials’ demand for more stringent vetting of suppliers’ security processes is an essential part of a business cyber security strategy.
Businesses that are planning to gain or renew their Cyber Essentials certification should update their policies, procedures, training, and solutions to ensure that they are in line with these new guidelines. This will include a review of cloud practices and services, security patching schedules, and remote working set-ups and security solutions to ensure everything meets these stricter requirements. Certified or not, we feel it is essential that business cyber security practices meet these evolving guidelines, which is why our minimum cyber defence level includes all of this and more. By doing so, businesses can demonstrate a proactive approach towards safeguarding critical business, customer and user data.
We have an article dedicated to the differences between Cyber Essentials, Cyber Essentials Plus and ISO27001. Whilst not all businesses require all of these certifications (some may), it is essential that businesses at minimum follow the framework of Cyber Essentials to ensure that their business stays protected from cyber security threats. But why?
Cyber Essentials Certification is designed to provide businesses with a minimum requirement to protect them against common and developing cyber threats. Demonstrating compliance with these guidelines and controls significantly lowers the likelihood of the data breaches associated with remaining insecure. With us, you can be secure in the knowledge that your business will adhere to these guidelines, as our minimum cyber defence level for all clients is in line with the Cyber Essentials Certification.
Certification sends a clear message to customers, clients, partners and business stakeholders that you take cyber security, and by extension data security, seriously. Research shows that 96% of SMEs in the UK consider cyber security a top priority for their business. However, only 15% of UK businesses undertook a cyber security vulnerability assessment in 2024. Many businesses working on government contracts, or indeed with other businesses, are required by those partners to showcase a minimum cyber defence level, often including Cyber Essentials or Cyber Essentials Plus certification. Ensuring your business is in line with, or certified under, Cyber Essentials is essential to remain competitive within your industry.
Regular reassessments and updates, paired with ongoing employee training on wide-ranging cyber security topics, can lead to a culture that values ongoing security vigilance. Your employees will always be the weakest link in your cyber defence strategy. Ensuring that they remain educated and vigilant against ongoing and evolving threats can not only improve your overall defensive posture,
Keeping pace with the cyber threat landscape is essential, especially given the drastic increase in attacks on UK businesses over the past few years. Attacks on UK businesses in 2022 numbered around 2.39 million over the year, whereas in 2024 this number reached 8.58 million. This is heavily influenced by cyber criminals adopting their own AI algorithms to create polymorphic and metamorphic malware that produces an entirely new malware signature for every new system it infects, making it almost impossible for traditional signature-based cyber security solutions to track.
That's why we use modern tools such as Endpoint Detection & Response and Application & Device Ringfencing, and utilise AI and Machine Learning solutions. We do this to detect when unusual, malicious or suspicious activity is being attempted and block it in its tracks. The new requirements under Cyber Essentials ensure that businesses remain prepared for the evolving cyber threat landscape, cutting down on risks and potentially costly incidents in the long term, which aligns with our own cyber security standards.
We highly recommend that all businesses, regardless of their size, ensure that their cyber defence level is in line with Cyber Essentials Certification. By following these industry guidelines, you can ensure that your business is protected from modern and evolving cyber threats. By gaining or renewing your certification, you are showcasing to clients and customers that you take your (and their) data security seriously, also giving you a competitive advantage in your industry against businesses that do not show this same level of competency.
We work with businesses throughout the UK to help them gain Cyber Essentials and Cyber Essentials Plus Certification, as well as working with trusted partners to help businesses who are looking to gain ISO27001 certification.
If you would like to find out more about Cyber Essentials, Cyber Essentials Plus and ISO 27001, and whether your business should be considering these certifications, click here to find out more, or book an appointment to speak with us about your business certification.