From April 2025, changes will be made to Cyber Essentials and Cyber Essentials Plus to ensure their continuing relevance. These changes are fairly modest, with many relating to updated terminology, but in this blog, we’ll take a closer look and break down their main implications.
Why are changes being made to Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials and Cyber Essentials Plus are intended to help businesses protect their digital assets and provide a certain standard of cybersecurity; the former is designed to provide a baseline level of security and safeguard organisations against the most common cyber threats.
The 2025 updates to Cyber Essentials and Cyber Essentials Plus have a number of objectives, including:
- Addressing vulnerabilities in existing cybersecurity methods and frameworks, such as password-based authentication.
- Reflecting the realities of modern working practices, including remote working.
- Broadening the scope of acceptable remediation methods for cybersecurity vulnerabilities.
- Enhancing the overall robustness of certification assessments.
Key updates to Cyber Essentials and Cyber Essentials Plus in 2025
Here are the most important changes to Cyber Essentials and Cyber Essentials Plus, which are set to come into effect from April 2025.
- Passwordless authentication: Traditional passwords are increasingly seen as weak links due to their susceptibility to attacks and user errors. Multi-factor authentication was added to Cyber Essentials and Cyber Essentials Plus in 2022, and the 2025 update additionally includes password-free forms of authentication, such as biometrics, one-time codes, QR codes, security tokens, and push notifications. These methods of gaining access enhance security by reducing the risks associated with password reuse and phishing.
- Updating terminology for remote work: The term ‘home working’ will be replaced with ‘home and remote working’. While this might seem like a mere semantic update, it reflects a recognition that employees often access company systems from various untrusted locations, including hotels, bars and cafes, and public transport. Organisations will be expected to implement robust measures to ensure that data accessed remotely remains secure, while cloud security configurations will be subject to a mandatory assessment.
- Vulnerability fixes: The new update adds a definition of vulnerability fixes, covering the identification and rectification of potential security weaknesses in software systems and devices. The definition extends beyond patches and updates to encompass registry fixes, configuration changes, scripts and other vendor-approved mechanisms to fix known vulnerabilities. This broader definition helps to ensure the timely resolution of vulnerabilities, thus reducing the risk of exploitation.
- Closer alignment with international standards: The updated Cyber Essentials framework is designed to be more closely aligned with global cybersecurity standards, including those set by the National Institute of Standards and Technology (NIST) in the United States. The objective is to make it easier for Cyber Essentials-certified UK firms to prove to their clients and partners – both domestic and overseas – that certain fundamental cybersecurity protections are in place, thereby providing extra reassurance and credibility.
What do these changes mean for businesses?
The April 2025 updates to Cyber Essentials and Cyber Essentials Plus reflect a commitment to strengthening cybersecurity in a rapidly changing digital landscape, ensuring that these certifications remain fit for purpose. Key takeaways for businesses include:
- Adopting passwordless authentication and enhanced vulnerability fixes reduces exposure to cybersecurity threats and helps keep sensitive data out of the wrong hands.
- Securing remote access to data from various locations strengthens your organisation’s resilience against online security threats.
- Closer alignment with international standards builds greater trust and confidence in Cyber Essentials and Cyber Essentials Plus certification, which in turn helps organisations forge stronger relationships with customers, partners and other key stakeholders both at home and abroad.
Conclusion
This year’s changes to Cyber Essentials and Cyber Essentials Plus are designed to enhance their relevance and effectiveness in addressing the cybersecurity challenges facing organisations in 2025 and beyond. Early preparation and understanding of these changes in practical terms can help your business strengthen its defences and streamline the certification process.
Cyber Tec Security is driven by a passion for making robust cybersecurity accessible and affordable to businesses of all sizes, particularly SMEs. To find out more about how we can help you achieve Cyber Essentials or Cyber Essentials Plus certification, contact our friendly, helpful team of cybersecurity experts today.