Important Updates to Cyber Essentials Starting April 28, 2025

Cyber Essentials, the UK’s government-backed cyber security certification scheme managed by the National Cyber Security Centre (NCSC) and IASME Consortium, is undergoing significant updates effective April 28, 2025. These changes are designed to strengthen the foundational standards of cyber security policies, addressing both evolving threats and modern business practices. Now more than ever, maintaining strong cyber security is essential for businesses to protect their operations and data from increasingly sophisticated threats.

Nemark can help you navigate these changes, whether you are working towards Cyber Essentials certification for the first time or want to make the annual renewal process that much easier.

Do we need to care about these changes, really?

The UK Government’s 2025 Cyber Security Breaches Survey highlights a stark reality: 50% of UK businesses experienced a cyber attack or breach in the past year. Alarmingly, only 15% of businesses conducted a cyber health check or audit during this time, leaving them vulnerable to over 8.58 million cyber attacks. These statistics emphasise the urgent need for businesses to adopt robust cyber security measures.

Key Updates to Cyber Essentials (and Cyber Essentials Plus)

1. Expanded Cloud Service Requirements

With the growing adoption of cloud-based solutions, Cyber Essentials now demands greater accountability for cloud security. Businesses must:

  • Implement robust encryption and secure configurations.
  • Follow the principle of least privilege for data access, meaning that users are granted only the minimum access permissions necessary to perform their function within the organisation.
  • Regularly patch and monitor cloud environments.
  • Provide comprehensive documentation to demonstrate compliance.

2. Stricter Multi-Factor Authentication (MFA) Requirements

MFA, a proven method to combat account compromise, is now mandatory for all user accounts with elevated access rights, not just administrative accounts. This measure significantly reduces the risk of breaches caused by credential theft, phishing, and brute-force attacks.

3. Enhanced Patch Management

Businesses must adopt stricter timelines for applying critical patches to minimise exposure to known vulnerabilities and zero-day exploits. Rapid patch deployment is essential to closing security gaps before attackers can exploit them.

4. Secure Remote Working Policies

With hybrid and remote work now commonplace, Cyber Essentials requires:

  • Secure configurations for remote and personal devices.
  • Measures to prevent unauthorised physical and digital access.
  • Robust encryption and device protection against hardware-based threats like malicious USB devices.

5. Supply Chain Security

Recognising the risks associated with third-party suppliers, the updated scheme includes requirements to:

  • Vet suppliers for adherence to security standards like Cyber Essentials and ISO 27001.
  • Document supplier compliance as part of the business’s overall cyber security strategy.

Preparing for Certification

To meet these enhanced standards, businesses seeking Cyber Essentials or Cyber Essentials Plus certification must update their policies, procedures, and training. Key areas for review include:

  • Cloud services and security configurations.
  • Patching processes and schedules.
  • Remote working infrastructure and device management.
  • Supply chain vetting and documentation.

Adopting these measures not only aligns with certification requirements but also demonstrates a proactive approach to safeguarding critical business, customer, and user data.

Why Certification Matters

Strengthened Security

Cyber Essentials Certification establishes a baseline to defend against common threats. Compliance significantly reduces the likelihood of breaches, ensuring that businesses are prepared to face modern challenges.

Enhanced Credibility

Certification signals to clients, partners, and stakeholders that your business prioritises data protection. In competitive industries and government contracts, demonstrating compliance often sets businesses apart.

Improved Compliance Culture

Ongoing training and regular security updates foster a culture of vigilance. Employees remain informed about emerging threats, enhancing your overall defensive posture.

Future-proofing your business

As cyber threats evolve, including the rise of AI-driven attacks and malware, Cyber Essentials helps to ensure that businesses are equipped to handle these challenges. Tools like Endpoint Detection & Response and AI-based solutions further strengthen your defences, aligning with the updated standards.

Are You Ready for the Changes?

We encourage all businesses, regardless of size, to align their cyber security practices with the updated Cyber Essentials standards. Certification not only protects your business from evolving threats but also underscores your commitment to data security for clients and stakeholders.

Our team supports businesses across the UK in achieving Cyber Essentials and Cyber Essentials Plus certification. We also collaborate with trusted partners for ISO 27001 certification needs.

If you’d like to learn more or schedule a consultation to prepare for certification, please contact us today. Together, we can ensure your business is ready to tackle the challenges of the modern cyber landscape.
