08 Oct 2024

What are the changes to Cyber Essentials Certification in the April 2025 update?

This article provides a headline guide to the changes to Cyber Essentials in 2025, to help organisations seeking (or renewing) Cyber Essentials certification understand the planned updates to the scheme before they apply.

The UK’s Cyber Essentials certification will see several important updates (the v3.2 “Willow” question set) coming into effect from April 28, 2025. Assessments started on or after that date are marked against the new requirements. The changes are designed to improve cyber resilience and to help organisations, particularly small businesses, keep pace with evolving cyber threats.

Key Changes:

  • Terminology Adjustments: The term "plugins" has been replaced with "extensions," so that the requirements clearly cover browser add-ons and other software that extends an application, not only traditional plugins.
  • Home and Remote Working: The scope previously described as "home working" is now "home and remote working." Devices used for work are in scope wherever they are used, reflecting the growing trend of working from untrusted networks (e.g., cafes, hotels), where the organisation cannot rely on its own boundary firewall.
  • Passwordless Authentication: The scheme now formally recognises passwordless authentication as an acceptable means of access control, for example biometrics, hardware security keys or tokens, one-time codes and push notifications. Passwords protected by multi-factor authentication remain acceptable; passwordless is an option, not a requirement.
  • Vulnerability Fixes: The "patches and updates" requirement has been renamed "vulnerability fixes" and broadened to cover any mechanism the vendor approves to fix a vulnerability: patches, updates, registry fixes, configuration changes and scripts. Businesses must therefore apply all such fixes, not just installable updates, within the scheme's existing 14-day window for critical and high-risk vulnerabilities, which may increase the effort needed to stay compliant.
  • Least Privilege Access: The requirements place stronger emphasis on the principle of least privilege, ensuring that users have only the access they need to perform their tasks, so that a compromised account does as little damage as possible.

Impact on Small Businesses:

SMEs may face additional operational overhead to meet these new standards. In particular, the shift from "updates" to "vulnerability fixes" means SMEs will need to track and apply not just software updates but also vendor-recommended configuration and registry changes, within the same 14-day window. Organisations that choose to adopt passwordless authentication may need to invest in new hardware or systems (such as biometric readers or security keys), although the scheme does not require this and a password with multi-factor authentication remains acceptable.

Preparation Tips for SMEs:

  1. Review Current Infrastructure: Audit your network equipment and confirm that routers, firewalls and other in-scope devices, including laptops and mobile devices used for remote working, are documented with their make, model and operating system version.
  2. Evaluate Authentication Methods: Explore passwordless authentication options if not already in place, and confirm that all remote working devices and cloud services meet the updated access control and multi-factor authentication requirements.
  3. Enhance Vulnerability Fix Management: Develop a repeatable process for identifying every vendor-approved fix (updates, registry fixes, configuration changes and scripts), recording its release date and severity, and applying critical and high-risk fixes within 14 days to avoid non-compliance.
  4. Staff Training: Educate your workforce on least privilege principles, review access rights whenever roles change, and remove accounts promptly when staff leave.
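As an added illustration of the vulnerability-fix tracking described above (this is example code written for this article, not a tool provided by the scheme), the following Python script applies the Cyber Essentials rule for which fixes must be applied within 14 days: a fix is treated as high risk if its CVSS v3 score is 7.0 or above, if the vendor describes it as "critical" or "high", or if the vendor gives no severity information at all. It covers registry and configuration fixes alongside conventional patches, which is the point of the "vulnerability fixes" wording change. The inventory of fixes is constructed sample data, not real advisories.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Cyber Essentials: critical/high-risk fixes must be applied within 14 days of release.
FIX_WINDOW = timedelta(days=14)
CVSS_HIGH_THRESHOLD = 7.0


@dataclass
class VulnerabilityFix:
    """One vendor-approved fix: a patch, update, registry fix, configuration change or script."""
    fix_id: str
    kind: str                        # "patch", "update", "registry", "config" or "script"
    released: date                   # date the vendor published the fix
    applied: Optional[date]          # None if not yet applied
    cvss: Optional[float]            # None if the vendor published no CVSS score
    vendor_severity: Optional[str]   # e.g. "critical", "high", "medium"; None if not stated


def is_high_risk(fix: VulnerabilityFix) -> bool:
    """Return True if the scheme's 14-day window applies to this fix."""
    if fix.cvss is not None and fix.cvss >= CVSS_HIGH_THRESHOLD:
        return True
    if fix.vendor_severity and fix.vendor_severity.lower() in ("critical", "high"):
        return True
    # No severity information from the vendor at all: must be treated as high risk.
    if fix.cvss is None and fix.vendor_severity is None:
        return True
    return False


def deadline(fix: VulnerabilityFix) -> date:
    """Last day on which the fix can be applied and still meet the 14-day requirement."""
    return fix.released + FIX_WINDOW


def assess(fix: VulnerabilityFix, today: date) -> str:
    """Classify a single fix against the 14-day window as of 'today'."""
    if not is_high_risk(fix):
        return "not_in_scope"        # still good practice to apply, but no 14-day deadline
    if fix.applied is not None:
        return "compliant" if fix.applied <= deadline(fix) else "applied_late"
    return "overdue" if today > deadline(fix) else "due"


def report(fixes: list, today: date) -> dict:
    """Group fix IDs by assessment status, e.g. {'overdue': ['KB-REG-002'], ...}."""
    result: dict = {}
    for fix in fixes:
        result.setdefault(assess(fix, today), []).append(fix.fix_id)
    return result


# Constructed sample inventory (hypothetical fix IDs, not real advisories).
SAMPLE_FIXES = [
    VulnerabilityFix("KB-PATCH-001", "patch",    date(2025, 4, 20), date(2025, 4, 28), 9.8,  "critical"),
    VulnerabilityFix("KB-REG-002",   "registry", date(2025, 4, 20), None,              None, "critical"),
    VulnerabilityFix("CFG-003",      "config",   date(2025, 5, 5),  None,              None, None),
    VulnerabilityFix("KB-UPD-004",   "update",   date(2025, 4, 1),  date(2025, 4, 25), 5.3,  "medium"),
    VulnerabilityFix("SCR-005",      "script",   date(2025, 4, 10), date(2025, 4, 30), 7.5,  None),
]

if __name__ == "__main__":
    today = date(2025, 5, 12)
    for status, ids in sorted(report(SAMPLE_FIXES, today).items()):
        print(f"{status:13s} {', '.join(ids)}")
```

Note that CFG-003 is flagged as in scope purely because the vendor supplied no severity information, and SCR-005 counts as a finding even though it was eventually applied, because it missed the 14-day deadline. Both are cases an assessor would expect an organisation's process to catch.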

By taking these steps, small businesses can ensure they are well-prepared to meet the 2025 Cyber Essentials criteria.

Further guidance can be found on the website of the Government’s National Cyber Security Centre (NCSC), which owns the Cyber Essentials scheme.