The Upcoming Changes to Cyber Essentials in April 2025: A Glimpse Into the Future
Chani Simms
Virtual CISO | Managing Director Meta Defence Labs | SHe CISO Exec. Founder | TEDx Speaker | NCSC Cyber Advisor for Cyber Essentials
Technology continues to advance rapidly, and cybersecurity requirements must evolve to keep pace. The UK government’s Cyber Essentials certification scheme has been a vital framework for organisations looking to defend against the most common cyber threats. In April 2025, the Cyber Essentials requirements will undergo important updates aimed at enhancing security while reflecting the changing landscape of technology. Let’s explore what these changes will involve.
Key Updates to Cyber Essentials Requirements for IT Infrastructure (Version 3.2)
The upcoming Version 3.2 of the Cyber Essentials Requirements for IT Infrastructure, to be released in April 2025, will focus on making minor adjustments, primarily to terminology and definitions, to improve clarity and relevance. These changes reflect ongoing trends in technology and security practices, including updates to how certain terms are understood and how remote working is defined.
What's New in This Version Willow:
Passwordless Authentication: A New Standard
One of the most anticipated changes in Cyber Essentials is the inclusion of passwordless authentication. This development addresses the growing adoption of authentication technologies that eliminate passwords altogether. Passwords have long been a staple of cyber security, but their weaknesses—such as being easily guessed, forgotten, or stolen—are well-documented.
Passwordless authentication uses multiple factors to establish identity, such as:
In the updated Cyber Essentials framework, passwordless authentication will be defined similarly to multi-factor authentication (MFA), with both focusing on securing access using methods beyond just user knowledge.
Terminology Refinement: Plugins to Extensions
In response to industry standards, the term "plugins" will be replaced with "extensions" to ensure greater accuracy. This small but meaningful change is part of the effort to align Cyber Essentials with common software and web development terminology.
A New Approach to Patching: Vulnerability Fixes
To streamline security management, the April 2025 update will introduce a broader term, “vulnerability fixes”, to replace “patches and updates.” This change acknowledges that addressing software vulnerabilities isn’t limited to traditional patches and updates but also includes registry fixes, configuration changes, and vendor-provided scripts. Under the new requirements, organisations must ensure that all vulnerability fixes are applied promptly to minimise the risk of exploitation by cybercriminals.
A Broader View of Working Locations: Home and Remote Working
The term “home working” will be broadened to “home and remote working” to encompass various working environments. Remote working includes any location outside of a company network, such as public spaces like cafés, hotels, and trains, where employees may access sensitive data on untrusted networks. This change recognises the evolving nature of workspaces in today’s world and ensures that Cyber Essentials addresses the security risks associated with working outside traditional office environments.
Conclusion
The upcoming changes to Cyber Essentials in April 2025 reflect a continued commitment to making security best practices both comprehensive and applicable to today’s evolving technology landscape. These updates, though minor in scope, signal an ongoing effort to maintain the scheme's relevance, ensuring that organisations are equipped to tackle current and emerging cyber threats. Whether it’s the adoption of passwordless authentication or ensuring rapid application of vulnerability fixes, these changes aim to bolster the security of businesses across the UK.
As a Cyber Essentials applicant, it’s your responsibility to make sure your organisation meets all the requirements. You may also need to provide evidence before your Certification Body can approve your certification.
Here’s what to do first:
If you would like a gap assessment or support to help you achieve Cyber Essentials Plus certification, Meta Defence Labs Ltd, as an authorised certification body, can guide you through the process.
Stay informed, stay secure, and be ready for the 2025 updates!