Blog | 3-minute Read

Cyber Essentials updates April 2025: What you need to know

Anna Webb

Head of Global Security Operations

Published: 17 March 2025

The latest Cyber Essentials updates take effect from April 2025. Here’s what’s changing and how Kocho’s security team can help your organisation.

Cyber Essentials (CE) and Cyber Essentials Plus (CE+) are evolving. From April 2025, updates will be introduced to keep the certifications aligned with modern cybersecurity challenges, but what do these changes mean for your business?

Let’s break it down.

Why are Cyber Essentials updates happening?

For the uninitiated, Cyber Essentials is a government-backed scheme that helps organisations achieve a level of cybersecurity that’s robust enough to defend against modern threats.

And you probably don’t need us to tell you how much these threats are advancing.

Here’s what the 2024 Microsoft Digital Defence Report has to say about the current global threat picture:

The malign actors of the world are becoming better resourced and better prepared, with increasingly sophisticated tactics, techniques, and tools that challenge even the world’s best cybersecurity defenders.

Microsoft Digital Defence Report 2024

To stay relevant and effective, Cyber Essentials needs to keep pace. The 2025 updates aim to:

Address weaknesses in outdated security methods, like traditional password-based authentication.
Reflect modern working practices, especially remote work.
Broaden the range of acceptable remediation methods.
Strengthen the certification process to ensure it holds more weight.

What’s being updated

Here’s a breakdown of the most notable changes that you need to be aware of:

Passwordless authentication

Passwords remain a weak link. They’re easily reused, guessed, or phished.

Multi-factor authentication (MFA) became a requirement in 2022, but the 2025 update goes a step further by introducing passwordless alternatives. This includes biometrics, one-time codes, security tokens, QR codes, and push notifications, offering stronger, more user-friendly ways to secure access.

Redefining remote work

The term ‘home working’ is being replaced with ‘home and remote working.’ It’s more than just a wording tweak. It reflects the reality that employees now log in from hotels, cafes, or even trains.

With this change, businesses will need to ensure data remains secure across any untrusted location. Cloud security configurations will also face mandatory assessment.

Expanded definition of vulnerability fixes

The updated framework includes a clearer, more comprehensive definition of vulnerability fixes. It’s not just about patches anymore.

Fixes can now include configuration changes, registry tweaks, scripts, and other vendor-approved methods. This ensures businesses stay proactive in closing security gaps quickly.

Closer alignment with global standards

Cyber Essentials will align more closely with international cybersecurity frameworks, including those set by the National Institute of Standards and Technology (NIST) in the US. This helps UK businesses demonstrate their cybersecurity credentials to global clients and partners more easily, boosting credibility and trust.

What this means for your business

The updates are designed to strengthen your organisation’s defences and enhance the credibility of your certification.

These include:

Enhanced security: Passwordless authentication and improved vulnerability fixes reduce exposure to attacks.
Better remote access security: Stronger safeguards for remote work improve resilience against evolving threats.
Global credibility: Closer alignment with international standards helps win the trust of clients and partners, at home and abroad.

How Kocho can help

Navigating the changes to Cyber Essentials doesn’t have to be a challenge.

Our security experts have vast experience in helping our clients achieve and maintain Cyber Essentials and Cyber Essentials Plus certifications. Supporting them to meet the requirements without unnecessary complexity.

From setting a strong cybersecurity foundation to guiding you through the CE+ journey, we’ll help you embed better security practices, improve resilience, and strengthen your compliance posture.

Get in touch with Kocho’s cybersecurity team to start your journey to a Cyber Essentials-certified future.

Key takeaways

Passwordless methods like biometrics and push notifications will replace traditional passwords for stronger, user-friendly security.
Remote work security now covers all untrusted locations, with mandatory cloud configuration checks.
Vulnerability fixes now include configuration changes, scripts, and other vendor-approved methods, not just patches.
Cyber Essentials will align with global standards like NIST, boosting credibility with international clients.
Kocho’s cybersecurity experts simplify certification, helping you meet requirements and strengthen security.

Let's talk!

30-day free trials and flexible contracts

Book a free Discovery Call and learn more about our AI-powered security operations service, XDR Rapid Protect.

Get more information on:

30-day free trials for new partnerships
Flexible, 30-day contracts (no lock-in)
Microsoft-funded proof of concepts

Next steps

Like this guide? Then don’t forget to share it with your followers.

Great protection starts here

Keep pace with the latest security threats

You’ll get:

Notifications of critical vulnerabilities
Recommendations to reduce your risk level
Expert advice to defend against new threats

Author

Anna Webb

Head of Global Security Operations

Anna has over 20 years’ experience in operations management, major incident management, and cyber security. CISSP qualified, Anna is officially a Security Changemaker (Microsoft Security Excellence Awards).