What’s changing in Cyber Essentials (Basic) this April?

We dive into the latest updates in the Cyber Essentials framework and explore how they may affect your business

Preeti Nandal

Cyber Security Assessor

Cyber Essentials is evolving. From Monday 28 April 2025, key changes are coming to the UK’s government-backed cyber security certification. These updates reflect how cyber threats and the way we work have changed. If your organisation is certified or planning to be, here’s what you need to know.

First, let’s look at what the process looks like today, then break down what’s changing in clear terms.

The current Cyber Essentials process (before Monday 28 April 2025)

The Cyber Essentials scheme is built on five security control areas:

  • Firewalls
  • Secure configuration
  • User access control
  • Malware protection
  • Security update management

Organisations usually complete a self-assessment questionnaire called Montpellier (moving to Willow in April 2025) through IASME, the official certifying body. You define the scope (which devices, networks, and systems are covered) and then answer questions about how your organisation applies each control.

What’s changing from Monday 28 April 2025 onwards?

Here's what is being updated:

1. Passwordless login is now recognised

Cyber Essentials will now accept passwordless authentication methods. That includes biometrics (like face or fingerprint recognition), security keys, and one-time codes. This shift acknowledges that passwords alone aren’t enough anymore, and it encourages better, more secure access practices.

2. Remote work terminology updated

The scheme is replacing “home working” with “home and remote working.” Why? Because people work from more than just home now; think cafes, co-working spaces, and hotels. The update aims to cover the full range of modern remote environments, and organisations will need to show they secure devices in all of them.

3. “Patches” are now “vulnerability fixes”

Instead of just asking for “patches and updates”, Cyber Essentials now refers to “vulnerability fixes”. This broader term includes registry edits, scripts, or any vendor-approved method used to fix known issues, not just installing software updates.

4. Small terminology tweaks

“Plugins” are now called “extensions”. These changes won’t affect how secure your systems are, but they clean up the language and make requirements clearer.

Apart from these changes, there are updates in the self-assessment questionnaire too.

The focus of the updated questionnaire

Cloud services – the scope expands significantly
All cloud services used by the organisation will be in scope, whether infrastructure (IaaS), platform (PaaS), or software (SaaS). This includes third-party services where configurations may not be directly managed. Providers must show how they meet Cyber Essentials controls.

Multi-Factor Authentication (MFA) – mandatory for all users
MFA will be mandatory for all user accounts—admin and standard—across all systems and services in scope. This includes local apps, cloud platforms, remote access tools, and anything else used in daily operations.

Unsupported software – zero tolerance
Any unsupported or out-of-date software (including OS, applications, and mobile OS) will result in an automatic certification failure, even if it's not internet-facing or is rarely used.

Bring Your Own Device (BYOD) – no longer optional
Any personal device that accesses organisational data or services is in full scope. These devices must meet all Cyber Essentials controls, including secure configuration, patching, anti-malware, and lock settings.

How can you be prepared?

If you're already certified or plan to be, we recommend reviewing your processes now. Read through the new question set carefully and determine whether you have the right technical controls in place. Make sure your remote work setups are secure, your authentication methods are up to date, and your vulnerability management goes beyond just software patches. Start using MFA for cloud services and all users.

These changes aren’t huge, but they’re certainly important. They reflect a world where work is mobile, cyber threats are smarter, and compliance needs to keep up.

Softcat can support your organisation

Navigating the new Cyber Essentials Willow question set doesn’t have to be overwhelming. At Softcat, we specialise in helping businesses of all sizes meet the latest certification standards.

Whether you're a small team needing hands-on support or a larger organisation looking to streamline your processes, we offer:

  • Gap analysis and pre-assessments to pinpoint what’s missing
  • Technical guidance tailored to the 2025 requirements
  • One-on-one support from experienced cyber security consultants

From remote work risks to passwordless login setup, we’ll help you get compliant, stay protected, and earn your Cyber Essentials badge with confidence.

Reach out to your Softcat Account Management Team or email us at Cyberservicesteam@softcat.com, and let’s get your certification journey started faster, easier, and fully aligned with what’s coming this April.