
Cyber Essentials in 2025: What's Changed and Why Every SMB Should Care

The NCSC made significant updates to the Cyber Essentials scheme, the UK government's flagship cybersecurity certification programme, and if your business holds the certification (or is planning to), you need to know what changed.

More importantly: if you've been putting off getting Cyber Essentials because it felt like a bureaucratic box-ticking exercise, the updated scheme is genuinely worth another look. The requirements are more comprehensive now, but so is the protection they provide.

What Is Cyber Essentials?

Cyber Essentials is an NCSC-backed certification that sets a baseline of security controls proven to defend against around 80% of common cyber attacks. There are two tiers:

  • Cyber Essentials: A self-assessed questionnaire, verified by a certification body.
  • Cyber Essentials Plus: The self-assessment, plus an independent technical audit of your systems.

For government contracts, NHS supply chain work, and increasingly private sector procurement, Cyber Essentials is becoming a minimum requirement, not a nice-to-have.

What Changed in the Latest Update?

The most significant changes in the updated technical controls include:

  • Cloud services are now in scope. Your Microsoft 365 tenant, AWS environment, or hosted services now need to meet the same standards as your on-premise systems. This catches many businesses out.
  • Home working devices are in scope. If employees use personal or company-issued devices at home, those devices need to meet the requirements. This was ambiguous before; it's not anymore.
  • MFA is now required for all cloud services. Basic multi-factor authentication was previously recommended; it's now mandatory for any cloud-based service where users authenticate.
  • Automatic patching timelines have tightened. High-severity vulnerabilities must be patched within 14 days. Critical vulnerabilities require even faster response.
  • Firmware is now explicitly in scope. Router and firewall firmware must be supported and up-to-date.

The bottom line: If your organisation achieved Cyber Essentials before these changes, your certification may no longer accurately reflect your current security posture. It's worth reviewing against the latest requirements, especially the cloud and home working provisions.

Why Should Your Business Care?

Beyond the contractual requirement angle, Cyber Essentials genuinely works. The NCSC's own data shows that organisations with Cyber Essentials certification are significantly less likely to make an insurance claim for a cyber incident. The five control areas (firewalls, secure configuration, access control, malware protection, and patch management) are the same controls that block the vast majority of commodity attacks.

For SMBs without a dedicated security team, Cyber Essentials is a practical, cost-effective way to implement a defensible baseline and get independent verification that you've done it properly.

How Netix Digital Helps

We manage the Cyber Essentials process end-to-end for our clients:

  • Pre-assessment gap analysis against the current requirements
  • Remediation of any controls that aren't in place
  • Guidance through the self-assessment questionnaire
  • Technical verification support for CE+ assessments
  • Ongoing maintenance to keep controls in place at renewal

For most of our managed IT clients, Cyber Essentials certification is included as part of our Managed plan, because maintaining the controls is part of what we do anyway.

Want to get Cyber Essentials certified, or check if your current certification still holds up?
