From today, the Cyber Essentials changes are officially in effect, with updates designed to strengthen the scheme, reduce ambiguity and make assessments more consistent. While the five core controls remain the same, several of the new rules will have a direct impact on how organisations prepare for certification.
The most significant change is the tougher approach to automatic failure criteria. Multi-factor authentication will now be mandatory for all cloud services where it is available, and organisations that do not enable it will fail the assessment automatically. On top of that, critical or high-risk security updates for operating systems, firewalls, routers and applications within the scope defined in the VSA must be applied within 14 days of release.
There is also a stronger focus on scope clarity. Organisations will need to be more precise about what is in scope, what is excluded, and which legal entities are covered by the certification. This should improve transparency, especially for larger businesses with more complex environments.
For Cyber Essentials Plus, the assessment process is tightening too. Retesting after patching failures will include a new random sample, making it harder to remediate only the originally tested devices. If sample two reveals significantly different vulnerabilities from sample one, this indicates the issues may be more widespread across the organisation, and Cyber Essentials Plus will not be awarded. Organisations also won’t be able to revise their self-assessment answers once CE+ testing has started.
The message is clear: businesses planning certification or recertification should review their MFA deployment, patching timelines, cloud scope and entity structure now, rather than waiting until their next assessment window.
Need help understanding what the Cyber Essentials changes mean for your organisation? Get in touch with our team to review your readiness.