Cyber Essentials 2025: Updates and changes 

Published: June 16, 2025
Category: News, Security

The Cyber Essentials scheme, the UK’s government-backed cyber security certification, undergoes regular reviews and updates to ensure its effectiveness in the ever-evolving threat landscape. The most recent update (28 April 2025) introduces the following changes:

1. New self-assessment questionnaire

The new “Willow” self-assessment questionnaire has replaced the “Montpellier” version. The key dates for any business that started an application under Montpellier (pre-27 April 2025) are as follows:

  • Last day to complete Montpellier Assessments: 27 October 2025
  • Last day to complete Montpellier CE+ Assessments: 27 January 2026

2. Three working days’ notice period for audits

Certification bodies will provide a maximum of three working days’ notice before audits. This change reinforces the expectation that organisations should maintain continuous compliance rather than prepare specifically for assessment.

3. Passwordless authentication now recognised

The certification will accept modern authentication methods, including biometrics, authenticator apps and security keys. This shift acknowledges that passwords remain a weak point in many security systems.

4. Updated terminology

To make the requirements of the scheme clearer, the language has been refreshed as follows:

  • “Plugins” will become “extensions” to align with modern terminology
  • “Home working” will expand to “home and remote working” to reflect flexible work arrangements

We recommend updating your documentation to reflect these changes.

5. Broader approach to vulnerability management

The term “patches and updates” has been replaced by “vulnerability fixes”, an umbrella term that covers all the different remediation methods, including:

  • Registry changes
  • Scripts
  • Configuration adjustments
  • Any vendor-approved remediation method

This change acknowledges that addressing vulnerabilities often requires more than standard updates.

6. Tighter scope verification for Plus certification

For Cyber Essentials Plus, technical assessors will verify that the self-assessment scope matches the actual environment. Any declared system subsets must be technically segregated, not just administratively separated.

What do these changes mean for businesses?

Whether you’re recertifying or planning to achieve certification for the first time, now is a great time to review your current processes. Carefully examine the new question set and assess whether your technical controls are sufficient. Ensure your remote work environments are secure, authentication methods are current, and vulnerability management extends beyond software patching.

How can SilvaTech help?

We understand the challenges organisations face when preparing for Cyber Essentials certification and recertification. Our comprehensive subscription service reduces the stress and uncertainty around compliance. With our ongoing support, you’ll reduce the risk of failing certification, improve your overall security posture, and enjoy peace of mind knowing you’re always prepared for assessment. To find out more, please get in touch.
