
Cyber Essentials Changes in April: 5 Key Updates

From 27 April 2026, updates to the UK’s flagship cyber security scheme, Cyber Essentials, come into force. These changes reflect how organisations actually operate today: cloud-first, device-diverse and increasingly remote. They bring the Cyber Essentials scheme into line with the National Cyber Security Centre’s recommended best practice.

For small and medium-sized businesses, this is more than a framework refresh. It is a reminder that cyber security is no longer an IT concern alone – it is a business survival issue.

What Cyber Essentials is and why it matters

Cyber Essentials is a UK Government-backed scheme designed to help organisations defend against the most common cyber-attacks. It focuses on practical safeguards like secure configuration, access control, patching and malware protection.

The scheme is delivered by IASME Consortium on behalf of the UK Government and has become a recognised benchmark for baseline cyber maturity.

For many organisations, certification supports three key outcomes:

  • Reducing risk – blocking the most common opportunistic attack routes
  • Winning business – many public sector and supply chain contracts require it
  • Building trust – customers increasingly expect proof of data protection

Put simply, Cyber Essentials shows your organisation takes security seriously, even without a dedicated internal IT team.

Why SMEs cannot afford to ignore it

Cyber criminals do not just target global enterprises. In reality, smaller organisations are often easier targets because they lack security resources. One compromised account, outdated device or poorly configured cloud service can lead to downtime, financial loss or reputational damage. For growing businesses, the impact can be disproportionate.

Cyber Essentials helps close these gaps by ensuring organisations get the fundamentals right before incidents occur.

What is changing in April

The April update does not reinvent the framework. Instead, it modernises it to match real-world working practices and attacker behaviour.

Here are 5 key changes:

  1. Protecting user identities, not just devices

There is a stronger emphasis on identity security. Historically, security frameworks focused on laptops, servers and networks. The updated guidance recognises that attackers increasingly target people and login credentials instead of hardware.

Organisations must now pay closer attention to authentication methods, access controls and identity platforms. Once attackers gain account access, device security alone may not stop them.

  2. Stronger expectations around multi-factor authentication

Multi-factor authentication (MFA) is no longer optional. If a service offers MFA but it has not been enabled for its users, the assessment fails automatically.

This reflects the reality that stolen passwords remain one of the most common causes of breaches. MFA dramatically reduces the likelihood of unauthorised access and remains one of the simplest, highest-impact improvements an organisation can make.

  3. 14-day rule for high and critical security patching

High or critical security updates must now be applied within 14 days of release across:

  • Operating systems
  • Applications
  • Firewalls and routers
  • Internet-facing systems
  • Servers, laptops and desktops

This change reflects how quickly attackers exploit newly disclosed vulnerabilities. Delayed patching is one of the most common causes of breaches, and this update makes expectations explicit.
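To turn the 14-day rule into something you can actually check, the following audit script is an added example (written for this article, not code from Comprendo, IASME or the scheme itself). It runs over a constructed software inventory and reports which high or critical updates are overdue, which are still inside the window, and which were applied late. The field names and the sample hosts, packages and dates are assumptions for illustration; the CVSS 7.0 threshold is the scheme’s own definition of “high or critical”, applied alongside the vendor’s rating.

```python
"""Audit a software inventory against the Cyber Essentials 14-day patch window.

Added example, not code from the original article. The inventory below is
constructed for illustration; the record layout is an assumption about how an
organisation might export its patch data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

PATCH_WINDOW = timedelta(days=14)
# Cyber Essentials treats an update as high/critical if the vendor rates it so
# OR the vulnerability it fixes has a CVSS v3 base score of 7.0 or above.
CVSS_THRESHOLD = 7.0


@dataclass
class Update:
    host: str
    package: str
    severity: str            # vendor rating, e.g. "Critical", "high", "moderate"
    cvss: float | None       # CVSS v3 base score if known, else None
    released: date           # date the fix was published by the vendor
    applied: date | None     # date it was installed, or None if still outstanding


def in_scope(u: Update) -> bool:
    """True if the update falls under the 14-day rule."""
    if u.severity.strip().lower() in {"critical", "high"}:
        return True
    return u.cvss is not None and u.cvss >= CVSS_THRESHOLD


def deadline(u: Update) -> date:
    """Last day on which the update may be applied without breaching the rule."""
    return u.released + PATCH_WINDOW


def audit(inventory: list[Update], today: date):
    """Return three lists of (host, package, days).

    overdue    - still missing and past the deadline (days late)
    due_soon   - still missing but inside the window (days left, 0 = due today)
    late_fixed - applied, but after the deadline (days late)
    """
    overdue, due_soon, late_fixed = [], [], []
    for u in inventory:
        if not in_scope(u):
            continue
        due = deadline(u)
        if u.applied is None:
            if today > due:
                overdue.append((u.host, u.package, (today - due).days))
            else:
                due_soon.append((u.host, u.package, (due - today).days))
        elif u.applied > due:
            late_fixed.append((u.host, u.package, (u.applied - due).days))
    return overdue, due_soon, late_fixed


def sample_inventory() -> list[Update]:
    """Constructed sample data covering the edge cases the rule raises."""
    return [
        # critical firmware fix, not yet applied, past the deadline
        Update("fw-01", "router-firmware", "Critical", 9.8, date(2026, 4, 20), None),
        # vendor says "moderate" but CVSS 7.5 pulls it into scope; still in window
        Update("lt-07", "browser", "moderate", 7.5, date(2026, 5, 1), None),
        # deadline is exactly today: still compliant, zero days left
        Update("srv-02", "os-kernel", "high", None, date(2026, 4, 27), None),
        # low severity, below CVSS threshold: out of scope
        Update("lt-03", "office-suite", "low", 4.3, date(2026, 4, 1), None),
        # applied, but five days after the deadline
        Update("srv-01", "web-server", "High", 8.1, date(2026, 4, 1), date(2026, 4, 20)),
    ]


def run_sample(today: date = date(2026, 5, 11)):
    return audit(sample_inventory(), today)


if __name__ == "__main__":
    overdue, due_soon, late_fixed = run_sample()
    for label, rows in (("OVERDUE", overdue), ("DUE SOON", due_soon), ("LATE FIX", late_fixed)):
        for host, pkg, days in rows:
            print(f"{label:9} {host:8} {pkg:16} {days} day(s)")
```

Run it against a real export (for example from your RMM or patch-management tool) rather than the sample data, and treat anything in the first list as an audit failure waiting to happen. Note that the boundary is inclusive: an update whose deadline is today is still compliant, but only for the rest of the day.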

  4. Cloud services must be properly included in scope

The updated scheme makes it clear that any cloud service storing or processing organisational data must be included within the scope of the assessment. This covers identity providers (the services that authenticate your users), SaaS platforms and hosted infrastructure.

The update recognises that most organisations no longer operate inside a single network boundary. Security responsibility is shared with cloud providers, but it is never fully outsourced.

  5. Clearer expectations about what is in scope

The update also removes long-standing confusion around scoping. Remote working devices, internet-connected equipment and third-party access routes must now be considered in scope unless there is a valid reason to exclude them. Scope is not just an admin exercise: it defines the boundary of your risk. This update ensures certification reflects the real environment – not an idealised one.

Why these updates matter in simple terms

These changes mirror how cyber-attacks actually happen today.

  • Attackers target accounts, not just machines
    Stolen credentials allow attackers to appear legitimate. Identity protection stops this.
  • Most data lives outside the office
    Cloud systems hold critical information and must be treated as part of the security perimeter.
  • Businesses are more connected than ever
    Remote workers, suppliers and third-party tools all create new entry points.
  • Vulnerabilities are exploited faster than ever
    Rapid patching reduces the window attackers have to compromise systems.

In short, the scheme is evolving so certification remains relevant to modern day threats.

Final thoughts: security as a driver of business growth

Cyber security is no longer just about avoiding disasters. It is increasingly a growth enabler, offering the opportunity for competitive advantage.

Organisations that demonstrate strong security controls:

  • Win more contracts and partnerships
  • Inspire greater customer confidence
  • Reduce the risk of costly disruption
  • Enable safer digital transformation

If you need clarification on how these changes may affect your recertification, or if you’re looking to become Cyber Essentials certified for the first time, get in touch with us and book your free 2-hour (no-obligation) consultation: info@comprendo.co.uk / 0345 527 4394.
