April 19, 2025

What You Need to Know: April 2025 Cyber Essentials Changes

Cyber Essentials is updating to version 3.2, effective from 28 April 2025. These changes will help your business effectively respond to evolving cybersecurity threats. Here's a detailed look at what’s changing and what actions your business should take.

1. Enhanced Cloud Security Requirements

What’s changing: The updated Cyber Essentials guidelines now explicitly cover cloud services, including Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). This ensures robust security for all online data storage and cloud applications.

What you need to do:

  • Review your current cloud services to ensure compliance with these updated standards.
  • Verify that access controls and permissions for cloud applications are correctly set up.
  • Ensure all cloud-stored data is encrypted, both in transit and at rest.

2. Mandatory Multi-Factor Authentication (MFA)

What’s changing: Multi-factor authentication becomes mandatory for user accounts accessing cloud services and for remote network access.

What you need to do:

  • Implement MFA across all cloud services and remote access points.
  • Train your staff on how to use MFA effectively.
  • Regularly check compliance to confirm MFA is enforced.

3. Regular Vulnerability Assessments Expanded

What’s changing: The term "vulnerability fixes" now includes not just patches but also configuration changes, registry edits, scripts, and other vendor-approved methods.

What you need to do:

  • Update your vulnerability management processes to include a wider range of remediation techniques.
  • Keep detailed records of all vulnerability fixes to easily demonstrate compliance.

4. Adoption of Passwordless Authentication Methods

What’s changing: Passwordless authentication methods, such as biometric verification and secure tokens, are now recognised and encouraged.

What you need to do:

  • Evaluate the feasibility of introducing passwordless authentication methods in your organisation.
  • Begin piloting these solutions in low-risk or non-critical systems first.

5. Broader Definition for Remote Working

What’s changing: The term "home working" has been updated to "home and remote working" to better reflect modern working practices from varied locations.

What you need to do:

  • Update your remote access policies to cover various remote working scenarios comprehensively.
  • Ensure secure connections, such as VPNs, are used consistently.
  • Educate your remote staff about maintaining cybersecurity best practices.

6. Software Definitions and End-of-Life (EOL) Policies

What’s changing: The definition of "software" now includes operating systems, applications, extensions, scripts, and more. Additionally, the use of End-of-Life software is strictly prohibited.

What you need to do:

  • Conduct regular inventories of all software your business uses.
  • Plan upgrades or replacements for any software approaching EOL.
  • Regularly monitor vendor updates to proactively address software lifecycle changes.

We're Here to Help

These updates are essential for maintaining your cybersecurity resilience. If you're uncertain about any of these changes or need support preparing for compliance, Forensic Control is here to help. Our expert team provides clear, straightforward guidance, ensuring your business is ready with minimal hassle.

Stay secure, stay compliant. Contact us today to ensure you're fully prepared for the Cyber Essentials changes on 28 April 2025.
