{"id":13040,"date":"2026-03-30T13:27:05","date_gmt":"2026-03-30T12:27:05","guid":{"rendered":"https:\/\/amtivo.com\/ie\/?post_type=resources-filter&#038;p=13040"},"modified":"2026-03-30T13:27:05","modified_gmt":"2026-03-30T12:27:05","slug":"cyber-essentials-regulation-updates","status":"publish","type":"resources-filter","link":"https:\/\/amtivo.com\/ie\/resources\/insights\/cyber-essentials-regulation-updates\/","title":{"rendered":"Cyber Essentials: News and Regulation Updates"},"content":{"rendered":"<h2 id=\"y2026-april-scheduled-update\">2026: April Scheduled Update<\/h2>\r\n<h3>Cyber Essentials latest update<\/h3>\r\n<p><a href=\"https:\/\/iasme.co.uk\/\" target=\"_blank\" rel=\"noopener\">IASME<\/a> and the <a href=\"https:\/\/www.ncsc.gov.ie\/\" target=\"_blank\" rel=\"noopener\">National Cyber Security Centre (NCSC)<\/a> have confirmed the next scheduled update to the Cyber Essentials requirements. The updated <strong>Requirements for IT Infrastructure v3.3<\/strong> will take effect from <strong>27th April 2026<\/strong>.<\/p>\r\n<p>Organisations starting a Cyber Essentials assessment after this date will follow the new version. Assessments created before this cut-off will continue under the existing requirements, with up to six months to complete.<\/p>\r\n<p>This annual review focuses on improving clarity and consistency within the standard. It should be noted that the changes between the previous <strong>\u2018Willow\u2019<\/strong> questions and the newly titled <strong>\u2018Danzell\u2019<\/strong> questions are more significant compared with earlier scheme updates.<\/p>\r\n<p>There are key changes to the requirements for organisations seeking to certify at both Cyber Essentials and Cyber Essentials Plus level. Most updates refine definitions and scope rather than introduce new technical controls. 
However, some changes will be important for organisations preparing for certification.<\/p>\r\n<p>For full details, see the official announcement on the <a href=\"https:\/\/iasme.co.uk\/\" target=\"_blank\" rel=\"noopener\">IASME website<\/a>.<\/p>\r\n<h3>Summary of key changes<\/h3>\r\n<ul>\r\n\t<li><strong>Stronger MFA expectations:<\/strong> Multi-factor authentication (MFA) remains a core control. Under the updated marking criteria, where a cloud service supports MFA, it must be enabled. If available MFA options are not implemented, the assessment is likely to result in a failure. This change reinforces the importance of MFA in protecting systems and organisational data.<\/li>\r\n\t<li><strong>Cloud services defined and included in scope:<\/strong> The standard now includes a clear definition of what constitutes a cloud service. Any cloud-hosted tools or platforms used to store or process organisational data must be included within scope and cannot be excluded.<\/li>\r\n\t<li><strong>Simplified scope criteria:<\/strong> Language relating to internet connections has been clarified so that any device capable of connecting to the internet &#8211; whether through inbound or outbound connections &#8211; falls within scope. Where parts of an organisation are excluded from scope, applicants must clearly explain what has been excluded, why it has been excluded, and how it has been segregated from the rest of the network infrastructure.<\/li>\r\n\t<li><strong>Updated application development guidance:<\/strong> The former \u2018web applications\u2019 section has been renamed Application Development and now references the UK Government\u2019s Software Security Code of Practice. 
Commercially available web applications are in scope by default, while bespoke internal components are treated separately.<\/li>\r\n\t<li><strong>Greater emphasis on backups:<\/strong> Guidance on backups has been repositioned earlier in the requirements document to highlight their importance in supporting recovery following a cyber incident.<\/li>\r\n\t<li><strong>Updated user access control guidance:<\/strong> The user access control section places increased emphasis on modern authentication methods, particularly passwordless approaches such as passkeys and FIDO2 authenticators. These technologies provide secure alternatives to traditional passwords and are recognised as best practice.<\/li>\r\n<\/ul>\r\n<p>&nbsp;<\/p>\r\n<h2 id=\"what-this-means-for-organisations\">What This Means for Organisations<\/h2>\r\n<p>The April 2026 update is designed to remove ambiguity and strengthen the implementation of the core technical controls. Most businesses should find alignment straightforward. However, the revised approach to MFA assessment, particularly across cloud services, may require review to ensure full compliance.<\/p>\r\n<p>To prepare for the updated requirements, organisations should review their authentication controls, cloud service usage, and how their infrastructure is scoped.<\/p>\r\n<p><strong>What are the differences between Cyber Essentials before April 2026 and after the April 2026 update?<\/strong><\/p>\r\n<p>We are closely monitoring the April 2026 Cyber Essentials update and supporting organisations in understanding exactly what is changing and how it may affect their certification.<\/p>\r\n<div class=\"dcf-overflow-x-auto\" tabindex=\"0\">\r\n<table class=\"dcf-table dcf-table-bordered dcf-table-striped dcf-w-100%\" style=\"font-family: Montserrat;\">\r\n<thead>\r\n<tr>\r\n<th scope=\"col\">Area<\/th>\r\n<th scope=\"col\">Before April 2026<\/th>\r\n<th scope=\"col\">From April 2026 (Version 3.3)<\/th>\r\n<th scope=\"col\">What This May Mean for 
You<\/th>\r\n<\/tr>\r\n<\/thead>\r\n<tbody>\r\n<tr>\r\n<th scope=\"row\">Sample remediation requirements (CE Plus level only)<\/th>\r\n<td>An initial random sample set was selected e.g. 10 PC devices, based on the IASME sampling requirement. The sample was tested and iteratively remediated until compliance was achieved.<\/td>\r\n<td>An initial random sample set is selected; however, if remediations are required on the initial samples, instead of demonstrating remediation of those already selected devices, a new random sample of additional devices must be selected to demonstrate remediation of any issues.<\/td>\r\n<td>This increases the importance of having staff available at relatively short notice throughout the assessment and quick coordination in remediating issues found (particularly where 3rd party IT support is involved).<\/td>\r\n<\/tr>\r\n<tr>\r\n<th scope=\"row\">14-day critical updates marking<\/th>\r\n<td>The requirement to install high or critical risk updates was a non-compliance, not leading to an auto-fail.<\/td>\r\n<td>The requirement for organisations to update has become a failing issue. High-risk or critical security updates for operating systems, router and firewall firmware, and applications must be installed within 14 days of release.<\/td>\r\n<td><span class=\"TextRun SCXW124491721 BCX0\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW124491721 BCX0\">This requires organisations to<span>\u00a0<\/span><\/span><span class=\"NormalTextRun SCXW124491721 BCX0\">keep all software updated and to provide assessors with evidence (CE+).<\/span><\/span><span class=\"EOP SCXW124491721 BCX0\" data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/td>\r\n<\/tr>\r\n<tr>\r\n<th scope=\"row\">No changes are allowed to the CE report<\/th>\r\n<td>Changes could be made if a client had changed the CE basic certificate. If something was incorrectly stated (e.g. 
MFA), it could be amended.<\/td>\r\n<td>No changes can be made to the CE basic certificate or report during the CE+ process.<\/td>\r\n<td>\r\n<p><span data-contrast=\"auto\">This increases\u00a0the need for organisations to be aware of all infrastructure, devices, versions etc.\u00a0<\/span><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\r\n<p><span data-contrast=\"auto\">This will lead to clients needing to redo the CE basic to correct answers,\u00a0rather\u00a0than a CE plus assessor\u00a0retrospectively\u00a0updating the report.<\/span><span data-ccp-props=\"{&quot;335551550&quot;:2,&quot;335551620&quot;:2}\">\u00a0<\/span><\/p>\r\n<\/td>\r\n<\/tr>\r\n<tr>\r\n<th scope=\"row\">Multi-Factor Authentication (MFA)<\/th>\r\n<td>MFA was required, but ambiguity existed around cloud services where MFA was available but not enabled.<\/td>\r\n<td>If MFA is available on a cloud service (free or paid), it <strong>must be enabled<\/strong>. Not enabling it results in <strong>automatic failure<\/strong>.<\/td>\r\n<td><span class=\"TextRun SCXW113653320 BCX0\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW113653320 BCX0\">You<span>\u00a0<\/span><\/span><span class=\"NormalTextRun SCXW113653320 BCX0\">will<span>\u00a0<\/span><\/span><span class=\"NormalTextRun SCXW113653320 BCX0\">need<\/span><span class=\"NormalTextRun SCXW113653320 BCX0\"><span>\u00a0<\/span>to ensure MFA is switched on across all cloud systems (e.g. email, file storage, CRM). 
If it is available and not activated, you<span>\u00a0<\/span><\/span><span class=\"NormalTextRun SCXW113653320 BCX0\">will<\/span><span class=\"NormalTextRun SCXW113653320 BCX0\"><span>\u00a0<\/span>fail the assessment.<\/span><\/span><span class=\"EOP SCXW113653320 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/td>\r\n<\/tr>\r\n<tr>\r\n<th scope=\"row\">Cloud Services \u2013 Definition<\/th>\r\n<td>Cloud services were not clearly defined in the requirements.<\/td>\r\n<td>Cloud services are clearly defined as services accessed over the internet that store or process organisational data.<\/td>\r\n<td><span class=\"TextRun SCXW67417195 BCX0\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW67417195 BCX0\">There is less room for interpretation. Systems like Microsoft 365, Google Workspace, cloud accounting<span>\u00a0<\/span><\/span><span class=\"NormalTextRun SCXW67417195 BCX0\">platforms<\/span><span class=\"NormalTextRun SCXW67417195 BCX0\"><span>\u00a0<\/span>and CRMs clearly fall within scope.<\/span><\/span><span class=\"EOP SCXW67417195 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/td>\r\n<\/tr>\r\n<tr>\r\n<th scope=\"row\">Cloud Services \u2013 Scope<\/th>\r\n<td>Some organisations interpreted scope in ways that excluded certain cloud services.<\/td>\r\n<td>Cloud services storing or processing organisational data <strong>must be included in<\/strong> <strong>scope<\/strong> and cannot be excluded.<\/td>\r\n<td><span class=\"TextRun SCXW132046682 BCX0\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW132046682 BCX0\">You can no longer leave key cloud systems out of your assessment. Expect your assessor to require them to be included.<\/span><\/span><span class=\"EOP SCXW132046682 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/td>\r\n<\/tr>\r\n<tr>\r\n<th scope=\"row\">Scoping Clarity<\/th>\r\n<td>Terms such as \u201cuntrusted\u201d and \u201cuser-initiated\u201d allowed flexibility in defining scope.<\/td>\r\n<td>Terminology has been clarified. 
Devices and services connected to the internet handling organisational data are expected to be included unless properly segregated.<\/td>\r\n<td><span class=\"TextRun SCXW248225468 BCX0\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW248225468 BCX0\">If a device or system connects to the internet and is used for business purposes, it will<span>\u00a0<\/span><\/span><span class=\"NormalTextRun SCXW248225468 BCX0\">likely need<\/span><span class=\"NormalTextRun SCXW248225468 BCX0\"><span>\u00a0<\/span>to be included. Clear network segregation becomes more important if exclusions are claimed.<\/span><\/span><span class=\"EOP SCXW248225468 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/td>\r\n<\/tr>\r\n<tr>\r\n<th scope=\"row\">Backups<\/th>\r\n<td>Backup requirements were included but positioned later in the documentation.<\/td>\r\n<td>Backup guidance has been moved earlier to emphasise its importance.<\/td>\r\n<td>Greater emphasis on demonstrating recoverability from ransomware or data loss. Backups should be configured and regularly tested.<\/td>\r\n<\/tr>\r\n<tr>\r\n<th scope=\"row\">Application \/ Web Security Section<\/th>\r\n<td>The requirements referred to web applications.<\/td>\r\n<td>The section has been reframed as <strong>Application Development<\/strong>, aligning more clearly with secure development principles.<\/td>\r\n<td><span class=\"TextRun SCXW79144326 BCX0\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW79144326 BCX0\">If your business develops software or web applications, you may need clearer evidence of secure development practices.<\/span><\/span><span class=\"EOP SCXW79144326 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/td>\r\n<\/tr>\r\n<tr>\r\n<th scope=\"row\">Assessment Version Change<\/th>\r\n<td>Organisations are assessed against the version in place when their assessment account is created.<\/td>\r\n<td>Assessments created on or after 27 April 2026 will use Version 3.3. 
Earlier accounts can be completed under the previous version within six months.<\/td>\r\n<td><span class=\"TextRun SCXW165503068 BCX0\" data-contrast=\"auto\"><span class=\"NormalTextRun SCXW165503068 BCX0\">If you want to certify under the current rules, you must create your assessment account before 27 April 2026. After that, the new rules apply.<\/span><\/span><span class=\"EOP SCXW165503068 BCX0\" data-ccp-props=\"{}\">\u00a0<\/span><\/td>\r\n<\/tr>\r\n<\/tbody>\r\n<\/table>\r\n<p>&nbsp;<\/p>\r\n<\/div>\r\n<h2 id=\"y2025-terminology-update\">2025: Terminology Update<\/h2>\r\n<p><strong> Willow Question Set, Expanded Clarifications and Enhanced Security Protocols<\/strong><\/p>\r\n<p>IASME and NCSC have announced a new \u2018Willow\u2019 question set and related documentation (Requirements for IT Infrastructure v3.2), which took effect for all Cyber Essentials applications started on or after 28 April 2025.<\/p>\r\n<p>This update introduces minor clarifications primarily focused on definitions, alongside enhancements to security protocols.<\/p>\r\n<p>The update includes changes relating to:<\/p>\r\n<ul>\r\n\t<li><strong>Terminology:<\/strong> \u2018Plugins\u2019 are now called \u2018extensions\u2019, to align with industry usage and reduce ambiguity.<\/li>\r\n\t<li><strong>Remote work:<\/strong> The definition of \u2018remote working\u2019 now explicitly includes work from locations such as cafes, hotels, and public transport, and not just home offices.<\/li>\r\n\t<li><strong>Passwordless authentication:<\/strong> The scheme now accepts modern passwordless authentication methods, such as biometrics, security keys, and one-time codes, alongside traditional multi-factor authentication.<\/li>\r\n\t<li><strong>Vulnerability fixes:<\/strong> The terminology has broadened from \u2018patches and updates\u2019 to \u2018vulnerability fixes\u2019, encompassing a wider range of approved methods for addressing security issues, including non-patch technical measures like 
configuration changes or scripts.<\/li>\r\n\t<li><strong>Improved clarity:<\/strong> Various questions and guidance materials have been refined to help applicants understand and meet the requirements more effectively.<\/li>\r\n\t<li><strong>Security alignment:<\/strong> The Cyber Essentials scheme continues its annual review cycle to remain relevant to modern and evolving cyber threats.<\/li>\r\n<\/ul>\r\n<p>&nbsp;<\/p>\r\n<h2 id=\"y2024-minor-clarifications\">2024: Minor Clarifications<\/h2>\r\n<p><strong>Incremental Clarifications Strengthened Cyber Essentials\u00a0<\/strong><\/p>\r\n<p>Cyber Essentials updates in 2024 focused on minor clarifications and improvements to guidance.\u00a0New resources, including the Cyber Essentials Knowledge Hub, were introduced to provide more sector-specific advice and support to applicants and certification bodies.\u00a0<\/p>\r\n<p>Subtle refinements in documentation language made the application process clearer and more accessible, while all core technical controls and requirements remained unchanged.\u00a0<\/p>\r\n<p>&nbsp;<\/p>\r\n<h2 id=\"y2023-streamlining-security-compliance\">2023: Streamlining Security Compliance<\/h2>\r\n<p><strong>Introduction of the Montpellier Question Set and Targeted Clarifications<\/strong>\u00a0<\/p>\r\n<p>The Cyber Essentials scheme launched the new \u2018Montpellier\u2019 question set and several important clarifications to streamline security compliance for UK organisations.\u00a0<a href=\"https:\/\/iasme.co.uk\/articles\/what-are-the-changes-to-cyber-essentials-this-year\/\" target=\"_blank\" rel=\"noopener\">The update<\/a>\u00a0replaced the\u00a0previous\u00a0\u2018Evendine\u2019 question set and was effective on April 24th\u00a02023.\u00a0<\/p>\r\n<p>Key changes include:\u00a0<\/p>\r\n<ul>\r\n\t<li><strong>Simplified device documentation:<\/strong>\u00a0For assessment purposes, applicants only needed to declare the make and operating system of user devices in scope, and listing the model 
was no longer necessary (excluding network devices).\u00a0<\/li>\r\n\t<li><strong>Firmware scope refined:<\/strong>\u00a0The definition of \u2018firmware\u2019 was clarified. Only the firmware of firewalls and routers was in scope for update requirements, rather than all device firmware.\u00a0<\/li>\r\n\t<li><strong>Third-party device handling:<\/strong>\u00a0New guidance and a table clarified how to treat third-party devices (for example, those owned by contractors) within the assessment and scope.\u00a0<\/li>\r\n\t<li><strong>Device locking flexibility:<\/strong>\u00a0If a device\u2019s default settings for lockout after failed login were unchangeable, applicants could accept the manufacturer\u2019s default for more practical device management.\u00a0<\/li>\r\n\t<li><strong>Anti-malware flexibility:<\/strong>\u00a0Anti-malware protections no longer needed to be signature-based,\u00a0and guidance covered protections for each device category. Sandboxing was no longer\u00a0an option.\u00a0<\/li>\r\n\t<li><strong>Zero Trust guidance added:<\/strong>\u00a0The update introduced guidance on Zero Trust Architecture and asset management, supporting the move towards stronger security frameworks.\u00a0<\/li>\r\n\t<li><strong>Language and structure update:<\/strong>\u00a0The requirements document had a style and language refresh, and technical controls were reordered to match the self-assessment structure.\u00a0<\/li>\r\n\t<li><strong>Cyber Essentials Plus:<\/strong>\u00a0The Illustrative Test Specification was updated to align with the changes, with a focus on refreshed malware protection tests for simplicity.\u00a0<\/li>\r\n<\/ul>\r\n<p>&nbsp;<\/p>\r\n<h2 id=\"y2022-significant-update\">2022: Significant Update<\/h2>\r\n<h3>Cyber Essentials certification \u2013 a guide to the 2022 update\u00a0<\/h3>\r\n<p>Cyber Essentials and Cyber Essentials Plus changed in 2022. 
New infrastructure requirements and amendments to technical controls announced by the\u00a0<a href=\"https:\/\/www.ncsc.gov.uk\/\" target=\"_blank\" rel=\"noopener\">National Cyber Security Centre (NCSC)<\/a>\u00a0came into force on January 24, 2022. If your\u00a0business\u00a0required\u00a0<a href=\"https:\/\/amtivo.com\/uk\/standards\/cyber-essentials\/certification\/\">Cyber Essentials certification<\/a>, you needed to know what the 2022 update meant and how it affected certification.\u00a0<\/p>\r\n<p>It was essential information for any organisation looking to become certified or work as a supplier to organisations such as the\u00a0<a href=\"https:\/\/www.gov.uk\/government\/organisations\/ministry-of-defence\" target=\"_blank\" rel=\"noopener\">Ministry of Defence (MoD)<\/a>\u00a0and the\u00a0<a href=\"https:\/\/www.nhs.uk\/\" target=\"_blank\" rel=\"noopener\">National Health Service (NHS)<\/a>.\u00a0<\/p>\r\n<h3>What was the Cyber Essentials 2022 update?\u00a0<\/h3>\r\n<p>The new Cyber Essentials question set \u2013 known as\u00a0Evendine\u00a0\u2013 launched on January 24, 2022. It was the most\u00a0significant change\u00a0to the standard since it was introduced. While new question sets had been released previously, there had been very few changes to the scheme requirements themselves. With the\u00a0Evendine\u00a0release, there were significant changes to the scope requirements and the controls that needed to be applied to the devices within that scope.\u00a0<\/p>\r\n<p>The changes were designed to modernise the scheme and\u00a0take into account\u00a0key technology trends and infrastructure changes that had become commonplace. 
Trends such as a move to greater home working and Bring Your Own Device (BYOD) were now part of the scheme.\u00a0<\/p>\r\n<p>The 2022 update included changes to Cyber Essentials relating to:\u00a0<\/p>\r\n<ul>\r\n\t<li>Cloud-based services such as Software as a Service (SaaS)\u00a0<\/li>\r\n\t<li>Passwords and two-factor authentication\u00a0<\/li>\r\n\t<li>Device declaration and BYOD\u00a0<\/li>\r\n\t<li>Thin clients\u00a0<\/li>\r\n\t<li>Homeworkers\u00a0<\/li>\r\n\t<li>Routers and firewalls\u00a0<\/li>\r\n<\/ul>\r\n<p>The\u00a0Cyber Essentials standard\u00a0was constantly evolving, and usually, there were annual updates to the question set. The reason behind these updates was that the threat landscape was continually evolving, too, and attacks that had been successfully thwarted in previous years might well have moved on in sophistication and delivery, ensuring success for criminals.\u00a0<\/p>\r\n<h3>Cloud service changes\u00a0<\/h3>\r\n<p>The\u00a0Evendine\u00a0update introduced significant changes to what must be included in scope, with the most noticeable being the inclusion of all cloud services. 
From the introduction of\u00a0Evendine, all cloud services were\u00a0required\u00a0to be within the scope of Cyber Essentials.\u00a0<\/p>\r\n<p><strong>Infrastructure as a Service (IaaS):<\/strong> was already in scope with Cyber Essentials and covered on-demand IT services such as storage and computing.\u00a0<\/p>\r\n<p><strong>Software as a Service (SaaS):<\/strong> previously regarded as out of scope, it now includes on-demand software services such as cloud-hosted business applications.\u00a0<\/p>\r\n<p><strong>Platform as a Service (PaaS):<\/strong> had been a grey area that\u00a0generally required\u00a0careful consideration as to whether the service should be in scope or not, and covered development and deployment platforms in the cloud, such as database management.\u00a0<\/p>\r\n<p>It was now impossible to certify only the cloud elements of the business or servers. The NCSC and\u00a0<a href=\"https:\/\/iasme.co.uk\/\">IASME<\/a>\u00a0clarified that end-user devices must also be in scope.\u00a0<\/p>\r\n<p>The 2022 update meant that:\u00a0<\/p>\r\n<ul>\r\n\t<li>It was no longer acceptable to descope all end-user devices.\u00a0<\/li>\r\n\t<li>It was not possible to descope cloud services used by the organisation.\u00a0<\/li>\r\n\t<li>All devices, software, and firmware in scope (including BYOD) had to be supported, with all controls applied.\u00a0<\/li>\r\n<\/ul>\r\n<h3>Password requirement changes\u00a0<\/h3>\r\n<p>There were also changes to passwords and 2-factor authentication (2FA) requirements.\u00a0<\/p>\r\n<p>From January 2024, all administrative users of cloud services had to have multi-factor authentication (MFA) applied, and all standard user accounts needed MFA when certifying in 2023.\u00a0<\/p>\r\n<p>In the meantime, user accounts needed either 12-character passwords or 8-character passwords when there was a technical control to deny bad passwords.\u00a0<\/p>\r\n<p>The NCSC requirements document described the new password controls 
as:\u00a0<\/p>\r\n<ul>\r\n\t<li>Workers had to be educated on how to avoid common or discoverable passwords, such as a pet\u2019s name, common keyboard patterns, or passwords they had used elsewhere. This could have included teaching people to use the password generator feature built into some password managers.\u00a0<\/li>\r\n\t<li>Encouraging people to choose longer passwords. This could have been done by promoting the use of multiple words (a minimum of three) to create a password (e.g., \u2018Three Random Words\u2019).\u00a0<\/li>\r\n\t<li>Providing usable secure storage for passwords (for example, a password manager or secure locked cabinet) with clear information about how and when it could be used.\u00a0<\/li>\r\n\t<li>Not enforcing regular password expiry and not enforcing password complexity requirements.\u00a0<\/li>\r\n\t<li>There had to be an established process to change passwords promptly if the applicant knew or suspected the password or account had been compromised.\u00a0<\/li>\r\n<\/ul>\r\n<h3>Requirements to declare devices and BYOD\u00a0<\/h3>\r\n<p>Servers and end-user device quantities had to be declared, and a change was that the make and model of the device, as well as the operating system, had to be declared. 
A common fault causing assessments to be sent back was that both edition and version numbers were\u00a0required.\u00a0<\/p>\r\n<p>It was recommended to\u00a0maintain\u00a0an up-to-date asset register, which had to include BYOD devices, to provide the required information.\u00a0<\/p>\r\n<p>As tracking BYOD devices could be complex, it was suggested to have a process for \u201con-boarding\u201d a BYOD device so that the owner\/make\/model\/OS could be documented whenever a staff member wished to use their own device to connect to company data.\u00a0<\/p>\r\n<p>Staff also needed to be prepared for the possibility that, if they chose to use a BYOD device, the device might need to be tested during Cyber Essentials Plus auditing, which should have been covered through employment contracts or internal policy. The recommendation was to cover this off with HR to ensure adequate coverage for BYOD.\u00a0<\/p>\r\n<p>All BYOD devices that accessed business data \u2013 including emails and cloud services \u2013 had to be regarded as being in scope and had to be fully declared. 
They also needed to have all the controls applied to them in the same way a corporate device would have.\u00a0<\/p>\r\n<p>If mobile devices were only being used to access a virtual desktop infrastructure (VDI) solution, this brought the device into scope in the same way as if it could access corporate emails.\u00a0<\/p>\r\n<p>If BYOD devices were only used for voice calls, SMS text messages, or as a platform to receive 2-factor authentication codes, then this did not bring them into scope.\u00a0<\/p>\r\n<p>It was necessary to assess whether BYOD devices were essential to the business.\u00a0<\/p>\r\n<p>Unless BYOD was treated in the same way as corporate mobiles, where all updates had to be applied, a minimum 6-character pin applied (with rate limiting and lockout in place), and the device was not jailbroken or rooted, then it was possible to fail Cyber Essentials and\/or Cyber Essentials Plus.\u00a0<\/p>\r\n<h3>Cyber Essentials 2022 \u2013 thin clients\u00a0<\/h3>\r\n<p>From 2023, all thin clients needed to be in support and receive security updates. The\u00a0Evendine\u00a0question set included questions around thin client use.\u00a0<\/p>\r\n<h3>Clarification around remote (home) workers\u00a0<\/h3>\r\n<p>There was clarification around organisations that employed home workers. If the home network used an ISP-provided router, this was seen as being out of scope. Should the organisation have provided a router for the home worker, then this was in scope.\u00a0<\/p>\r\n<p>Homeworker computers had to have the software\u00a0firewall\u00a0active on the device. If this was in place, then home networks were out of scope. 
In the interests of best practice, it was suggested to set the public\u00a0firewall\u00a0profile to deny all incoming traffic.\u00a0<\/p>\r\n<h3>Router and firewall requirements\u00a0<\/h3>\r\n<p>Routers and firewalls had to have a password of at least 8 characters and either have 2FA in place or limit login to internal addresses or a select few external whitelisted IP addresses.\u00a0<\/p>\r\n<p>This was also tested as part of Cyber Essentials Plus.\u00a0<\/p>\r\n<p>There were also some significant changes to the Cyber Essentials Plus testing and auditing process.\u00a0<\/p>\r\n<h3>What did the changes to Cyber Essentials Plus 2022 mean for an assessor?\u00a0<\/h3>\r\n<p>Cyber Essentials Plus Assessors saw many organisations fail the standard due to insufficient patching of operating systems and applications. Applying security updates within the mandated 14-day period presented a challenge to some organisations, and the changes only resulted in the bar being raised.\u00a0<\/p>\r\n<p>The reason was that Assessors had previously been allowed to discount some vulnerabilities that required certain methods of attack, such as local access to the machine or tricking a user into action. Additionally, the functionality of the attack had to be proven with a reasonable level of certainty.\u00a0<\/p>\r\n<p>In the new Cyber Essentials Plus, all critical and high vulnerabilities had to be remediated regardless of the attack vectors. This was a\u00a0significant change, and many organisations that Assessors had previously been able to pass would now fail under the new assessment.\u00a0<\/p>\r\n<p>A new test of all cloud services was introduced with\u00a0initial\u00a0checks that all administrator accounts had 2FA enabled. 
From 2023, all accounts, even standard user accounts, needed to have 2FA present.\u00a0<\/p>\r\n<p>There were further tests to ensure that administrators did not work on a day-to-day basis with admin privileges, which was often a contentious requirement for developers.\u00a0<\/p>\r\n<p>Even for developers, having admin privileges in the course of everyday work was prohibited.\u00a0<\/p>\r\n<p>For macOS\/Linux devices specifically, there had to be account separation between the user account (used for day-to-day work such as email\/web browsing) and the administrative account of the machine. It was not compliant for a user to be a part of the \u201csudo\u201d user group \u2013 there had to be complete separation.\u00a0<\/p>\r\n<p>&nbsp;<\/p>\r\n<h2 id=\"discover-cyber-essentials-certification\">Discover Cyber Essentials Certification<\/h2>\r\n<p>Help to protect your business from\u00a0cyber attacks\u00a0\u2013\u00a0find out more about <a href=\"\/ie\/security-certification\/cyber-essentials\/\">Cyber Essentials\u00a0and\u00a0Cyber Essentials Plus certification<\/a>.\u00a0<\/p>\r\n<p><a href=\"https:\/\/amtivo.com\/ie\/certification-quote\/\">Request a quote\u00a0today<\/a>\u00a0or\u00a0<a href=\"https:\/\/amtivo.com\/ie\/contact-us\/\">contact our team<\/a>\u00a0to discuss your needs.\u00a0<\/p>","protected":false},"excerpt":{"rendered":"Cyber Essentials is changing. 
Learn about the updates and how they affect your organisation.","protected":false},"author":59,"featured_media":13045,"template":"","resource":[35],"resource-tag":[149],"class_list":["post-13040","resources-filter","type-resources-filter","status-publish","has-post-thumbnail","hentry","resource-insights","resource-tag-cyber-essentials"],"acf":[],"yoast_head_json":{"title":"Cyber Essentials & Plus - News & Regulation Updates","description":"Stay up to date with the latest Cyber Essentials scheme changes, updates and historic developments with expert insights and regulation highlights.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/amtivo.com\/ie\/resources\/insights\/cyber-essentials-regulation-updates\/","og_locale":"en_GB","og_type":"article","og_title":"Cyber Essentials: News and Regulation Updates","og_description":"Stay up to date with the latest Cyber Essentials scheme changes, updates and historic developments with expert insights and regulation highlights.","og_url":"https:\/\/amtivo.com\/ie\/resources\/insights\/cyber-essentials-regulation-updates\/","og_site_name":"Amtivo Ireland","og_image":[{"width":600,"height":367,"url":"https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2026\/03\/Cyber-Essentials-News-and-Updates-Thumbnail.png","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_image":"https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2025\/04\/testimonialImage-placeholder.jpg","twitter_misc":{"Estimated reading time":"15 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/amtivo.com\/ie\/resources\/insights\/cyber-essentials-regulation-updates\/#article","isPartOf":{"@id":"https:\/\/amtivo.com\/ie\/resources\/insights\/cyber-essentials-regulation-updates\/"},"author":{"name":"Gareth
Parker","@id":"https:\/\/amtivo.com\/ie\/#\/schema\/person\/e4f7eac8bb3be1ec8d6635c6d5f0e754"},"headline":"Cyber Essentials: News and Regulation Updates","datePublished":"2026-03-30T12:27:05+00:00","mainEntityOfPage":{"@id":"https:\/\/amtivo.com\/ie\/resources\/insights\/cyber-essentials-regulation-updates\/"},"wordCount":3253,"publisher":{"@id":"https:\/\/amtivo.com\/ie\/#organization"},"image":{"@id":"https:\/\/amtivo.com\/ie\/resources\/insights\/cyber-essentials-regulation-updates\/#primaryimage"},"thumbnailUrl":"https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2026\/03\/Cyber-Essentials-News-and-Updates-Thumbnail.png","inLanguage":"en-GB"},{"@type":"WebPage","@id":"https:\/\/amtivo.com\/ie\/resources\/insights\/cyber-essentials-regulation-updates\/","url":"https:\/\/amtivo.com\/ie\/resources\/insights\/cyber-essentials-regulation-updates\/","name":"Cyber Essentials & Plus - News & Regulation Updates","isPartOf":{"@id":"https:\/\/amtivo.com\/ie\/#website"},"primaryImageOfPage":{"@id":"https:\/\/amtivo.com\/ie\/resources\/insights\/cyber-essentials-regulation-updates\/#primaryimage"},"image":{"@id":"https:\/\/amtivo.com\/ie\/resources\/insights\/cyber-essentials-regulation-updates\/#primaryimage"},"thumbnailUrl":"https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2026\/03\/Cyber-Essentials-News-and-Updates-Thumbnail.png","datePublished":"2026-03-30T12:27:05+00:00","description":"Stay up to date with the latest Cyber Essentials scheme changes, updates and historic developments with expert insights and regulation 
highlights.","breadcrumb":{"@id":"https:\/\/amtivo.com\/ie\/resources\/insights\/cyber-essentials-regulation-updates\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/amtivo.com\/ie\/resources\/insights\/cyber-essentials-regulation-updates\/"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/amtivo.com\/ie\/resources\/insights\/cyber-essentials-regulation-updates\/#primaryimage","url":"https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2026\/03\/Cyber-Essentials-News-and-Updates-Thumbnail.png","contentUrl":"https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2026\/03\/Cyber-Essentials-News-and-Updates-Thumbnail.png","width":600,"height":367,"caption":"cyber essentials news and updates"},{"@type":"BreadcrumbList","@id":"https:\/\/amtivo.com\/ie\/resources\/insights\/cyber-essentials-regulation-updates\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/amtivo.com\/ie\/"},{"@type":"ListItem","position":2,"name":"Resources","item":"https:\/\/amtivo.com\/ie\/all-resources\/"},{"@type":"ListItem","position":3,"name":"Insights","item":"https:\/\/amtivo.com\/ie\/resources\/insights\/"},{"@type":"ListItem","position":4,"name":"Cyber Essentials: News and Regulation 
Updates"}]},{"@type":"WebSite","@id":"https:\/\/amtivo.com\/ie\/#website","url":"https:\/\/amtivo.com\/ie\/","name":"Amtivo","description":"","publisher":{"@id":"https:\/\/amtivo.com\/ie\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/amtivo.com\/ie\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Organization","@id":"https:\/\/amtivo.com\/ie\/#organization","name":"Amtivo","url":"https:\/\/amtivo.com\/ie\/","logo":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/amtivo.com\/ie\/#\/schema\/logo\/image\/","url":"https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2025\/06\/amtivo-logo-new.png","contentUrl":"https:\/\/amtivo.com\/ie\/wp-content\/uploads\/sites\/11\/2025\/06\/amtivo-logo-new.png","width":400,"height":331,"caption":"Amtivo"},"image":{"@id":"https:\/\/amtivo.com\/ie\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/amtivo.com\/ie\/#\/schema\/person\/e4f7eac8bb3be1ec8d6635c6d5f0e754","name":"Gareth Parker","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/amtivo.com\/uk\/wp-content\/uploads\/sites\/20\/2026\/03\/gareth-parker_avatar-96x96.png","url":"https:\/\/amtivo.com\/uk\/wp-content\/uploads\/sites\/20\/2026\/03\/gareth-parker_avatar-96x96.png","contentUrl":"https:\/\/amtivo.com\/uk\/wp-content\/uploads\/sites\/20\/2026\/03\/gareth-parker_avatar-96x96.png","caption":"Gareth 
Parker"},"sameAs":["https:\/\/www.linkedin.com\/in\/gareth-p-3069a344\/"],"url":"https:\/\/amtivo.com\/ie\/technical-expert\/gareth\/"}]}}}