Cyber Essentials is Changing: What You Need to Know

No less than 15 major changes were made to the Cyber Essentials scheme in 2022, driven partly by the COVID-19 pandemic, and partly by the growing sophistication of cyber attacks. 

The Cyber Essentials scheme from the National Cyber Security Centre was first launched in 2014. Its aim was simple: to help organisations protect themselves from the risks of a cyber attack. Over the past eight years, the programme has been instrumental in ensuring businesses are implementing best practices to build cyber resilience. But there has been a problem: the initiative hasn’t had any significant updates since it was initially introduced, leaving many to wonder about its relevance.

In January 2022 however, major updates were announced for the scheme. With the 12-month grace period about to come to an end, it’s important that businesses understand these changes, and are prepared to adapt in preparation for their next Cyber Essentials assessment. 

Why has Cyber Essentials changed?

No less than 15 major changes were made to the Cyber Essentials scheme in 2022, driven partly by the COVID-19 pandemic, and partly by the growing sophistication of cyber attacks. These changes have been made in response to real feedback from both businesses and assessors, and should ensure that organisations are continuing to protect themselves in the best way possible. 

Changes to Cyber Essentials include:

Cloud-based technologies

Previously, only infrastructure-as-a-service (IaaS) technologies had to be assessed under the Cyber Essentials scheme. The 2022 update has extended this to all cloud technologies, including software-as-a-service (SaaS) and platform-as-a-service (PaaS). This means that Cyber Essentials technical controls must be implemented for any and all cloud-based apps that you’re using. 


Cloud software users with administrator privileges must now use 2-factor authentication (2FA), and this is expected to be rolled out to all users in the future. Passwords for routers and firewalls must also be strong and secure, with a minimum of 8 characters, and use 2FA. If 2FA is not used, then only a very limited number of selected IP addresses must have access in order to minimise risk. 


While the number of end-user devices has always been a component of Cyber Essentials, under the changes businesses must also declare the make, model, and operating system of each device. This is perhaps one of the biggest changes for businesses in terms of workload, so it’s advised that organisations begin maintaining an up-to-date asset register to keep track of what devices are used. 

Home networks

With remote and hybrid working now considered to be the norm, there are some changes relating to home networks. An employee’s home router will need to be incorporated into the assessment if the router is provided by the business, rather than by the employee’s own internet service provider. Home networks are also ‘in scope’ if the employee’s computer does not have an active firewall. 

What these changes mean for you

If you have recently completed an assessment, then there’s nothing you need to do. All assessments undertaken since January 2022 will have been completed under the new guidelines. However, if your last assessment was prior to this date, you need to ensure that you are recertified under the new scheme before January 2023. Need help preparing? At Reliable Networks, that’s what we’re here for. 

Gregory Olczyk

Gregory Olczyk