What is Changing in April 2025
The NCSC Cyber Essentials scheme undergoes its April 2025 update on 28 April, when the new Willow question set replaces the current Montpellier version. All certification applications filed on or after this date will follow the updated framework.
The good news for organisations currently certified or preparing for certification: the changes are relatively minor and focus primarily on terminology updates and clarifications rather than fundamental new requirements. The Cyber Essentials Plus Test Specification v3.2 provides the detailed technical requirements.
However, the updates do reflect important shifts in how organisations work and authenticate, particularly the formal acceptance of passwordless authentication and the expanded definition of remote working scenarios.
Passwordless Authentication Acceptance
Perhaps the most significant practical change is the formal inclusion of passwordless authentication as an approved method, listed alongside multi-factor authentication in the user access control requirements. The NCSC now defines passwordless authentication as "an authentication method that uses a factor other than user knowledge to establish identity."
Approved passwordless methods include:
Biometric authentication – Fingerprint, facial recognition, or iris scanning
Security keys and tokens – FIDO2/WebAuthn hardware keys like YubiKey
One-time codes – Time-based codes from authenticator apps
QR codes – Scan-to-authenticate mechanisms
Push notifications – Approve/deny prompts on trusted devices
This change legitimises modern authentication practices already adopted by many organisations using Microsoft Entra ID, Okta, or similar identity providers. Organisations no longer need to maintain password requirements solely for Cyber Essentials compliance if they have implemented robust passwordless solutions. Any account that can still authenticate with a password, including fallback and recovery paths, remains subject to the existing password requirements.
Vulnerability Fixes Terminology
The previous terminology of "patches and updates" has been replaced with "vulnerability fixes" as an umbrella term. This seemingly minor change has practical implications for how organisations demonstrate compliance.
Vulnerability fixes now explicitly include patches from vendors, software updates, registry fixes, configuration changes, scripts, and any other vendor-approved mechanism to address known vulnerabilities.
The core requirement remains unchanged: vulnerabilities rated high or critical (a CVSS v3 base score of 7.0 or above, or a vendor rating of critical, high or important) must be remediated within 14 days of a fix becoming available. However, under the Willow scheme, all configuration-based and non-patch findings now come into scope. This means any high or critical vulnerability identified during device scans must be remediated if a fix has been available for more than 14 days, regardless of whether that fix is a traditional patch or a configuration change, registry fix or script.
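The following is an added example, not part of the original article or of any NCSC or IASME tooling. It triages a constructed set of scanner findings against the rules described above: the high/critical threshold, the 14-day clock that starts when a vendor-approved fix becomes available, and the Willow change that counts configuration-based and other non-patch fixes alongside patches. The finding fields, hostnames and titles are hypothetical, and the `willow=False` branch models the page's own characterisation of the previous question set rather than any official pre-Willow rule.

```python
"""Triage scanner findings against the Cyber Essentials 14-day remediation rule.

Added example (not NCSC/IASME code). Field names and sample findings are
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

REMEDIATION_WINDOW = timedelta(days=14)
CVSS_HIGH_THRESHOLD = 7.0          # CVSS v3 base score treated as high/critical
VENDOR_HIGH_RATINGS = {"critical", "high", "important"}
PATCH_FIX_TYPES = {"patch", "update"}   # the only fix types the page says counted pre-Willow


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    cvss_v3: Optional[float]              # None when the scanner gives no score
    vendor_severity: str                  # vendor's own rating, lower-cased below
    fix_type: Optional[str]               # "patch", "update", "configuration", "registry", "script"; None if no fix
    fix_available_since: Optional[date]   # date the vendor-approved fix was published; None if no fix


def is_high_or_critical(f: Finding) -> bool:
    """CVSS v3 >= 7.0 OR a vendor rating of critical/high/important."""
    if f.cvss_v3 is not None and f.cvss_v3 >= CVSS_HIGH_THRESHOLD:
        return True
    return f.vendor_severity.lower() in VENDOR_HIGH_RATINGS


def triage(f: Finding, today: date, willow: bool = True) -> str:
    """Classify one finding. The clock runs from fix availability, not from scan date."""
    if not is_high_or_critical(f):
        return "below_threshold"
    if f.fix_type is None or f.fix_available_since is None:
        return "no_fix_available"             # no clock yet; track until the vendor ships a fix
    if not willow and f.fix_type not in PATCH_FIX_TYPES:
        return "not_counted_pre_willow"       # page's description of the Montpellier-era scope
    deadline = f.fix_available_since + REMEDIATION_WINDOW
    return "overdue" if today > deadline else "within_window"


def triage_all(findings: List[Finding], today: date, willow: bool = True) -> Dict[str, str]:
    """Map each finding title to its triage status."""
    return {f.title: triage(f, today, willow) for f in findings}


# Constructed sample scan output; none of these refer to real hosts or advisories.
TODAY = date(2025, 5, 12)
SAMPLE_FINDINGS = [
    Finding("LAPTOP-01", "Missing OS cumulative update", 9.8, "critical", "patch", date(2025, 4, 8)),
    Finding("LAPTOP-01", "SMBv1 protocol enabled", None, "high", "configuration", date(2017, 1, 1)),
    Finding("LAPTOP-02", "TLS 1.0 enabled", 5.3, "medium", "registry", date(2020, 6, 1)),
    Finding("LAPTOP-02", "Browser out of date", 8.8, "high", "update", date(2025, 5, 5)),
    Finding("SERVER-01", "Unpatched zero-day in agent", 9.0, "critical", None, None),
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.host:10} {f.title:32} willow={triage(f, TODAY):22} "
              f"pre-willow={triage(f, TODAY, willow=False)}")
```

Running it shows the practical effect of the terminology change: the SMBv1 configuration finding is overdue under Willow even though no patch is involved, while the browser update is still inside its window and the zero-day with no vendor fix has not started its clock at all.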
Remote Working Scope Changes
The terminology has shifted from "home working" to "home and remote working" to acknowledge the reality of modern work patterns. The updated guidance explicitly recognises that working away from the company network includes untrusted networks such as cafes, hotels, trains, and other shared spaces.
This change requires organisations to consider a broader range of scenarios when assessing their security controls. VPN requirements, endpoint protection, and access policies must account for the full spectrum of locations where employees might work.
In a further terminology change, "plugins" has been renamed "extensions" to match the term used for browser add-ons by the major browsers, including Chrome, Edge, and Firefox.
Scoping and Verification Requirements
The Willow update introduces tighter requirements around assessment scoping and evidence retention. Key changes include:
Scope Matching – The Cyber Essentials Plus assessment scope must exactly match the Cyber Essentials self-assessment, with verification from the Assessor
Sample Size Verification – Assessors must confirm device sample sizes are calculated correctly using IASME's method
Evidence Retention – Certification Bodies must retain all verification evidence for the lifetime of the certificate
Segregation Verification – Where scope is not whole organisation, proper segregation between in-scope and out-of-scope networks must be verified
For organisations with partial scope certifications, this means demonstrating a firewall or equivalent physical/logical barrier between in-scope and out-of-scope networks.
Preparing for the Willow Update
Organisations approaching certification or recertification should take the following steps:
Review Authentication Methods
If you've implemented passwordless authentication, document how your solution meets the NCSC definition. Ensure all approved methods (biometric, security keys, push notifications) are properly configured and that fallback mechanisms also meet requirements.
Audit Vulnerability Management
Review your vulnerability management processes to ensure you're tracking all types of fixes, not just patches. Confirm that configuration-based vulnerabilities are being identified and remediated within the 14-day window.
Update Remote Working Policies
Ensure your security policies explicitly address remote working scenarios beyond home offices. Document the controls in place for staff working from cafes, hotels, or other untrusted networks.
Verify Scope Documentation
If your certification scope is less than whole organisation, ensure you can demonstrate proper network segregation with firewall or equivalent controls between in-scope and out-of-scope systems.
The IASME guidance provides additional detail on preparing for the Willow update, and Certification Bodies can advise on specific requirements for your organisation.