What Are The Upcoming Cyber Essentials Changes?

The National Center for Cyber Security (NCSC) has revealed that the technical requirements for Cyber Essentials are changing in April 2023. 

The NCSC periodically reviews technical requirements for Cyber Essentials to ensure the scheme is effective in protecting UK organisations against cyber threats. 

In 2022, there was a major update to Cyber Essentials. Therefore, the changes for 2023 are set to be much lighter and focus more on clarification. 

What Changes Are Being Made to Cyber Essentials in 2023? 

In 2023, there are a handful of changes coming to Cyber Essentials which concern: 

  • User devices 
  • Firmware 
  • Third-party devices 
  • Device unlocking 
  • Malware protection 
  • Style and language 
  • Structure updates 
  • CE+ testing 

The below information has been taken from the NCSC website

User Devices 

From April 2023, you will only be required to declare the make and OS of your user devices, with no need to list the model. This change will take effect within the self-assessment questions, rather than the requirements document. 


All firmware is currently included in the definition of ‘software’, and so must be kept up to date and supported. Following feedback that this information can be difficult to find, we are changing this to include just router and firewall firmware. 

Third-Party Devices 

More information and a new table that clarify how third-party devices, such as a contractor or student devices, should be treated in your application. 

Device Unlocking 

We have made a change here to mitigate some issues around default settings in devices being unconfigurable (such as the number of unsuccessful login attempts before the device is locked). Where that is the case, it is now acceptable for applicants to use those default settings. 

Malware Protection 

Anti-malware software will no longer need to be signature-based and we have clarified which mechanism is suitable for different types of devices. Sandboxing is removed as an option. 

Style and Language 

Several language and format changes have been made to make the document easier to read. 

Structure Updated 

The technical controls have been reordered to align with the updated self-assessment question set. 

CE+ Testing 

The CE+ Illustrative Test Specification document has been updated to align with the requirements changes. The biggest change here is a refreshed set of Malware Protection tests, to simplify the process for both applicants and assessors. 

When Is The Update Due to Happen? 

These Cyber Essentials changes will take place from the 24th of April 2023. This means that any applications made on OR after this date will need to use the new requirements and questions set.  

Why Are These Changes Happening? 

To ensure the certification remains relevant and up-to-date, feedback from accessors, applicants and the NCSC is regularly reviewed.  

In addition to the changing requirements, IASME is producing more resources to help applicants understand the questions and certification process. Including a knowledge base, guides and articles.  

These will become available over the coming months.  

Do You Need Help with Cyber Essentials? 

As a Cyber Essential Plus certified business, we work with IASME and can help you achieve your CE and CE+ certifications.  

If you’re working towards your CE certification and need a helping hand, get in touch with us today via info@systemagic.co.uk or give us a call on 01225 426800.  

Back to our blog

Are you a looking for IT Support for your business?

Get in touch via our Contact form or call us on 01225 426 800

Business Directory
Business Directory listing for IT support provider Systemagic