If you’re a business owner, you’ve likely heard about Cyber Essentials, the UK government-backed scheme that helps protect organisations from common cyber threats. But did you know the standard changed in April 2025?
On 28 April 2025, Cyber Essentials introduced a new set of rules, known as the ‘Willow’ update, replacing the previous ‘Montpellier’ standard. If your business wants to stay certified (or get certified for the first time), it’s important to understand how these changes affect you, especially if you handle customer data or want to win government contracts.
What’s changed under the new ‘Willow’ standard?
The 2025 ‘Willow’ update brings tighter security requirements in three main areas:
1. Software Scope
All software that connects to your work systems—yes, even browser extensions and small desktop tools—must now be supported and updated regularly. Outdated or unsupported software could now make you ineligible for certification.
2. Remote Working
Whether your staff work from home full-time or just check emails on the go, you now need to show that those devices are properly secured. That includes managed firewalls, up-to-date antivirus software, and secure access controls.
3. Vulnerability Management
Instead of waiting for problems to pop up, businesses now need to actively scan for security issues—and fix them quickly. This is a step towards being proactive, not reactive.
What does this mean for your business?
The impact of the new standard depends on when your certification was last renewed.
If your business renewed before April 2025, you’re still operating under the older ‘Montpellier’ rules. While you’re not expected to make immediate changes, your next renewal will require compliance with the stricter ‘Willow’ criteria. Now is a good time to start auditing your software tools, reviewing remote work policies, and setting up basic vulnerability scans. Waiting until the last minute could mean scrambling to get certified or, worse, letting your certification lapse.
On the other hand, if you’ve already renewed after April 2025, you’re in the clear. Your current setup is already aligned with the new standards, and your focus should be on maintaining good habits: regular updates, secure device policies, and a clear process for managing risk. You’ve already done the hard work of upgrading; now it’s about staying consistent.
No matter where your business falls, it’s worth checking that everyone from leadership to frontline staff understands the new expectations. Cyber Essentials isn’t just a checkbox anymore. It’s a living framework that will continue evolving with the threat landscape.
Are you considering renewing Cyber Essentials certification?
At Lucidica, we simplify the certification process. We have in-house Cyber Essentials assessors who work directly with IASME, the official certifying body. That means we can guide you through the new requirements without needing to bring in an external partner.
Whether you’re already certified or starting fresh, we’ll help you:
- Save time
- Reduce costs
- Get fully prepared for the more rigorous audits under the new ‘Willow’ framework
Ready to get compliant without the stress? Let’s talk.