The Willow Update, a major revision to Cyber Essentials (CE), was introduced in April 2025. The transition marks one of the most significant updates to the scheme, reshaping how organisations approach core areas of cyber hygiene and compliance.
Whether you’re currently CE certified, or considering certification for the first time, understanding the Willow update is essential. We’ve put together an article to guide you through the changes and help you navigate the transition as seamlessly as possible.
The Cyber Essentials regulatory system has long been a foundational part of UK cyber security policy, particularly for SMEs and public sector suppliers. It offers a clear, practical framework to protect against common cyber threats. However, with the dramatic rise in remote and hybrid working, growing reliance on cloud services, and increasingly sophisticated cyber attacks, some of the original controls began to feel out of step with the reality of today.
The update was developed in response to these shifts, reflecting a more modern view of business operations, especially in dispersed, cloud-based environments. It also aims to remove ambiguity, simplify the assessment process and bring more clarity to organisations applying the scheme in complex IT setups.
One of the most notable changes concerns the requirements around multi-factor authentication (MFA). While MFA was previously mandatory for administrator accounts on cloud services, the new update broadens this requirement to include all user accounts. This reflects the growing consensus across the cyber security industry that MFA is a basic but highly effective control that should be universally applied.
There’s also a shift in the requirements for home networks and remote working. Under previous versions, home routers were often considered within scope (if bought by the employing organisation), which created confusion and complexity for businesses. The Willow update now refines this approach by focusing on the devices themselves, rather than the entire network, recognising that employees often use personal or unmanaged routers.
Another important change is the modernisation of password policies. Traditional rules, like regular password changes, password expiry, or enforcing complex character combinations, have been shown to encourage insecure behaviours, such as storage of handwritten password records. The Willow update encourages organisations to adopt passphrases and support them with lockout and throttling mechanisms, rather than relying on outdated complexity requirements.
More clarity has also been introduced around the use of third-party services and devices. If your business relies on contractors, freelancers, or cloud-hosted infrastructure, the updated guidance offers more detail on when these elements fall within the scope of certification. This helps ensure that organisations applying the controls can do so realistically and effectively, without making assumptions.
If your business was certified under the Cyber Essentials scheme before April 28, 2025, your existing certification remains valid until it expires. However, any renewals or new certifications from April 28, 2025 onward will need to meet the new Willow requirements.
This means it’s time to take stock. You’ll need to review your existing systems and processes against the updated criteria, particularly around MFA, user authentication, cloud services, and how you handle remote work. In some cases, changes may be more straightforward, such as enabling MFA across all accounts, but in others, they may require updates to your policies or additional investment in secure tooling. For Naq users, tasks like policy generation can be automated, helping to streamline the process.
The update also brings with it a more risk-based approach to compliance. Rather than enforcing rigid, one-size-fits-all policies, it offers greater flexibility and clearer guidance for organisations with complex or hybrid environments. This is a welcome development, particularly for SMEs operating with limited in-house expertise.
Managing updates can feel daunting, especially if you’re unsure where to start or how the new requirements apply to your specific setup. That’s where Naq comes in.
Our automated compliance platform offers an end-to-end solution that goes beyond box-ticking. Naq equips your organisation with all the tools it needs to stay continuously compliant with the frameworks necessary to operate securely and confidently.
From automated compliance tracking and real-time non-compliance alerts to risk management tools, training, and more, Naq makes it simple to implement, scale, and maintain your compliance obligations.
Book a call with one of our compliance specialists today to find out how we can help you navigate the Willow Update, or explore how we can support your Cyber Essentials journey.