The latest changes to Cyber Essentials certification and what they mean for MoD suppliers and contractors.
David Broadbent
20 October 2025
The Cyber Essentials scheme has undergone significant updates for 2024, with important implications for defence contractors and MoD suppliers. These changes reflect the evolving threat landscape and the increasing importance of robust cybersecurity measures in the defence supply chain.
This guide will break down the key changes and provide practical steps for ensuring your organisation remains compliant with the updated requirements.
The 2021 updates to Cyber Essentials focus on three main areas:
With the increasing use of mobile devices in business operations, the new standards place greater emphasis on mobile device management (MDM) and bring-your-own-device (BYOD) policies. This reflects the growing recognition that mobile devices represent a significant attack vector.
Key changes include:
Stricter requirements for mobile device encryption
Enhanced app installation controls
Improved remote wipe capabilities
Better separation of personal and business data
As businesses increasingly move to cloud-based systems, the 2024 standards include updated requirements for cloud security configurations and multi-factor authentication (MFA). These changes ensure that cloud environments are properly secured against common attack vectors.
Notable updates:
Mandatory MFA for all cloud-based email and productivity systems
Enhanced password policies for cloud accounts
Improved backup and recovery requirements for cloud data
Stricter access controls for cloud administrative accounts
The new standards include enhanced requirements for understanding and managing supply chain security risks. This reflects the growing recognition that attackers often target organisations through their suppliers and partners.
These changes have important implications for businesses in the defence supply chain:
Many MoD contracts now require Cyber Essentials certification as a prerequisite. The updated standards mean that defence contractors must demonstrate compliance with these new requirements to maintain their eligibility for government contracts.
"Cyber Essentials certification is no longer optional for defence contractors. It's become a fundamental requirement that demonstrates your commitment to protecting sensitive information and maintaining the security of the defence supply chain."
- Ministry of Defence Procurement Guidelines 2024
Existing Cyber Essentials certifications remain valid until their expiry date. However, when renewing, organisations will need to meet the new standards. It's recommended that defence contractors begin planning for these updates 3-6 months before their current certification expires.
If you're a defence contractor or MoD supplier, now is the time to:
Assess your current security posture against the new requirements
Plan your certification renewal well in advance of expiry
Implement necessary changes to meet the updated standards
Document your compliance for contract submissions
The updated Cyber Essentials scheme represents an important step forward in protecting the defence supply chain. By staying ahead of these changes, defence contractors can ensure they remain competitive and compliant in an increasingly security-conscious marketplace.