Cyber Essentials Changes 2025–2026 for UK Accountants | PPCS
Cyber Essentials is Changing Again (2025–2026): What It Really Means for Accountants
Cyber Essentials is evolving again. And if you are an accounting firm, payroll bureau or bookkeeping practice, the practical impact is bigger than the phrase “minor update” suggests.
Cyber Essentials for accountants is no longer just about getting through a questionnaire. Between the 2025 Willow update and the changes due from April 2026, firms are being pushed toward better asset visibility, stronger MFA enforcement, clearer scoping, broader vulnerability management and more realistic treatment of remote working. For practices handling payroll, tax, client financial data and cloud-based bookkeeping platforms, that matters a great deal.
Role: Founder, Prime PC Services (PPCS)
Also: AIGAS Founder
The bar is rising.
The margin for error is shrinking, and particularly under Cyber Essentials Plus, scope and evidence are being treated more seriously than many firms are used to.
On this page
- What Cyber Essentials is and why it still matters
- The big shift: Willow (2025) and beyond
- Key changes accounting firms need to know
- What the 2026 update changes in practice
- Has Cyber Essentials actually become harder?
- Why this hits accounting firms harder
- Where PPCS is different
- What you should do next
- Frequently Asked Questions
What is Cyber Essentials and why it still matters
Cyber Essentials remains the UK Government-backed baseline for cyber security. It is built around five core technical controls designed to reduce exposure to the most common internet-based attacks.
It still matters because it works. IASME says insurance data shows that organisations certified under Cyber Essentials are 92% less likely to make a claim on their cyber insurance compared to those without certification. For firms that want a practical baseline rather than vague security intentions, that is significant.
For accountants handling client financial data, payroll data, tax records, remote access, email systems and cloud platforms, Cyber Essentials has moved well beyond “nice to have”. It is increasingly part of what clients, insurers and supply chains expect. If your firm also needs Cyber Essentials for accountants in a more guided format, PPCS already provides structured support specifically for UK practices.
The big shift: “Willow” (2025) and beyond
In April 2025, Cyber Essentials introduced the Willow question set, replacing Montpellier for new assessment accounts. IASME described many of the wording changes as “fairly minor”, but the practical impact is more important than that label suggests.
Willow did not rewrite the five controls from scratch. What it did do was modernise the language around how firms actually work today: cloud services, passwordless authentication, broader vulnerability fixes, and home and remote working outside trusted office networks.
That matters because accounting firms now run on a mixture of cloud bookkeeping, email, payroll, laptops, remote access, BYOD habits and software sprawl. Cyber Essentials is gradually becoming less tolerant of vague answers and more aligned to the operational reality firms should already be managing.
Key changes you need to know
1. Asset management is now effectively non-negotiable
The newer question sets push firms toward much better visibility over devices, software, services and in-scope infrastructure. In practice, if you do not know what devices, cloud services and network equipment are in use, it becomes much harder to answer accurately and much easier to fail later under scrutiny.
2. “Patching” has become broader vulnerability fixing
Under Willow, the language moved from patches and updates to vulnerability fixes. That is broader than many firms realise. It includes not only patches and updates, but also registry fixes, scripts, configuration changes and other vendor-approved ways of resolving known vulnerabilities.
3. Firmware and network devices matter more than many SMEs assume
If your routers, firewalls and other edge devices are ignored, you are leaving obvious gaps. For smaller accounting firms, these are often the least well-documented parts of the environment, especially where an old business router or third-party managed firewall has simply been left running.
4. MFA is becoming a true fail point
IASME has confirmed that from the 2026 update, where a cloud service offers MFA and you have not implemented it, that can result in an automatic failure. For accountants using email, cloud bookkeeping, payroll tools and remote access, this is one of the most important practical changes in the whole update cycle.
5. Passwordless authentication is now recognised properly
Cyber Essentials is catching up with modern authentication. Passwordless methods including passkeys, FIDO2 authenticators, biometrics, security keys, push approvals and one-time codes are now explicitly recognised. That is helpful, but it also means firms need to understand what they have actually deployed rather than just saying “we use Microsoft logins”.
6. Remote working is no longer framed as just “working from home”
The wording now refers to home and remote working, which better reflects the reality of staff working from trains, hotels, cafes, client sites and other untrusted networks. For accounting practices, that shift is overdue and highly relevant.
7. Cyber Essentials Plus is leaning further toward verification
IASME’s 2025 changes to the Plus test specification made it clearer that assessors must verify scope alignment, verify segregation where partial scope is used, calculate device sample size correctly, and retain verification evidence for the life of the certificate. In plain English: for Plus, evidence matters more than many firms think.
What the 2026 update changes in practice
The April 2026 update does not reinvent Cyber Essentials, but it does tighten some important areas. IASME has already confirmed several points that accounting firms should pay attention to now rather than later.
- Cloud services are now defined more clearly and cannot simply be excluded from scope if they store or process your organisation’s data.
- If parts of your environment are excluded from scope, you will need to justify why and explain how they have been segregated.
- The language around internet connectivity is being simplified so fewer firms can rely on technical ambiguity.
- MFA becomes more punitive where available cloud MFA is not enabled.
- Passwordless authentication and passkeys receive greater emphasis.
- Backups are being given stronger prominence in the requirements guidance, underlining the operational resilience side of cyber security.
That combination makes Cyber Essentials feel more operational and less theoretical. For good firms, that is sensible. For disorganised firms, it is where the pain starts.
So… has Cyber Essentials actually become harder?
The honest answer is yes — but not because the five controls have suddenly become wildly more complicated.
Before
- Fill in the questionnaire
- Be broadly compliant
- Hope your interpretation matches the assessor’s
Now
- Maintain proper asset visibility
- Treat cloud services as real scope items
- Enforce MFA consistently
- Understand vulnerability fixing beyond simple patching
- Be able to justify exclusions
- Expect more verification where evidence is required
In other words, Cyber Essentials has become harder mainly for firms whose security is informal, undocumented or inconsistent. If your estate is visible, your MFA is enforced, your devices are controlled and your remote working is properly thought through, the scheme is still very manageable.
Why this hits accounting firms harder
Accounting firms are not generic SMEs. You hold highly sensitive information, operate under professional expectations, and increasingly rely on cloud-heavy stacks that introduce both efficiency and exposure: QuickBooks, Sage, payroll portals, email, document storage, practice management tools and remote access.
That combination is exactly why accounting firms feel the Cyber Essentials changes more acutely than many other small businesses. Weak device visibility, inconsistent MFA or misunderstood scope can now create real certification friction.
And from what we see at PPCS, many firms are still dealing with the same underlying issues: no asset register, inconsistent remote access discipline, unknown personal devices, shadow IT, and patching that is assumed rather than genuinely managed.
The reality: most firms are not ready
Where PPCS is different and ahead of the curve
At PPCS, we are not reacting late to these changes. The direction of travel has been clear for a while: better visibility, stronger control, fewer assumptions and more accountability.
In other words, we are already working at the level many firms now need to reach. If your practice wants a practical route rather than a vague security lecture, that is exactly what our Cyber Essentials support for accounting firms is designed to provide.
What you should do next: practical steps
1. Build an asset register
You cannot secure what you cannot see.
2. Enforce MFA everywhere
No exceptions. Especially for email, cloud platforms and remote access.
3. Review remote access properly
Assume your users are outside the office network and design around that reality.
4. Improve your vulnerability process
Do not treat it as just “Windows Update is on”. Understand configuration fixes, vendor advisories and network device updates too.
5. Get a real gap assessment before attempting certification
That is nearly always cheaper than discovering weak controls during the process.
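To make the five steps above (and the scope, MFA and vulnerability-fixing points from the key changes section) concrete, here is an added example of a small readiness gap check written for this page. It is not PPCS's code or any assessor's tooling. It runs over a constructed asset register and applies the rules the page describes: cloud services holding firm data cannot be excluded, exclusions need a justification and segregation, MFA offered but not enforced is a fail, and a vendor fix can be a registry or firmware change rather than a patch. The 14-day fix deadline (`FIX_DEADLINE_DAYS`), the sample estate and the advisory references are assumptions.

```python
"""Cyber Essentials readiness gap check over a constructed asset register.
Added example, not PPCS's code. FIX_DEADLINE_DAYS and all sample data are
assumptions, not values taken from the page."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

FIX_DEADLINE_DAYS = 14  # assumed deadline for applying a vendor fix once released


@dataclass
class PendingFix:
    vuln_ref: str
    released: date
    fix_type: str  # "patch", "firmware", "config_change", "registry", "script"


@dataclass
class Device:
    name: str
    kind: str                      # "laptop", "router", "server", ...
    software: str                  # OS or firmware version
    vendor_supported: bool         # still receives vendor security fixes
    owner: str = "firm"            # "personal" marks a BYOD device
    in_register: bool = True
    excluded: bool = False
    exclusion_reason: Optional[str] = None
    segregated: bool = False
    pending_fixes: list = field(default_factory=list)


@dataclass
class CloudService:
    name: str
    holds_firm_data: bool
    mfa_available: bool
    mfa_enforced: bool
    excluded: bool = False
    exclusion_reason: Optional[str] = None


def check_device(dev: Device, today: date) -> list:
    """Return (severity, asset, message) findings for one device."""
    out = []
    if not dev.in_register:
        out.append(("FAIL", dev.name, "in use but missing from the asset register"))
    if dev.excluded:
        if not (dev.exclusion_reason and dev.segregated):
            out.append(("FAIL", dev.name, "excluded without justification and segregation"))
        return out  # a justified, segregated exclusion is not assessed further
    if not dev.vendor_supported:
        out.append(("FAIL", dev.name, f"{dev.software} no longer receives vendor fixes"))
    for fix in dev.pending_fixes:
        age = (today - fix.released).days
        if age > FIX_DEADLINE_DAYS:
            # Non-patch fixes are the ones "Windows Update is on" never covers.
            note = "" if fix.fix_type == "patch" else f" (fix type: {fix.fix_type})"
            out.append(("FAIL", dev.name, f"{fix.vuln_ref} unapplied for {age} days{note}"))
    if dev.owner == "personal":
        out.append(("WARN", dev.name, "BYOD device handling firm data; same controls apply"))
    return out


def check_cloud_service(svc: CloudService) -> list:
    out = []
    if svc.excluded and svc.holds_firm_data:
        out.append(("FAIL", svc.name, "holds firm data, so it cannot be excluded from scope"))
    if svc.mfa_available and not svc.mfa_enforced:
        out.append(("FAIL", svc.name, "MFA is offered but not enforced"))
    elif not svc.mfa_available:
        out.append(("WARN", svc.name, "provider offers no MFA; record and review the service"))
    return out


def run_gap_check(devices, services, today):
    findings = []
    for d in devices:
        findings.extend(check_device(d, today))
    for s in services:
        findings.extend(check_cloud_service(s))
    return findings


def summarise(findings):
    return {sev: sum(1 for f in findings if f[0] == sev) for sev in ("FAIL", "WARN")}


# Constructed sample estate for a small practice; none of these are real assets.
TODAY = date(2026, 4, 20)
SAMPLE_DEVICES = [
    Device("ACC-LAP-01", "laptop", "Windows 11 24H2", True),
    Device("ACC-LAP-02", "laptop", "Windows 11 24H2", True, pending_fixes=[
        PendingFix("VENDOR-ADV-0001", date(2026, 3, 30), "registry")]),
    Device("office-router", "router", "ISP firmware 2019.3", False, pending_fixes=[
        PendingFix("VENDOR-ADV-0002", date(2026, 1, 10), "firmware")]),
    Device("partner-tablet", "tablet", "iPadOS 18", True, owner="personal", in_register=False),
    Device("legacy-server", "server", "Windows Server 2012", False, excluded=True,
           exclusion_reason="archive only, no internet access", segregated=True),
]
SAMPLE_SERVICES = [
    CloudService("Microsoft 365", True, True, True),
    CloudService("Cloud bookkeeping", True, True, False),
    CloudService("Payroll portal", True, True, True, excluded=True,
                 exclusion_reason="hosted by vendor"),
]

if __name__ == "__main__":
    results = run_gap_check(SAMPLE_DEVICES, SAMPLE_SERVICES, TODAY)
    for sev, asset, msg in results:
        print(f"{sev:4} {asset:16} {msg}")
    print(summarise(results))
```

Run as-is, the sample estate produces six FAIL findings and one WARN: the unsupported router with an old firmware fix, the laptop with an unapplied registry fix, the tablet missing from the register, the bookkeeping service without enforced MFA, and the payroll portal excluded despite holding firm data. The point is the shape of the check rather than the specific values: once the register exists, each of the page's rules becomes a yes/no question you can answer before the assessor does.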
If you want to go deeper, you can review PPCS pricing, explore our Cyber Essentials packages for accountants, or use our free AI register if your firm is also trying to get visibility over AI-enabled systems.
For firms where cyber security and AI governance are starting to overlap, our free AI governance check can also be a useful first step on a practical route to AIGAS.
Final thoughts
Cyber Essentials has not suddenly become impossible. But it has become more real, more enforceable and less forgiving of weak operational discipline.
For accounting firms adopting cloud tools quickly and, increasingly, AI-enabled systems too, this is a turning point. The firms that treat Cyber Essentials as a tick-box exercise will struggle. The firms that treat it as operational security will pass more cleanly and win greater trust.
If you want help getting there, that is exactly what we do at PPCS.
— Sal Nasser
Founder, Prime PC Services (PPCS)
Frequently Asked Questions
Has Cyber Essentials become harder in 2025 and 2026?
In practice, yes. Not because the core controls are unrecognisable, but because the wording is clearer, cloud scope is treated more seriously, MFA expectations are tougher, and firms need better operational discipline to answer accurately.
What is the Willow update in Cyber Essentials?
Willow is the Cyber Essentials question set introduced from April 2025 for new assessment accounts. It modernised definitions around passwordless authentication, vulnerability fixes, and home and remote working, and it also sharpened aspects of the Plus verification process.
Do accountants need MFA everywhere now?
You should assume yes for all important cloud services. IASME has confirmed that where a cloud service offers MFA and it is not implemented, that can result in an automatic failure under the 2026 update.
What does “vulnerability fixing” mean in Cyber Essentials?
It means more than just installing patches. It includes any vendor-approved fix for a known vulnerability, such as updates, registry changes, scripts, configuration changes or other corrective mechanisms.
Can we exclude cloud services from Cyber Essentials scope?
The 2026 update makes this much clearer: if your organisation’s data or services are hosted on cloud services, those services must be in scope. They cannot simply be excluded because they are hosted by someone else.
Why are accounting firms especially exposed?
Because they handle sensitive financial and payroll data, rely heavily on cloud software, and often support hybrid or remote working. That combination means weak MFA, poor asset visibility or misunderstood scope can quickly become real risk.
How can PPCS help?
PPCS helps accounting firms prepare for Cyber Essentials with gap assessments, structured remediation guidance, practical implementation support and a broader route into cyber security and AI governance where needed.
