🔴 New Auto-Fail
MFA on cloud services: if MFA is available on any cloud platform and you haven't enabled it, assessment fails immediately. Cost is not an excuse.
🔴 New Auto-Fail
14-day patching (A6.4 & A6.5): missing the window for OS/firmware or application fixes is now immediate failure. Previous tolerance removed.
⚠️ Changed
Password minimum: 12 characters (up from 8). MFA or passwordless authentication satisfies this independently.
⚠️ Changed
Point-in-time = certificate issue date: your systems must be compliant on the day the certificate is issued, not submission day.
✦ Clarified
Passkeys are now the NCSC's preferred auth method. FIDO2, biometrics, OTPs, security keys and push notifications all formally accepted.
✦ Clarified
Cloud services formally defined for the first time: they cannot be excluded from scope. Scope descriptions are now unlimited in length on certificates.
✦ Clarified
Director declaration updated: now includes explicit acknowledgement of responsibility for maintaining CE compliance throughout the full certification period.
⚠️ CE+ Only
Self-assessment locked before CE+ audit: VSA responses cannot be amended after testing begins. "Selective patching" workaround closed.