Which Contracts Require Cyber Essentials? A Complete Guide for UK Organisations
- The Assessor Team
- May 28
- 8 min read

Category: Cyber Essentials and CE+ Read time: ~10 min
If you've ever been asked to provide a Cyber Essentials certificate as part of a tender, or found yourself wondering whether your organisation needs one before bidding for a contract, you're not alone. It's one of the most common questions we're asked — and the honest answer is that the list of organisations and sectors requiring it is growing rapidly.
This article sets out, clearly and in plain English, where Cyber Essentials is currently a mandatory contractual requirement, where it is strongly expected, and where the direction of travel suggests it will become mandatory in the near future. We've drawn exclusively on published government policy, official procurement guidance, and primary sources — so you can rely on this information when making decisions about your certification.
⚠️ Important: Contract requirements change regularly. Always check your specific contract documentation and the latest published government guidance. This article reflects the position as of May 2026 and is provided for general guidance purposes only.
The Foundation — Procurement Policy Note 014 (PPN 014)
Everything starts here. Procurement Policy Note 014 (PPN 014) is the UK Government's binding procurement policy on Cyber Essentials, which came into force on 24 February 2025, replacing its predecessors PPN 09/23 and PPN 09/14.
PPN 014 applies to:
- All central government departments
- Their executive agencies and non-departmental public bodies
- All NHS bodies in England
Under PPN 014, these organisations must require suppliers to hold Cyber Essentials or Cyber Essentials Plus certification before a contract can be awarded, where that contract involves any of the following:
- Handling citizen personal data — such as names, addresses, National Insurance numbers, bank details, or health records
- Handling government employee data — including HR records, payroll information, or security clearance information
- ICT systems or services operating at OFFICIAL classification or above
- Any contract assessed as being at higher risk of a cyber security threat
Certification must be renewed annually for the full duration of the contract — it is not a one-off requirement.
PPN 014 is the bedrock upon which most of the sector-specific requirements below are built. If you are supplying to any part of central government or the NHS in any capacity, this policy is the starting point for understanding your obligations.
📄 Read the full PPN 014 document: assets.publishing.service.gov.uk
Central Government and the Wider Public Sector Supply Chain
Cyber Essentials has been mandatory for certain UK Government contracts since October 2014. Today, under PPN 014, the requirement covers any central government contract falling within the risk characteristics described above.
This requirement also cascades through supply chains. If you are a sub-contractor or third-party supplier to a prime contractor working on a government contract — and your work involves handling relevant data or systems — you may also be required to hold certification, even if your contract is not directly with a government department.
The G-Cloud framework, used extensively across the entire public sector for the procurement of cloud-based technology services, now requires all suppliers to hold Cyber Essentials certification as a condition of participation — regardless of contract type.
Whether you need basic Cyber Essentials or the higher Cyber Essentials Plus will depend on the specific nature and risk profile of each contract. This will be stated in your contract documentation.
📄 Crown Commercial Service guidance for SME suppliers: gca.gov.uk
Ministry of Defence (MOD) and the Defence Supply Chain
Cyber Essentials has been mandatory for MOD contracts since 1 January 2016 — making defence one of the earliest sectors to adopt the requirement.
For suppliers working within the MOD supply chain, the standard required goes beyond basic Cyber Essentials. Under DEFCON 658, defence supply chain suppliers are required to hold Cyber Essentials Plus — the independently audited, technically verified level of certification. This requirement applies not only to prime contractors but cascades down through sub-contractors who handle relevant information or provide in-scope services.
For contracts involving information classified at OFFICIAL-SENSITIVE or above, requirements extend further still, under Defence Standard 05-138 (Cyber Security for Defence Suppliers), which sets out additional controls governing the handling of MOD information — including secure communications, data handling procedures, personnel security, and incident reporting specific to defence contexts.
If you are working within or seeking to enter the defence supply chain, confirm the exact level and type of certification required for your specific scope of supply directly with your contracting authority.
NHS and Health Sector Suppliers
NHS bodies fall squarely within the scope of PPN 014, meaning the government-wide requirements apply directly. However, the NHS has gone further in several important respects.
NHS Supply Chain — the body responsible for procuring goods and services on behalf of NHS trusts — has implemented PPN 014 and is requiring all in-scope suppliers to demonstrate compliance with Cyber Essentials Plus, not simply the basic level. Suppliers who do not yet hold CE+ may be asked to complete an Information Security Third Party Questionnaire (ISTPQ), but progressing to full CE+ certification is strongly recommended and increasingly a condition of ongoing supply.
📄 NHS Supply Chain cyber security expectations: supplychain.nhs.uk
For suppliers of digital health technology — including software, SaaS platforms, and apps used by NHS organisations — the Digital Technology Assessment Criteria (DTAC) explicitly requires a valid Cyber Essentials certificate within its technical security section. Without it, a supplier cannot achieve DTAC compliance and therefore cannot supply qualifying digital products or services to the NHS. This is an absolute requirement, not a recommendation.
Suppliers handling NHS patient data are also required to complete the Data Security and Protection Toolkit (DSPT) — a separate but complementary mandatory framework that sits alongside the Cyber Essentials requirement.
It is worth noting that individual NHS Trusts and Integrated Care Boards (ICBs) set their own supplier requirements, and standards vary across the country. However, following several significant cyber incidents affecting NHS supply chains in 2024 and 2025 — including the high-profile Synnovis ransomware attack — the direction of travel is unmistakable. The bar is rising, and organisations without Cyber Essentials certification are increasingly finding themselves excluded from NHS procurement frameworks before they have had the chance to compete.
Ministry of Justice, HM Prison and Probation Service (HMPPS), and the Justice Sector
As part of the Ministry of Justice (MoJ) family, HM Prison and Probation Service (HMPPS) contracts are subject to PPN 014. Suppliers providing goods, services, or professional services across prison and probation settings must meet the government's cyber security requirements.
Published procurement documentation from HMPPS makes these requirements explicit. For suppliers using company-owned devices and cloud storage, Cyber Essentials Plus is required at the supplier level. Where practitioners or sub-contractors use personal devices not owned by the company, each individual practitioner may instead be required to hold Cyber Essentials (basic) certification, with evidence provided to the contracting authority.
This means that organisations delivering services such as psychology, health, education, or professional support across prison and probation settings — as well as IT and technology suppliers to HMPPS — will need to understand which certification requirement applies to their specific delivery model.
📄 Example HMPPS tender with CE requirements: find-tender.service.gov.uk
Legal Aid Agency — Criminal Legal Aid Contracts
From 1 October 2025, the Legal Aid Agency (LAA) requires any practice holding a 2025 Standard Crime Contract to have a valid Cyber Essentials certificate in place as a condition of that contract. This covers organisations delivering publicly funded criminal legal aid services in England and Wales — including criminal investigations, criminal proceedings, prison law, and appeals and reviews.
This is a contractual requirement, not a recommendation. Organisations delivering criminal legal aid services without a valid certificate risk being unable to renew or maintain their contracts.
📄 LAA data security requirements: gov.uk/government/publications/legal-aid-agency-data-security-requirements
Solicitors and Law Firms — The Wider Legal Sector
The Legal Aid Agency requirement is the clearest mandatory requirement for the legal sector, but it is far from the only pressure on law firms to achieve certification.
The Law Society's Lexcel accreditation — the quality mark for legal practice management — expects Cyber Essentials certification as part of its information security expectations. Firms holding or pursuing Lexcel accreditation should factor this into their planning.
The Solicitors Regulation Authority (SRA) strongly recommends Cyber Essentials and has highlighted it repeatedly as best practice in guidance issued to regulated firms. The SRA's Standards and Regulations require solicitors and firms to take appropriate steps to protect client data — and Cyber Essentials is a recognised, demonstrable way of evidencing compliance with that obligation. The SRA reported a 37% increase in cyber-related reports from regulated firms between 2023 and 2025, and in 2024–2025 alone intervened in 47 practices citing IT security failures as a primary or contributing factor.
Beyond regulatory expectations, the commercial reality for law firms is shifting quickly:
- Many professional indemnity insurers now require Cyber Essentials as a condition of cover, or offer measurable premium reductions for certified firms
- Corporate clients conducting due diligence on their legal advisers are increasingly asking for evidence of certification
- Government and public sector clients will require it as part of their own supply chain obligations under PPN 014
Whilst Cyber Essentials is not yet a universal mandatory requirement across the entire legal sector under SRA rules, the direction of travel is clear — and the commercial and reputational risk of not holding certification is growing year on year.
Scottish and Welsh Public Sector
Cyber Essentials is widely treated as a standard requirement across the Scottish public sector. Scottish Government agencies, local authorities, and housing associations increasingly expect certification as part of supplier onboarding, and many Scottish public sector procurements make it an explicit requirement.
For Welsh public sector procurement, Welsh Procurement Policy Note WPPN 08/21 mirrors the UK Government's requirements, meaning suppliers working with Welsh public bodies face closely aligned obligations.
Where Certification Is Increasingly Expected
Even where Cyber Essentials is not yet a formal contractual requirement, the following sectors are actively moving in that direction. Organisations in these sectors that achieve certification now will be ahead of the curve when formal requirements arrive:
Charities and the Third Sector
Many grant-making bodies and funders now expect or require Cyber Essentials as evidence of responsible stewardship of donor and beneficiary data. Charities handling personal data are also expected under UK GDPR to implement appropriate technical measures — and Cyber Essentials is a recognised way of evidencing compliance.
Housing Associations and Social Landlords
The social housing sector is seeing growing adoption of Cyber Essentials requirements within procurement frameworks, particularly for IT and digital service suppliers.
Education — Schools and Universities
Cyber Essentials is increasingly adopted across the education sector, particularly by institutions involved in public sector frameworks or handling significant volumes of student data.
Financial Services
Six major UK banks — Barclays, Lloyds Banking Group, Nationwide, NatWest, Santander UK, and TSB — have publicly committed to requiring Cyber Essentials from their suppliers, following a joint statement issued alongside the NCSC in March 2025 to mark the scheme's tenth anniversary. Cyber Essentials is also increasingly expected as part of financial services supplier onboarding and due diligence.
Which Level Do I Need — Cyber Essentials or Cyber Essentials Plus?
As a general guide:
| Scenario | Level Likely Required |
| --- | --- |
| Standard central government supply chain contracts | Cyber Essentials (basic) |
| Higher risk contracts involving sensitive citizen or government data | Cyber Essentials Plus |
| MOD supply chain — DEFCON 658 | Cyber Essentials Plus |
| NHS Supply Chain in-scope suppliers | Cyber Essentials Plus |
| Digital health technology suppliers (DTAC) | Cyber Essentials (basic) minimum |
| G-Cloud framework suppliers | Cyber Essentials (basic) |
| Legal Aid Agency Criminal Legal Aid contracts | Cyber Essentials (basic) |
| HMPPS suppliers using company-owned devices/cloud | Cyber Essentials Plus |
| HMPPS individual practitioners using personal devices | Cyber Essentials (basic) |
The specific level required will always be stated in your contract documentation. If in any doubt, Cyber Essentials Plus always satisfies any requirement that basic Cyber Essentials satisfies — and more. Where you have the option, Plus is the more future-proof choice.
Ready to Get Certified?
Whether you need Cyber Essentials to fulfil an existing contract requirement, are preparing for an upcoming tender, or simply want to get ahead of requirements in your sector, Get Cyber Certified is here to help.
We have been marking Cyber Essentials and Cyber Assurance assessments on behalf of IASME and the NCSC since 2015. Our team of accredited assessors will guide you through the process from start to finish — and no client who has taken our Supported service and followed our guidance has ever failed their assessment.
🛒 View our services and pricing: getcybercertified.co.uk/category/all-products
📅 Book a meeting with your assessor: Click here to arrange a time
📧 Email us: team@getcybercertified.co.uk
📞 Call us: 0333 339 0383
This article was written by the team at Get Cyber Certified (Data Security and Compliance Services Ltd), accredited assessors for Cyber Essentials and Cyber Assurance on behalf of IASME and the UK Government's NCSC. All information is drawn from published government policy and official guidance and is correct as of May 2026.