Cyber Essentials Plus for Government Contracts: What You Need to Know

For any UK organisation that works with the public sector — or aspires to — Cyber Essentials Plus certification has moved from a nice-to-have to a contractual necessity. Since October 2014, the UK Government has required suppliers bidding for certain contracts to hold Cyber Essentials certification. As the threat landscape has intensified and data protection requirements have grown more stringent, many government departments have raised the bar further, insisting on Cyber Essentials Plus — the independently verified level — for contracts involving sensitive or personal information.

This article explores the relationship between Cyber Essentials Plus and government contracts in detail, covering what is required, which contracts mandate certification, how to position your organisation for success, and the broader commercial benefits that flow from achieving this standard.

The Government's Cybersecurity Requirements

The UK Government's requirement for Cyber Essentials certification in its supply chain stems from a straightforward recognition: government data is only as secure as the weakest link in its supply chain. A government department might invest millions in its own cybersecurity, but if a supplier with access to its data or systems is compromised, the investment is undermined.

The policy, set out by the Cabinet Office and now administered through the Government Commercial Function, requires that suppliers bidding for government contracts demonstrate appropriate cybersecurity measures. For contracts that involve handling sensitive or personal information, or that require connection to government networks, Cyber Essentials certification is a minimum requirement.

In practice, many contracting authorities have gone beyond the minimum. Departments such as the Ministry of Defence (MoD), the Home Office, HMRC, and numerous NHS bodies routinely require Cyber Essentials Plus rather than the basic level. Local authorities, devolved administrations, and arm's-length bodies are following suit. The trend is clear: the basic level satisfies the minimum policy, but Plus is increasingly the practical standard for competitive bids.

Key figures:

- £346bn: annual UK public sector procurement spend
- 2014: year Cyber Essentials became mandatory for some contracts
- 39,000+: organisations currently holding certification

Which Contracts Require Certification?

Understanding precisely which contracts require Cyber Essentials certification — and which require Plus specifically — helps you target your investment effectively. The requirements are not uniform across all government procurement; they depend on the nature of the contract and the sensitivity of the data or systems involved.

Contracts Requiring Basic Cyber Essentials

At a minimum, Cyber Essentials certification is required for government contracts that involve handling personal information of UK citizens, handling sensitive government data (classified or otherwise), providing certain ICT products and services, or connecting to government networks or systems. This covers a broad range of contracts across virtually every government department and public body. If your contract involves any form of data handling or IT service delivery, basic Cyber Essentials is almost certainly a requirement.

Contracts Requiring Cyber Essentials Plus

While the central policy specifies basic Cyber Essentials as the minimum, individual contracting authorities frequently require Plus for higher-sensitivity work. Contracts that typically require Cyber Essentials Plus include Ministry of Defence contracts involving defence information or connection to MoD networks, NHS contracts involving patient data or clinical systems, contracts with the intelligence services or law enforcement agencies, critical national infrastructure projects, IT managed service contracts where the supplier will have administrative access to government systems, and contracts explicitly requiring independently verified cybersecurity assurance.

Additionally, many framework agreements — such as those managed by Crown Commercial Service (CCS) — include Cyber Essentials Plus as a qualification criterion. Suppliers that do not hold the certification cannot join the framework, regardless of their other capabilities. Given that framework agreements account for a significant proportion of government IT procurement, this exclusion can be commercially devastating.

| Contract Type | Minimum Certification | Common Requirement |
|---|---|---|
| General IT services | Cyber Essentials | Cyber Essentials Plus |
| Data handling (personal data) | Cyber Essentials | Cyber Essentials Plus |
| Ministry of Defence | Cyber Essentials Plus | Cyber Essentials Plus + additional |
| NHS clinical systems | Cyber Essentials Plus | Cyber Essentials Plus + DSP Toolkit |
| CCS framework agreements | Varies by lot | Cyber Essentials Plus for IT lots |
| Local authority IT contracts | Cyber Essentials | Increasingly Cyber Essentials Plus |
| Critical infrastructure | Cyber Essentials Plus | Cyber Essentials Plus + sector standards |

How Certification Affects Your Bid

Understanding how Cyber Essentials Plus affects the procurement process helps you maximise its value. Certification typically comes into play at several stages of the bidding process.

Pre-Qualification

Many government procurement exercises include a pre-qualification stage (sometimes called a selection questionnaire or PQQ) that filters out suppliers who do not meet minimum requirements before the detailed evaluation begins. Cyber Essentials certification is frequently a pass/fail criterion at this stage — if you do not hold the required level, your bid is excluded regardless of its quality. Having Cyber Essentials Plus already in place before you bid ensures you clear this hurdle automatically.

Technical Evaluation

During the technical evaluation of bids, assessors scrutinise your proposed approach, including your cybersecurity measures. Holding Cyber Essentials Plus demonstrates that your security controls have been independently verified, which carries more weight than self-declared measures or generic policy statements. Some evaluation frameworks explicitly award additional marks for independently verified certifications.

Due Diligence

Before a contract is awarded, the contracting authority typically conducts due diligence on the preferred supplier. This often includes a review of cybersecurity credentials. Cyber Essentials Plus streamlines this process by providing a government-recognised, independently verified certification that satisfies standard due diligence requirements. Without it, you may face extensive additional security questionnaires and assessments that delay contract award.

At a glance:

- Pre-qualification pass rate with CE Plus: 95% (near-guaranteed clearance)
- Without CE Plus (where required): 0% (automatically excluded)
- Bid evaluation scoring advantage: significant (higher technical scores)
- Due diligence speed improvement: major (reduced security questionnaires)

The Ministry of Defence Connection

The Ministry of Defence deserves special attention because it represents one of the largest and most security-conscious government buyers. MoD contracts frequently require not just Cyber Essentials Plus but also compliance with the Defence Cyber Protection Partnership (DCPP) framework, which maps supplier cybersecurity requirements to the sensitivity of the information they handle.

Under the DCPP, suppliers are categorised into risk profiles based on the nature of their work and the data they access. Cyber Essentials Plus is typically the baseline requirement for suppliers handling information classified at OFFICIAL level or above. For higher classifications, additional security measures beyond Cyber Essentials may be required, but Plus certification remains a foundation upon which these additional requirements are built.

For organisations in the defence supply chain — from large prime contractors to small specialist suppliers — Cyber Essentials Plus is effectively non-negotiable. The MoD has been proactive in enforcing this requirement, and prime contractors are increasingly flowing the requirement down to their sub-contractors. If you operate at any level of the defence supply chain, achieving and maintaining Cyber Essentials Plus is a commercial imperative.

NHS and Healthcare Contracts

The NHS is another major public sector buyer where Cyber Essentials Plus has become essential. Following high-profile incidents such as the WannaCry attack in 2017 — which disrupted services across multiple NHS trusts — the healthcare sector has significantly strengthened its cybersecurity requirements for suppliers.

NHS organisations procuring IT systems, managed services, or any solution that handles patient data increasingly require Cyber Essentials Plus as a condition of contract. This requirement sits alongside the Data Security and Protection (DSP) Toolkit, which is the NHS's own assurance framework. While the DSP Toolkit covers broader information governance requirements, Cyber Essentials Plus provides the independently verified technical assurance that complements it.

For technology companies and service providers working with the NHS, holding Cyber Essentials Plus demonstrates a commitment to cybersecurity that resonates strongly with procurement teams and clinical stakeholders who are acutely aware of the consequences of a security breach in a healthcare setting.

Pro Tip

When bidding for NHS contracts, check whether the requirement specifies Cyber Essentials Plus alongside the DSP Toolkit. Having both in place before you bid puts you in the strongest possible position and avoids delays in the procurement process. Many NHS procurement teams will not consider suppliers who cannot demonstrate both.

Local Government and Devolved Administrations

Local authorities across England, Scotland, Wales, and Northern Ireland are significant buyers of IT services, and their cybersecurity requirements are catching up with central government. While the adoption of Cyber Essentials Plus as a mandatory requirement varies by authority, the trend is firmly towards requiring it for IT-related contracts.

County councils, metropolitan boroughs, London boroughs, and unitary authorities all handle sensitive personal data — from social services records to council tax information — and they are increasingly recognising the need for robust supplier cybersecurity. Cyber Essentials Plus provides a convenient, standardised mechanism for verifying supplier security credentials without each authority needing to conduct its own assessment.

The devolved administrations — the Scottish Government, Welsh Government, and Northern Ireland Executive — have also adopted the Cyber Essentials framework within their procurement processes. While the specific requirements may vary, the direction of travel is consistent across all parts of the UK: towards independently verified cybersecurity certification as a standard procurement requirement.

Framework Agreements and Dynamic Purchasing Systems

Framework agreements managed by Crown Commercial Service (CCS) and other central purchasing bodies represent a significant channel for government procurement. Suppliers join these frameworks through a competitive process and are then available for call-off by government buyers. Frameworks such as G-Cloud, Digital Outcomes and Specialists, and Technology Products and Services collectively account for billions of pounds in annual government IT spending.

Many of these frameworks include Cyber Essentials certification — and increasingly Cyber Essentials Plus — as a qualification requirement. Suppliers that do not hold the required certification cannot join the framework, effectively excluding them from a large pool of government business. The cost of certification is trivial compared to the revenue potential of being listed on a major government framework.

Dynamic Purchasing Systems (DPS), which are increasingly used alongside traditional frameworks, often apply similar requirements. These are open to new suppliers joining throughout their lifetime, so achieving Cyber Essentials Plus can open up opportunities at any time, not just when a new framework is being established.

Positioning Your Organisation for Success

Simply holding Cyber Essentials Plus is not sufficient to win government contracts — but not holding it can certainly lose them. To maximise the commercial value of your certification, consider the following strategic approach.

Achieve certification proactively: Do not wait until a specific tender requires it. Having Cyber Essentials Plus in place before you see an opportunity means you can respond immediately without delays for certification. Given that the process takes four to eight weeks from start to finish, waiting until a tender is published can mean missing the deadline entirely.

Maintain continuous certification: Cyber Essentials Plus certificates are valid for 12 months. Allowing your certificate to lapse — even briefly — can exclude you from procurement exercises that check certification status at the point of bid submission. Plan your renewal well in advance to maintain unbroken certification.

Publicise your certification: Display your Cyber Essentials Plus badge on your website, in your corporate literature, and in your bid documents. Make it easy for procurement teams to verify your certification status. Include your certificate number and expiry date in your standard company information.

Use certification as a differentiator: In competitive bids, reference your Cyber Essentials Plus certification as evidence of your commitment to cybersecurity. Explain how the five controls are embedded in your operations. This demonstrates not just compliance but genuine security maturity.

The Broader Commercial Benefits

While this article focuses on government contracts, the commercial benefits of Cyber Essentials Plus extend well beyond the public sector. Large private sector organisations — particularly those in financial services, utilities, telecommunications, and retail — are increasingly requiring their suppliers to hold recognised cybersecurity certifications. Cyber Essentials Plus, as a government-backed, independently verified standard, satisfies these requirements in many cases.

Cyber insurance is another area where certification provides tangible commercial benefit. UK insurers are tightening their underwriting criteria, and holding Cyber Essentials Plus can improve your terms, reduce your premiums, and streamline the application process. Some Cyber Essentials certifications include a complimentary cyber insurance policy, providing additional value.

For organisations that operate in both the public and private sectors, Cyber Essentials Plus provides a single certification that satisfies multiple stakeholder requirements. This reduces the burden of managing multiple security assessments and questionnaires, freeing your team to focus on delivering value rather than repeatedly demonstrating compliance.

Looking Ahead

The trajectory of government cybersecurity requirements is unambiguously towards greater rigour. The Government Cyber Security Strategy 2022-2030 sets out ambitious goals for improving the resilience of government and its supply chain. Cyber Essentials Plus is a cornerstone of this strategy, and its role in government procurement is only going to grow.

Organisations that invest in achieving and maintaining Cyber Essentials Plus today are positioning themselves for sustained success in the government marketplace. Those that delay risk finding themselves excluded from an expanding range of opportunities as requirements tighten and enforcement becomes more consistent.

The investment is modest, the process is manageable, and the return — in terms of access to government contracts, commercial credibility, and genuine security improvement — is substantial. For any UK organisation with ambitions in the public sector, Cyber Essentials Plus is not optional. It is foundational.

Win Government Contracts with Confidence

Cloudswitched helps UK organisations achieve Cyber Essentials Plus certification to unlock government contract opportunities. From initial assessment through to certification and ongoing compliance, we ensure your cybersecurity credentials meet the demands of public sector procurement. Start positioning your organisation for success today.

CloudSwitched