Cyber Essentials Plus for Government Contracts: What You Need to Know

For any UK organisation that works with the public sector — or aspires to — Cyber Essentials Plus certification has moved from a nice-to-have to a contractual necessity. Since October 2014, the UK Government has required suppliers bidding for certain contracts to hold Cyber Essentials certification. As the threat landscape has intensified and data protection requirements have grown more stringent, many government departments have raised the bar further, insisting on Cyber Essentials Plus — the independently verified level — for contracts involving sensitive or personal information.

This article explores the relationship between Cyber Essentials Plus and government contracts in detail, covering what is required, which contracts mandate certification, how to position your organisation for success, and the broader commercial benefits that flow from achieving this standard.

The Government's Cybersecurity Requirements

The UK Government's requirement for Cyber Essentials certification in its supply chain stems from a straightforward recognition: government data is only as secure as the weakest link in its supply chain. A government department might invest millions in its own cybersecurity, but if a supplier with access to its data or systems is compromised, the investment is undermined.

The policy, set out by the Cabinet Office and now administered through the Government Commercial Function, requires that suppliers bidding for government contracts demonstrate appropriate cybersecurity measures. For contracts that involve handling sensitive or personal information, or that require connection to government networks, Cyber Essentials certification is a minimum requirement.

In practice, many contracting authorities have gone beyond the minimum. Departments such as the Ministry of Defence (MoD), the Home Office, HMRC, and numerous NHS bodies routinely require Cyber Essentials Plus rather than the basic level. Local authorities, devolved administrations, and arm's-length bodies are following suit. The trend is clear: the basic level satisfies the minimum policy, but Plus is increasingly the practical standard for competitive bids.

£346bn: annual UK public sector procurement spend
2014: year Cyber Essentials became mandatory for some contracts
39,000+: organisations currently holding certification

Which Contracts Require Certification?

Understanding precisely which contracts require Cyber Essentials certification — and which require Plus specifically — helps you target your investment effectively. The requirements are not uniform across all government procurement; they depend on the nature of the contract and the sensitivity of the data or systems involved.

Contracts Requiring Basic Cyber Essentials

At a minimum, Cyber Essentials certification is required for government contracts that involve handling personal information of UK citizens, handling sensitive government data (classified or otherwise), providing certain ICT products and services, or connecting to government networks or systems. This covers a broad range of contracts across virtually every government department and public body. If your contract involves any form of data handling or IT service delivery, basic Cyber Essentials is almost certainly a requirement.

Contracts Requiring Cyber Essentials Plus

While the central policy specifies basic Cyber Essentials as the minimum, individual contracting authorities frequently require Plus for higher-sensitivity work. Contracts that typically require Cyber Essentials Plus include Ministry of Defence contracts involving defence information or connection to MoD networks, NHS contracts involving patient data or clinical systems, contracts with the intelligence services or law enforcement agencies, critical national infrastructure projects, IT managed service contracts where the supplier will have administrative access to government systems, and contracts explicitly requiring independently verified cybersecurity assurance.

Additionally, many framework agreements — such as those managed by Crown Commercial Service (CCS) — include Cyber Essentials Plus as a qualification criterion. Suppliers that do not hold the certification cannot join the framework, regardless of their other capabilities. Given that framework agreements account for a significant proportion of government IT procurement, this exclusion can be commercially devastating.

Contract Type                  | Minimum Certification  | Common Requirement
-------------------------------|------------------------|----------------------------------------
General IT services            | Cyber Essentials       | Cyber Essentials Plus
Data handling (personal data)  | Cyber Essentials       | Cyber Essentials Plus
Ministry of Defence            | Cyber Essentials Plus  | Cyber Essentials Plus + additional
NHS clinical systems           | Cyber Essentials Plus  | Cyber Essentials Plus + DSP Toolkit
CCS framework agreements       | Varies by lot          | Cyber Essentials Plus for IT lots
Local authority IT contracts   | Cyber Essentials       | Increasingly Cyber Essentials Plus
Critical infrastructure        | Cyber Essentials Plus  | Cyber Essentials Plus + sector standards

How Certification Affects Your Bid

Understanding how Cyber Essentials Plus affects the procurement process helps you maximise its value. Certification typically comes into play at several stages of the bidding process.

Pre-Qualification

Many government procurement exercises include a pre-qualification stage (sometimes called a selection questionnaire or PQQ) that filters out suppliers who do not meet minimum requirements before the detailed evaluation begins. Cyber Essentials certification is frequently a pass/fail criterion at this stage — if you do not hold the required level, your bid is excluded regardless of its quality. Having Cyber Essentials Plus already in place before you bid ensures you clear this hurdle automatically.

Technical Evaluation

During the technical evaluation of bids, assessors scrutinise your proposed approach, including your cybersecurity measures. Holding Cyber Essentials Plus demonstrates that your security controls have been independently verified, which carries more weight than self-declared measures or generic policy statements. Some evaluation frameworks explicitly award additional marks for independently verified certifications.

Due Diligence

Before a contract is awarded, the contracting authority typically conducts due diligence on the preferred supplier. This often includes a review of cybersecurity credentials. Cyber Essentials Plus streamlines this process by providing a government-recognised, independently verified certification that satisfies standard due diligence requirements. Without it, you may face extensive additional security questionnaires and assessments that delay contract award.

Pre-qualification pass rate with CE Plus: 95% (near-guaranteed clearance)
Without CE Plus (where required): 0% (automatically excluded)
Bid evaluation scoring advantage: significant (higher technical scores)
Due diligence speed improvement: major (reduced security questionnaires)

The Ministry of Defence Connection

The Ministry of Defence deserves special attention because it represents one of the largest and most security-conscious government buyers. MoD contracts frequently require not just Cyber Essentials Plus but also compliance with the Defence Cyber Protection Partnership (DCPP) framework, which maps supplier cybersecurity requirements to the sensitivity of the information they handle.

Under the DCPP, suppliers are categorised into risk profiles based on the nature of their work and the data they access. Cyber Essentials Plus is typically the baseline requirement for suppliers handling information classified at OFFICIAL level or above. For higher classifications, additional security measures beyond Cyber Essentials may be required, but Plus certification remains a foundation upon which these additional requirements are built.

For organisations in the defence supply chain — from large prime contractors to small specialist suppliers — Cyber Essentials Plus is effectively non-negotiable. The MoD has been proactive in enforcing this requirement, and prime contractors are increasingly flowing the requirement down to their sub-contractors. If you operate at any level of the defence supply chain, achieving and maintaining Cyber Essentials Plus is a commercial imperative.

The defence supply chain also illustrates a broader principle that applies across all government procurement: the cascading effect of certification requirements. When a prime contractor holds Cyber Essentials Plus certification and is contractually required to ensure its supply chain meets equivalent standards, the requirement naturally flows down to sub-contractors at every tier. A small specialist engineering firm that provides components to a defence prime contractor may find itself needing Cyber Essentials Plus certification even though it has no direct contract with the MoD. This cascading effect significantly expands the pool of organisations for whom certification is a commercial necessity, extending far beyond the relatively small number of firms that contract directly with government departments.

Furthermore, the Defence and Security Industrial Strategy published by the UK Government has reinforced the importance of cybersecurity resilience across the entire defence supply chain. The strategy explicitly calls for strengthened cybersecurity requirements for all tiers of suppliers, and Cyber Essentials Plus is positioned as a foundational element of this strengthened posture. Organisations that understand their certification within this broader strategic context — rather than viewing it as an isolated compliance exercise — are better equipped to articulate their security credentials in a way that resonates with defence procurement teams who are evaluating suppliers against these strategic objectives.

NHS and Healthcare Contracts

The NHS is another major public sector buyer where Cyber Essentials Plus has become essential. Following high-profile incidents such as the WannaCry attack in 2017 — which disrupted services across multiple NHS trusts — the healthcare sector has significantly strengthened its cybersecurity requirements for suppliers.

NHS organisations procuring IT systems, managed services, or any solution that handles patient data increasingly require Cyber Essentials Plus as a condition of contract. This requirement sits alongside the Data Security and Protection (DSP) Toolkit, which is the NHS's own assurance framework. While the DSP Toolkit covers broader information governance requirements, Cyber Essentials Plus provides the independently verified technical assurance that complements it.

For technology companies and service providers working with the NHS, holding Cyber Essentials Plus demonstrates a commitment to cybersecurity that resonates strongly with procurement teams and clinical stakeholders who are acutely aware of the consequences of a security breach in a healthcare setting.

Pro Tip

When bidding for NHS contracts, check whether the requirement specifies Cyber Essentials Plus alongside the DSP Toolkit. Having both in place before you bid puts you in the strongest possible position and avoids delays in the procurement process. Many NHS procurement teams will not consider suppliers who cannot demonstrate both.

Local Government and Devolved Administrations

Local authorities across England, Scotland, Wales, and Northern Ireland are significant buyers of IT services, and their cybersecurity requirements are catching up with central government. While the adoption of Cyber Essentials Plus as a mandatory requirement varies by authority, the trend is firmly towards requiring it for IT-related contracts.

County councils, metropolitan boroughs, London boroughs, and unitary authorities all handle sensitive personal data — from social services records to council tax information — and they are increasingly recognising the need for robust supplier cybersecurity. Cyber Essentials Plus provides a convenient, standardised mechanism for verifying supplier security credentials without each authority needing to conduct its own assessment.

The devolved administrations — the Scottish Government, Welsh Government, and Northern Ireland Executive — have also adopted the Cyber Essentials framework within their procurement processes. While the specific requirements may vary, the direction of travel is consistent across all parts of the UK: towards independently verified cybersecurity certification as a standard procurement requirement.

Framework Agreements and Dynamic Purchasing Systems

Framework agreements managed by Crown Commercial Service (CCS) and other central purchasing bodies represent a significant channel for government procurement. Suppliers join these frameworks through a competitive process and are then available for call-off by government buyers. Frameworks such as G-Cloud, Digital Outcomes and Specialists, and Technology Products and Services collectively account for billions of pounds in annual government IT spending.

Many of these frameworks include Cyber Essentials certification — and increasingly Cyber Essentials Plus — as a qualification requirement. Suppliers that do not hold the required certification cannot join the framework, effectively excluding them from a large pool of government business. The cost of certification is trivial compared to the revenue potential of being listed on a major government framework.

Dynamic Purchasing Systems (DPS), which are increasingly used alongside traditional frameworks, often apply similar requirements. These are open to new suppliers joining throughout their lifetime, so achieving Cyber Essentials Plus can open up opportunities at any time, not just when a new framework is being established.

Comparing Certification Levels for Government Bidding

When deciding whether to pursue basic Cyber Essentials or Cyber Essentials Plus for government work, the choice becomes clear when you examine how each certification level is treated in real procurement exercises. Basic Cyber Essentials satisfies the minimum policy requirement established by the Cabinet Office, but Cyber Essentials Plus provides the independently verified assurance that procurement teams increasingly demand. The distinction is not merely administrative — it reflects a fundamental difference in how your security credentials are perceived by the decision-makers who award contracts.

Procurement evaluators understand that a self-assessment questionnaire, while useful, does not carry the same weight as an independent technical assessment conducted by a qualified assessor. When two suppliers submit otherwise comparable bids, the one holding Cyber Essentials Plus has a demonstrable advantage in the security evaluation criteria. This advantage compounds across multiple procurement exercises, making Plus certification a strategic investment rather than a one-off expense.

Cyber Essentials Plus

Independently verified — preferred by government buyers
✓ Independent technical verification
✓ Satisfies MoD contract requirements
✓ Qualifies for CCS framework IT lots
✓ Higher bid evaluation scores
✓ Streamlined due diligence process
✓ Accepted across all NHS trusts

Basic Cyber Essentials Only

Self-assessed — meets minimum policy only
✗ Independent technical verification
✗ Satisfies MoD contract requirements
✗ Qualifies for CCS framework IT lots
✗ Higher bid evaluation scores
✗ Streamlined due diligence process
✗ Accepted across all NHS trusts

The gap between basic and Plus certification is particularly pronounced in competitive procurements where multiple qualified suppliers are vying for the same contract. In these situations, every point of differentiation matters, and Cyber Essentials Plus provides a clear, verifiable point of superiority that evaluators can reference in their scoring rationale. For organisations that regularly compete for government work, the additional investment in Plus certification typically pays for itself within the first successful bid.

Positioning Your Organisation for Success

Simply holding Cyber Essentials Plus is not sufficient to win government contracts — but not holding it can certainly lose them. To maximise the commercial value of your certification, consider the following strategic approach.

Achieve certification proactively: Do not wait until a specific tender requires it. Having Cyber Essentials Plus in place before you see an opportunity means you can respond immediately without delays for certification. Given that the process takes four to eight weeks from start to finish, waiting until a tender is published can mean missing the deadline entirely.

Maintain continuous certification: Cyber Essentials Plus certificates are valid for 12 months. Allowing your certificate to lapse — even briefly — can exclude you from procurement exercises that check certification status at the point of bid submission. Plan your renewal well in advance to maintain unbroken certification.

Publicise your certification: Display your Cyber Essentials Plus badge on your website, in your corporate literature, and in your bid documents. Make it easy for procurement teams to verify your certification status. Include your certificate number and expiry date in your standard company information.

Use certification as a differentiator: In competitive bids, reference your Cyber Essentials Plus certification as evidence of your commitment to cybersecurity. Explain how the five controls are embedded in your operations. This demonstrates not just compliance but genuine security maturity.

For organisations considering whether to invest in Cyber Essentials Plus certification, it is worth understanding how the government procurement landscape has evolved in recent years. Five years ago, Cyber Essentials requirements were applied inconsistently, with some contracting authorities taking a flexible approach and accepting alternative evidence of cybersecurity maturity. That flexibility has largely disappeared. Today, the requirement is applied as a binary criterion in most procurement exercises: you either hold the required certification or you do not. Alternative certifications, such as ISO 27001, are respected but are generally not accepted as substitutes for Cyber Essentials Plus where the latter is specifically mandated. This means that even organisations with sophisticated cybersecurity programmes and higher-level certifications still need Cyber Essentials Plus to participate in certain government procurement exercises.

The emergence of social value requirements in government procurement has also created an interesting intersection with cybersecurity certification. Under the Social Value Act and subsequent procurement policy notes, government contracts now evaluate suppliers partly on their social value contribution, which includes their approach to supply chain resilience and responsible business practices. Demonstrating robust cybersecurity through Cyber Essentials Plus certification can be leveraged within social value responses, as protecting customer and citizen data is increasingly recognised as a core element of responsible business practice. Forward-thinking organisations are learning to articulate their cybersecurity investment not just as a technical compliance measure but as part of their broader commitment to social value and responsible supply chain management.

It is also worth noting the growing importance of cyber resilience in the context of international supply chains. As UK government departments increasingly collaborate with allied nations on defence, security, and infrastructure projects, the cybersecurity credentials of their supply chains come under scrutiny not only from domestic procurement teams but also from international partners. Cyber Essentials Plus, as a government-backed standard with clear technical requirements and independent verification, provides a recognisable baseline that international partners can understand and accept. For organisations working on cross-border government programmes, this international credibility adds further value to the certification investment.

The Broader Commercial Benefits

While this article focuses on government contracts, the commercial benefits of Cyber Essentials Plus extend well beyond the public sector. Large private sector organisations — particularly those in financial services, utilities, telecommunications, and retail — are increasingly requiring their suppliers to hold recognised cybersecurity certifications. Cyber Essentials Plus, as a government-backed, independently verified standard, satisfies these requirements in many cases.

Cyber insurance is another area where certification provides tangible commercial benefit. UK insurers are tightening their underwriting criteria, and holding Cyber Essentials Plus can improve your terms, reduce your premiums, and streamline the application process. Some Cyber Essentials certifications include a complimentary cyber insurance policy, providing additional value.

For organisations that operate in both the public and private sectors, Cyber Essentials Plus provides a single certification that satisfies multiple stakeholder requirements. This reduces the burden of managing multiple security assessments and questionnaires, freeing your team to focus on delivering value rather than repeatedly demonstrating compliance.

Government Procurement Readiness Scorecard

Based on our experience working with hundreds of organisations preparing for government procurement, the following readiness scores reflect typical compliance levels across the key areas that contracting authorities assess. These scores represent the average state of organisations before they undertake a structured certification programme, and they highlight precisely where the gaps tend to be.

Firewall and Internet Gateway Configuration: 72/100
Secure Device Configuration: 58/100
User Access Control and MFA: 65/100
Malware Protection: 80/100
Patch Management and Software Updates: 51/100

These figures reveal a consistent pattern: most organisations have reasonable malware protection and firewall configurations in place, but fall short on device hardening, access control, and most critically, patch management. The patch management gap is particularly concerning because unpatched vulnerabilities are the single most exploited attack vector in cyber incidents affecting UK organisations. The independent verification process of Cyber Essentials Plus is specifically designed to identify and close these gaps before they can be exploited by malicious actors targeting government supply chains.

Organisations that proactively identify and address these gaps — rather than waiting until an assessment reveals them — significantly reduce both the time and cost required to achieve certification. A structured pre-assessment review, conducted well before the formal Cyber Essentials Plus assessment, allows you to remediate issues methodically rather than scrambling to fix problems under time pressure. This approach also minimises the risk of failing the independent assessment, which can introduce delays and additional costs that undermine the business case for certification.

Looking Ahead

The trajectory of government cybersecurity requirements is unambiguously towards greater rigour. The Government Cyber Security Strategy 2022-2030 sets out ambitious goals for improving the resilience of government and its supply chain. Cyber Essentials Plus is a cornerstone of this strategy, and its role in government procurement is only going to grow.

Organisations that invest in achieving and maintaining Cyber Essentials Plus today are positioning themselves for sustained success in the government marketplace. Those that delay risk finding themselves excluded from an expanding range of opportunities as requirements tighten and enforcement becomes more consistent.

The investment is modest, the process is manageable, and the return — in terms of access to government contracts, commercial credibility, and genuine security improvement — is substantial. For any UK organisation with ambitions in the public sector, Cyber Essentials Plus is not optional. It is foundational.

Win Government Contracts with Confidence

Cloudswitched helps UK organisations achieve Cyber Essentials Plus certification to unlock government contract opportunities. From initial assessment through to certification and ongoing compliance, we ensure your cybersecurity credentials meet the demands of public sector procurement. Start positioning your organisation for success today.

Tags: Cyber Security

CloudSwitched: London-based managed IT services provider offering support, cloud solutions and cybersecurity for SMEs.
