Quick answer
Cyber Essentials is a UK government-backed certification scheme that demonstrates a supplier meets baseline cybersecurity controls, and is increasingly mandated as a minimum selection requirement in public sector ICT procurement, particularly for contracts involving handling of government or personal data.
Cyber Essentials is a UK government-backed cybersecurity certification scheme administered by the National Cyber Security Centre (NCSC). It defines five foundational technical controls that organisations must implement to protect against the most common cyber threats: firewalls, secure configuration, user access control, malware protection, and patch management. In public sector procurement, Cyber Essentials (and its more rigorous variant, Cyber Essentials Plus) has moved from a desirable attribute to a mandatory selection criterion for a wide range of ICT procurement contracts.
What is the Cyber Essentials procurement requirement?
The UK government mandated Cyber Essentials certification for all central government suppliers handling personal information or providing certain technical products and services from 2014 onward. The requirement has since expanded: the G-Cloud framework requires Cyber Essentials certification for cloud software and hosting suppliers, the NHS Data Security and Protection Toolkit references it, and many local authorities and arm's length bodies have adopted it as a standard selection criterion in their procurement documentation.
Cyber Essentials involves a self-assessed questionnaire verified by a certification body. Cyber Essentials Plus adds an independent technical audit, including vulnerability scanning and configuration testing. For higher-assurance government contracts, particularly those involving sensitive or classified data, the GovAssure (cyber assessment) in procurement framework provides a more comprehensive evaluation aligned to NCSC's Cyber Assessment Framework (CAF).
For software as a service (SaaS) procurement and cloud hosting procurement, buyers typically require Cyber Essentials Plus as a minimum, because the nature of cloud services means that a supplier's security posture directly affects the buyer's data. Suppliers without the certification will be excluded at the selection stage regardless of other qualities.
Why it matters for bidders
For technology suppliers targeting UK public sector contracts, obtaining and maintaining Cyber Essentials certification is effectively a market-entry requirement rather than a differentiator. Certificates must be renewed annually, so suppliers should track renewal dates and build recertification into their operations calendar. Failing to hold a current certificate when a procurement deadline arrives will result in exclusion.
Suppliers should also note that Cyber Essentials covers the certifying organisation's own IT environment, not necessarily the systems used to deliver the contract. For cloud or managed service suppliers, buyers will expect the Cyber Essentials scope to include the production systems and infrastructure used to deliver the service, not just internal corporate IT.
Internationally, EU member states have equivalent national frameworks. Germany uses BSI IT-Grundschutz, France uses ANSSI certification tiers, and the Netherlands references the NCSC.NL baseline. Suppliers operating across European markets should map Cyber Essentials controls against these equivalents to streamline multi-market qualification. GDPR compliance in procurement is a related but separate requirement that applies across all EU and UK member states.
Example
A UK local authority runs a procurement for a digital case management system. The selection criteria include Cyber Essentials Plus as a pass/fail gateway question. A supplier with an expired certificate submits a bid but is excluded at the selection stage before evaluation. A second supplier, with a current Cyber Essentials Plus certificate covering the system used to deliver the service, passes the gateway and proceeds to evaluation.
Frequently Asked Questions
Is Cyber Essentials mandatory for all public sector contracts?
No. The mandate applies specifically to central government contracts where the supplier handles personal information or provides technical products and services. However, many other public bodies (NHS, local government, universities) have adopted it as a standard requirement in their own procurement policies, making it effectively near-universal in UK public sector ICT procurement.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is self-assessed against a questionnaire and verified by a certification body without independent testing. Cyber Essentials Plus involves the same questionnaire plus an independent technical audit including vulnerability scanning and configuration verification. Plus certification provides higher assurance and is increasingly required for contracts involving sensitive data.
Do EU suppliers need Cyber Essentials to win UK contracts?
Yes, if the contract requires it. Cyber Essentials is a UK scheme and does not have direct EU equivalents, but the certification is available to any organisation regardless of country of incorporation. EU-based suppliers bidding for UK public sector contracts must obtain Cyber Essentials certification in the same way as UK-based suppliers.
How Bidovate helps
Bidovate puts Cyber Essentials (Procurement Requirement) to work inside your capture and proposal workflow.
Tender discoverySee Bidovate in action
Book a demo and we will show you the platform using your actual contract data.
Related terms
GovAssure (Cyber Assessment) in Procurement
GovAssure is a UK government cyber resilience programme that requires central government departments and their critical suppliers to complete structured assessments against the NCSC Cyber Assessment Framework, providing a more rigorous evaluation of cyber risk than Cyber Essentials for high-assurance procurement contexts.
ViewGDPR Compliance in Procurement
GDPR compliance in procurement requires contracting authorities across EU member states and the UK to embed data protection obligations into technology contracts, including data processing agreements, controller/processor role definitions, sub-processor controls, and breach notification requirements, before any personal data is processed.
ViewICT Procurement
ICT procurement covers the purchase of information and communications technology goods and services by public sector organisations, encompassing hardware, software, cloud services, telecommunications, and associated support, governed by EU Directive 2014/24/EU and national implementing legislation across European member states.
ViewSoftware as a Service (SaaS) Procurement
Software as a Service (SaaS) procurement covers the purchase of cloud-delivered software applications accessed over the internet on a subscription basis, where the supplier manages infrastructure, updates, and security, requiring public sector buyers to evaluate vendor lock-in, data residency, and GDPR compliance alongside functionality.
ViewCloud Hosting Procurement
Cloud hosting procurement covers the purchase of infrastructure-as-a-service and platform-as-a-service resources from commercial cloud providers, requiring public sector buyers to assess data sovereignty, security accreditation, exit costs, and compliance with national and EU cloud policy before contracting.
View