
Who Needs Cyber Essentials?

Cyber Essentials certification is mandatory for certain UK government contracts and increasingly expected across the private sector. Understanding whether certification is right for your organisation—and which level you might need—can help you plan accordingly.

Key Takeaways

Government contracts: required for contracts that handle personal data, provide ICT products or services, or involve defence information
NHS suppliers: required for suppliers handling patient data or supplying connected medical systems
Private sector: increasingly expected in supply chain requirements and tenders
Insurance benefit: certification includes cyber liability insurance cover (up to £25,000) for eligible UK organisations
Basic vs Plus: Basic (the self-assessed level, officially just "Cyber Essentials") meets most contract requirements; Plus (the same controls, independently audited) may be required for higher-security work

Quick Answer: You'll likely need Cyber Essentials if you bid on UK government contracts involving personal data or ICT services. NHS and MoD suppliers also typically require it. In the private sector, many enterprise customers and supply chain partners increasingly expect it as a baseline.

UK government contract requirements

Since 2014, the UK government has required Cyber Essentials for suppliers bidding on certain public sector contracts.

Where certification is required

Central government contracts involving:

  • Handling personal information
  • Providing certain ICT products or services
  • Contracts above specified thresholds

Ministry of Defence contracts:

  • All suppliers handling defence information
  • Often extends to the entire supply chain

NHS contracts:

  • Suppliers handling patient data
  • Connected medical systems

Local government:

  • Increasingly required for contracts, though requirements vary by council

Procurement Policy Note requirements

Under Procurement Policy Note 09/14 (the note that introduced the requirement in 2014) and its subsequent updates, the requirements typically apply as follows:

Personal data handling: Cyber Essentials required
ICT products/services: Cyber Essentials required
Defence information: Cyber Essentials required
Connected systems: Cyber Essentials required
General low-risk contracts: may not require certification

Which level is typically required?

Standard government contracts: Cyber Essentials (Basic)
High-risk or sensitive contracts: Cyber Essentials Plus
Defence contracts: often Cyber Essentials Plus
NHS with patient data: Cyber Essentials Plus recommended

For most contracts, Basic certification is sufficient. Plus is typically specified only when the contract involves particularly sensitive data or systems. Both levels cover the same five controls (firewalls, secure configuration, user access control, malware protection and security update management); the difference is that Basic is a self-assessment questionnaire, while Plus adds an independent technical audit, including vulnerability scans and hands-on checks of a sample of devices, so claims made in the questionnaire have to hold up in practice.

Private sector expectations

Beyond government, Cyber Essentials is increasingly expected in B2B relationships:

Industry expectations

Financial services: often required by partners
Healthcare (private): increasingly expected
Legal services: growing requirement
Professional services: common client requirement
Manufacturing: supply chain requirement
Technology: expected baseline

Supply chain dynamics

Larger enterprises are increasingly pushing security requirements down through their supply chains:

Tier 1: Large enterprises

  • Set security requirements for their suppliers
  • May require ISO 27001 or Cyber Essentials
  • Often audit key suppliers

Tier 2: Direct suppliers

  • Must meet Tier 1 requirements
  • Cyber Essentials often sufficient
  • May pass requirements to their own suppliers

Tier 3: Sub-suppliers

  • Inherited requirements
  • Cyber Essentials typically acceptable
  • May need to demonstrate compliance in questionnaires

This cascade effect means that even if your direct customers don't explicitly require certification, their customers might—and that requirement flows through.

Assessing whether certification makes sense for you

Self-assessment questions

Government work:

  • Do you currently supply to UK government?
  • Are you planning to bid on government contracts?
  • Are you in the defence supply chain?
  • Do you supply to NHS organisations?

Private sector:

  • Do enterprise clients require security certification?
  • Are you in a regulated industry?
  • Do you handle sensitive customer data?
  • Are you part of a larger supply chain?

General security:

  • Do you want to demonstrate your security commitment externally?
  • Are you looking for a structured security baseline?
  • Do you need cyber insurance?
  • Are you preparing for more comprehensive certifications later?

If you answered "yes" to any of these questions, certification is likely worth considering.

A practical decision framework

Do you supply to UK government?

  • Yes → Cyber Essentials is likely required. Check specific contract requirements.

Do enterprise clients require security evidence?

  • Yes → Cyber Essentials is recommended. It often satisfies supplier assessments.

Do you handle sensitive data?

  • Yes → Cyber Essentials is recommended. It demonstrates due diligence.

Do you want baseline security assurance?

  • Yes → Cyber Essentials can be beneficial as a starting point.

Which level?

  • Standard business needs → Basic
  • Higher security requirements → Plus
  • Sensitive data handling → Plus
  • Defence sector → Plus

Benefits of certification

Business benefits

Market access

  • Government contract eligibility
  • Enterprise vendor approval
  • NHS supplier status
  • Defence sector access

Competitive positioning

  • Differentiator in tenders
  • Trust signal to customers
  • Partner confidence
  • Supply chain acceptance

Risk management

  • The NCSC estimates that the five controls prevent around 80% of common, commodity cyber attacks
  • Insurance requirements often satisfied
  • Regulatory alignment demonstrated
  • Potential reduction in breach costs

Included insurance

  • UK-domiciled organisations
  • Under £20M turnover
  • The whole organisation must be within the certification scope (a certificate covering only part of the organisation does not qualify)
  • Up to £25,000 cover
  • Included automatically with certification when the above conditions are met

Security benefits

Attack prevention: the NCSC estimates the controls address around 80% of common cyber attacks
Gap identification: the assessment reveals security gaps
Security baseline: a foundation for further improvement
Employee awareness: the certification process often increases security awareness
Incident reduction: fewer security events when the controls are maintained, not just configured once for the audit

Thinking about costs and returns

Investment overview

Basic: roughly £300-500 plus VAT (the assessment fee is tiered by organisation size); time investment varies with readiness
Plus: roughly £1,500-5,000+ plus VAT, depending on the number of devices and locations in scope; time investment varies with scope and readiness

Potential returns

Government contract eligibility: contract value varies
Enterprise sales access: deal sizes vary
Included cyber insurance: up to £25,000 cover
Breach prevention: the UK Cyber Security Breaches Survey has put the average cost of a breach with a material outcome at around £8,460; figures vary by survey year and organisation size
Reputation protection: difficult to quantify

For many organisations, a single government contract or enterprise deal can more than justify the certification investment. The included insurance alone provides tangible value.

Timing considerations

When to pursue certification

Government tender upcoming: begin 4-6 weeks before the deadline
General business need: plan 2-4 weeks, depending on readiness
Currently bidding: as soon as possible
Annual renewal: begin 1 month before expiry (certificates are valid for 12 months)

Plus prerequisites

Basic certificate: must be current
Time limit: the Plus assessment must be completed within three months (90 days) of the Basic certificate date, otherwise the Basic self-assessment has to be repeated first
Technical readiness: every control must pass the assessor's verification, including on the sampled devices

If you're planning to pursue Plus, book the Plus assessment as soon as Basic is issued: the 90-day window has to cover assessor scheduling and any remediation the audit turns up, so starting late risks having to repeat the Basic self-assessment.

How Bastion can help

We help organisations determine whether Cyber Essentials makes sense for their situation and guide them through the certification process.

Requirements assessment: we evaluate your specific situation and contract requirements
Gap analysis: we identify what's needed for certification in your environment
Implementation support: our team brings additional hands to implement controls correctly the first time
Certification guidance: we navigate the process and avoid common pitfalls
Ongoing compliance: we help maintain certification and manage renewals

Working with a managed service partner means you're not navigating unfamiliar territory alone. We've helped many organisations through this process, and that experience means fewer false starts and costly rework.
