Skip to contentAbout Fig Group
Compliance

Cyber Essentials for Government Contracts: The Complete Guide

Cyber Essentials is mandatory for UK government contracts involving sensitive data. This guide covers the requirements, which level you need, and how to get certified quickly for tender deadlines.

Author

Jay Hopkins

Editor

Edited by Jack Wickham

Published

Last reviewed

Read time

9 min read

Share

Section 01

Cyber Essentials for Government Contracts: The Complete Guide

Since 2014, Cyber Essentials certification has been a baseline requirement for suppliers bidding on UK central government contracts that involve handling sensitive or personal information - a Cabinet Office procurement policy that has been reaffirmed repeatedly since, and which now sits inside the wider procurement regime governed by the Procurement Act 2023 (in force 24 February 2025). If you supply goods or services to the public sector, this guide explains what you need to know. It reflects the position as of July 2026.

Section 02

The Requirement

The UK government's procurement policy requires that all suppliers demonstrate a minimum level of cybersecurity before being awarded contracts involving:

  • Sensitive information - classified, commercially sensitive, or security-relevant data
  • Personal information - any data covered by UK GDPR or the Data Protection Act 2018
  • IT products or services - technology supplied directly to government departments

This is not optional. Without Cyber Essentials certification, your bid will be non-compliant and may be rejected outright.

Section 03

Which Level Do I Need?

Cyber Essentials is the minimum requirement for most government contracts. It demonstrates that your organisation has implemented the five core security controls through a self-assessed questionnaire.

Cyber Essentials Plus is increasingly preferred or mandated for:

  • Higher-value contracts (typically above £50,000-£100,000, though thresholds vary by department)
  • Contracts involving access to government systems or networks
  • Contracts classified at OFFICIAL-SENSITIVE or above
  • Contracts where the department has assessed elevated cyber risk

If the tender documentation does not specify Plus, Cyber Essentials is sufficient. However, if you are bidding on multiple government contracts, Plus provides a competitive advantage and avoids the risk of being asked to upgrade mid-process.

Section 04

Tender Deadlines and Same-Day Certification

Government tender deadlines are fixed. Missing the deadline because you do not have Cyber Essentials is not an acceptable excuse in procurement.

If you are facing an imminent deadline, Fig offers same-day Cyber Essentials certification:

1. Purchase before 12:00 midday

2. Complete the self-assessment questionnaire

3. Receive your certificate the same working day

This process has been specifically designed for time-sensitive procurement scenarios. Fig provides structured feedback up to three times on your submission, so minor gaps can be corrected and resubmitted without waiting.

For Plus certification, allow 1-3 working days for the third-party audit. If your tender requires Plus, start the process as early as possible.

Section 05

Framework Agreements and Dynamic Purchasing Systems

Many government contracts are procured through framework agreements (such as G-Cloud, Digital Outcomes and Specialists, or Crown Commercial Service frameworks). These frameworks often require Cyber Essentials as a precondition for being listed.

If you are applying to join a framework, check the supplier requirements carefully. Some frameworks require certification at the time of application, while others require it at the time of contract award.

Section 06

Subcontractors and Supply Chain

The Cyber Essentials requirement can flow down through supply chains. If you are a subcontractor to a prime contractor on a government contract, the prime may require you to hold Cyber Essentials as a condition of your subcontract.

This is increasingly common in defence, healthcare, and critical infrastructure supply chains. If you supply services to companies that work with government, expect to be asked for Cyber Essentials certification.

Section 07

MoD and defence contracts: Cyber Essentials plus Defence Cyber Certification

Defence is the clearest example of requirements stacking on top of Cyber Essentials. For Ministry of Defence contracts, supplier cyber posture is assessed against DEFSTAN 05-138, and under DEFCON 658 a supplier can evidence compliance through Defence Cyber Certification (DCC) at the level set by the contract's Cyber Risk Profile (Industry Security Notice 2026/02).

On top of that, the MOD has asked all industry partners to achieve DCC Level 0 by 31 December 2026, which explicitly includes obtaining Cyber Essentials for all applicable business-critical systems (MOD Defence Digital blog, 8 May 2026). For defence suppliers, in other words, Cyber Essentials is the foundation and DCC is the layer built on top of it.

If you supply the MOD or sit in a defence supply chain, read our companion guides on whether you need DCC for MOD contracts and DEFSTAN 05-138 explained, or start with the Defence Cyber Certification overview.

Section 08

Beyond Compliance: Competitive Advantage

While Cyber Essentials is a minimum requirement, holding certification - particularly Plus - signals to procurement teams that your organisation takes cybersecurity seriously. In competitive tenders where multiple bidders meet the technical requirements, the depth of your security credentials can differentiate your bid.

Some departments now score cybersecurity credentials as part of the quality evaluation. Having Plus rather than just Cyber Essentials can earn additional points.

Section 09

Getting Started

If you are bidding on government contracts and need Cyber Essentials certification:

1. Check the tender requirements - Determine whether Cyber Essentials or Plus is required

2. Run the readiness checker - Use Fig's free readiness tool to assess your current position

3. Fix any gaps - Address issues before purchasing your assessment

4. Purchase and certify - Visit Fig's pricing page and certify same-day for Cyber Essentials

For ongoing government suppliers, maintain your certification year-round. Do not let it lapse between contracts - renew before expiry to maintain continuous coverage.

Section 10

Frequently asked questions

Do you need Cyber Essentials for government contracts?

For most UK central government contracts that involve handling personal or sensitive information, yes - Cyber Essentials is a baseline requirement, and bidding without it can make your tender non-compliant. Some contracts require the independently audited Cyber Essentials Plus.

Is Cyber Essentials mandatory for public sector tenders?

It is mandatory wherever the tender or framework specifies it, which is the case for most central government and many wider public-sector procurements that involve data. Always check the specific tender and framework requirements.

Which Cyber Essentials level do I need for a government contract?

Cyber Essentials (self-assessment) is the minimum for most contracts. Cyber Essentials Plus (independently audited) is increasingly required for higher-value contracts, access to government systems or networks, or OFFICIAL-SENSITIVE work. The tender documentation tells you which.

Do MoD contracts need Cyber Essentials or DCC?

Both, in effect. Cyber Essentials is the foundation, and MoD contracts are assessed against DEFSTAN 05-138 through Defence Cyber Certification (DCC) under DEFCON 658. DCC Level 0 - which the MOD has asked all suppliers to achieve by 31 December 2026 - includes obtaining Cyber Essentials for business-critical systems.

How quickly can I get certified for a tender deadline?

Fig issues Cyber Essentials the same working day for compliant submissions ordered before midday. Cyber Essentials Plus takes 1-3 working days for the audit, so start Plus as early as possible.

Get Cyber Essentials certified for your next tender

About the author

Jay Hopkins

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials AssessorIASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.

Next step

Want to see how Fig handles this?

Explore how Fig automates compliance mapping, evidence collection, and framework alignment across 65+ standards.

Request a demo

Related solutions

Continue exploring Fig