Cyber Essentials is becoming an increasingly important requirement for suppliers selling into the public sector - especially in technology, data, digital services and outsourced delivery.
For some contracts, Cyber Essentials is mandatory. For others, it is not needed at all. In some cases, suppliers may be able to demonstrate equivalent cyber controls instead. And in higher-risk procurements, buyers may require Cyber Essentials Plus, which provides a higher level of assurance through independent technical testing.
But the rules are not always straightforward. Requirements vary by buyer, framework, contract type and risk profile. That means firms need to understand not only what Cyber Essentials is, but when it is required, which level may be needed, and how certification affects their ability to bid.
This guide explains what Cyber Essentials means for public sector suppliers - including when it is required, how it applies to frameworks and subcontractors, the difference between Cyber Essentials and Cyber Essentials Plus, and how much certification can cost.
Skip ahead to uncover:
- What is Cyber Essentials?
- Do I need Cyber Essentials to bid for public contracts?
- Do I need Cyber Essentials to join technology frameworks?
- Do subcontractors need Cyber Essentials?
- What is the difference between Cyber Essentials and Cyber Essentials Plus?
- Do I need Cyber Essentials or Cyber Essentials Plus?
- How much does Cyber Essentials cost?
- How often do I need to recertify?
- Conclusion and next steps
***
What is Cyber Essentials?
Cyber Essentials is a UK government-backed certification scheme designed to help organisations protect themselves against the most common cyber threats.
It focuses on five core technical controls:
- Firewalls
- Secure configuration
- User access control
- Malware protection
- Security update management
There are two levels:
- Cyber Essentials (CE): A self-assessment verified by an external certification body
- Cyber Essentials Plus (CE+): Includes independent technical testing of systems
Despite the branding, Cyber Essentials is not a comprehensive security standard. It is a minimum baseline intended to reduce exposure to commodity attacks such as phishing, credential theft, and basic malware.
Do I need Cyber Essentials to win public contracts?
Often - but not always.
Cyber Essentials is often required for higher-risk public contracts, particularly where suppliers handle personal data, government employee data, ICT systems, OFFICIAL-level information, or information related to government operations, service delivery or public finances.
However, PPN 014, which applies to Central Government and NHS procurement, makes clear that buyers may require Cyber Essentials, Cyber Essentials Plus, or evidence of equivalent cyber controls.
So, while Cyber Essentials is required for many technology contracts, suppliers may be able to meet the requirement through equivalent cybersecurity measures in others.
Local authorities are also increasingly adopting similar standards, particularly for contracts involving sensitive data or digital services. To check whether Cyber Essentials is required for a specific opportunity, prospective bidders should review the tender documents carefully.
NOTE: even when certification is not mandatory, Cyber Essentials can help firms demonstrate a baseline level of cybersecurity to public sector buyers!
Do I need Cyber Essentials to join technology frameworks?
Not all public sector technology procurement frameworks require suppliers to have Cyber Essentials, but many of the largest do. So, once you've used Tussell to uncover which frameworks are key to unlocking opportunities in your market, review the relevant tender documents carefully.
Firms should also take note that some frameworks require certification at the time of application, whilst others require it only at the time of contract award.
G-Cloud 15 is a useful example. It introduced Cyber Essentials requirements across the framework, with higher assurance requirements for some lots. For suppliers targeting the public sector cloud market, this means Cyber Essentials is no longer just a “nice to have”.
I don't sell directly to government - do I still need Cyber Essentials?
If you are a subcontractor, you may also be required to hold Cyber Essentials certification, because security requirements are passed down the supply chain. This is particularly true if your firm will deal with classified information or personal data.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials Plus builds on the standard Cyber Essentials assessment. Suppliers still complete the verified self-assessment questionnaire, but Cyber Essentials Plus also includes independent technical testing to check that the required controls are actually in place. For this reason, it is typically more expensive than Cyber Essentials.
This testing usually includes internal and external vulnerability scans, as well as checks on a sample of user devices, internet gateways and internet-facing servers. The assessor will test a representative sample of systems and decide whether further testing is needed.

The underlying controls for Cyber Essentials and Cyber Essentials Plus are the same. The difference is the level of assurance. Cyber Essentials relies on verified self-assessment, while Cyber Essentials Plus provides stronger assurance because the controls are independently tested by a third party.
Do I need Cyber Essentials or Cyber Essentials Plus?
It depends on the level of cyber risk involved in the contracts you're going after.
The easiest way to know which certification level to go for is to go through the tender documents of recent procurements in your sector and see which level of accreditation was required.
Once you've found the key frameworks your target buyers are actually using in your market, you can also check their criteria to see which (if any) certifications are required for framework access.
How much does it cost to get certified with Cyber Essentials?
IASME lists the official Cyber Essentials assessment fees on its website, although these vary by company size.
Cyber Essentials certification is annual, so treat this as a recurring cost rather than a one-off.
(The prices below are as of May 2026 and may change over time.)
| Organisation size | Employees | Cost |
| Micro | 0–9 | £320 + VAT |
| Small | 10–49 | £440 + VAT |
| Medium | 50–249 | £500 + VAT |
| Large | 250+ | £600 + VAT |
Two caveats:
- This is certification-only pricing. If you need consultancy, remediation, policy work, MFA setup, device management, or help completing the questionnaire, the actual cost can be higher.
- Cyber Essentials Plus is different. It includes technical verification/testing and is usually materially more expensive; there is no single fixed official national price. Typical market pricing is often in the low thousands, depending on organisation size and complexity.
How often do I need to get recertified with Cyber Essentials?
You need to recertify every 12 months to keep Cyber Essentials active.
The scheme itself is also updated annually; IASME published changes to the Cyber Essentials requirements in April 2026, so the answers and control evidence may not be identical from year to year.
For this reason, it's recommended to start recertification before the expiry date, ideally at least several weeks ahead, to make time for any necessary adjustments.
🌅 Conclusion and next steps
Cyber Essentials is not required for every public contract. But for suppliers selling technology, data or digitally enabled services into the public sector, it is increasingly difficult to ignore.
At a minimum, Cyber Essentials can help demonstrate a baseline level of cybersecurity to public sector buyers. In higher-risk markets, Cyber Essentials Plus may be needed to meet buyer expectations or framework requirements. And for subcontractors, certification may still be required where cybersecurity obligations are passed down the supply chain.
The key is to avoid guessing. Suppliers should check tender documents, review the frameworks their target buyers use, and look at recent procurements in their market to understand which certifications are actually being requested.
Not sure where to start?
Tussell's market intelligence platform gives firms a data-led view of their market's key frameworks, buyers and live & upcoming opportunities.
Book a chat with the Tussell team to discover how our market intelligence platform can help you find the right frameworks and opportunities to grow your business (whether or not Cyber Essentials is right for you).




