G-Cloud 15: Cyber Essentials Will Be Required for All Suppliers
G-Cloud 15: Cyber Essentials Will Be Required for All Suppliers
G-Cloud 15, the next iteration of the UK government's cloud procurement framework, makes Cyber Essentials certification mandatory for all suppliers. The framework is currently in procurement, with supplier applications having closed on 30 January 2026 and awards expected by September 2026. Suppliers on or applying to the Digital Marketplace for cloud services need to understand what this means now.
What Is Changing in G-Cloud 15
G-Cloud 14, the current live framework since October 2024, recommends but does not require Cyber Essentials. G-Cloud 15 changes that: CE is mandatory for all lots.
The Invitation to Tender for G-Cloud 15 opened on 23 October 2025 and closed on 30 January 2026. Crown Commercial Service (CCS) confirmed on 5 December 2025 that Cyber Essentials is now a mandatory requirement across all lots. Awards are expected in September 2026, at which point G-Cloud 15 goes live.
G-Cloud 15 also restructures the lots from four to five categories:
| Lot | Description | CE Requirement | Deadline |
|---|---|---|---|
| 1a: Core IaaS/PaaS | General cloud hosting | CE+ mandatory | At application |
| 1b: Classified Hosting | Hosting above OFFICIAL level | CE+ mandatory | At application |
| 2a: Infrastructure SaaS (ISaaS) | Infrastructure software services | CE mandatory | Within 12 months of award |
| 2b: Software-as-a-Service (SaaS) | Application software services | CE mandatory | Within 12 months of award |
| 3: Cloud Support | Cloud consultancy and support | CE mandatory | Within 12 months of award |
Suppliers in Lots 2a, 2b, and 3 who do not already hold CE certification have a 12-month grace period from contract award. After that, failure to certify results in suspension from the framework. Suspended suppliers can be reinstated once they provide valid certification.
Why This Matters
G-Cloud is one of the largest digital procurement frameworks in the UK. Over 4,000 suppliers are listed on the current G-Cloud 14 framework, with around 90% being Small and Medium Enterprises (SMEs). For many cloud service providers, G-Cloud is their primary route to government contracts.
Bottom line, if you supply cloud services to government and don't hold CE, you're locked out of G-Cloud 15. The shift from recommended to mandatory means suppliers who have operated without certification will need to certify before migrating to the new framework or face exclusion.
Who This Affects
- Current G-Cloud 14 suppliers without CE - must obtain certification before G-Cloud 15 migration or when their current agreement renews
- Suppliers awarded on G-Cloud 15 - must demonstrate CE (or CE+ for hosting lots) per the framework terms
- Cloud hosting providers - face the higher Cyber Essentials Plus (CE+) requirement, which involves independent technical testing
- Subcontractors - prime contractors must ensure their subcontractors meet the same CE requirements
The Government Procurement Context
G-Cloud 15 does not exist in isolation. It sits alongside: (consistent with the 2024 baseline evaluation criteria).
- Procurement Policy Note (PPN) 014 (effective 24 February 2025): Makes CE mandatory across all central government procurements involving data or Information and Communications Technology (ICT)
- Technology Services 4 (RM6190): CE mandatory throughout (Schedule 9)
- Digital Specialists and Programmes (RM6263): CE compliance required for bidders
The direction is clear: the UK government is systematically requiring Cyber Essentials across every digital procurement framework. Suppliers without certification are being excluded from an expanding range of opportunities.
Getting Certified for G-Cloud
CE Basic (Lots 2a, 2b, and 3)
Cyber Essentials Basic is a self-assessment against five technical controls. You complete a questionnaire about your organisation's security posture, which is then reviewed by an accredited assessor.
For cloud software and support providers, the assessment covers your corporate infrastructure and the systems you use to deliver services. Your cloud platform itself (AWS, Azure, GCP) is typically out of scope unless you manage the underlying infrastructure.
CE+ (Lots 1a and 1b)
CE+ adds independent technical verification on top of the self-assessment, where an assessor tests your systems against the same five controls. This includes vulnerability scanning and configuration checks against your live environment.
For cloud hosting providers, this is more rigorous because your infrastructure directly hosts government data. The assessor verifies that your hosting environment meets the five controls.
Timeline
Net Sec Group delivers CE certification in 48 hours standard, with 12-hour fast-track for urgent deadlines. CE+ typically takes 3-5 working days including the technical assessment.
G-Cloud 15 awards are expected in September 2026. Suppliers who certify now avoid competing for assessment slots closer to the deadline when demand will increase.
Related articles
- PPN 014: Which Government Contracts Require Cyber Essentials?
- NHS Suppliers: Cyber Essentials and CE+ Are Now Mandatory
- Defence Condition (DEFCON) 658: Cyber Essentials Requirements for the Defence Supply Chain
- The Full Cyber Security Journey: CE Basic to Pen Testing
Get cybersecurity insights delivered
Join our newsletter for practical security guidance, Cyber Essentials updates, and threat alerts. No spam, just actionable advice for UK businesses.
Related Guides
Bank Suppliers and Cyber Essentials: The Six-Bank Commitment and FSQS
Six major UK banks have committed to requiring Cyber Essentials from suppliers. 61% prefer CE-certified suppliers and 33% plan to mandate it. Here's what the banking supply chain commitment means for your business.
DEFCON 658: Cyber Essentials Requirements for the Defence Supply Chain
MOD DEFCON 658 requires Cyber Essentials across the entire defence supply chain. CE minimum for all contracts, CE+ for most risk levels. Here's how it works, who it applies to, and what DEF STAN 05-138 means for suppliers.
NHS Suppliers: Cyber Essentials and CE+ Are Now Mandatory
NHS supply chain organisations handling patient data must now hold Cyber Essentials and CE+ certification. Here's what changed, who it affects, and how to get certified in under a week.
PPN 014: Which Government Contracts Require Cyber Essentials?
Procurement Policy Note 014 makes Cyber Essentials mandatory for government contracts involving data or ICT. Here's which contracts are affected and what suppliers must do.
What the Cyber Security and Resilience Bill Means for MSPs
The CSRB brings medium and large managed service providers under NIS regulation for the first time. Here's what it requires, when it takes effect, and what MSPs should do now.
Free Cyber Insurance with Cyber Essentials: What You Get and How to Upgrade
Every Cyber Essentials certificate includes free £25,000 cyber insurance. Five major UK insurers use CE as a baseline. Here's exactly what's covered, the 80% claims reduction, and how to upgrade to £100K or £250K.
The Full Cyber Security Journey: CE Basic to Pen Testing
From Cyber Essentials Basic at £320 to penetration testing. The complete path through CE Plus, Cyber 365, and beyond, with pricing at each stage and why each step matters.
Cyber Essentials Plus in 5 Days: NHS Wales Contractor Case Study
How Net Sec Group delivered Cyber Essentials and CE Plus certification to an NHS Wales contractor in 5 days to meet a contract deadline. The full process from scoping to certification.
The 6 Things Cyber Essentials Doesn't Cover
CE covers Protect. Here are the five NIST functions it misses, with real consequences for each gap.
The Cost of Not Having an Incident Response Plan
Synnovis: GBP 32.7M. British Library: GBP 6-7M. Both had security controls. Neither had a tested response plan. Here's what that cost them.
Ready to get certified?
Book your Cyber Essentials certification or check your readiness with a free quiz.