G-Cloud 15: Cyber Essentials Will Be Required for All Suppliers
G-Cloud 15: Cyber Essentials Will Be Required for All Suppliers
G-Cloud 15, the next iteration of the UK government's cloud procurement framework, makes Cyber Essentials certification mandatory for all suppliers. The framework is currently in procurement, with supplier applications having closed on 30 January 2026 and awards expected by September 2026. Suppliers on or applying to the Digital Marketplace for cloud services need to understand what this means now.
What Is Changing in G-Cloud 15
G-Cloud 14, the current live framework since October 2024, recommends but does not require Cyber Essentials. G-Cloud 15 changes that: CE is mandatory for all lots.
The Invitation to Tender for G-Cloud 15 opened on 23 October 2025 and closed on 30 January 2026. Crown Commercial Service (CCS) confirmed on 5 December 2025 that Cyber Essentials is now a mandatory requirement across all lots. Awards are expected in September 2026, at which point G-Cloud 15 goes live.
G-Cloud 15 also restructures the lots from four to five categories:
| Lot | Description | CE Requirement | Deadline |
|---|---|---|---|
| 1a: Core IaaS/PaaS | General cloud hosting | CE+ mandatory | At application |
| 1b: Classified Hosting | Hosting above OFFICIAL level | CE+ mandatory | At application |
| 2a: Infrastructure SaaS (ISaaS) | Infrastructure software services | CE mandatory | Within 12 months of award |
| 2b: Software-as-a-Service (SaaS) | Application software services | CE mandatory | Within 12 months of award |
| 3: Cloud Support | Cloud consultancy and support | CE mandatory | Within 12 months of award |
Suppliers in Lots 2a, 2b, and 3 who do not already hold CE certification have a 12-month grace period from contract award. After that, failure to certify results in suspension from the framework. Suspended suppliers can be reinstated once they provide valid certification.
Why This Matters
G-Cloud is one of the largest digital procurement frameworks in the UK. Over 4,000 suppliers are listed on the current G-Cloud 14 framework, with around 90% being Small and Medium Enterprises (SMEs). For many cloud service providers, G-Cloud is their primary route to government contracts.
Bottom line, if you supply cloud services to government and don't hold CE, you're locked out of G-Cloud 15. The shift from recommended to mandatory means suppliers who have operated without certification will need to certify before migrating to the new framework or face exclusion.
Who This Affects
- Current G-Cloud 14 suppliers without CE - must obtain certification before G-Cloud 15 migration or when their current agreement renews
- Suppliers awarded on G-Cloud 15 - must demonstrate CE (or CE+ for hosting lots) per the framework terms
- Cloud hosting providers - face the higher Cyber Essentials Plus (CE+) requirement, which involves independent technical testing
- Subcontractors - prime contractors must ensure their subcontractors meet the same CE requirements
The Government Procurement Context
G-Cloud 15 does not exist in isolation. It sits alongside: (consistent with the 2024 baseline evaluation criteria).
- Procurement Policy Note (PPN) 014 (effective 24 February 2025): Makes CE mandatory across all central government procurements involving data or Information and Communications Technology (ICT)
- Technology Services 4 (RM6190): CE mandatory throughout (Schedule 9)
- Digital Specialists and Programmes (RM6263): CE compliance required for bidders
The direction is clear: the UK government is systematically requiring Cyber Essentials across every digital procurement framework. Suppliers without certification are being excluded from an expanding range of opportunities.
Getting Certified for G-Cloud
CE Basic (Lots 2a, 2b, and 3)
Cyber Essentials Basic is a self-assessment against five technical controls. You complete a questionnaire about your organisation's security posture, which is then reviewed by an accredited assessor.
For cloud software and support providers, the assessment covers your corporate infrastructure and the systems you use to deliver services. Your cloud platform itself (AWS, Azure, GCP) is typically out of scope unless you manage the underlying infrastructure.
CE+ (Lots 1a and 1b)
CE+ adds independent technical verification on top of the self-assessment, where an assessor tests your systems against the same five controls. This includes vulnerability scanning and configuration checks against your live environment.
For cloud hosting providers, this is more rigorous because your infrastructure directly hosts government data. The assessor verifies that your hosting environment meets the five controls.
Timeline
Net Sec Group delivers CE certification in 48 hours standard, with 12-hour fast-track for urgent deadlines. CE+ typically takes 3-5 working days including the technical assessment.
G-Cloud 15 awards are expected in September 2026. Suppliers who certify now avoid competing for assessment slots closer to the deadline when demand will increase.
Related articles
- PPN 014: Which Government Contracts Require Cyber Essentials?
- NHS Suppliers: Cyber Essentials and CE+ Are Now Mandatory
- Defence Condition (DEFCON) 658: Cyber Essentials Requirements for the Defence Supply Chain
- The Full Cyber Security Journey: CE Basic to Pen Testing
Get cybersecurity insights delivered
Join our newsletter for practical security guidance, Cyber Essentials updates, and threat alerts. No spam, just actionable advice for UK businesses.
Related Guides
Bank Suppliers and Cyber Essentials: The Six-Bank Commitment and FSQS
Six major UK banks have committed to requiring Cyber Essentials from suppliers. 61% prefer CE-certified suppliers and 33% plan to mandate it. Here's what the banking supply chain commitment means for your business.
DEFCON 658: Cyber Essentials Requirements for the Defence Supply Chain
MOD DEFCON 658 requires Cyber Essentials across the entire defence supply chain. CE minimum for all contracts, CE+ for most risk levels. Here's how it works, who it applies to, and what DEF STAN 05-138 means for suppliers.
NHS Suppliers: Cyber Essentials and CE+ Are Now Mandatory
NHS supply chain organisations handling patient data must now hold Cyber Essentials and CE+ certification. Here's what changed, who it affects, and how to get certified in under a week.
Ready to get certified?
Book your Cyber Essentials certification or check your readiness with a free quiz.