PPN 09/14 Compliance Guide: How UK Suppliers Meet the Cabinet Office Cyber Essentials Floor

Procurement Policy Note 09/14 has set the cyber compliance floor for UK central government supplier procurement since 2014. UK suppliers bidding on contracts that handle personal data or provide certain ICT products and services must hold a current Cyber Essentials certificate. The PPN is the framework. Cyber Essentials Plus is what most central government bid questionnaires now expect by default.
This article walks through what PPN 09/14 actually requires, how the Basic-vs-Plus level is set per contract, where the framework applies beyond central government itself, and how suppliers practically satisfy the cyber section of the bid questionnaire.
What PPN 09/14 actually requires
The Cabinet Office published Procurement Policy Note 09/14 in September 2014, with effect from October 2014, requiring suppliers bidding on central government contracts to hold Cyber Essentials where the contract met defined scope criteria. The PPN's stated purpose was to ensure the central government supply chain met a baseline cyber security standard, reducing the risk of supplier-side incidents affecting government data and services.
The PPN scope criteria cover two broad categories:
The first is contracts where the supplier will handle, store, transmit, or process personal information held by government. This catches a wide range of suppliers: HR and payroll outsourcers, citizen-facing service operators, contact centres, data analytics firms, document management providers, and many more.
The second is contracts providing ICT products or services that meet the scope thresholds. This catches IT outsourcing providers, software vendors selling into government, cloud and hosting providers, network service providers, and increasingly any tech supplier whose service holds or processes data on behalf of the contracting authority.
Where the PPN applies, the supplier must hold a current Cyber Essentials certificate. The PPN sets the floor at Cyber Essentials Basic. Contracting authorities have discretion to specify Cyber Essentials Plus where the contract risk profile warrants it. In practice, most central government contracts touching OFFICIAL data, sensitive personal data, or systems with significant operational impact now specify Plus by default.
Where the framework applies beyond central government
PPN 09/14 technically applies to central government procurement. Local government, devolved administrations, NHS, and arm's-length bodies operate their own procurement frameworks, which often reference PPN 09/14 or align to its requirements.
In practice the cyber requirement has spread:
- Crown Commercial Service (CCS) framework agreements reference Cyber Essentials in supplier qualification questions for the public-sector frameworks suppliers call off from.
- NHS procurement (NHS England and NHS Trusts) operates its own frameworks but aligns to and often exceeds the PPN floor (NHS frameworks now generally expect Cyber Essentials Plus for clinical or NHS-integrated IT services).
- MoD supply-chain expectations under the Defence Cyber Protection Partnership framework run separately but in parallel, also expecting Cyber Essentials with most contracts touching MoD Identifiable Information now requiring Plus.
- Local authorities and combined authorities increasingly reference PPN 09/14 or Cyber Essentials directly in their supplier qualification questions.
The practical effect: a UK supplier bidding into any layer of UK public-sector procurement should expect a Cyber Essentials requirement somewhere in the qualification process. The level (Basic vs Plus) varies by contract.
How the Basic-vs-Plus level is set
The PPN itself sets the floor at Cyber Essentials Basic. The contracting authority (the central government department running the procurement) specifies the level required for the specific contract.
Three patterns recur:
CE Basic accepted: lower-risk contracts where the supplier's interaction with government data is limited or the service is well-segmented from sensitive systems. Some grant administration, low-volume document services, and similar fall here.
CE Plus required: contracts touching OFFICIAL data, sensitive personal data, or systems with significant operational impact. Most ICT outsourcing, cloud hosting, citizen-facing service operations, NHS-supplier contracts, and MoD-adjacent supply chain.
CE Plus preferred or weighted: some contracts technically accept Basic but weight Plus higher in the bid evaluation. The supplier holding Plus has a competitive advantage even where Basic is the formal minimum.
Reading the bid documentation is the authoritative answer for any specific tender. Suppliers without a current certificate cannot complete the cyber section of the qualification questionnaire without flagging the gap, which is visible to the procurement evaluator.
How suppliers practically satisfy the cyber section
The cyber section of a typical central government bid questionnaire asks for:
- Confirmation of current Cyber Essentials certificate (Basic or Plus)
- Certificate number and issuing certification body
- Certificate expiry date
- Description of the firm's incident-response process and named contact
- Description of the firm's supplier-management approach (the firm's own IT vendors)
- Confirmation of multi-factor authentication on accounts with access to government data
A current Cyber Essentials Plus certificate answers the first three questions in one document. The certificate is verifiable on the IASME certificate register, which procurement teams check directly, so the certificate number and expiry date given in the bid must match the register entry. The remaining questions are answered in free text alongside it.
For suppliers without a certificate, the cyber section becomes a long-form security questionnaire that the contracting authority's cyber team reviews. The evaluation timeline extends. The procurement risk increases.
How CE Plus and Cyber 365 fit together for central government suppliers
A CE Plus certificate is valid for 12 months. Central government procurement cycles run on their own calendar. Bids land without warning. The cyber requirement is continuous: a supplier whose certificate has lapsed cannot bid until renewed.
That continuous posture is what the Cyber 365 programme is for. Continuous vulnerability scanning runs against the same surface the assessor will check. Managed patching closes findings inside the 14-day window the scheme requires. The next renewal becomes a check-in against an estate that has been kept in shape, not a recovery operation against a year of drift.
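The 14-day window above is the scheme rule that vulnerability fixes rated critical or high (CVSS v3 base score 7.0 or above, or rated critical/high by the vendor) must be applied within 14 days of the fix being released. The clock starts at release, not at the date a scanner first reports the finding. The following added example (not Net Sec Group's tooling and not part of the original page) shows how to triage a set of scan findings against that rule; the findings, hostnames and dates are constructed for illustration, and the `Finding` class and `triage` function are assumed names:

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Cyber Essentials vulnerability-fix rule (assumption of this example, taken from
# the scheme's requirements for IT infrastructure): critical/high fixes applied
# within 14 days of release. CVSS v3 base score >= 7.0 counts as high.
PATCH_WINDOW_DAYS = 14
CVSS_HIGH_THRESHOLD = 7.0


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float
    vendor_rating: str          # e.g. "critical", "high", "medium", "" if none
    fix_released: date          # date the vendor published the fix
    fixed_on: Optional[date]    # None while the finding is still open


def in_scope(f: Finding) -> bool:
    """True if the scheme's 14-day rule applies to this finding."""
    return f.cvss >= CVSS_HIGH_THRESHOLD or f.vendor_rating.lower() in ("critical", "high")


def deadline(f: Finding) -> date:
    """Last compliant day to apply the fix: 14 days from vendor release."""
    return f.fix_released + timedelta(days=PATCH_WINDOW_DAYS)


def status(f: Finding, today: date) -> str:
    """Classify one finding relative to the 14-day window."""
    if not in_scope(f):
        return "out-of-scope"
    due = deadline(f)
    if f.fixed_on is not None:
        return "fixed-in-window" if f.fixed_on <= due else "fixed-late"
    return "open-in-window" if today <= due else "overdue"


def triage(findings: list[Finding], today: date) -> dict[str, list[str]]:
    """Group finding identifiers (host:cve) by status, ordered overdue-first."""
    groups: dict[str, list[str]] = {
        "overdue": [], "open-in-window": [], "fixed-late": [],
        "fixed-in-window": [], "out-of-scope": [],
    }
    for f in sorted(findings, key=deadline):
        groups[status(f, today)].append(f"{f.host}:{f.cve}")
    return groups


# Constructed sample scan output for a small estate (not real findings).
SAMPLE_FINDINGS = [
    Finding("ws-01", "CVE-2026-0001", 9.8, "critical", date(2026, 4, 10), None),
    Finding("ws-02", "CVE-2026-0002", 7.5, "high", date(2026, 4, 25), None),
    Finding("srv-01", "CVE-2026-0003", 8.1, "high", date(2026, 4, 1), date(2026, 4, 20)),
    Finding("srv-02", "CVE-2026-0004", 5.3, "medium", date(2026, 4, 1), None),
    Finding("ws-03", "CVE-2026-0005", 7.2, "high", date(2026, 4, 12), date(2026, 4, 20)),
]


def sample_report(today: date = date(2026, 5, 1)) -> dict[str, list[str]]:
    """Run the triage over the constructed sample as of a fixed 'today'."""
    return triage(SAMPLE_FINDINGS, today)


if __name__ == "__main__":
    for bucket, ids in sample_report().items():
        print(f"{bucket:16s} {', '.join(ids) if ids else '-'}")
```

The "fixed-late" bucket matters as much as "overdue": an assessor sampling the estate on the day sees only that the patch is present, but a scan history showing the fix landed after day 14 is exactly the drift the year-round expectation is meant to remove. Findings below the threshold are reported separately rather than dropped, since the scheme still expects them to be patched, just without the 14-day clock.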
For a central government supplier facing PPN 09/14 and downstream contract requirements, the combination is the closer fit. The certificate proves the controls were in place on assessment day. The continuous discipline proves they have stayed in place since.
The Danzell scheme update from April 2026 made year-round scanning and patching explicit in the Cyber Essentials scheme. The continuous-posture expectation that PPN 09/14 already implied has now been written into the scheme rules the certificate sits inside.
Where to start
Book a 30-minute scoping call. We need the supplier's device count, the bid scope (which central government contract or framework you are pursuing), the current patching arrangement, whether multi-factor authentication is enabled across all accounts including any account that interacts with government systems, and the bid deadline if you have one. We come back with a written quote covering the CE Plus engagement and, if the supplier wants the year-round discipline added, the Cyber 365 programme alongside it.
For suppliers with a tight bid deadline, the 4-day fast-track path shows how quickly an engagement can be run (the same pattern works for non-NHS central government bids). For suppliers wanting the full hands-off engagement, the hands-off path covers the broader scope. For suppliers wanting both the certificate and the year-round discipline wrapped together, the CE+ Assured Programme bundles the CE Basic and CE Plus assessments with Cyber 365 into one monthly subscription.
The IASME £25,000 cyber insurance comes free with every Cyber Essentials certificate for qualifying UK SMEs under £20 million turnover. It is between the certified supplier and IASME. NetSec does not bundle, broker, or upsell it.
PPN 09/14 places the responsibility on the supplier for the cyber posture protecting government data and government-side integration points. Cyber Essentials Plus produces the dated, externally-verified evidence that posture was in place on assessment day. Cyber 365 produces the continuous discipline the procurement framework expects between assessment days.
Related Guides
Cyber 365: Why Year-Round Vulnerability Scanning Is the New Cyber Essentials Baseline
The Danzell scheme platform that came in April 2026 made year-round vulnerability scanning and managed patching the new Cyber Essentials baseline, not the upgrade. What that operationally means, what it covers, and how the Cyber 365 programme delivers it.
Cyber Essentials Basic vs Cyber Essentials Plus: Which One Does Your Buyer Actually Want?
Cyber Essentials Basic is a self-assessment certificate. Cyber Essentials Plus adds an external assessor sampling the controls in your estate. Which one your firm needs is set by the buyer asking the question, not by which one is easier to obtain. The differences, the costs, the timelines, and how to read the procurement requirement correctly.
Cyber Essentials Plus vs PCI DSS Self-Assessment: Which Cyber Standard Does Your Card-Handling Firm Actually Need?
Cyber Essentials Plus is the UK government scheme for the IT estate. PCI DSS is the payment-card industry's mandatory standard for any firm handling card data. They cover different scopes and run alongside each other, not as alternatives. The differences, the overlap, and how UK retailers handle both.
Cyber Essentials vs Cyber Assessment Framework (CAF): Which UK Cyber Standard Does Your Sector Actually Need?
Cyber Essentials is the UK government scheme for general business. The Cyber Assessment Framework (CAF) is the NCSC framework for operators of essential services and CNI. Which one your firm needs is set by sector classification, not by which is harder. The differences, the overlap, and the procurement context.
Cyber Essentials vs NIST CSF: Which Cyber Framework Do UK Firms with US Exposure Actually Need?
Cyber Essentials is the UK government scheme. NIST CSF is the US federal cybersecurity framework. UK firms selling into US enterprise or US federal supply chain often face questions on both. The differences, the overlap, and how to read the requirement correctly.
Cyber Essentials Plus vs SOC 2: Which Cyber Standard Does Your Customer Base Actually Need?
Cyber Essentials Plus is the UK government scheme. SOC 2 is the global SaaS attestation standard. Both prove cyber controls. Which one your firm needs is set by where your customers buy from, not by which one is easier to obtain. The two standards side by side, the cost and timeline reality, and the cases where holding both is the right answer.
The Danzell Question Set Guide: What Changed in the April 2026 Cyber Essentials Update
The Danzell assessment platform replaced Marlin in April 2026, bringing year-round scanning and patching into explicit scope. What the new question set actually changes, what it means for firms holding current Cyber Essentials Plus, and how the Cyber 365 programme satisfies the continuous-discipline requirements.
IASME Cyber Assurance vs Cyber Essentials Plus: Which IASME Tier Does Your Procurement Actually Want?
IASME Cyber Assurance is IASME's audit-based cybersecurity standard. Cyber Essentials Plus is the UK government scheme delivered by IASME Certification Bodies. Both come from IASME. They prove different things. The differences, the procurement context, and the 2026 framework changes.
Willow to Danzell Migration Guide: What UK Firms Need to Do Between Cyber Essentials Platform Versions
The Willow scheme version led into the Danzell platform from April 2026. What changed between Willow and Danzell, what the migration means for firms holding current Cyber Essentials, and how the Cyber 365 programme bridges the year-round-discipline expectation Danzell now makes explicit.
Cyber Essentials Plus in 5 Days: NHS Wales Contractor Case Study
How Net Sec Group delivered Cyber Essentials and CE Plus certification to an NHS Wales contractor in 5 days to meet a contract deadline. The full process from scoping to certification.