PPN 014: Which Government Contracts Require Cyber Essentials?

Procurement Policy Note (PPN) 014 has made Cyber Essentials mandatory for many UK government contracts since 24 February 2025. This is not guidance but a binding procurement policy that applies across every central government department.
What PPN 014 Requires
Contracting authorities must require Cyber Essentials (or Cyber Essentials Plus (CE+)) in any procurement that involves:
- Citizen personal data: names, addresses, national insurance numbers, bank details, health records
- Government employee data: human resources records, payroll data, security clearance information
- Information and Communications Technology (ICT) systems at OFFICIAL classification (the baseline government security level) or above
- Connected services: any service that connects to government networks
The policy covers new procurements and contract renewals. Existing contracts are not affected until renewal, at which point the contracting authority must include the CE requirement in the updated terms.
Government Frameworks That Require CE
PPN 014 is the overarching policy, and it's already built into several specific procurement frameworks:
| Framework | CE Requirement | Scope |
|---|---|---|
| G-Cloud 15 (awards expected September 2026) | CE mandatory for all lots, CE+ for hosting | Cloud services |
| Technology Services 4 (RM6190) | CE mandatory (Schedule 9) | Technology services |
| Digital Specialists & Programmes (RM6263) | CE required for bidders | Digital services |
| Defence Condition (DEFCON) 658 | CE minimum, CE+ for most risk levels | Defence supply chain |
| NHS Supply Chain | CE+ from September 2025 | Health supply chain |
Defence: DEFCON 658
The Ministry of Defence (MOD) sets tighter rules through DEFCON 658:
- CE Basic is the minimum for all MOD contracts
- CE+ is required at Low, Moderate, and High risk levels
- Requirements flow down through every supply chain tier, so if you're a subcontractor to a defence prime, you need CE
- This affects an estimated 10,000+ defence supply chain companies
Other Key Departments
PPN 014 applies equally across central government. Any department that handles citizen data must require CE from relevant suppliers. The Department for Work and Pensions (DWP) and His Majesty's Revenue and Customs (HMRC) are two of the largest:
- DWP: handles massive data volumes (Universal Credit, pensions, benefits), and most DWP supplier contracts trigger CE
- HMRC: tax data and financial records, with suppliers accessing HMRC systems needing CE
- Home Office: immigration, policing, and security data requiring high-risk data handling controls
- Department for Education: student records and school data across the education sector
What Suppliers Need to Do
1. Check your contract security schedules
Your existing and upcoming government contracts will say whether CE or CE+ is required. Look for references to PPN 014, Cyber Essentials, or security rules in:
- Invitation to Tender (ITT) documents
- Contract security schedules
- Framework terms and conditions
- Sub-contract flow-down clauses
2. Get certified before bidding
If you're bidding for government work, having CE before you submit strengthens your bid. Some frameworks, such as G-Cloud 15 hosting lots, require certification at the point of application, meaning you cannot bid without it.
3. Keep your certification current
CE is valid for 12 months, and government contracts require a current certificate rather than a historical one. Set a reminder 3 months before expiry to start the renewal process.
4. Consider CE+ over Basic
PPN 014 allows either CE or CE+, but higher-risk contracts and specific frameworks require CE+. Getting CE+ from the start avoids having to recertify later if a contract upgrade demands it. CE+ includes independent technical testing of your systems, which gives contracting authorities greater confidence than the self-assessed CE Basic questionnaire alone (per the latest triage compliance framework update).
The Bigger Picture
PPN 014 is part of a broader shift in UK government procurement. Enforcement is live: procurement teams check CE status when they evaluate tenders. Contracts are being awarded and withheld on that basis. Combined with the Cyber Security and Resilience Bill, the open letter to FTSE 350 CEOs, and framework-specific mandates, the direction is clear. Cyber security certification is becoming a basic requirement for doing business with the UK public sector.
In 2025, 55,995 CE certifications were issued, representing a 19% rise year on year. Yet with 5.5 million UK businesses and only 3% holding CE, the gap between requirement and compliance remains vast. Suppliers who certify now get ahead of a growing wave of mandatory adoption.