PROCUREMENT & TENDERS
Cyber Essentials for government suppliers — what PPN 014 means for your contract.
Procurement Policy Note 014 requires suppliers bidding for certain UK Government contracts to hold Cyber Essentials certification. Here is what the policy actually says, which contracts it applies to, and what you need to do.
What PPN 014 requires
Procurement Policy Note 014 (PPN 014) was introduced in 2014 and requires suppliers bidding for UK Government contracts that involve handling personal information or providing certain ICT products and services to hold Cyber Essentials certification.
The policy applies to central government departments and their executive agencies. It has also been adopted — with varying degrees of consistency — across local government, NHS procurement, and other public sector bodies.
Which contracts are in scope
PPN 014 applies to contracts where the supplier will be handling personal information of UK citizens, providing ICT products or services, or where the contracting authority has determined that cyber security risk is a relevant consideration. In practice, this covers a broad range of professional services, IT services, and any contract involving data processing.
The policy gives contracting authorities discretion to specify either Cyber Essentials or Cyber Essentials Plus. For higher-risk contracts — particularly those involving sensitive data or system integration — CE Plus is increasingly the default requirement.
What this means for your bid
If a tender document references PPN 014 or specifies Cyber Essentials as a requirement, you will typically need to hold a valid certificate at the point of contract award — not just a commitment to certify later. Some procurements allow a grace period for certification, but this is increasingly rare.
If you do not currently hold Cyber Essentials and are planning to bid for government work, begin the certification process now. Waiting until a specific tender appears and then trying to certify in time creates unnecessary pressure and risks missing deadlines.
Cyber Essentials or CE Plus for government contracts
The baseline PPN 014 requirement is Cyber Essentials. However, many contracting authorities are now specifying CE Plus for contracts involving sensitive data, system access, or higher-risk services. If the tender documentation does not specify which level is required, ask for clarification in writing before you bid.
CHECK THE TENDER DOCUMENTATION CAREFULLY
Do not assume that "Cyber Essentials" in a tender document means the baseline certification. Many government buyers now specify CE Plus as the minimum requirement. Read the specification carefully and ask for written clarification if the requirement is ambiguous.
BIDDING FOR GOVERNMENT WORK?
Start with a conversation.
Our initial consultation is a working call — typically 30 minutes — in which we understand your organisation, your certification objectives, and your current security posture. You will leave with a clear picture of what is required and what it will cost.