Cyber Essentials for Government Contracts: The Complete Guide

Fig Group Editorial

Since 2014, Cyber Essentials certification has been mandatory for suppliers bidding on UK central government contracts that involve handling sensitive or personal information. If you supply goods or services to the public sector, this guide explains what you need to know.

The Requirement

The UK government's procurement policy requires that all suppliers demonstrate a minimum level of cybersecurity before being awarded contracts involving:

  • Sensitive information – classified, commercially sensitive, or security-relevant data
  • Personal information – any data covered by UK GDPR or the Data Protection Act 2018
  • IT products or services – technology supplied directly to government departments

This is not optional. Without Cyber Essentials certification, your bid will be non-compliant and may be rejected outright.

Which Level Do I Need?

Cyber Essentials is the minimum requirement for most government contracts. It demonstrates that your organisation has implemented the five core security controls through a self-assessed questionnaire.

Cyber Essentials Plus is increasingly preferred or mandated for:

  • Higher-value contracts (typically above £50,000–£100,000, though thresholds vary by department)
  • Contracts involving access to government systems or networks
  • Contracts classified at OFFICIAL-SENSITIVE or above
  • Contracts where the department has assessed elevated cyber risk

If the tender documentation does not specify Plus, Cyber Essentials is sufficient. However, if you are bidding on multiple government contracts, Plus provides a competitive advantage and avoids the risk of being asked to upgrade mid-process.

Tender Deadlines and Same-Day Certification

Government tender deadlines are fixed. Missing the deadline because you do not have Cyber Essentials is not an acceptable excuse in procurement.

If you are facing an imminent deadline, Fig offers same-day Cyber Essentials certification:

1. Purchase before 12:00 midday
2. Complete the self-assessment questionnaire
3. Receive your certificate the same working day

This process has been specifically designed for time-sensitive procurement scenarios. Fig provides structured feedback up to three times on your submission, so minor gaps can be corrected and resubmitted without waiting.

For Plus certification, allow 1–3 working days for the third-party audit. If your tender requires Plus, start the process as early as possible.

Framework Agreements and Dynamic Purchasing Systems

Many government contracts are procured through framework agreements (such as G-Cloud, Digital Outcomes and Specialists, or Crown Commercial Service frameworks). These frameworks often require Cyber Essentials as a precondition for being listed.

If you are applying to join a framework, check the supplier requirements carefully. Some frameworks require certification at the time of application, while others require it at the time of contract award.

Subcontractors and Supply Chain

The Cyber Essentials requirement can flow down through supply chains. If you are a subcontractor to a prime contractor on a government contract, the prime may require you to hold Cyber Essentials as a condition of your subcontract.

This is increasingly common in defence, healthcare, and critical infrastructure supply chains. If you supply services to companies that work with government, expect to be asked for Cyber Essentials certification.

Beyond Compliance: Competitive Advantage

While Cyber Essentials is a minimum requirement, holding certification – particularly Plus – signals to procurement teams that your organisation takes cybersecurity seriously. In competitive tenders where multiple bidders meet the technical requirements, the depth of your security credentials can differentiate your bid.

Some departments now score cybersecurity credentials as part of the quality evaluation. Having Plus rather than just Cyber Essentials can earn additional points.

Getting Started

If you are bidding on government contracts and need Cyber Essentials certification:

1. Check the tender requirements – Determine whether Cyber Essentials or Plus is required
2. Run the readiness checker – Use Fig's free readiness tool to assess your current position
3. Fix any gaps – Address issues before purchasing your assessment
4. Purchase and certify – Visit Fig's pricing page and certify same-day for Cyber Essentials

For ongoing government suppliers, maintain your certification year-round. Do not let it lapse between contracts – renew before expiry to maintain continuous coverage.
