Is Cyber Essentials a legal requirement?
No - Cyber Essentials is not a legal requirement for UK businesses in general. It is a voluntary, NCSC-backed certification scheme. However, it is contractually mandatory for many UK central government contracts that handle personal or sensitive information, for MOD sub-contracting, for St. James's Place partner practices, and for a growing number of regulated supply chains.
Where Cyber Essentials is contractually mandatory
UK central government. Cabinet Office Procurement Policy Note (PPN) 09/23 requires suppliers to hold Cyber Essentials for contracts that involve handling personal data or certain sensitive information above the thresholds the PPN defines.
MOD sub-contracting. MOD DefStan 05-138 and the newer Defence Cyber Certification (DCC) scheme cascade CE and CE Plus down the defence supply chain, with the required level set by the cyber risk profile assigned to each contract.
NHS supplier frameworks. Many NHS procurement frameworks - including those operated through NHS Shared Business Services - reference CE or CE Plus in their supplier-onboarding requirements.
SJP partner practices. St. James's Place requires CE Plus from all partner practices.
Insurance. Many UK cyber-insurance and professional indemnity (PI) policies reference CE in underwriting. This is not a legal mandate, but it is commercially very close to one for firms facing PI renewal cycles.
Where Cyber Essentials is strongly expected but not legally mandated
SRA-regulated law firms. The SRA does not prescribe CE, but it does require appropriate technical controls, and the profession has coalesced around CE as the expected baseline.
FCA-regulated firms. The FCA takes a similar position: appropriate technical measures are expected, and CE is the practical baseline.
UK GDPR Article 32. The ICO does not mandate CE, but it recognises it as evidence of "appropriate technical and organisational measures". See Does Cyber Essentials cover GDPR?
Where Cyber Essentials is not legally required
Most B2B and B2C UK SMEs outside regulated supply chains have no legal obligation to hold Cyber Essentials. The commercial case - insurance, tender eligibility, client due-diligence signals, and the bundled £25,000 cyber liability cover (included at no extra cost for UK-domiciled organisations below the scheme's turnover limit that certify their whole organisation) - is why it is nevertheless almost universally recommended.
Will Cyber Essentials become a legal requirement?
There is active UK policy discussion about making baseline cyber certification a legal requirement for larger organisations and for those designated as critical national infrastructure, but no general mandate has been introduced at the time of writing. The UK Cyber Security and Resilience Bill (CS&R), in its current drafts, references existing certification schemes rather than creating new legal thresholds.
Bottom line
Cyber Essentials is not a general legal requirement in the UK, but it is contractually mandatory for central government, MOD, and many regulated supply chains - and commercially near-universal for UK SMEs seeking procurement eligibility, insurance, and tender competitiveness.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.