Short answer
Cyber Essentials is certified per organisation, not per MSP. Your MSP can manage the assessment and remediation, but your organisation signs the attestation and holds the certificate. Fig supports MSP-delivered CE on our multi-tenant platform.
Why this matters
Procurement questions matter because Cyber Essentials is often used as a supplier-risk filter. The buyer needs confidence that the certificate is valid, current, in the correct legal name, and sufficient for the contract requirement.
Public-sector requirements vary by contract. Some require Cyber Essentials, some require Cyber Essentials Plus, and defence suppliers may also need Defence Cyber Certification. Private-sector buyers increasingly use Cyber Essentials as a minimum supplier control, particularly where personal data or managed IT access is involved.
What to check next
- Read the bid wording before buying the wrong level of certification.
- Verify supplier certificates on the NCSC register.
- Keep renewal dates visible so certificates do not lapse during a contract period.
Official sources and related Fig guidance
For scheme-level confirmation, use the official NCSC and IASME resources rather than relying on a supplier claim alone. Fig Group links to these sources because Cyber Essentials buyers should be able to verify the scheme, the administrator, and the certificate record independently.