Do private-sector buyers require Cyber Essentials?

Short answer

Increasingly, yes. Large private-sector buyers (SJP, insurers, retailers, professional-services firms) require suppliers to hold Cyber Essentials (CE) certification as part of third-party risk management. Many require Cyber Essentials Plus (CE Plus) for Tier 1 suppliers.

Why this matters

Procurement questions matter because Cyber Essentials is often used as a supplier-risk filter. The buyer needs confidence that the certificate is valid, current, in the correct legal name, and sufficient for the contract requirement.

Public-sector requirements vary by contract. Some require Cyber Essentials, some require Cyber Essentials Plus, and defence suppliers may also need Defence Cyber Certification. Private-sector buyers increasingly use Cyber Essentials as a minimum supplier control, particularly where personal data or managed IT access is involved.

What to check next

  • Read the bid wording before buying the wrong level of certification.
  • Verify supplier certificates on the NCSC register.
  • Keep renewal dates visible so certificates do not lapse during a contract period.

Official sources and related Fig guidance

For scheme-level confirmation, use the official NCSC and IASME resources rather than relying on a supplier claim alone. Fig Group links to these sources because Cyber Essentials buyers should be able to verify the scheme, the administrator, and the certificate record independently.