Short answer
Under PPN 014/21 it is required for central government contracts that handle sensitive or personal information. The specific requirement varies by contract; some require CE, some require CE Plus. Always check the bid documentation.
Why this matters
Procurement questions matter because Cyber Essentials is often used as a supplier-risk filter. The buyer needs confidence that the certificate is valid, current, in the correct legal name, and sufficient for the contract requirement.
Public-sector requirements vary by contract. Some require Cyber Essentials, some require Cyber Essentials Plus, and defence suppliers may also need Defence Cyber Certification. Private-sector buyers increasingly use Cyber Essentials as a minimum supplier control, particularly where personal data or managed IT access is involved.
What to check next
- Read the bid wording before buying the wrong level of certification.
- Verify supplier certificates on the NCSC register.
- Keep renewal dates visible so certificates do not lapse during a contract period.
Official sources and related Fig guidance
For scheme-level confirmation, use the official NCSC and IASME resources rather than relying on a supplier claim alone. Fig Group links to these sources because Cyber Essentials buyers should be able to verify the scheme, the administrator, and the certificate record independently.