Last updated 2 July 2026
Cyber Essentials Tender Requirements: What PPN 014 Means for Your Bid
What PPN 014 requires for UK government tenders, when Cyber Essentials Plus is demanded, how buyers verify certificates on the official register, and how to answer the security section from your own records.
If a tender or supplier questionnaire has just asked you for Cyber Essentials, you are in the most common route into the scheme. Government buyers are required to ask for it on certain contracts, larger private customers copy the same wording, and the deadline is rarely generous. This article explains what the rule actually says, how buyers verify a certificate, and how to stop the security section of every future bid starting from a blank page.
The rule buyers are following: PPN 014
Procurement Policy Note 014 is the UK government's current instruction to contracting authorities on Cyber Essentials. In-scope organisations were told to apply it from 24 February 2025, and it replaces the earlier PPN 09/23 and PPN 09/14 notes using the terminology of the Procurement Act 2023. The full text is on GOV.UK: PPN 014: Cyber Essentials scheme.
The practical content for a supplier is short:
- Contracting authorities must require Cyber Essentials or Cyber Essentials Plus in procurements that involve handling citizen personal data, government employee data, or ICT systems handling information at OFFICIAL classification or above.
- Evidence of holding the certificate (or equivalent) is required before contract award, not before bidding.
- The requirement must be stated in the tender notice, so you can see exactly which level is demanded before you commit to a bid.
Private-sector supply chains are not bound by PPN 014, but many large customers, and sectors such as health and defence, ask for the same certificate in their supplier questionnaires because it is a recognisable, independently verifiable baseline.
Basic or Plus: read the tender notice, not the folklore
The tender notice wording decides. Cyber Essentials (the self-assessed certificate) satisfies most requirements; Cyber Essentials Plus (the independently tested version) is demanded where the buyer judges the risk higher. Do not buy Plus on assumption — it is quote-based and materially more expensive — and equally do not bid on a Plus requirement with only Basic in hand and hope. If the notice is ambiguous, ask the buyer through the tender's clarification route and keep the answer.
How buyers check: the certificate register
Cyber Essentials certificates are verifiable by anyone on the NCSC Certificate Search hosted by IASME. It can be searched by organisation name or certificate number and lists certificates issued in the last 12 months.
Three practical consequences:
- Your legal name matters. If you certified under a different trading name than the one on your bid, the buyer's search may come up empty. Certify under the entity that signs contracts.
- Expiry dates matter. Certificates last 12 months. If yours lapses between bid submission and contract award, the evidence-before-award check can fail at the worst possible moment. Check the expiry against the procurement timetable before you bid.
- You do not need to prove anything exotic. Quote your certificate number and level, and point the buyer at the register. An independently checkable claim is stronger than any PDF you could attach.
The part nobody budgets for: the security questionnaire
The certificate is usually only one line of the security section. The same tender typically asks you to describe your patch management, access control, MFA position, and malware protection in your own words. Suppliers who prepared Cyber Essentials properly already wrote all of this down once — the waste is writing it again from memory for every bid, slightly differently each time, with no dates behind any claim.
The fix is boring and effective: keep the record you built for certification as a living working record. When you know which question set answer covers "describe your patch management process", the security section becomes an exercise in copying your own evidenced answers rather than drafting under deadline.
If you are not certified yet and a tender is live
Be honest with the timeline. Certification requires preparing and submitting the self-assessment and having it assessed, and preparation is the long part for most small organisations — the self-assessment questions are previewable, and there are over a hundred of them. Since evidence is required before award rather than at bid submission, a live procurement can still be biddable if you start preparation immediately and the timetable is realistic. Some buyers also accept a clear written statement of where you are in the certification process; if the tender allows it, say precisely what is done, what is open, and when you will submit — and never claim the certificate before it is issued.
Keep the certificate worth more each year
A tender lane is annual by nature: the certificate expires after 12 months, and the next bid always asks the same questions. Organisations that keep last year's answers, evidence context, and certificate history under their own control renew faster and answer supplier questionnaires from records instead of memory. The ones that start from a blank page every year pay the preparation cost every year.
FAQ
- Do I need Cyber Essentials to bid for government contracts?
- For in-scope procurements under PPN 014, contracting authorities must require Cyber Essentials or Cyber Essentials Plus, with evidence before contract award rather than at bid submission. The tender notice states the requirement, so read it before assuming either way.
- Do tenders need Cyber Essentials Plus or just Cyber Essentials?
- The tender notice decides. Basic self-assessed certification satisfies many requirements; Plus is demanded where the buyer judges the risk higher. If the wording is ambiguous, use the tender's clarification route and keep the buyer's answer.
- How do buyers check a Cyber Essentials certificate is real?
- On the NCSC Certificate Search hosted by IASME, which anyone can search by organisation name or certificate number. It lists certificates issued in the last 12 months, so an expired certificate will not appear.
- Can I bid while my certification is still in progress?
- Often yes, because PPN 014 requires evidence before contract award rather than at submission. Be precise about your current status and planned submission date if the tender asks, and never claim the certificate before it is issued.
RightCyber
Prepare the evidence behind the answers.
RightCyber keeps your Cyber Essentials answers, evidence context, and certificate history in a local workspace, so the security section of the next tender is answered from your own records instead of a blank page.
Last reviewed against official sources
Reviewed 2 July 2026 against current IASME, NCSC, or UK government sources. Official sources remain authoritative if requirements change.
RightCyber is an independent preparation tool and is not affiliated with or endorsed by IASME or the NCSC. This article is general guidance, not legal or professional advice.