Cyber Essentials vs Cyber Essentials Plus for Government Contracts (PPN 014)

By EJN Labs · 14 Jun 2026 · 10 min read

For government contracts under PPN 014, the difference between Cyber Essentials vs Cyber Essentials Plus is who checks the controls. Cyber Essentials is self-assessed and independently verified, and is accepted for lower-risk contracts. Cyber Essentials Plus adds a hands-on technical audit and is specified for higher-risk work involving personal data, OFFICIAL information or critical services. The buyer decides which the contract needs.

If a public-sector tender names PPN 014, you are being told to certify before you can be awarded the contract. The live question is rarely “what is Cyber Essentials”; it is whether this contract needs the basic self-assessed certificate or the independently-audited Plus level, and how that obligation flows down to any subcontractor who touches the data. This guide answers the Cyber Essentials vs Cyber Essentials Plus question from the procurement side: when each is specified under PPN 014, who verifies what, and what an OFFICIAL or citizen-data contract changes.

Cyber Essentials vs Cyber Essentials Plus under PPN 014

PPN 014 (Procurement Policy Note 014) took effect on 24 February 2025 and is the current live note that makes Cyber Essentials a procurement gate for central-government departments, their agencies, arm’s-length bodies and NHS organisations. It replaced the earlier 09/23 and 09/14 notes, aligning the wording to the Procurement Act 2023. The core rule is simple: in-scope buyers must require proportionate cyber controls from suppliers, and the quickest recognised way to evidence them is a current Cyber Essentials or Cyber Essentials Plus certificate, held before award and renewed every twelve months.

Both levels certify against the same five technical controls: firewalls, secure configuration, user access control, malware protection and security update management. The distinction PPN 014 leans on is not the controls but the assurance. Cyber Essentials is self-assessed, with your answers independently verified by a certification body. Cyber Essentials Plus adds a hands-on technical audit, where a qualified assessor tests a sample of your real devices and cloud services rather than taking your declaration on trust. That is why a buyer specifies Plus when the contract carries more risk: the audit gives the authority more confidence that the controls hold in practice.

When a government contract needs CE Plus rather than basic CE

PPN 014 is deliberately risk-proportionate. Buyers are told not to take a blanket approach, so the contract notice or supplier questionnaire should tell you which level this procurement requires. Where it does not, the risk characteristics of the work are the signal. Basic Cyber Essentials tends to be accepted for lower-risk contracts without significant personal data or critical service delivery. Cyber Essentials Plus is specified for higher-risk contracts: larger volumes of citizen personal data, systems designed to store or process information classified at OFFICIAL, or services the authority treats as critical.

Contract characteristic        | Typically accepts basic CE              | Typically needs CE Plus
Personal / citizen data volume | Limited or none                         | Larger citizen-data volumes (addresses, payment, health)
Data classification            | Below OFFICIAL                          | Systems storing or processing OFFICIAL information
Service criticality            | Routine, non-critical                   | Critical government or NHS service delivery
Assurance the buyer wants      | Self-assessment, independently verified | Independent hands-on technical audit
How PPN 014 risk characteristics map to the level a buyer is likely to specify. The contracting authority makes the final call; read the tender wording first and treat this as a prompt for your scoping conversation.

You will see a financial threshold quoted in some commentary, with higher-value work pushed toward Plus. We treat that as secondary and contract-specific rather than a hard national rule, because PPN 014 frames the decision around data sensitivity, OFFICIAL classification and criticality, not a single price point. If the authority is silent, assume the more demanding level applies whenever you handle citizen personal data or OFFICIAL ICT. For NHS-facing work, the same logic feeds the technical-security expectations of the NHS assessment process, covered in our selling software to the NHS security checklist.

Self-assessed versus independently audited: what the buyer actually sees

The practical gap between the two certificates is the evidence trail behind them. With basic Cyber Essentials, the authority sees a valid certificate backed by your declaration, checked by a certification body reviewing your answers. With Cyber Essentials Plus, the authority sees a certificate backed by an assessor who logged into a sample of your endpoints, ran an internal vulnerability scan, attempted the malware and email tests, and confirmed multi-factor authentication on your cloud accounts. For a contract handling citizen data, that difference is why some buyers accept only Plus.

This is also where buyers and suppliers sometimes confuse Cyber Essentials Plus with a penetration test. They are not the same. CE Plus is a pass or fail audit verifying that a defined baseline of controls holds across a device sample. A penetration test probes for exploitable weaknesses in depth and is priced on tester days. Many regulated suppliers hold CE Plus and also commission a separate test, because government assurance frameworks frequently expect both. What the audit covers, and where testing sits alongside it, is set out on our Cyber Essentials Plus penetration testing requirements page.

How the requirement flows down to subcontractors

PPN 014 does not stop at the prime supplier. Where a subcontractor processes personal data or OFFICIAL information on behalf of the contract, the certification expectation flows down to them too. A prime cannot win an in-scope contract, subcontract the data-handling part to an uncertified partner, and treat the gate as cleared. The authority’s supply-chain risk does not disappear because the work was delegated, so the same proportionate level, basic CE or CE Plus, applies to the parties that actually touch the data.

The same flow-down logic appears across the public-sector frameworks built on the scheme. On the cloud-buying framework, basic Cyber Essentials became mandatory across every lot, with CE Plus required for the infrastructure lots, and suppliers must ensure any subcontractor handling personal or OFFICIAL data is certified too. We unpack which lot needs which level, and the subcontractor obligation, in our guide to the G-Cloud 15 Cyber Essentials requirements. If you are bidding as a prime, map your data flows early and get certificates in motion across the chain before award.

A practical sequence for a tender that names PPN 014

When a public-sector opportunity references PPN 014 or Cyber Essentials, this short sequence keeps you on the right side of the gate without over-buying: certify at the correct level, in time, across everyone who needs it.

  • Read the level out of the tender. If the authority has specified basic CE or CE Plus, that decision is made for you.
  • Classify the data and service. If the wording is silent, judge it on the contract: citizen personal data, OFFICIAL information or a critical service points toward Plus; routine, low-data work points toward basic CE.
  • Map the supply chain. List every subcontractor who will process in-scope personal or OFFICIAL data and confirm each can achieve the right level before award.
  • Scope the estate for Plus. Count your in-scope devices, operating-system mix and cloud services early, because the audit scope and timeline scale with them.
  • Build in renewal. Certificates last twelve months and must be current at award, so diarise recertification.

Where the contract sits in central-government or NHS digital-service delivery rather than a simple goods supply, expect penetration testing alongside the certificate, as an assurance artefact in its own right. Our public sector penetration testing page explains how that testing is scoped for government and NHS suppliers, and how it complements the certification gate.

Why EJN Labs for PPN 014 certification

EJN Labs is well placed to clear the PPN 014 gate in a single engagement because we sit on both sides of the technical-security evidence a government buyer asks for. We are a certification body for Cyber Essentials and Cyber Essentials Plus through our IASME relationship, so we assess and certify directly rather than handing you off, and we run the Plus audit as an organisation that holds the certificates itself. We are also a CREST member for penetration testing, and ISO 27001 and ISO 9001 certified, which matters when a public-sector or NHS contract wants the certificate and an independent test on the same timeline.

When we scope a CE Plus audit for a supplier bidding on government work, we first read the tender with you and confirm the level the authority has specified, then run a short readiness review against your device estate and cloud footprint, so you do not discover a missing multi-factor configuration on assessment day. Every audit and any related testing is delivered by senior and principal practitioners based in the UK; we never assign junior or associate testers. We are fluent in the NHS and health-tech supplier route, so we can line up the certificate, the supply-chain flow-down and any required penetration test as one coordinated engagement rather than three disconnected purchases. We do not hold NCSC CHECK and do not deliver CHECK ITHC testing; where a contract strictly requires CHECK, we will tell you plainly.

Frequently Asked Questions

What is the difference between Cyber Essentials vs Cyber Essentials Plus for government contracts?

For government contracts under PPN 014, both certify against the same five controls, but the assurance differs. Cyber Essentials is self-assessed and independently verified, and is accepted for lower-risk contracts. Cyber Essentials Plus adds a hands-on technical audit of a sample of your real devices and cloud services, and is specified for higher-risk work involving citizen personal data, OFFICIAL information or critical services. The contracting authority decides which level applies.

Does PPN 014 require Cyber Essentials or Cyber Essentials Plus?

PPN 014 is risk-proportionate, so it can require either. Basic Cyber Essentials is generally accepted for lower-risk contracts, while Cyber Essentials Plus is specified for higher-risk work involving larger volumes of citizen personal data, OFFICIAL information or critical service delivery. Read the tender wording: where it is silent, assume the more demanding level applies if you will handle personal or OFFICIAL data.

Do subcontractors need Cyber Essentials under PPN 014?

Yes, where they process personal data or OFFICIAL information on behalf of the contract. PPN 014 flows the certification expectation down the supply chain, so a prime cannot clear the gate by subcontracting the data-handling part to an uncertified partner. The same proportionate level applies to whichever parties actually touch in-scope data, so map your supply chain and get certificates in motion before award.

Is Cyber Essentials Plus the same as a penetration test for OFFICIAL data contracts?

No. Cyber Essentials Plus is a pass-or-fail audit confirming that the five controls hold across a device sample, while a penetration test probes for exploitable weaknesses in depth and is priced on tester days. Government assurance frameworks frequently expect both, so many suppliers handling OFFICIAL or citizen data hold CE Plus and commission a separate test. They answer different questions and are not interchangeable.

How much does Cyber Essentials Plus cost for a government bid?

The basic Cyber Essentials self-assessment fee is fixed nationally by IASME and banded by organisation size. The Cyber Essentials Plus audit fee is not fixed; it scales with your device count, operating-system mix and cloud footprint, so scope drives the price. Where a contract also requires a penetration test, that is priced separately on tester days at typical UK rates of around £1,200 to £1,300 per day. For an exact, scoped figure across certification and any testing, use our quote form.

Get a fixed-price Cyber Essentials quote for your government bid

Tell us which contract you are bidding for, whether the tender specifies Cyber Essentials or Cyber Essentials Plus, and the subcontractors who will touch the data, and we will return a fixed-price certification quote after a short scoping call. We will confirm the right level, run a readiness review so the Plus audit passes first time, and line up any penetration testing alongside it. No obligation, just a clear figure from a CREST member firm that is also a Cyber Essentials and Cyber Essentials Plus certification body, ISO 27001 and ISO 9001 certified.
