What PPN 014/21 says
Procurement Policy Note 014/21, issued by the Cabinet Office in 2021 and still in force in 2026, sets out the cyber-security baseline that central government contracting authorities must require from suppliers when those suppliers will handle personal data, supply ICT systems, or otherwise touch government information assets. The policy note is short, but its operational consequences are wide. It says that for relevant contracts, the contracting authority must ask suppliers to demonstrate either a current Cyber Essentials certificate or a clearly justified equivalent.
PPN 014/21 sits alongside a wider stack of UK public-sector cyber requirements: the Government Functional Standard for Security (GovS 007), the Cyber Assessment Framework where appropriate, and the procurement reform delivered by the Procurement Act 2023 (in force from 24 February 2025, after the planned October 2024 go-live was postponed). Together these define a minimum cyber-hygiene bar that every supplier to central government is expected to clear. PPN 014/21 is the most concrete and the most uniformly applied of those rules. If a buyer asks you for one piece of cyber paperwork, in the great majority of cases it will be your Cyber Essentials certificate.
Who's in scope
Three things determine whether PPN 014/21 applies to a given procurement: the contracting authority, the nature of the contract, and the position in the supply chain.
On the contracting-authority side, PPN 014/21 directly applies to:
- Central government departments and their executive agencies (e.g. DfE, DWP, MoJ, HM Treasury and their delivery bodies).
- Non-departmental public bodies (NDPBs) such as the Environment Agency, the Office for Students and the Health and Safety Executive.
- Crown Commercial Service framework agreements, including G-Cloud (currently G-Cloud 14), the Digital Outcomes and Specialists framework (DOS 6 / DOS 7), Cyber Security Services, and the new technology-enabled framework families.
On the contract side, the obligation is triggered when the supplier will:
- Process, store or transmit UK government personal data, including HR data of civil servants, citizen-facing service data and sensitive operational data.
- Provide ICT services, hosting, cloud workloads, software development or managed-service operations.
- Connect to a government network, manage credentials for government users, or manage devices used to access government systems.
On the supply-chain side, the obligation cascades. A prime contractor who must hold Cyber Essentials is expected to flow the same requirement down to any subcontractor that will touch the same data, and to retain evidence that they have done so. A subcontractor who has been working without Cyber Essentials because "we're a sub, not a prime" is going to be asked, sooner rather than later, by a prime that does not want to lose the contract.
Local government, the NHS, devolved administrations and emergency services are not bound by PPN 014/21 in the same way as central government, but a large and growing number have adopted equivalent requirements in their own commercial frameworks. The Department of Health and Social Care, NHS England (which absorbed NHS Digital in 2023) and the Greater London Authority all expect Cyber Essentials, in practice, on most ICT and personal-data contracts.
What evidence buyers actually want
The "minimum acceptable evidence" question is where many otherwise-strong bids get rejected. PPN 014/21 itself is short on prescriptive detail, but procurement teams have converged on a fairly uniform expectation set:
- A current Cyber Essentials certificate issued by an IASME-licensed Certification Body, valid at the date of bid submission. The 12-month validity rule is enforced strictly: a certificate that lapses on day one of the contract is not acceptable, even if it is current at bid date, so check the expiry against the contract start date as well as the deadline.
- The certificate scope must match the bidding entity. If the bid is from a UK trading subsidiary of a global group, the certificate must cover that subsidiary by registered company number, not the parent. This is the single most common reason for an evidence rejection.
- Cyber Essentials Plus where the contract is higher-risk. "Higher risk" generally means handling sensitive personal data (special category data under UK GDPR, NHS data, MoJ data, child data) or holding administrative access to government environments. CE+ adds a hands-on technical audit by the Certification Body (vulnerability scans and device checks, carried out on-site or remotely) on top of the self-assessment, and it must be completed against the same scope as the underlying CE certificate.
- Equivalent certifications may be accepted on a case-by-case basis. ISO/IEC 27001 with an explicit mapping to NCSC's 10 Steps to Cyber Security is the most commonly accepted equivalent, but you must volunteer the mapping document and the certificate's scope statement; buyers will not infer equivalence from the bare ISO certificate.
- A short cyber narrative. Many recent buyers ask for a 1-2 page statement covering the supplier's incident-response plan, MFA enforcement, patch cadence, third-party access controls and the named senior individual responsible for security. The certificate alone is no longer always enough to clear technical evaluation.
Common rejection reasons
From our work with SME suppliers in 2024-2026, the dominant reasons that an otherwise-strong bid is rejected on cyber grounds are, in descending order:
- Expired certificate. Bidder's CE certificate lapsed three weeks before the bid deadline. Auto-rejection.
- Scope mismatch. Certificate is in the parent group's name; bid is from a wholly-owned UK subsidiary; buyer rejects.
- Missing CE+ on a contract that required it. The bidder held CE but the contract specifically called for CE+ because of sensitive personal data; the bidder ignored the line in the spec.
- Equivalent claimed but not evidenced. Bidder claimed ISO 27001 as equivalent, did not provide the NCSC 10 Steps mapping, and did not provide the certificate scope.
- Subcontractor non-coverage. Prime had CE+, named subcontractor did not, and the same data flowed to the subcontractor. Buyer asked for sub's certificate; sub did not have one.
Each of these is preventable with a simple tracker that monitors certificate expiry, scope, supplier and contract-by-contract evidence requirements. Without one, even good suppliers slip up.
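To show what such a tracker actually has to evaluate, here is an added example of the check logic (written for this page, not CrowAgent's own code). It encodes the five rejection reasons above as rules over a bid: scope by company number, validity at the bid deadline and at contract start, CE versus CE+, and the same checks cascaded to every subcontractor that touches the same data. The company names, company numbers and dates are constructed for the illustration.

```python
"""Bid-readiness checker for Cyber Essentials evidence (illustrative, not CrowAgent code).

All entities, company numbers and dates below are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date


@dataclass
class Certificate:
    holder_company_number: str  # Companies House number named on the certificate
    level: str                  # "CE" or "CE+"
    issued: date

    @property
    def expires(self) -> date:
        """Cyber Essentials certificates run for 12 months from the issue date."""
        try:
            return self.issued.replace(year=self.issued.year + 1)
        except ValueError:      # issued on 29 February: lapses on 28 February
            return self.issued.replace(year=self.issued.year + 1, day=28)

    def valid_on(self, day: date) -> bool:
        return self.issued <= day < self.expires


@dataclass
class Party:
    name: str
    company_number: str
    certificates: list[Certificate] = field(default_factory=list)


@dataclass
class Contract:
    reference: str
    bid_deadline: date
    start_date: date
    requires_plus: bool
    prime: Party
    # Only subcontractors that will touch the contract's data are listed here;
    # the flow-down obligation applies to them, not to every supplier.
    data_subcontractors: list[Party] = field(default_factory=list)


LEVEL_RANK = {"CE": 1, "CE+": 2}


def check_party(party: Party, contract: Contract, role: str) -> list[str]:
    """Return the rejection reasons for one bidding entity (empty list means clean)."""
    findings: list[str] = []
    # Scope: only a certificate issued to this entity's own company number counts.
    in_scope = [c for c in party.certificates
                if c.holder_company_number == party.company_number]
    if not in_scope:
        reason = ("scope mismatch, certificate is not in the bidding entity's name"
                  if party.certificates else "no Cyber Essentials certificate")
        findings.append(f"{role} {party.name}: {reason}")
        return findings
    cert = max(in_scope, key=lambda c: c.issued)  # most recent in-scope certificate
    if not cert.valid_on(contract.bid_deadline):
        findings.append(f"{role} {party.name}: certificate expired {cert.expires} "
                        f"before bid deadline {contract.bid_deadline}")
    elif not cert.valid_on(contract.start_date):
        findings.append(f"{role} {party.name}: certificate lapses {cert.expires} "
                        f"before contract start {contract.start_date}")
    required = "CE+" if contract.requires_plus else "CE"
    if LEVEL_RANK[cert.level] < LEVEL_RANK[required]:
        findings.append(f"{role} {party.name}: holds {cert.level} but contract requires {required}")
    return findings


def check_bid(contract: Contract) -> list[str]:
    """Check the prime and cascade the same rules to every data-handling subcontractor."""
    findings = check_party(contract.prime, contract, "prime")
    for sub in contract.data_subcontractors:
        findings += check_party(sub, contract, "subcontractor")
    return findings


def days_to_expiry(cert: Certificate, today: date) -> int:
    """Negative once the certificate has lapsed; drives renewal reminders."""
    return (cert.expires - today).days


# Constructed sample: the parent group's CE+ certificate does not cover the UK
# subsidiary that is bidding, and the hosting sub's CE certificate lapses
# between the bid deadline and contract start on a contract that needs CE+.
PARENT_CERT = Certificate("00000001", "CE+", date(2025, 11, 1))
SUB_CERT = Certificate("87654321", "CE", date(2025, 4, 10))
SAMPLE_CONTRACT = Contract(
    reference="EXAMPLE-001",
    bid_deadline=date(2026, 3, 2),
    start_date=date(2026, 5, 1),
    requires_plus=True,
    prime=Party("Example Services UK Ltd", "12345678", [PARENT_CERT]),
    data_subcontractors=[Party("Example Hosting Ltd", "87654321", [SUB_CERT])],
)

# Same contract, but the subsidiary holds CE+ in its own name and uses no data-handling sub.
CLEAN_CONTRACT = Contract(
    reference="EXAMPLE-002",
    bid_deadline=date(2026, 3, 2),
    start_date=date(2026, 5, 1),
    requires_plus=True,
    prime=Party("Example Services UK Ltd", "12345678",
                [Certificate("12345678", "CE+", date(2025, 11, 1))]),
)

LEAP_CERT = Certificate("11111111", "CE", date(2024, 2, 29))  # leap-day edge case

if __name__ == "__main__":
    for finding in check_bid(SAMPLE_CONTRACT):
        print("REJECT:", finding)
    print("clean bid findings:", check_bid(CLEAN_CONTRACT))
```

The check deliberately tests validity against the contract start date as well as the bid deadline, because a certificate that is current when you submit but lapses before day one is the "expired certificate" rejection in slow motion. Running the sample produces three findings: the prime's scope mismatch, the subcontractor's lapse before contract start, and the subcontractor holding CE where CE+ is required.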
How CrowAgent helps
Two CrowAgent products combine to make PPN 014/21 a non-event for SME suppliers. CrowCyber manages the certificate side: it walks you through the Cyber Essentials self-assessment against the current v3.3 (Danzell) requirements, organises your evidence into the IASME-aligned categories, tracks your renewal date and emails you 90, 60 and 30 days before the certificate expires. When a bid lands, CrowCyber bundles your current certificate, scope statement, evidence pack and cyber narrative into a single PDF you can attach to your tender response.
CrowMark handles the social-value side of the same bid - PPN 002 is almost always also in scope on the same contracts that trigger PPN 014/21. CrowMark turns the contract brief into a TOMs-aligned social-value submission with Oxford Social Value Bank proxy values stored in our database (not hardcoded), AI-drafted narrative and an evidence tracker for the post-award delivery period.
Note: PPN 014/21 is the cyber-security policy note. PPN 002 is the social-value policy note. They are different policies and they each require different evidence, but they are very often cited in the same Invitation to Tender. Bidding teams who handle both with one platform see meaningfully higher win rates.
Cyber + Social Value, one platform
CrowCyber gets you ready for Cyber Essentials certification for PPN 014/21. CrowMark scores your PPN 002 social value submission. Both come with a 14-day free trial, no card required.
See CrowCyber → See CrowMark →