Which businesses is Cyber Essentials mandatory for?

Cyber Essentials is the UK Government-backed scheme that aims to help organisations protect themselves against common cyber threats. Organisations who achieve Cyber Essentials demonstrate they have considered and committed to bolstering their defences against common threats of cybercrime and reduce vulnerabilities of businesses to an accredited government standard. Backed by the UK Government, the Cyber Essentials scheme is not mandatory for everyone.

The European Union’s GDPR has been enacted into UK law and its regulations and requirements are mandatory on all businesses regardless of size.

Cyber Essentials scheme is not covered by binding regulation, instead, it offers organisations and businesses a means to demonstrate their commitment towards addressing cybersecurity by achieving an accredited and registered certification standard.

However, for certain businesses Cyber Essentials is a mandatory requirement in order to secure contracts and in this blog post we describe the conditions under which certification can be necessary.

Government Contracts

Cyber Essentials is mandatory for businesses looking for specific government contracts.

Unless your business achieves Cyber Essentials, you will not be able to bid for such contracts at all. In general, these contracts will involve the handling of personal information or delivering certain IT products and services.

Essentially all government contracts where your business will be required to:

  • Handle the personal information of any UK citizens; i.e. bank details or home addresses.
  • Handle the personal information of any government employees, ministers, or advisors; i.e. payroll or expenses information.
  • Deliver IT products or services designed to store, process, or transfer data at an official level.

Cyber Essentials certification is mandated for businesses entering into these contracts and demonstrates that they have achieved the standards and meet the technical requirements defined in by the scheme.

For all businesses looking to bid for government contracts that involve one of the above characteristics, it makes business sense to consider achieving Cyber Essential certification first and not waiting to the last minute.

Ministry of Defence Contracts

The UK Ministry of Defence (MOD) places further emphasis on businesses being Cyber Essentials certified and requires all its suppliers to comply with the Cyber Essentials scheme.

The MOD stated in its announcement that this requirement must flow down to the supply chain, effectively mandating that both organisations directly conducting business with the MOD, as well as organisations delivering to the MOD supply chain must be Cyber Essentials certified to carry on doing their business or to win contracts for businesses going forward.

Importance of Cyber Essentials

Should your business get a Cyber Essentials certification even if it is not mandatory for your business?


Cyber Essentials is an increasingly important certification to achieve for all businesses of all sizes in the UK. Even where not mandatory, the rise of consumer and client awareness of the impacts of cyber attacks or the consequences of personal data breaches, have rightly seen an increased demand for evidence that your business takes its responsibilities seriously and invests in cyber protection.

Be prepared to be asked by your clients to prove that you are committed to maintaining cybersecurity and with Cyber Essentials certification being able to quickly respond to prove it.

There are additional benefits to achieving Cyber Essentials, other than bidding for a government or MOD contracts. For SMEs with little or no IT support or expertise, it provides a basic first step towards cybersecurity. Most SMEs lack adequate cybersecurity measures because they mistakenly feel that they will not be targeted. This is a misconception:

  • More than 60% of SMEs suffered a breach in 2016.
  • The average cost of a breach to these UK-based SMEs was £16,264.

It makes good business sense to invest the minor cost of certification to reduce this risk and mitigate any losses by achieving Cyber Essentials certification.


The Cyber Essentials scheme is mandatory for businesses and suppliers looking to bid for certain government contracts and all Ministry of Defence contracts. If you are a business that deals with the government or major industries in the UK, then it is essential you consider getting certified and maintaining your annual re-certification to keep the business contract.

For all other businesses, demonstrating to clients and customers that you have taken the essential steps to achieve basic cybersecurity, by being Cyber Essentials Certified, makes sound business sense.

CyberSmart is a cybersecurity service provider that helps organisations secure their systems and become Cyber Essentials certified. If you would like to discuss further on whether Cyber Essentials is mandatory for your business, contact us right away.