What PPN 014 means for your business


Procurement Policy Note (PPN) 014 changes the requirements for government and public sector body tenders in the UK. Here’s everything you need to know.

What is PPN 014?

PPN 014 is a government directive aimed at reducing cyber risk in public sector supply chains. Essentially, if your business supplies services or products to government departments or bodies, you’ll be required to prove you have basic cybersecurity controls in place. The simplest way to do this is to complete Cyber Essentials certification.

Why has PPN 014 been enacted?

Simply put, supply chain attacks pose a huge problem. More than 75% of software supply chains experienced cyberattacks in 2024, at a rate of one every two days. What’s more, supply chain attacks are projected to cost the global economy $138 billion (£108 billion) by 2031.

At the same time, according to government research, UK businesses are ill-prepared for supply chain risks. Only one in ten businesses say they review supplier risk (11%, vs. 9% of charities). PPN 014 is an attempt to plug this gap.

Want to know more about the risks posed by supply chains? Check out our guide to supply chain attacks.

History and timeframes

Since 2014, suppliers bidding for certain government contracts have been expected to demonstrate a minimum level of cybersecurity. Earlier PPNs (PPN 09/14 and PPN 09/23) built this foundation, and PPN 014 updates it in line with recent legislation such as the Procurement Act 2023 and the Procurement Regulations 2024.

If you’re a business PPN 014 applies to (more on which in the next section), there are a couple of dates to bear in mind:

  1. 24th February 2025 – all procurements that begin on or after this date are subject to the new rules
  2. Contracts awarded up to (and including) the 23rd February 2025 will continue to follow the earlier PPN 09/23 requirements

Who is in scope for PPN 014?

If you work with any of the following, you’ll be considered ‘in scope’ for PPN 014 the next time you bid for a contract:

  • Central government departments and executive agencies
  • Non-departmental public bodies (NDPBs)
  • NHS bodies

To bid for any of these contracts you must be prepared to demonstrate that your cybersecurity meets the standards laid out by PPN 014.

What you need to do to meet PPN 014

Procurement requirements can appear daunting, especially if you’re new to thinking about your cybersecurity. However, the provisions of PPN 014 are actually quite simple and shouldn’t require wading through hours of paperwork or reinventing the wheel. Here’s what you should do.

1. Get Cyber Essentials certified

First things first, you need to complete Cyber Essentials or Cyber Essentials Plus certification. Cyber Essentials certification will help you put in place the five basic security controls required by PPN 014.

Plus, it’ll protect your company. Cyber Essentials is proven to defend against 98.5% of the most common cyber threats, and organisations with Cyber Essentials are 92% less likely to claim on cyber insurance policies.

All in all, it’s the easiest route to meeting PPN 014 requirements.

2. Check your certification scope

Once you’ve completed Cyber Essentials, you need to check the scope of your certificate. Does it cover the parts of your business that are relevant to the contract you’re bidding for?

If your operations are split across multiple locations, offices or areas, you’ll need to clarify which parts are included. In most cases, this will have been something you tackled when undertaking the assessment. However, it’s always worth checking that nothing has changed, as your evidence could be invalidated if part of your operations falls outside the scope of your certificate.

3. Prepare documentation

Next, you’ll need to provide evidence of your certification when tendering. You should receive either a digital or physical certificate once you complete the assessment.

4. Keep an eye on your renewal date

Cyber Essentials is an annual certification, so you’ll need to renew it once a year to account for any changes in your business. With this in mind, it’s worth keeping an eye on when your renewal date is coming up so you don’t become ineligible for government contracts.

How to prepare for PPN 014

1. Review the guidance

Visit the National Cyber Security Centre’s (NCSC) Cyber Essentials website and use the readiness toolkit to understand the requirements.

2. Understand your contractual requirements

Check tender documents carefully to confirm whether Cyber Essentials certification (or equivalent) is needed. If in doubt, you can always ask the contracting authority or your managed service provider for clarification.

3. Talk to CyberSmart

CyberSmart is dedicated to helping small businesses build Complete Cyber Confidence within their organisations. If you’re struggling with the requirements of PPN 014 or need to start the Cyber Essentials certification process, talk to us; we can help. We offer unlimited guidance and support, free 25k cyber insurance on completion, and we often get you certified in as little as 24 hours.

If you already work with an MSP (Managed Service Provider) or IT company, let us know so we can speak with them to support you through the process.

How can Managed Service Providers help?

Of course, if you’re an MSP who works with government bodies you’ll need to comply with the requirements of PPN 014 yourself. If this is the case, you likely need a Cyber Essentials certification (something we recommend for all MSPs, regardless of who you work with).

However, you may also need to help your clients meet these requirements. Whether by managing their IT services, helping them complete Cyber Essentials, or advising on security best practices, you have a vital role to play.

Supporting your clients

There are a few key things you can do to support your clients with PPN 014:

Subcontractor management

If you work with other vendors or subcontractors, make sure they meet the necessary cybersecurity standards. By far the simplest way to do this is to insist that anyone you work with has a valid Cyber Essentials certification as a minimum requirement.

Provide advice

Many businesses, particularly SMEs, won’t be aware that they need to complete Cyber Essentials to bid for government contracts. This is your chance to walk them through the process, offer advice on best practices and, ultimately, help them become more secure.

Offer pre-tender support

Offer assistance to clients in preparing tenders that require PPN 014 compliance by outlining the certification roadmap and available resources such as the NCSC’s Active Cyber Defence guidance.

Finally, if you need support, reach out to CyberSmart. We work with over 800 MSPs across the UK and beyond. Find out how partnering with CyberSmart could benefit your business here.
