Since cybersecurity policy updates in 2025, anyone that sells cloud, SaaS or technology services through G-Cloud 15 has needed to be Cyber Essentials certified to win certain public sector contracts - though with a few important caveats depending on the type of cloud supplier you are.
It means Cyber Essentials is now applicable to main cloud software, SaaS and cloud support categories. Hosting suppliers are increasingly being asked to hold Cyber Essentials Plus, too, among other cloud and information security standards.
That said, not every supplier is in the same position. What applies to you depends on your service offering, whether you host infrastructure, whether you support buyer environments and whether your service involves public sector data.
Aside from compliance demands, you’re more likely to have a prominent position in G-Cloud’s searchable catalogue – the one buyers use regularly – if you’re able to demonstrate you have Cyber Essentials or Cyber Essentials Plus.
Quick Links:
What's changed for G-Cloud 15 suppliers?
If you work in supply chains or use subcontractors
If you handle public sector data
Where else can Cyber Essentials help?
Procurement teams in the public sector are tightening supplier assurance checks generally, and many cloud suppliers are feeling it first. Before award, renewal or onboarding, the majority of buyers want to know that basic cyber controls are in place as a condition of the contract.
G-Cloud 15 groups the main services needed by public sector buyers into three categories: hosting, cloud software and support.
Cyber Essentials is the shortcut buyers use to check that baseline without auditing every supplier line by line. It covers the fundamentals like configuration, firewalls, security updates, malware protection and user access - basic, everyday controls, but the kind that protect you from the common routes attackers exploit.
Here's how it breaks down by lot, including which ones need certifying upfront versus within 12 months of award.
|
Lot |
What it covers |
CE requirement |
When it's needed |
|
1a — Cloud hosting (IaaS/PaaS) |
General cloud hosting |
Cyber Essentials Plus |
Required upfront, no grace period |
|
1b — Classified hosting |
Hosting above OFFICIAL |
Cyber Essentials Plus |
Required upfront, no grace period |
|
2a — Infrastructure software |
Infrastructure-as-a-service |
Cyber Essentials |
Within 12 months of award |
|
2b — Cloud software (SaaS) |
Application software services |
Cyber Essentials |
Within 12 months of award |
|
3 — Cloud support |
Consultancy and support services |
Cyber Essentials |
Within 12 months of award |
|
Subcontractors |
Processing personal or OFFICIAL data |
Cyber Essentials |
Within 12 months of award |
Hosting suppliers should generally expect closer scrutiny than others.
If you provide hosting, infrastructure or platform services through G-Cloud 15, it's likely that Cyber Essentials Plus will be the relevant level for you, rather than the standard certification. You may also be asked to evidence other recognised standards, such as ISO 9001, ISO 20000-1 and ISO 27001, depending on the scope of what you provide.
If you offer public cloud services, there may be expectations around how personal data is protected, like evidence of UK data residency or extra safeguards under UK GDPR. If you're private cloud-only, that requirement may not carry the same weight, but you'll still need to show that your systems are well-managed.
Essentially, G-Cloud 15 suppliers need to demonstrate protections that cover more than their products and services. The infrastructure, controls and governance around them form just as much of the buyer’s decision – and both considerations now fall under the purview of G-Cloud 15's procurement compliance requirements.
Anyone who offers migration, implementation, configuration, consultancy, training or ongoing support for cloud services is affected, too - even if you don't host anything yourself.
Despite not having access to their full platform, you may still have access to things like admin permissions, configuration control, remote support, or day-to-day work inside live environments. From a buyer's point of view, that’s an added risk they need to account for, hosting or not.
Cyber Essentials helps with this, as it gives procurement teams and other stakeholders a quick, recognisable signal that you've covered the basics before stepping into someone else's environment.
The G-Cloud 15 framework stipulates that subcontractors and delivery partners also need to hold their own Cyber Essentials certificate for their involvement to be viable.
That means your wider supply chain - including hosting or implementation partners, outsourced support teams, or other subcontractors - is a determining factor in certification too, especially in tightly regulated environments. That’s when buyer scrutiny will extend across your entire supply chain.
The simplest way to cover your bases is to think of their assurance position as your own, but particularly wherever subcontractors help with hands-on service delivery or have direct access to buyer systems and data.
Cyber Essentials is the baseline, but for some contracts, it’s just a starting point.
For those who store, process or support access to public sector data, buyers may want more detail about how they’re protected, which could mean where it's held, who can access it and how incidents are managed.
As a general rule, the more sensitive the data involved, the more assurance you should expect to provide.
This is why it's worth getting ahead of things early. Certification typically runs more smoothly when controls are built into how your business operates, rather than pulled together at buyer onboarding.
Cyber Essentials is also a useful – and increasingly mandatory - asset for cloud, SaaS and IT support suppliers working alongside procurement.
Getting certified can open doors for suppliers who want to bid on contracts with central government, local authorities, NHS bodies, education providers and wider public sector organisations. Beyond this, it also means you’re more able to supply into organisations with stricter onboarding, such as legal services, financial services, outsourced public services, or any organisation handling citizen data.
These buyers won't always be G-Cloud suppliers themselves, but Cyber Essentials can still make you an easier supplier to approve.
Along with standard insurance, financial and social value checks, Cyber Essentials is increasingly part of what it means for G-Cloud 15 suppliers to be procurement-ready.
As a rule of thumb, if you offer cloud software, SaaS or cloud support, Cyber Essentials is the baseline, and if you provide cloud hosting, expect Cyber Essentials Plus and some additional security evidence to come into play.
Leaving certification until contract award, renewal or onboarding can cause avoidable delays that some forward planning could resolve.
The reassuring part is this is all manageable. Cyber Tec can talk you through which level of certification applies to your cloud business and help you prepare for assessment every step of the way.
Yes, it applies across every lot. Which level you need depends on which lot you're bidding on.
Cloud software, SaaS and cloud support lots need basic Cyber Essentials, while cloud hosting lots need Cyber Essentials Plus.
Yes, if they process personal or OFFICIAL data on your behalf — their certification gets factored into yours.