The regulatory and contractual framework driving cyber security requirements in the engineering and consulting sector has become considerably more complex over the past three years. What was previously a recommendation has become a requirement — and the requirement has spread from direct government contracts into the commercial supply chains of major organisations across defence, infrastructure, utilities, and public services. This post maps the full picture of what is required, by whom, and what demonstrating compliance looks like.
UK Government Procurement: Cyber Essentials as a Baseline
Procurement Policy Note (PPN) 09/14, updated and reinforced through subsequent guidance, requires all central government suppliers handling personal data or providing certain ICT products and services to hold Cyber Essentials certification. This applies to contracts across all government departments, agencies, and arm's-length bodies. It is not optional and it is not negotiable — a supplier without Cyber Essentials certification cannot qualify for affected contracts.
The requirement extends to subcontractors in the supply chain. A prime contractor that holds Cyber Essentials will frequently include it as a requirement in their own supply chain contracts — meaning that an engineering consultancy working as a sub-tier supplier to a prime on a government contract may be contractually required to hold the certification by their direct client, not just by the end customer.
For contracts involving sensitive or classified government information, Cyber Essentials Plus may be required rather than the standard self-assessment. Plus covers the same five controls, but an accredited assessor verifies them by hands-on testing, including an external vulnerability scan and checks on a sample of end-user devices, rather than accepting the questionnaire answers. Firms working in or adjacent to the classified space should confirm the specific requirement with their client rather than assuming standard Cyber Essentials is sufficient; classified material is governed by its own security regime, for which Cyber Essentials Plus is a baseline, not a substitute.
The Defence Cyber Protection Partnership
The DCPP is a collaboration between the Ministry of Defence and the defence industry to improve cyber security across the defence supply chain. Its Cyber Security Model, set out in DEF STAN 05-138, assigns each contract a cyber risk profile based on the sensitivity of the information and systems the supplier will access. Cyber Essentials is the minimum baseline for every profile above the lowest, and the higher profiles add further controls, starting with Cyber Essentials Plus, that go well beyond that minimum.
Defence primes — BAE Systems, Leonardo, Babcock, Rolls-Royce, QinetiQ, Thales, and others — include DCPP-aligned security requirements in their supply chain contracts. An engineering firm subcontracting to any of these organisations is likely to face a Cyber Essentials requirement (and potentially more) as a condition of their subcontract. Firms that have not checked their existing subcontracts for these requirements should do so — non-compliance may be a contractual breach that has existed since the requirement was introduced.
Infrastructure and Utilities Sector Requirements
The Network and Information Systems (NIS) Regulations 2018 impose cyber security obligations on operators of essential services in sectors including energy, transport, water, health and digital infrastructure, and on relevant digital service providers. The government's Cyber Security and Resilience Bill is intended to update and extend that regime rather than replace it. Operators are required to implement appropriate and proportionate security measures and to manage the risks posed by their supply chains.
Engineering consultancies and contractors working in these sectors face the security requirements of their clients cascading into their own procurement practices. An engineering firm engaged by a water utility on an infrastructure project may be required to demonstrate security controls that satisfy the utility's own regulatory obligations under NIS/CSRA — because the engineering firm's systems and staff are part of the utility's operational environment during the project.
Pre-Qualification Questionnaires
PQQ responses for framework agreements, preferred supplier lists, and major project procurements across both public and private sector now routinely include cyber security questions. The specific questions vary but commonly cover: Cyber Essentials certification status, whether a formal information security management system is in place, whether staff receive security awareness training, what incident response capability exists, and what the firm's patch management process is.
Firms that cannot answer these questions with evidence — not assertions — are marked down or excluded at the PQQ stage, before ever reaching the technical or commercial evaluation. The investment in Cyber Essentials certification and a documented security programme is recoverable over the lifetime of one contract it enables. The cost of failing PQQ at scale — across multiple framework bids — is not.
ISO 27001 and Beyond Cyber Essentials
For firms competing for the highest-value contracts, particularly in the defence and nuclear sectors, Cyber Essentials may be the floor rather than the ceiling of what is required. ISO 27001 certification — which requires an independently audited Information Security Management System — is increasingly requested by tier-one primes and by some government bodies for higher-risk supplier categories.
ISO 27001 is a significantly more substantial undertaking than Cyber Essentials, requiring the development and maintenance of a comprehensive ISMS, regular internal audits, a management review process, and periodic external surveillance audits. For firms for whom ISO 27001 is a genuine competitive requirement, the path from Cyber Essentials to ISO 27001 is sequential: Cyber Essentials establishes the technical controls; ISO 27001 builds the management system around them.
The Monitoring Requirement Hidden in Plain Sight
Several of the frameworks above carry a requirement that is less visible than the certification requirement: the ability to detect and respond to incidents. The NIS Regulations, DCPP guidance, the NCSC's supply chain security guidance and, for firms working with the NHS, Data Security Standard 6 of the Data Security and Protection Toolkit (DSPT) all ask for detection capability, not just protective controls.
Cyber Essentials addresses prevention through its five controls: firewalls, secure configuration, security update management (patching), user access control and malware protection. None of them is a detection control, and the assessment does not ask what would be noticed, or by whom, if one of them failed. An organisation that holds Cyber Essentials but has no monitoring capability therefore meets the certification requirement while falling short of the broader frameworks that ask how incidents are detected. Continuous monitoring closes this gap and provides the ongoing evidence of active security management that a certificate-only approach cannot.
Certified. Monitored. Contract-Ready.
SOC in a Box includes Cyber Essentials certification consulting and monthly Confidence Score reports that directly address PQQ cyber security questions and supply chain audit requirements. Your named analyst produces the monthly evidence that satisfies both the certification requirement and the monitoring requirement in a single service.
Book a scoping call