Overview
This PPN applies to all central government departments, their executive agencies and non-departmental public bodies, and NHS bodies (collectively referred to as ‘in-scope organisations’) when awarding public contracts for goods, and or services, and or works, other than special regime contracts. Other public sector bodies may wish to apply the approach set out in this PPN.
This PPN sets out government guidance on ensuring effective cyber security controls are in place for certain types of contract considered to be at a higher risk of cyber security threats; or with certain characteristics that would require them to have a greater regard to cyber security concerns.
In particular, this PPN requires that suppliers bidding for these types of contract must demonstrate prior to the award of the contract that they hold Cyber Essentials or Cyber Essentials Plus certification (or demonstrate that equivalent controls are in place).
In-scope organisations should note that there may be cases where a higher level of security controls are required, and should specify these requirements accordingly.
Note: This PPN replaces PPN 09/23 for procurements commencing on or after 24 February 2025.