UK public sector cyber security market in 2026
Skim's read on the UK public sector cyber security market: how big it is, who wins, the frameworks that matter, and where an SME can realistically break in.
Figures distil Skim's analysis of UK public award notices on Contracts Finder and the Find a Tender Service carrying IT and security CPV codes (2019–2025), set alongside DSIT's Cyber Security Sectoral Analysis 2025 and published Procurement Act 2023 guidance. Award counts and values are as disclosed on the portals; framework details are from the Government Commercial Agency.

The market is growing, and it is reachable
Source: Skim analysis of Contracts Finder and Find a Tender
Source: Skim analysis (221 of 259 GBP-denominated awards)
Is the market actually growing?
Source: Skim analysis, non-framework awards
| Year | Awards (excl. framework parents) | Distinct buyers | Disclosed value |
|---|---|---|---|
| 2019 | 1,437 | 442 | £5.4bn |
| 2020 | 2,102 | 532 | £9.0bn |
| 2021 | 2,584 | 625 | £7.8bn |
| 2022 | 2,664 | 636 | £6.1bn |
| 2023 | 2,555 | 687 | £7.4bn |
| 2024 | 2,437 | 683 | £8.5bn |
Source: DSIT, Cyber Security Sectoral Analysis 2025
Where the spend sits, by buyer segment
| Buyer segment | Awards, 2022–24 | Distinct buyers | Disclosed value |
|---|---|---|---|
| Central government / ALBs | 4,018 | 598 | £14.3bn |
| Local government | 1,489 | 288 | £1.9bn |
| NHS / health | 957 | 221 | £3.1bn |
| MOD / defence | 448 | 10 | £921m |
| Education | 333 | 79 | £255m |
| Blue light | 197 | 65 | £561m |
- Central government dominates by both volume and value, with HMRC, the Home Office, DWP, DSIT and UKHSA among the most frequent buyers of IT security.
- NHS and health has the widest buyer base — 221 distinct buyers in three years — and trust-level procurements that typically land in the £250k–£5m range. It is the most realistic first segment for a smaller supplier.
- MOD and defence concentrates spend among very few buyers but at high individual values. Security-cleared suppliers, or those partnering with a cleared prime, have a structural advantage.
- Local government is the fastest-growing segment by number of buyers as councils catch up on modernisation, and cyber is increasingly a standalone line rather than an IT afterthought.
Which sub-sectors are hot, and which are flat
Hot:
- Security consultancy and audit. Demand is driven by the NCSC's GovAssure programme, which is pushing security architecture reviews and risk assessments across central government.
- Security software. Data and file security categories are climbing as zero-trust architecture adoption spreads.
- Network and internet security. Fewer standalone awards, but larger ones, as departments fold network security into bigger consolidated contracts.
- AI security and machine-learning threat detection. Not yet its own contract category, but appearing more often in award descriptions as departments treat security as the foundation for wider AI adoption.
Flat:
- Commodity managed IT (break-fix, desktop support), which is being absorbed into wider transformation contracts.
- On-premise network infrastructure, displaced by cloud.
- Standalone training and awareness, now usually bought through cloud call-offs rather than as separate procurements.
Who wins, and why SMEs win more than you would think
| Award size band | Share of pure-cyber awards |
|---|---|
| Under £2m | 85% |
| £2m–£10m | 8% |
| Over £10m | 7% |
“The contracts are small enough for an SME to deliver and numerous enough to build a public sector track record on. The hard part is timing the retender, not winning the work.”
The bias problem, and what the Procurement Act changes
- The Procurement Act 2023, in force since February 2025, places a duty on contracting authorities to consider SME participation, remove disproportionate barriers, and engage the market earlier.
- PPN 001, also from February 2025, requires central government bodies to set three-year SME spend targets from April 2025 and publish their progress — a buyer-side incentive to award to smaller suppliers that did not exist before.
- The National Procurement Policy Statement embeds Cyber Essentials controls as a supply-chain condition, effectively making certification a threshold for taking part.
- 30-day payment terms now apply through the public sector supply chain, easing the cash-flow penalty that fell hardest on SME subcontractors.
Frameworks: your route to market
| Framework | Reference | Type | What it covers | Admission |
|---|---|---|---|---|
| G-Cloud 15 | RM1557.15 | Open framework | Cloud hosting, SaaS and cloud support, including security-as-a-service | Closed for the first round (Jan 2026); reopens roughly 18 months after go-live |
| Cyber Security Services 3 | RM3764.3 | Dynamic purchasing system | NCSC-assured services: penetration testing, IT health checks, incident response, managed security, SOC | Open now — apply any time |
| Technology Services 4 | TS4 | Closed framework | IT consultancy, managed services, digital programmes | Closed; live from late 2025 |
Source: Government Commercial Agency
How to win: a practical bid strategy
- Bid with discipline. Score each opportunity on buyer relationship, incumbent strength, the quality-versus-price weighting, and whether your framework and CPV profile actually match. A small team chasing everything wins nothing.
- Build prior-win evidence early. Central government buyers expect recent public sector case studies. One NHS trust win is credible evidence for the next trust; one council win opens the door to other councils. Start the library with your first small award.
- Treat social value as delivery, not narrative. Under the Procurement Act regime it is explicitly scored — typically 10–20% of the quality mark. For cyber that means apprenticeships, supply-chain SME spend, and community cyber awareness built into how you deliver.
- Get assured before you pursue. NCSC and CREST credentials are threshold conditions in most cyber further-competitions. Acquire them before you chase the work, not after you lose for the want of them.
- Time the expiry. Identify four or five contracts in your target segment expiring in 12–18 months, begin engagement 9–12 months out, and make sure you are on the relevant framework before the notice lands.
| Contract | Buyer | Value | Incumbent | Expiry |
|---|---|---|---|---|
| ICT managed workplace services | North Wales Police | £9m | CGI IT UK | Oct 2026 |
| Cyber security delivery partner | Companies House | £9m | Salus Cyber | Jun 2027 |
| Technical assurance support | NHS England | £40m | Qualitest | Apr 2027 |
| Digital service delivery partner | Pensions Regulator | £11.6m | Kainos | Jun 2027 |
| Dev/Ops L2 and L3 support | UKHSA | £9.5m | Burendo | Mar 2027 |
Who to partner with
- Partner with a listed prime. Large suppliers on G-Cloud or TS4 routinely need NCSC-specialist subcontractors. A subcontracting relationship today becomes your case study for a solo bid in eighteen months.
- Partner with complementary SMEs. Penetration-testing firms pair naturally with SOC and managed-detection providers; a consortium bid on RM3764.3 lets two or three SMEs meet a scope none could address alone.
- Line up your assurance partners. Budget three to six months for NCSC CHECK or CREST accreditation. It is the quality signal that most clearly separates a credible cyber specialist from a generalist IT supplier in a further-competition evaluation.
The 12–24 month outlook
- GovAssure is pushing security architecture and audit work across departments that have not yet completed their Cyber Assessment Framework reviews.
- The NHS cyber programme is reaching refresh cycles on endpoint detection, SIEM and incident response bought during the 2020–22 digitisation wave.
- Local authority cyber uplift continues, with councils under pressure from insurers and the NCSC to demonstrate baseline hygiene, often for the first time.
- AI security and model assurance is a nascent but fast-growing sub-market where early movers face little competition.
- The Cyber Security and Resilience Bill is expected to widen regulatory scope and mandatory incident reporting across critical national infrastructure, creating compliance-driven demand.
Sources
- DSIT, Cyber Security Sectoral Analysis 2025
- Procurement Act 2023, legislation.gov.uk
- PPN 001 — SME and VCSE procurement spend targets, GOV.UK
- Government Commercial Agency, G-Cloud 15 (RM1557.15)
- Government Commercial Agency, Cyber Security Services 3 (RM3764.3)
- NCSC, Cyber Essentials
- Skim analysis of UK public award notices on Contracts Finder and the Find a Tender Service, IT and security CPV codes, 2019–2025