Procurement intelligence

UK public sector cyber security market in 2026

Skim's read on the UK public sector cyber security market: how big it is, who wins, the frameworks that matter, and where an SME can realistically break in.

Skim · Skim procurement intelligence · 30 June 2026 · 11 min read

Figures distil Skim's analysis of UK public award notices on Contracts Finder and the Find a Tender Service carrying IT and security CPV codes (2019–2025), set alongside DSIT's Cyber Security Sectoral Analysis 2025 and published Procurement Act 2023 guidance. Award counts and values are as disclosed on the portals; framework details are from the Government Commercial Agency.

The market is growing, and it is reachable

The UK public sector is buying more cyber security than ever, and most of what it buys is small enough for a specialist SME to deliver. Skim's analysis of award notices on Contracts Finder and the Find a Tender Service shows IT and security contract activity at its highest level on record in 2024, and the pure-cyber slice of that spend is overwhelmingly made up of contracts under £2m.
That is the headline, and it cuts against the usual assumption that government cyber work is the preserve of a handful of large system integrators. The integrators win the biggest contracts. They do not win the most contracts. The route in for a smaller supplier is real, but it runs through two frameworks, a baseline certification, and one piece of intelligence most bidders never assemble: knowing when the contract you want comes up for renewal.

£8.5bn: disclosed UK public sector IT and security contract value in 2024 (Skim analysis of Contracts Finder and Find a Tender)
85%: pure-cyber awards in 2024 that were under £2m, within SME delivery range (Skim analysis, 221 of 259 GBP-denominated awards)

To compete you need to be on G-Cloud 15 or Cyber Security Services 3, hold at least Cyber Essentials, build one credible public sector reference, and track contract expiries in your target segment. The rest of this report is the detail behind each of those moves.

Is the market actually growing?

Yes. Award volumes for IT and security work have risen by roughly 70% since 2019, and total disclosed value is up by more than half over the same period. The shape of the trend matters as much as the total: a pandemic-driven spike in 2020, a plateau through 2022–23, and a broad-based recovery in 2024 spread across more distinct buyers than any year except the 2020 peak.

+70%: growth in annual IT and security award volume since 2019 (Skim analysis, non-framework awards)

Year | Awards (excl. framework parents) | Distinct buyers | Disclosed value
2019 | 1,437 | 442 | £5.4bn
2020 | 2,102 | 532 | £9.0bn
2021 | 2,584 | 625 | £7.8bn
2022 | 2,664 | 636 | £6.1bn
2023 | 2,555 | 687 | £7.4bn
2024 | 2,437 | 683 | £8.5bn

The 2024 figure of 2,437 awards across 683 distinct buyers is the second-highest buyer count on record, which suggests the market has broadened rather than simply concentrated. For pure-cyber services specifically, the direction is confirmed by DSIT's Cyber Security Sectoral Analysis 2025, which records 942 cyber contracts worth a provisional £931m in 2024, with a further uplift expected as late notices publish. The whole UK cyber security industry generated £13.2bn in revenue in 2024, up 12% on the year, employing 67,300 people.

£13.2bn: UK cyber security sector revenue in 2024, up 12% year on year (DSIT, Cyber Security Sectoral Analysis 2025)

Where the spend sits, by buyer segment

Central government and its arm's-length bodies account for the majority of disclosed IT and security activity, but the broadest buyer base — and the most reachable work for an SME — sits in NHS and health.

Buyer segment | Awards, 2022–24 | Distinct buyers | Disclosed value
Central government / ALBs | 4,018 | 598 | £14.3bn
Local government | 1,489 | 288 | £1.9bn
NHS / health | 957 | 221 | £3.1bn
MOD / defence | 448 | 10 | £921m
Education | 333 | 79 | £255m
Blue light | 197 | 65 | £561m

Across 2022–24 that is 7,442 awards in total, with central government taking roughly 54% of the volume. The detail underneath is where the targeting decisions live:
  • Central government dominates by both volume and value, with HMRC, the Home Office, DWP, DSIT and UKHSA among the most frequent buyers of IT security.
  • NHS and health has the widest buyer base — 221 distinct buyers in three years — and trust-level procurements that typically land in the £250k–£5m range. It is the most realistic first segment for a smaller supplier.
  • MOD and defence concentrates spend among very few buyers but at high individual values. Security-cleared suppliers, or those partnering with a cleared prime, have a structural advantage.
  • Local government is the fastest-growing segment by number of buyers as councils catch up on modernisation, and cyber is increasingly a standalone line rather than an IT afterthought.

Which sub-sectors are hot, and which are flat

Skim's award-count data points to security consultancy and security software growing fastest, while commodity managed IT flattens.
Growing:
  • Security consultancy and audit. Demand is driven by the NCSC's GovAssure programme, which is pushing security architecture reviews and risk assessments across central government.
  • Security software. Data and file security categories are climbing as zero-trust architecture adoption spreads.
  • Network and internet security. Fewer standalone awards, but larger ones, as departments consolidate network security into bigger contracts.
  • AI security and machine-learning threat detection. Not yet its own contract category, but appearing more often in award descriptions as departments treat security as the foundation for wider AI adoption.
Flat or declining:
  • Commodity managed IT (break-fix, desktop support), which is being absorbed into wider transformation contracts.
  • On-premise network infrastructure, displaced by cloud.
  • Standalone training and awareness, now usually bought through cloud call-offs rather than as separate procurements.

Who wins, and why SMEs win more than you would think

The market is bifurcated. Large integrators take the value; SMEs take the volume. Across 2021–24, the overwhelming majority of pure-cyber awards fell into the smallest size band.

Award size band | Share of pure-cyber awards
Under £2m | 85%
£2m–£10m | 8%
Over £10m | 7%

The big contracts go to familiar names — CGI, IBM, Cognizant, Kainos, BAE Systems Applied Intelligence and BJSS all appear repeatedly across central government IT and security awards. But below roughly £2m the field opens up, and that is where an SME competes on equal terms. The structural fact worth holding onto: smaller suppliers already hold around one in three public sector cyber contracts, and that share is rising under the new spend rules described below.

The contracts are small enough for an SME to deliver and numerous enough to build a public sector track record on. The hard part is timing the retender, not winning the work.

The bias problem, and what the Procurement Act changes

Three things make this market harder than the raw numbers suggest: incumbency, framework concentration, and the gap between how central and local buyers procure. Skim's data consistently shows that a large majority of IT and cyber retenders are won by the incumbent or a close affiliate, and that most central government cyber spend flows through a handful of frameworks — so a supplier without framework presence is shut out of most above-threshold demand before a bid is even written.
That picture is now shifting in the SME's favour:
  • The Procurement Act 2023, in force since February 2025, places a duty on contracting authorities to consider SME participation, remove disproportionate barriers, and engage the market earlier.
  • PPN 001, also from February 2025, requires central government bodies to set three-year SME spend targets from April 2025 and publish their progress — a buyer-side incentive to award to smaller suppliers that did not exist before.
  • The National Procurement Policy Statement embeds Cyber Essentials controls as a supply-chain condition, effectively making certification a threshold for taking part.
  • 30-day payment terms now apply through the public sector supply chain, easing the cash-flow penalty that fell hardest on SME subcontractors.

Frameworks: your route to market

Two frameworks matter most for a cyber SME. Get on both: one for products, one for services.

Framework | Reference | Type | What it covers | Admission
G-Cloud 15 | RM1557.15 | Open framework | Cloud hosting, SaaS and cloud support, including security-as-a-service | Closed for the first round (Jan 2026); reopens roughly 18 months after go-live
Cyber Security Services 3 | RM3764.3 | Dynamic purchasing system | NCSC-assured services: penetration testing, IT health checks, incident response, managed security, SOC | Open now — apply any time
Technology Services 4 | TS4 | Closed framework | IT consultancy, managed services, digital programmes | Closed; live from late 2025

G-Cloud 15 is the first G-Cloud let under the Procurement Act and is due to go live in autumn 2026. The compliance bar has risen: Cyber Essentials is now mandatory for every lot, and Cyber Essentials Plus is required for the cloud-hosting lots (1a and 1b). As an open framework it reopens to new suppliers periodically, so a missed deadline is no longer a multi-year lockout.
Cyber Security Services 3 is a dynamic purchasing system, which means it admits new suppliers year-round with no waiting for a re-tender cycle. It is the official route to NCSC-assured services, and buyers cannot direct-award through it — every call-off runs as a mini-competition among shortlisted suppliers. For a credible SME, that levels the field.

Open now: Cyber Security Services 3 (RM3764.3) admits new suppliers year-round (Government Commercial Agency)

How to win: a practical bid strategy

The single most powerful SME advantage is not a better proposal. It is knowing when a contract comes up for renewal, and starting buyer engagement before the retender is published.
  • Bid with discipline. Score each opportunity on buyer relationship, incumbent strength, the quality-versus-price weighting, and whether your framework and CPV profile actually match. A small team chasing everything wins nothing.
  • Build prior-win evidence early. Central government buyers expect recent public sector case studies. One NHS trust win is credible evidence for the next trust; one council win opens the door to other councils. Start the library with your first small award.
  • Treat social value as delivery, not narrative. Under the Procurement Act regime it is explicitly scored — typically 10–20% of the quality mark. For cyber that means apprenticeships, supply-chain SME spend, and community cyber awareness built into how you deliver.
  • Get assured before you pursue. NCSC and CREST credentials are threshold conditions in most cyber further-competitions. Acquire them before you chase the work, not after you lose for the want of them.
  • Time the expiry. Identify four or five contracts in your target segment expiring in 12–18 months, begin engagement 9–12 months out, and make sure you are on the relevant framework before the notice lands.
Skim's expiry radar exists to make that last point operational. As an illustration, the table below is a representative sample of higher-value UK cyber and IT contracts approaching their rebid window — the kind of signal that turns a cold bid into a planned one.

Contract | Buyer | Value | Incumbent | Expiry
ICT managed workplace services | North Wales Police | £9m | CGI IT UK | Oct 2026
Cyber security delivery partner | Companies House | £9m | Salus Cyber | Jun 2027
Technical assurance support | NHS England | £40m | Qualitest | Apr 2027
Digital service delivery partner | Pensions Regulator | £11.6m | Kainos | Jun 2027
Dev/Ops L2 and L3 support | UKHSA | £9.5m | Burendo | Mar 2027

Who to partner with

Partnering is the fastest path to framework presence and a first reference, not a sign of weakness.
  • Partner with a listed prime. Large suppliers on G-Cloud or TS4 routinely need NCSC-specialist subcontractors. A subcontracting relationship today becomes your case study for a solo bid in eighteen months.
  • Partner with complementary SMEs. Penetration-testing firms pair naturally with SOC and managed-detection providers; a consortium bid on RM3764.3 lets two or three SMEs meet a scope none could address alone.
  • Line up your assurance partners. Budget three to six months for NCSC CHECK or CREST accreditation. It is the quality signal that most clearly separates a credible cyber specialist from a generalist IT supplier in a further-competition evaluation.

The 12–24 month outlook

The structural case is strong, and several specific drivers are landing in the window that matters:
  • GovAssure is pushing security architecture and audit work across departments that have not yet completed their Cyber Assessment Framework reviews.
  • The NHS cyber programme is reaching refresh cycles on endpoint detection, SIEM and incident response bought during the 2020–22 digitisation wave.
  • Local authority cyber uplift continues, with councils under pressure from insurers and the NCSC to demonstrate baseline hygiene, often for the first time.
  • AI security and model assurance is a nascent but fast-growing sub-market where early movers face little competition.
  • The Cyber Security and Resilience Bill is expected to widen regulatory scope and mandatory incident reporting across critical national infrastructure, creating compliance-driven demand.
On the public-procurement record specifically, a reasonable read for 2025–26 is £1–1.2bn a year in disclosed cyber-specific contract value, with the broader IT and security market continuing to track north of £8bn annually.

FAQ

Does a company need Cyber Essentials to bid for UK government cyber work?
For contracts involving sensitive, personal or classified data, or IT products and services, Cyber Essentials has been a baseline requirement since 2014, and G-Cloud 15 has extended it to every cloud lot, with Cyber Essentials Plus required for the hosting lots. Self-assessed certification starts at around £300; the independently assessed Plus tier typically runs into the low thousands. See the NCSC's Cyber Essentials overview.
What is the difference between G-Cloud 15 and Cyber Security Services 3?
G-Cloud is for cloud-based products and services — hosted SIEM, cloud endpoint protection, SaaS security tools. Cyber Security Services 3 is for professional cyber services — penetration testing, assessments, incident response, managed security. Most cyber SMEs should be on both: G-Cloud for the product, RM3764.3 for the service.
Can an SME with no public sector track record break in?
Yes, but not through blind bidding. Join RM3764.3, which is open now with no track-record requirement at the admission stage, then pursue a sub-£250k award from a council or NHS trust using an open procedure, and build that into a case study. A few wins of that kind are enough to compete in further competitions for larger work.
How big is the UK public sector cyber security market?
Skim records over £8.5bn of disclosed IT and security contract value in 2024 across the public sector. For the pure-cyber slice, DSIT's Cyber Security Sectoral Analysis 2025 cites 942 contracts worth a provisional £931m, and puts total UK cyber sector revenue at £13.2bn, up 12% on the year.
What is GovAssure, and does it create opportunities?
GovAssure is the NCSC's Cyber Assessment Framework programme, requiring central government departments to assess and improve their cyber resilience. Departments yet to complete their assessment commission architecture reviews, risk assessments and remediation — a growing category of advisory work for suppliers with the right credentials.
How does a dynamic purchasing system differ from a closed framework?
A dynamic purchasing system such as RM3764.3 is permanently open: a supplier can apply at any point and compete in further competitions soon after admission. A closed framework only opens at set application windows, so missing one can mean a multi-year wait.
