Navigating UK Public Sector Cyber Security frameworks in 2026.

The procurement framework you choose shapes the kind of cyber capability you can buy – and how fast it can be on-site. Most departments don't think about this until it's already a problem.
Public sector cyber procurement has changed faster than most departments realise. The framework landscape is maturing, the rules around off-payroll working have tightened, and central scrutiny on supplier compliance has stepped up sharply. For procurement leads and CISOs working inside central government, NHS trusts, local authorities and arms-length bodies, knowing which framework fits which engagement is no longer optional.
This is a practical guide. Not a legal one. We walk through the frameworks that matter most in 2026, what they're actually for, and where the common procurement mistakes happen.
The framework landscape, briefly
There are dozens of frameworks active across UK Public Sector procurement. For Cyber Security capability, four matter more than the rest:
- G-Cloud (current iteration RM1557.14) – the standing catalogue for cloud-hosted services. Useful for SaaS-style cyber tooling and hosted cyber services. Less suited to bespoke capability or embedded delivery.
- Digital Outcomes (current iteration via the Digital Marketplace) – the route for outcome-based digital and cyber engagements. The natural home for fixed-price Statement of Works delivery, embedded teams and capability programmes.
- RM6263 Public Sector Resourcing (PSR) – Crown Commercial Service's main route for contingent labour into central government, including specialist cyber resource. Tightly governed, IR35-aware.
- Local authority and NHS frameworks – ESPO MSTAR4, NEPRO, NHS WMP and others operate sector-specific routes for resourcing and managed services. Often the most efficient option for local government and health.
Each framework has its own rules on lot structure, evaluation criteria, off-payroll determination and call-off process. Choosing the wrong one rarely stops a procurement, but it usually slows it.
Match the framework to the engagement type
The most consistent procurement mistake we see is treating frameworks as interchangeable. They aren't. The right starting question is not "which framework do we have access to?" but "what kind of engagement do we actually need?"
- Need an outcome delivered – a SOC built, an architecture review completed, a Cyber Essentials Plus certification achieved? Use Digital Outcomes or a sector framework that supports outcome-based call-offs. Avoid contingent labour routes.
- Need named specialist resource embedded in your team for a defined period? Use RM6263 PSR or the equivalent sector framework. Set the off-payroll status determination up front.
- Need cyber tooling, hosting or a managed cyber service from a SaaS provider? G-Cloud is built for that. Don't try to buy people through it.
Off-payroll working: still the biggest trap
The Off-Payroll Working rules (IR35) have applied to Public Sector bodies since April 2017 under Chapter 10 of ITEPA 2003. Despite eight years of operation, IR35 missteps remain the largest source of unplanned tax exposure for departments. Recent HMRC enforcement has produced over £300m in tax bills against Public Sector bodies for non-compliance, with one departmental settlement alone reaching £87.9m.
Three practical points apply across every framework:
- The hiring department, not the agency, makes the Status Determination Statement. Ownership cannot be delegated.
- Once a determination is made, the fee-payer must operate via PAYE or PAYE umbrella where the worker is inside IR35. Use FCSA and SafeRec accredited umbrella providers, not unverified ones.
- Audit trails matter. Document the determination process, the role profile it was based on, and the supply chain that operated it.
Where direct procurement still makes sense
Frameworks are not the only route. For requirements below threshold, or for very specific specialist capability where framework lots don't fit, direct award under PCR 2015 (and from October 2024 the Procurement Act 2023) remains a legitimate route – provided the value is appropriate and the rationale is documented. For cleared cyber resource at DV level, direct award is often the only practical option, because the supply pool is too small for competitive framework processes to function meaningfully.
What to ask suppliers before call-off
A short checklist that filters out most of the avoidable problems:
- Are you on the framework lot we are calling off against, with current accreditation?
- Can you evidence ISO 9001 (or equivalent) for service delivery quality?
- Are your umbrella providers FCSA and SafeRec accredited? Can you produce the supply chain audit trail?
- Do you carry the insurance levels the framework requires (PI, PL, EL, cyber)?
- Can you supply a Carbon Reduction Plan and a CSR / Social Value position aligned with PPN 06/21 and PPN 06/20?
- Can you mobilise the role profile within the framework's expected timeframe, with cleared resource where required?
Suppliers that struggle to answer those questions cleanly are suppliers that will produce procurement issues later. Suppliers that answer them in twenty minutes are suppliers that have lived inside the framework rules long enough to operate without friction.