Your technical standards are exacting; your contracts should be too. Free, production-ready legal templates built by a specialist cyber security lawyer.
Danzell v3.3 tightens Cyber Essentials from April 2026. New IASME schemes bring additional regulatory complexity. These templates cover all of it.
Compare them against your existing terms, take what works, and help us improve them for the benefit of UK cyber.
CMA authorisation is the obvious starting point, but it only addresses the criminal offences. Civil liability, third-party infrastructure, data protection, wireless interception, and AI tooling are each a distinct legal risk. Each needs its own control.
CMA authorisation for the criminal offences under sections 1–3A of the Computer Misuse Act 1990. A separate contractual waiver for civil claims, since authorisation alone does not prevent the client suing in contract or tort. Liability for out-of-scope testing routes back to the liability cap, not to the criminal law.
A vulnerability in third-party software exists in every instance of that software, not just in your client’s deployment. It is not your client’s confidential information, and the contract should leave you free to disclose it to the vendor, report it, and publish.
Disclosure and human oversight requirements. No training on client data. Cross-engagement contamination controls. False positive warnings. Provisions for DPA 2018 and UK GDPR where AI processes personal data incidentally.
Premises access, tailgating, lock manipulation, device deployment. RFID/NFC badge cloning, rogue AP deployment, spectrum monitoring. Permitted pretexts, prohibited activities, named personnel, detention protocol, and letter of authorisation requirements.
MSA and SOW structure for recurring relationships. Drafted from the tester’s perspective.
A client fails CE, blames your assessor, and withholds payment. A failed certification stalls a procurement and the client wants a free reassessment. Your assessor recommends a configuration change, the client implements it, and their environment breaks. When any of these happen, your terms of business are the only thing that determines where the cost falls.
The standards are getting harder. Danzell (v3.3) introduces mandatory MFA, auto-fail marking criteria, and expanded cloud service scoping for Cyber Essentials from April 2026. DCC brings additional considerations around controlled technical information in the defence supply chain. Both will generate more disputes and more clients who need clear contractual boundaries.
These templates give you a Standard Terms and Order Form structure that handles the tripartite fee model, scheme-specific regulatory obligations, and the hard edges of IASME’s own T&Cs, including their discretion over assessment outcomes and right to audit.
Three-component model (scheme fee, CB assessment fee, guidance fee) with support for nil-fee arrangements, bundled engagements, conditional payment triggers, and cross-referencing to separate retainers.
Separate schedules for each scheme. PSTI Act 2022 for IoT. Export control provisions for DCC. IMO alignment for Maritime. CMA authorisation and civil liability waiver for CE+.
CE and CE+ schedules reflect v3.3 requirements: mandatory MFA, expanded cloud service scoping, auto-fail marking criteria, and the VSA revocation warning for CE+ patching failures.
Assessment outcome discretion, audit cooperation, data sharing with IASME and HM Government, and the complaints procedure all reflected in the Standard Terms so your clients understand the framework before they engage.
Standard Terms published on your website. Order Form per engagement. Schedules for each scheme.
The templates are designed to cover the majority of commercial engagements. The following areas involve additional legal complexity and benefit from being worked through with someone who understands the regulatory context. If any of these apply to you, or if you want help integrating the templates into your existing terms, get in touch. An initial conversation is free.
Written by Richard Hanstock, a barrister specialising in cyber security, technology, and national security law. Founder of Deeptech Legal. Former government legal adviser on operational cyber, sanctions, and export controls.