TUPE, COSHH, SIA and DBS show up on almost every UK soft FM tender. Each one is a hard pass or fail at SQ stage. Miss any and your bid is binned before anyone reads it. This guide covers what each acronym is, what evidence buyers actually score, and where soft FM SMEs most often lose marks.
- TUPE: staff transfer on the same terms when a contract changes hands. Price the schedule, not your existing rates.
- COSHH: mandatory risk assessments and safety data sheets for any chemical use. HSE-enforceable.
- SIA: licences individual security officers. ACS adds company-level accreditation, mandatory for most public-sector security.
- DBS: criminal record checks for staff working with children, NHS patients, care residents and prisoners. Enhanced DBS for regulated activity.
- All four turn up in Part 3 of the Standard Selection Questionnaire. Evidence is required from the winning bidder before contract signing.
- From 1 April 2026, the National Living Wage is £12.71 per hour. Most TUPE-impacted soft FM staff are at or near this floor.
What's in this guide¶
- TUPE in 90 seconds (full guide linked)
- COSHH for cleaning, grounds, catering and pest control
- SIA licensing and the Approved Contractor Scheme
- DBS checks and the Update Service
- Where each acronym shows up in tender packs
- Compliance evidence checklist
- Common gaps that bin bids
TUPE in 90 seconds¶
TUPE stands for the Transfer of Undertakings (Protection of Employment) Regulations 2006. When a UK service contract changes hands, the staff currently delivering that service transfer to the new supplier on the same pay, hours and terms. For a soft FM bidder, TUPE is the single biggest pricing risk in any retender. The buyer publishes a TUPE schedule (anonymised) in the tender pack. Price your bid against the schedule rates plus on-costs (Employer NI, holiday, pension, supervision), not against your existing rates.
For the full TUPE deep-dive including pricing tables, on-costs and the recent EAT case law on pay disparity, see the dedicated TUPE regulations for soft FM contracts guide.
COSHH: chemicals, cleaning, grounds and catering¶
COSHH stands for the Control of Substances Hazardous to Health Regulations 2002. It is the law that requires UK employers to assess and control workplace exposure to hazardous substances. For soft FM, that means almost everything: cleaning chemicals, pesticides used on grounds, food allergens in catering, biocidal products in pest control, and dust from waste handling.
What COSHH compliance looks like in practice.
| Document | What it shows | Renewal cycle |
|---|---|---|
| COSHH Risk Assessments | One per substance or task. Identifies hazards, exposure routes, controls. | Reviewed annually or when substances or tasks change. |
| Safety Data Sheets (SDS) | Manufacturer's chemical hazard data. Held for every substance in use. | Updated when manufacturer issues new SDS, typically every 2-3 years. |
| Staff Training Records | Evidence each operative has been trained on the chemicals they use. | Refresher annually. Re-training when new substances introduced. |
| Health Surveillance Records | Where required (high-exposure roles), records of medical monitoring. | As specified by occupational health. |
| PPE Issue and Fit Testing | Records of personal protective equipment issued. Face-fit tests for RPE. | Annual fit-testing. PPE replacement on wear or damage. |
| COSHH Policy | Company-wide policy describing how COSHH is managed. | Reviewed annually, signed by a director. |
What buyers want to see for COSHH compliance in soft FM tenders.
HSE figures from 2024/25 set the context. 1.9 million UK workers suffered work-related illness. About 13,000 deaths a year are linked to past exposure to chemicals or dust. 40.1 million working days lost to work-related ill-health. The Health and Safety Executive enforces COSHH. They can issue Improvement Notices, Prohibition Notices, and prosecute for breach.
Sector-specific watch points. In cleaning, biocides and disinfectants are in scope. In grounds, glyphosate (Roundup) and other pesticides are tightening. Many councils now ban glyphosate and require pesticide-free alternatives. In catering, allergen control under Natasha's Law (PPDS labelling, in force since October 2021) overlaps with COSHH for ingredient handling. In pest control, biocidal product authorisation under the GB BPR is a separate legal regime that COSHH risk assessments must reference.
SIA: licences, ACS, and Martyn's Law¶
SIA stands for the Security Industry Authority. It regulates the UK private security industry. Two layers of SIA compliance matter for soft FM tenders.
| Layer | What it is | Who holds it |
|---|---|---|
| SIA licence | Mandatory licence for individuals doing licensable activities (manned guarding, door supervision, CCTV operation, close protection). | Each individual security officer holds their own licence. Renewable every 3 years. |
| Approved Contractor Scheme (ACS) | Voluntary company-level accreditation. Demonstrates the company meets a higher operational standard. | The company. ACS membership is required by most UK public-sector security tenders. |
Two layers of SIA compliance for security and other regulated activities.
SIA scale data from 2024/25. 507,000+ active SIA licences in circulation. 748 Approved Contractors on the ACS register. The SIA processed 173,000 new licence applications in the year. From April 2026, the SIA raised the ACS minimum score required to reach the top 15% (the ACS Pacesetters tier), which means tougher quality bars for ACS holders.
Martyn's Law (the Terrorism Protection of Premises Act 2025) received Royal Assent in April 2025. It introduces mandatory venue security procedures for premises with 200+ capacity and stricter requirements above 800. Enforcement begins April 2027. For SIA-regulated security suppliers, this means new statutory requirements at venue level, and more public-sector security tenders will reference Martyn's Law obligations from late 2026 onwards.
For sector-specific bid plays in security tendering, see the how to bid for security contracts in the UK guide.
Standards alongside SIA: BS 7858, BS 7499, BS 7984¶
| Standard | What it covers | When it applies |
|---|---|---|
| BS 7858 | Pre-employment vetting for security staff | Required where staff have access to sensitive sites, government buildings or NHS premises. |
| BS 7499 | Static site guarding standard | The operational benchmark for manned guarding. ACS holders are expected to meet it. |
| BS 7984 | Keyholder and mobile patrol services | Mobile patrol contracts and out-of-hours keyholder services. |
British Standards that show up alongside SIA on security tenders.
DBS: criminal record checks for soft FM staff¶
DBS stands for the Disclosure and Barring Service. It runs criminal record checks on UK workers in roles that involve trust, sensitive sites or vulnerable people. For soft FM, DBS checks come up most often in cleaning, catering and security where staff have access to schools, NHS sites, care homes or prisons.
| Level | What it shows | When it's required |
|---|---|---|
| Basic | Unspent convictions only. | Lower-risk roles. Routine office cleaning where there is no patient or pupil contact. |
| Standard | Spent and unspent convictions, cautions, reprimands, final warnings. | Roles with regular access to children or vulnerable adults but not engaged in 'regulated activity'. |
| Enhanced | Standard plus any additional information held by police forces. | Regulated activity with children or vulnerable adults. Schools, NHS clinical areas, care homes, prisons. |
| Enhanced with barred-list check | Enhanced plus a check against the children's or adults' barred list. | Specific regulated activity roles where the law requires it. |
Levels of DBS check and when each applies.
Three things to know for tender purposes. First, the DBS Update Service costs £13 a year per individual and lets you keep checking the same person's status without redoing the full check. Most soft FM employers running multi-site contracts use it. Second, DBS checks expire in practice when staff move between roles, since the check is role-specific. Many buyers ask for DBS to have been completed within the last 12 months. Third, DBS is for the United Kingdom. Northern Ireland uses AccessNI. Scotland uses Disclosure Scotland. The principles are similar but the certificates are different.
Where each acronym shows up in tender packs¶
| Acronym | Where it shows up | What's asked |
|---|---|---|
| TUPE | TUPE Schedule (separate document) and Pricing Schedule. | Anonymised staff list with rates, hours, holiday, pension, length of service. Price your bid against this. |
| COSHH | SQ Part 3 (H&S section) and Specification. | COSHH policy, risk assessments, SDS, training records. Sector-specific products called out in spec. |
| SIA / ACS | SQ Part 3 (Selection Criteria) and Specification. | ACS membership certificate, BS 7858 vetting evidence, individual licence numbers for key staff. |
| DBS | SQ Part 3 (Selection Criteria) and Specification. | DBS policy, sample DBS certificates, Update Service usage, level-of-check matrix per role. |
Where TUPE, COSHH, SIA and DBS appear in a typical UK soft FM tender pack.
For the full breakdown of the Standard Selection Questionnaire, see Standard Selection Questionnaire (SQ) Explained. For where these documents sit alongside the rest of a tender pack, see what are tender documents.
Compliance evidence checklist¶
Hold all of the following on file before submitting any UK soft FM SQ. Update each one against the renewal cycles above.
- TUPE: standard process for receiving and reviewing TUPE schedules. Pricing model that adds Employer NI, holiday, pension and supervision to schedule rates.
- COSHH Policy signed by a director, dated within 12 months.
- COSHH Risk Assessments for every chemical and high-risk task in your service portfolio.
- Safety Data Sheets (SDS) library, current within 2-3 years per substance.
- Operative training records, with refresher dates inside 12 months.
- PPE issue records and face-fit test certificates where RPE is used.
- SIA licence numbers and renewal dates for every licensed individual.
- ACS membership certificate (security firms) with annual audit completed.
- BS 7858 vetting records for security staff on sensitive sites.
- DBS policy and procedure document.
- DBS certificates per role, level matched to the regulated activity status.
- DBS Update Service evidence where used.
- Anti-modern-slavery statement (recommended for all bidders, mandatory for 50+ staff).
- GDPR / Data Protection policy with ICO registration.
- Equality and Diversity policy signed and dated.
Common gaps that bin bids¶
- COSHH risk assessments not site-specific. Generic templates fail. Buyers want assessments tailored to the substances and tasks at the contract sites.
- Out-of-date Safety Data Sheets. Manufacturer SDS get reissued. The 5-year-old SDS in your file is a fail.
- ACS expired or in renewal. Most buyers require live ACS at submission. A renewal in progress is not a substitute.
- Wrong DBS level for the role. Standard DBS where Enhanced is required. Enhanced without barred-list check where required.
- DBS certificates older than 12 months on a tender that asks for fresh checks.
- TUPE-pricing your existing rates instead of schedule rates. Most common pricing failure on a winning bid.
- No COSHH training refresher in the last 12 months on file for operatives doing chemical work.
- BS 7858 vetting incomplete on staff who have transferred to your firm with TUPE. Re-verify on transfer.
- PPE fit-testing missing for RPE users. Required annually for face-fitting respiratory protection.
- Modern Slavery Statement missing on a 50+ staff bidder, even though every other compliance doc is present.
One last thing¶
TUPE, COSHH, SIA and DBS are not bid-writing problems. They are operations problems that surface inside bid writing. The firms that score well at SQ are the ones who run their operations to a standard above the audit, then use the existing records as bid evidence. The firms that scramble at submission are the ones who only think about compliance when a tender pack lands. Build the records as you go, and bid day is paperwork, not panic.
For every other procurement and FM compliance acronym you'll see in a tender pack, the procurement acronyms cheat sheet has the lot.
Sources
- Transfer of Undertakings (Protection of Employment) Regulations 2006 · Primary UK regulations on service provision changes.
- Control of Substances Hazardous to Health Regulations 2002 (HSE) · HSE statutory guidance on COSHH compliance.
- HSE statistics 2024/25 · Source for workplace ill-health figures cited above.
- Security Industry Authority (SIA) · SIA licensing, ACS scheme and annual reports.
- Terrorism (Protection of Premises) Act 2025 (Martyn's Law) · Mandatory venue security procedures, enforced from April 2027.
- Disclosure and Barring Service (DBS) · Levels of DBS check, Update Service, sample certificates.
FAQs
Frequently asked questions
- TUPE stands for the Transfer of Undertakings (Protection of Employment) Regulations 2006. It is UK law that protects employees when the business or service they work for changes hands. In soft FM, TUPE means staff transfer to the new supplier on the same pay, hours, holiday and length-of-service terms. The new supplier inherits both the workforce and their employment conditions, and cannot drop pay or terms after the transfer.
- COSHH stands for the Control of Substances Hazardous to Health Regulations 2002. It requires UK employers to assess workplace exposure to hazardous substances and put controls in place. For soft FM, COSHH covers cleaning chemicals, pesticides, food allergens, biocides used in pest control and dusts in waste handling. Compliance means written risk assessments per substance or task, current Safety Data Sheets, staff training records, PPE provision and an annual policy review.
- The SIA Approved Contractor Scheme (ACS) is a company-level accreditation for security firms. It demonstrates the company meets higher operational standards than the basic SIA licensing system. ACS is voluntary in law, but it is required by approximately 90% of UK public-sector security tenders. Without ACS, you are not a viable bidder for council, NHS or housing-association security work. There were 748 ACS-registered companies on the SIA register in 2024/25.
- It depends on the role. Basic DBS shows unspent convictions only and is fine for routine office cleaning with no sensitive-site access. Standard DBS adds spent convictions and cautions, used for roles with regular access to children or vulnerable adults but not 'regulated activity'. Enhanced DBS adds police-held information and is required for regulated activity roles in schools, NHS clinical areas, care homes and prisons. Enhanced with a barred-list check is the highest level, required where the law specifically demands it.
- Strictly, a DBS certificate is a snapshot of the day it was issued. It does not 'expire' but most public-sector buyers want one issued in the last 12 months. The DBS Update Service costs £13 per year per individual and lets employers keep checking status without redoing the full check. For multi-site soft FM contracts, the Update Service is the standard way to keep the DBS evidence current.
- Yes. Grounds maintenance involves pesticides (where used), fuels, lubricants, cleaning products and biological hazards. COSHH risk assessments are required for each substance and task. Many UK councils have now restricted or banned glyphosate (Roundup) and require pesticide-free alternatives in their tender specifications. Where pesticides are still permitted, the operative needs an NPTC PA1 / PA6 certificate alongside COSHH risk assessments for the specific products.
- Martyn's Law is the colloquial name for the Terrorism Protection of Premises Act 2025, which received Royal Assent in April 2025. It introduces mandatory venue security procedures for premises with 200+ capacity, with stricter requirements above 800. Enforcement begins April 2027. For UK security suppliers, expect public-sector tenders from late 2026 onwards to reference Martyn's Law obligations explicitly, with extra emphasis on incident response plans, staff training and venue risk assessments.
- No. NHS cleaning contracts require DBS-checked staff for any access to clinical or patient-care areas. The level depends on the role: Enhanced DBS for staff working in regulated activity (clinical wards, paediatrics, mental health), Standard DBS for non-clinical NHS sites. The buyer will ask for a DBS policy at SQ stage and may verify a sample of certificates before contract signing. Run the checks before bidding, not after winning.
- When staff transfer to you under TUPE, their existing DBS certificates do not automatically transfer with them in a fully usable form. The certificate was issued for their old employer. You should ask them to register on the DBS Update Service (if they are not already) so you can check status, or run a fresh DBS check appropriate to their role under your contract. Run this in parallel with the TUPE consultation period so the new contract starts with valid DBS evidence in place.
- Generic COSHH policies and product-level Safety Data Sheets transfer with the substances. But site-specific risk assessments do not transfer cleanly. Each contract's sites have their own ventilation, surfaces, occupancy patterns and exposure routes. Re-do the site-specific COSHH risk assessments at contract mobilisation and keep the records on file. Most public-sector buyers expect site-specific assessments to be in place within four weeks of contract start.