Cybersecurity training for UK security teams: what enterprise buyers need to know
Before a platform reaches your analysts, it has to clear procurement, satisfy InfoSec, pass legal review, and in many organisations survive a finance sign-off that nobody budgeted for. For UK security teams, that process carries specific requirements.
Buying cyber security training for an enterprise security team is rarely just a training decision. Before a platform reaches your analysts, it has to clear procurement, satisfy InfoSec, pass legal review, and in many organisations survive a finance sign-off that nobody budgeted for.
For UK security teams, that process carries specific requirements. UK GDPR, the Data Protection Act 2018, internal vendor risk frameworks, and increasingly stringent supplier onboarding standards mean that where a vendor is incorporated, how they handle data, and what certifications they hold are legitimate blockers that can delay or kill a purchase entirely.
Does it matter if your cyber security training vendor is UK-incorporated?
For UK enterprise buyers, vendor jurisdiction has practical consequences that surface early in the procurement process.
A UK-incorporated vendor means contracts are governed by UK law. For legal and procurement teams, this removes the complexity of cross-jurisdictional agreements that can arise when buying from vendors incorporated elsewhere. There is no ambiguity about which country's law applies and no transatlantic redline cycles to manage.
UK VAT registration matters for finance teams. It means invoicing works exactly as it would with any other UK supplier, with no foreign currency conversion or withholding tax considerations to navigate.
When evaluating any cyber security training vendor, buyers should ask: where is the vendor incorporated, under which legal jurisdiction are contracts governed, and are they UK VAT registered?
TryHackMe Ltd is a private limited company incorporated in England and Wales in 2018. Contracts are governed by UK law. TryHackMe is UK VAT registered.
Does it matter where your cyber security training vendor hosts your data?
Yes. Data residency determines which data protection laws apply, whether personal data transfers are lawful, and how straightforward your Data Processing Agreement will be to sign off. It is one of the first questions a UK enterprise InfoSec or legal team will ask of any SaaS vendor.
For UK buyers, the key question is whether data is hosted within the UK or the EEA. Under the UK's post-Brexit adequacy regulations, the EEA remains an approved destination for personal data transfers from the UK, meaning no additional legal mechanism is required to justify the transfer.
For vendors hosting data outside the EEA, buyers should confirm what transfer mechanism the vendor relies on under UK GDPR, as this can add legal complexity and time to the procurement process.
Buyers should ask: where is data hosted, in which cloud region, and is that region within the UK or EEA?
TryHackMe hosts customer data on AWS in the eu-west-1 region, located in Dublin, Ireland. This sits within the EEA, meaning data transfers from the UK require no additional legal mechanism under current UK adequacy regulations.
What security certifications should a UK enterprise buyer require?
Security certifications give procurement and InfoSec teams independently verified evidence that a vendor manages information security to a recognised standard. For UK enterprise buyers specifically, two certifications are worth requiring.
The first is ISO/IEC 27001. This is an internationally recognised standard for information security management. Achieving certification requires an organisation to implement and maintain a documented security management system covering areas including data security, access control, incident management, and disaster recovery, and to have that system independently audited. Buyers should confirm that a vendor holds the current version of the standard, ISO/IEC 27001:2022, rather than an older iteration.
The second is Cyber Essentials. This is a UK government-backed certification scheme developed by the NCSC (National Cyber Security Centre), the UK's national authority on cyber security. It sets a baseline of cyber hygiene controls that organisations must demonstrate before they can be certified. Cyber Essentials carries particular weight for UK enterprise buyers because it is the standard the UK government requires of its own suppliers.
Buyers should ask: does the vendor hold ISO/IEC 27001:2022 certification, and are they Cyber Essentials certified?
TryHackMe holds ISO/IEC 27001:2022 certification and is Cyber Essentials certified.
What does genuine data protection compliance look like?
For UK enterprise buyers, data protection compliance determines whether your organisation can lawfully share employee data with a training vendor. Under UK GDPR, any vendor that processes personal data on your behalf must do so under a lawful basis, with appropriate technical and organisational measures in place, and under a signed Data Processing Agreement that sets out each party's obligations.
Buyers should understand what meaningful compliance looks like in practice. A vendor with documented data processing activities, a named Data Protection Officer, and a signed DPA is in a materially different position from one that lists GDPR compliance as a feature without supporting evidence.
Buyers should ask: is the vendor UK GDPR compliant, do they adhere to the Data Protection Act 2018, and is a Data Processing Agreement available to sign?
TryHackMe processes personal data in accordance with UK GDPR, the EU GDPR where applicable, and the Data Protection Act 2018. A Data Processing Agreement is available to sign as part of the standard procurement process.
Vendor evaluation criteria for UK enterprise buyers
| Criteria | What to look for | TryHackMe |
|---|---|---|
| Legal incorporation | UK-registered entity, UK governing law | UK Ltd, incorporated in England and Wales 2018 |
| VAT registration | UK VAT registered for clean invoicing | UK VAT registered |
| Data hosting | EEA or UK region | AWS eu-west-1, Dublin, Ireland |
| ISO 27001 | Current 2022 version | ISO/IEC 27001:2022 certified |
| Cyber Essentials | NCSC-backed UK government scheme | Cyber Essentials certified |
| UK GDPR compliance | UK GDPR and DPA 2018 | Confirmed compliant |
Do enterprises train on TryHackMe?
TryHackMe is used by over 1,000 security teams globally, including enterprise clients across technology, government, and financial services.
Want to turn theoretical cyber security training into proven capability? Explore TryHackMe for Business