Skip to main content
SubComply
← Back to Guides

CDM Compliance: The Complete Guide for UK Contractors

By SubComply

Three subcontractors are starting on your site Monday morning. Can you confirm — right now — that every one of them has current employers' liability insurance, valid CSCS cards, and signed RAMS for the work they're about to do?

If that question made you uncomfortable, you're not alone. CDM compliance is the legal foundation of every UK construction project, but most principal contractors manage it with a patchwork of spreadsheets, email chains, and good intentions. This guide breaks down what CDM 2015 actually requires, who is responsible for what, and how to build a compliance process that doesn't fall apart when an auditor walks in.

What CDM compliance actually means

CDM stands for the Construction (Design and Management) Regulations 2015 (SI 2015/51). These regulations set out how every construction project in the UK must be planned, managed, and coordinated to protect workers and anyone affected by the work.

CDM 2015 replaced the earlier 2007 regulations on 6 April 2015. The key shift: responsibility moved earlier in the project lifecycle, particularly into the design and planning phases where risks can be eliminated before anyone sets foot on site.

CDM applies to all construction work in Great Britain — from a kitchen extension to a £100M infrastructure project. There is no minimum project size. If construction work is happening, CDM applies.

The five CDM duty holder roles

CDM 2015 assigns legal responsibilities to five categories of duty holder. Each role carries specific obligations, and on most commercial projects, several of these roles are active simultaneously.

1. Client

The organisation or individual for whom the construction work is carried out. Under CDM 2015, even domestic clients have duties (though these can transfer to the contractor or principal contractor — see HSE guidance on CDM 2015).

Commercial clients must:

  • Make suitable arrangements for managing the project (Regulation 4)
  • Appoint a principal designer and principal contractor on projects with more than one contractor (Regulation 5)
  • Ensure sufficient time and resources are allocated
  • Provide pre-construction information to designers and contractors

2. Principal designer

Appointed by the client on multi-contractor projects. The principal designer plans, manages, monitors, and coordinates health and safety during the pre-construction phase (Regulation 11). They identify, eliminate, and control foreseeable risks through design decisions.

3. Principal contractor

This is where most of the day-to-day compliance pressure lands. The principal contractor plans, manages, monitors, and coordinates health and safety during the construction phase (Regulation 13). On projects with more than one contractor, the client must appoint a principal contractor — and that appointment must happen before the construction phase begins.

4. Designer

Anyone who prepares or modifies designs for a construction project. Designers must eliminate, reduce, or control foreseeable risks that may arise during construction, maintenance, and use of the building (Regulation 9).

5. Contractor

Every contractor on a project has duties to plan, manage, and monitor their own work. On multi-contractor projects, contractors must comply with directions from the principal contractor and cooperate with the project team (Regulation 15).

Workers also have duties — they must take care of their own health and safety, cooperate with their employer, and report anything they believe is a danger.

For a plain-English overview of what CDM compliance means and what happens if you get it wrong, see What is CDM compliance?.

What principal contractors actually need to do

If you're a principal contractor, Regulations 8 and 13–15 define your core obligations. Here's what that looks like in practice.

Before work starts

  • Prepare a construction phase plan covering health and safety arrangements, site rules, and specific measures for high-risk work. This must be in place before the construction phase begins (Regulation 12).
  • Verify contractor competence. Every contractor appointed to the project must have the skills, knowledge, experience, and organisational capability to carry out their work safely (Regulation 8).
  • Check employers' liability insurance. This is a separate legal requirement under the Employers' Liability (Compulsory Insurance) Act 1969. The fine for operating without it is up to £2,500 for every day without cover. Minimum cover is £5M.
  • Collect subcontractor documentation: insurance certificates, CSCS cards, trade qualifications, RAMS, and method statements specific to the project work.

During the project

  • Coordinate all contractors working on site. This means active management — not filing paperwork. You need to know who is on site, what they're doing, and whether their work creates risks for others (Regulation 13).
  • Provide site-specific inductions for every worker before they start. Generic inductions don't satisfy CDM — the induction must cover the specific hazards and rules of that site.
  • Consult and engage workers about health, safety, and welfare matters. This is a legal requirement, not a nice-to-have (Regulation 14).
  • Prevent unauthorised access to the site.
  • Ensure welfare facilities are provided from day one and maintained throughout the project.
  • Monitor compliance throughout — not just at the start. Insurance certificates expire. CSCS cards lapse. RAMS become outdated as work scope changes.

At completion

  • Ensure the health and safety file is updated and handed to the client (Regulation 12).
  • Review and capture lessons learned for future projects.

Subcontractor compliance checklist

This covers the documentation and checks a principal contractor should complete for every subcontractor on a multi-contractor project. For a step-by-step process from pre-qualification through to ongoing monitoring, see our guide to managing subcontractors in construction. You can also generate a tailored compliance checklist for your specific project trades.

Before the subcontractor starts on site:

  • Valid employers' liability insurance certificate (minimum £5M cover, check expiry date)
  • Public liability insurance certificate (check cover level matches contract requirements)
  • Professional indemnity insurance (if applicable to the work type)
  • CSCS cards for all operatives (check card type matches the work they'll do)
  • CIS verification status with HMRC (for tax deduction purposes)
  • Company health and safety policy (legal requirement for firms with 5+ employees)
  • Risk assessments and method statements (RAMS) specific to the work on your project
  • Trade-specific qualifications and certifications (Gas Safe, NICEIC, IPAF, PASMA, etc.)
  • Evidence of CDM awareness training or competence

Ongoing checks during the project:

  • Monitor insurance and certification expiry dates — set reminders at 30, 14, and 7 days before expiry
  • Review and update RAMS when work scope changes
  • Confirm CSCS cards are still valid for operatives on site
  • Check CIS verification status hasn't changed (subcontractors can move between gross, net, and unverified)
  • Record site inductions for every new operative
  • Maintain a register of who is on site and when

Five compliance gaps that catch contractors out

1. Insurance certificates that expired months ago

The employers' liability cert was valid when the subcontractor started on site. That was 14 months ago. Nobody checked the renewal. Under the Employers' Liability (Compulsory Insurance) Act 1969, a subcontractor working without valid EL insurance faces a fine of up to £2,500 per day. Separately, expired insurance weakens the evidence you can point to when demonstrating CDM Regulation 8 compliance — that you took reasonable steps to assess competence.

2. CSCS cards that don't match the work

A subcontractor's operatives have CSCS cards, but they're labourer cards and the workers are doing skilled electrical work. CSCS card types indicate the level of competence assessed — a mismatch means the operative hasn't demonstrated competence for the work they're doing.

3. RAMS written for a different project

The subcontractor submitted RAMS, but they're generic templates with another project's name scratched out. Site-specific risk assessments are a CDM requirement. Generic documents that don't address the actual hazards on your site don't satisfy Regulation 13.

4. No system for tracking expiry dates

Most contractors track compliance in spreadsheets. Spreadsheets don't send reminders when an insurance certificate is about to expire. By the time someone notices, the subcontractor may have been working uninsured for weeks — and you've had an uninsured operative on your site without knowing it.

5. CIS verification drift

A subcontractor's CIS status can change between tax years — from gross payment to net payment, or to unverified. If you don't re-verify periodically with HMRC, you may be applying the wrong tax deduction rate, creating a liability for your business.

The Building Safety Act 2022: what's changing

The Building Safety Act 2022 is tightening competence requirements across the construction industry. While the Act primarily targets higher-risk buildings (residential buildings over 18 metres or 7 storeys), its competence framework is raising standards across the sector:

  • Duty holders must demonstrate competence — not just claim it. The Act expects documented evidence of skills, knowledge, experience, and organisational capability.
  • The Building Safety Regulator is promoting higher standards of competence for building control professionals and tradespeople across all building types.
  • Principal contractors and principal designers face increased scrutiny of their ability to manage building safety risks throughout design and construction.

For principal contractors managing subcontractors, the practical impact is clear: a signed declaration isn't enough. You need documented evidence of qualifications, training, and current insurance.

Building a compliance process that actually works

CDM compliance isn't a one-off check. The difference between contractors who manage it well and those who scramble during audits comes down to three things.

Centralise documentation. Every subcontractor's compliance documents should be in one place. When a client auditor or HSE inspector asks to see an insurance certificate, you shouldn't need to search through emails, WhatsApp messages, and shared drives with ambiguous filenames.

Automate expiry tracking. Set up alerts for insurance renewals, CSCS card expiry dates, and CIS verification checks. Manual diary entries get missed. Automated reminders at 30, 14, and 7 days before expiry give you time to chase renewals before cover lapses. Our free insurance expiry calculator can give you an instant snapshot of which subcontractors need attention.

Make it easy for subcontractors. The harder you make it for a subcontractor to submit their documents, the longer it takes and the more chasing you do. If a sub can photograph their cert on their phone and upload it in under a minute, your compliance records stay current. If they need to scan, email, and follow up, they'll put it off.

Frequently asked questions

Is CDM compliance a legal requirement?

Yes. The Construction (Design and Management) Regulations 2015 apply to all construction work in Great Britain. Non-compliance is a criminal offence enforceable by the HSE, with penalties including unlimited fines and imprisonment for serious breaches.

What are the CDM requirements for projects with only one contractor?

On single-contractor projects, the contractor takes on the duties of both contractor and principal contractor. The client must still ensure the project is managed safely, but does not need to appoint a separate principal designer or principal contractor.

What happens if you don't follow CDM regulations?

The HSE can issue improvement notices, prohibition notices (stopping work immediately), or prosecute. Penalties for health and safety offences can include unlimited fines. For serious breaches causing death or serious injury, individuals can face imprisonment.

Sources

This guide is for informational purposes and does not constitute legal advice. For project-specific CDM compliance questions, consult a qualified health and safety professional.

Last reviewed: 11 March 2026

Related articles

CDM Principal Contractor Duties: Your Complete Legal Guide

Every duty a principal contractor has under CDM 2015 — with regulation references, practical actions, and the specific steps required before, during, and after construction.

What Is CDM Compliance? Duties, Penalties, and Key Requirements for 2026

CDM compliance explained in plain English — what the regulations require, who is responsible, and what happens if you get it wrong.

How to Manage Subcontractors in Construction: A Compliance-First Approach

A step-by-step process for managing subcontractor compliance on UK construction projects — from pre-qualification to ongoing monitoring.

Stop chasing subcontractor paperwork

We're building SubComply to automate document collection, insurance tracking, and audit-ready compliance reports for UK contractors. Join the waitlist for early access.

No spam. Unsubscribe any time. Privacy policy