
Cyber Essentials 2025: A Health Tech Guide to Certification

For health tech and digital health companies, cybersecurity is not only about protecting patient data, it’s about proving compliance to the organisations you want to work with.

Whether you’re supplying to the NHS, integrating with clinical systems, or scaling internationally, certification frameworks like Cyber Essentials help demonstrate that your company meets baseline security standards.

In 2025, the Cyber Essentials scheme has been updated with stronger governance requirements. These changes make it an even more important part of the compliance toolkit for health tech firms.


Why Cyber Essentials Matters for NHS Supply Chain Compliance

The NHS is tightening expectations around supplier security. Winning NHS contracts often requires:

  • Cyber Essentials certification as a minimum standard for suppliers that handle NHS data or connect to NHS systems.

  • Alignment with the Data Security and Protection Toolkit (DSPT), which references Cyber Essentials controls.

  • Demonstrating board-level commitment to cybersecurity.

Without certification, health tech firms risk being excluded from tenders, delaying procurement, or losing credibility in competitive bid processes. Cyber Essentials gives NHS procurement teams a recognised, independently issued baseline they can check, rather than a supplier's own description of its controls. It is a floor, not a ceiling: contracts that involve clinical systems or large volumes of patient data will usually ask for more (DSPT, ISO 27001, penetration testing), so treat Cyber Essentials as the entry ticket rather than the whole answer.


International Recognition: Beyond the NHS

While Cyber Essentials is a UK scheme, it plays a valuable role for digital health firms working across borders:

  • European markets: Provides evidence for the "appropriate technical and organisational measures" that GDPR Article 32 (security of processing) requires; it is not a GDPR certification, but it documents baseline controls a data protection assessment will ask about.

  • US healthcare buyers: Complements HIPAA expectations by showing you have baseline cyber hygiene in place.

  • Global medtech and digital health partners: Certification demonstrates maturity, which can be a deciding factor in partnership and investment discussions.

In effect, Cyber Essentials offers a widely recognised signal of cyber hygiene, showing that your organisation has the basic controls in place before region-specific audits or frameworks are applied. Buyers outside the UK may not know the scheme by name, so be ready to explain the five control areas it covers (firewalls, secure configuration, access control, malware protection and patch management) in terms of their own framework.


What’s New in 2025: The Willow Requirements

From 28 April 2025, all Cyber Essentials assessments use the Willow question set. In practice this means:

  • Board accountability is explicit: a board member (or equivalent senior owner) must sign the declaration confirming that the answers are accurate and that the organisation meets the requirements. Treat that signature as a governance control, not a formality, and make sure the signatory has actually reviewed the scope and the answers.

  • Clearer scoping rules help prevent errors when deciding which systems fall under assessment, including where cloud services, remote workers and their devices sit in relation to the boundary.

  • Organisations must confirm they have read and applied the updated Requirements for IT Infrastructure; answering from memory of an earlier version is a common cause of failed or returned assessments.

For digital health firms with complex environments (cloud platforms, APIs, connected devices, clinical integrations), these updates reduce ambiguity but raise the bar for preparation.


How Certification Helps You Prove Compliance

Cyber Essentials maps neatly onto wider compliance requirements:

  • DSPT (UK) — Cyber Essentials helps evidence key sections around access control, patching, and malware protection.

  • ISO 27001 — Certification complements your ISMS by demonstrating practical implementation of core controls.

  • HIPAA (US) — While not equivalent, Cyber Essentials supports the Security Rule's technical safeguards for access control and person or entity authentication, and its administrative safeguard on protection from malicious software; it does not cover HIPAA's risk analysis, audit logging or breach notification obligations.

  • MDR / IVDR (EU) — For digital health devices, certification supports Annex I security requirements around software and IT environments.

This means one certification can accelerate your ability to prove compliance in multiple regulatory conversations.


Why Aim for Cyber Essentials Plus

For NHS and other health systems, Cyber Essentials Plus provides stronger assurance. Unlike the basic certification, which is a self-assessment questionnaire reviewed by an assessor, Plus includes:

  • Independent verification of your systems by an assessor from a certification body.

  • Hands-on technical testing: an external vulnerability scan of your internet-facing boundary, authenticated vulnerability scans of a sample of in-scope devices, and checks that malware protection and browser and email controls behave as declared.

  • Greater credibility for contracts and international buyers, because a third party has tested the controls rather than taking the questionnaire on trust.

Plus must be completed within three months of passing the basic assessment, so plan the remediation window (patching, MFA rollout, configuration hardening) before you submit the questionnaire rather than after.

For any digital health firm aiming to supply into regulated markets, Plus is the more strategic choice.


How Periculo Supports Health Tech Compliance

At Periculo, we help health tech and digital health companies achieve Cyber Essentials certification as part of a compliance-driven growth strategy. We:

  • Map Cyber Essentials to DSPT, NHS supply chain guidance, and global regulatory frameworks.

  • Support scoping, evidence collection, and preparation for the new Willow requirements.

  • Provide technical remediation (patching, MFA, secure configurations) aligned with both certification and regulatory expectations.

  • Guide boards and leadership teams on governance sign-off to avoid certification failure.

  • Manage the process through Cyber Essentials Plus for maximum assurance.

Cyber Essentials 2025 is more than a cybersecurity baseline — it’s a compliance enabler. For health tech and digital health companies, certification demonstrates that you’re ready to work with the NHS, align with DSPT, and engage global buyers who expect robust cyber maturity.

By investing in certification, you’re not only protecting your systems, you’re protecting your market access.
