
Cyber Essentials for NHS Suppliers in 2026

As cybersecurity threats continue to evolve, NHS organisations are raising the bar for their suppliers. If you're providing services, software, or products to the NHS, you've likely encountered growing requirements around cybersecurity certifications, particularly Cyber Essentials.

This isn't just a box-ticking exercise. Following high-profile cyber incidents affecting NHS supply chains throughout 2024 and 2025, individual NHS trusts and Integrated Care Boards (ICBs) are strengthening their supplier security requirements. While Cyber Essentials isn't universally mandatory across all NHS contracts like the Data Security and Protection Toolkit (DSPT), its adoption is accelerating, especially for suppliers handling sensitive data or providing critical services.

If you're an NHS supplier wondering whether you need Cyber Essentials, what it involves, and how to get certified, this guide will walk you through everything you need to know.

What Is Cyber Essentials and Why Do NHS Organisations Require It?

Cyber Essentials is a UK Government-backed cybersecurity certification scheme designed to help organisations protect themselves against common cyber threats. There are two levels:

Cyber Essentials is a self-assessment: you answer a questionnaire covering five technical controls, and an assessor at an accredited certification body reviews and verifies your answers before issuing the certificate. Nobody tests your systems directly at this level.

Cyber Essentials Plus builds on the self-assessment with hands-on technical verification by an assessor: an external vulnerability scan of your internet-facing services, an authenticated vulnerability scan of a sample of your in-scope devices, and tests that your malware protection actually blocks test files delivered by email and web download.

The UK Government requires Cyber Essentials for central government contracts involving the handling of sensitive information. NHS organisations are increasingly adopting similar requirements. While the DSPT remains mandatory for organisations with direct access to NHS patient data and systems, Cyber Essentials provides additional independent verification of your cybersecurity baseline.

Current NHS Supply Chain Cybersecurity Landscape

Understanding where Cyber Essentials fits within NHS requirements is crucial:

The DSPT remains the primary mandatory standard for organisations accessing NHS patient data. However, Cyber Essentials is increasingly referenced in NHS Standard Contracts as either "desirable" or "required depending on risk assessment."

Individual NHS trusts and ICBs set their own supplier cybersecurity requirements, meaning there's no blanket NHS-wide mandate. Some organisations require Cyber Essentials, others require Cyber Essentials Plus, and many still rely solely on DSPT compliance.

Recent NHS cyber incidents have accelerated the focus on supply chain assurance, with NHS England and the National Cyber Security Centre (NCSC) reinforcing guidance on supply chain security throughout 2024-2025.

Who Does This Apply To?

Suppliers with direct access to NHS systems or patient data face the highest scrutiny. Software and SaaS vendors serving NHS organisations are commonly asked to demonstrate Cyber Essentials certification. Medical device manufacturers and suppliers may encounter these requirements in procurement processes. Third-party service providers offering IT support, hosting, or data processing services should be prepared for certification requests.

The key point to remember is that requirements vary by contract, so check the schedules of each contract rather than assuming one NHS customer's expectations apply to the next.

What Cyber Essentials Certification Involves

Cyber Essentials

The basic certification involves completing a self-assessment questionnaire that covers five technical controls. An independent certification body reviews your responses and certifies your compliance.

The typical cost ranges from £300 to £500 plus VAT (pricing is tiered by organisation size), and the process takes 1 to 3 weeks from start to finish. Your certificate is valid for 12 months, after which you'll need to recertify.

Cyber Essentials Plus

Cyber Essentials Plus includes all elements of the basic certification, plus external technical verification. An assessor conducts hands-on testing of your security controls, including external and authenticated internal vulnerability scanning and malware protection tests, and any findings must be remediated and retested before the certificate is issued.

The cost typically ranges from £1,000 to £2,500 or more, depending on your organisation's size and complexity. The timeline extends to 3 to 6 weeks, and like the basic certification, it's valid for 12 months. Note that the Plus assessment must be completed within three months of your Cyber Essentials self-assessment certificate date, so plan both together.

The Five Technical Controls

Both levels of certification assess your implementation of five fundamental technical controls:

  1. Firewalls protect your network perimeter and control traffic between your systems and the internet. Default firewall passwords must be changed, unauthenticated inbound connections blocked by default, and firewall administrative interfaces kept off the internet unless there is a documented business need protected by multi-factor authentication or IP allow-listing. Devices used on untrusted networks (home, hotel, café) need a software firewall enabled.

  2. Secure configuration ensures your systems, software, and devices are set up securely: unnecessary accounts, software and services removed or disabled, default passwords changed, auto-run disabled, and devices locked after a period of inactivity.

  3. User access control verifies that only authorised individuals can access your systems and data, with accounts created through an approval process and removed when no longer needed, administrative accounts kept separate from day-to-day accounts, and multi-factor authentication enabled on cloud services.

  4. Malware protection confirms you have either anti-malware software deployed and kept up to date on every in-scope device, or application allow-listing that only permits approved software to run.

  5. Patch management demonstrates your process for identifying and applying security updates to operating systems, applications, and firmware in a timely manner. The scheme defines "timely": updates that fix vulnerabilities the vendor rates critical or high risk, or with a CVSS v3 base score of 7.0 or above, must be applied within 14 days of release, automatic updates enabled where available, and software that no longer receives security updates removed from in-scope devices.
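The 14-day rule in the patch management control is the one that most often trips suppliers up at assessment, because "we patch monthly" is not good enough for critical fixes. The following is an added example, not code from the original article, IASME or NCSC, showing how a supplier could script this part of a gap analysis against a software inventory. The inventory, host names and product names are constructed sample data; the criteria (critical/high or CVSS 7.0+ within 14 days, unsupported software removed) are the scheme's.

```python
"""Check a software inventory against the Cyber Essentials patch-management
criteria. Added illustration with constructed data, not the scheme's tooling."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Cyber Essentials: fixes for critical/high-risk vulnerabilities (vendor rating,
# or CVSS v3 base score of 7.0 or higher) must be applied within 14 days of
# release, and software that no longer receives security updates must go.
PATCH_WINDOW = timedelta(days=14)
HIGH_RISK_CVSS = 7.0


@dataclass
class Software:
    host: str
    name: str
    version: str
    supported: bool                 # vendor still issues security updates
    fix_released: Optional[date]    # release date of the latest security fix, if any
    fix_applied: Optional[date]     # date it was installed, None if still pending
    severity: str                   # vendor rating: critical / high / medium / low
    cvss: Optional[float]           # CVSS v3 base score, if published


def is_high_risk(item: Software) -> bool:
    """Either trigger puts the fix inside the 14-day window."""
    if item.severity in ("critical", "high"):
        return True
    return item.cvss is not None and item.cvss >= HIGH_RISK_CVSS


def assess(item: Software, today: date) -> tuple:
    """Classify one inventory entry as 'pass', 'due' (high-risk fix pending but
    still inside the window) or 'fail' (unsupported, overdue, or applied late)."""
    label = f"{item.host}: {item.name} {item.version}"
    if not item.supported:
        return "fail", f"{label} is out of vendor support; remove or upgrade"
    if item.fix_released is None or not is_high_risk(item):
        return "pass", f"{label} has no outstanding high-risk fix"
    deadline = item.fix_released + PATCH_WINDOW
    if item.fix_applied is None:
        if today > deadline:
            return "fail", f"{label} fix is {(today - deadline).days} days overdue"
        return "due", f"{label} fix must be applied by {deadline.isoformat()}"
    if item.fix_applied > deadline:
        return "fail", f"{label} fix applied {(item.fix_applied - deadline).days} days late"
    return "pass", f"{label} fix applied within the 14-day window"


def gap_report(inventory, today: date) -> dict:
    """Group findings by status so the failures can go straight onto a remediation plan."""
    report = {"fail": [], "due": [], "pass": []}
    for item in inventory:
        status, message = assess(item, today)
        report[status].append(message)
    return report


# Constructed sample inventory (hypothetical hosts and products).
SAMPLE_INVENTORY = [
    Software("laptop-01", "Example Browser", "120.0", True, date(2026, 2, 1), date(2026, 2, 5), "critical", 9.8),
    Software("laptop-02", "Example Browser", "119.0", True, date(2026, 2, 1), None, "critical", 9.8),
    Software("server-01", "Legacy OS", "2012", False, None, None, "low", None),
    Software("laptop-03", "Office Suite", "16.4", True, date(2026, 2, 20), None, "medium", 5.5),
    Software("laptop-04", "VPN Client", "3.1", True, date(2026, 1, 10), date(2026, 2, 10), "medium", 8.1),
    Software("laptop-05", "Example Browser", "120.0", True, date(2026, 2, 25), None, "high", 7.5),
]

if __name__ == "__main__":
    for status, messages in gap_report(SAMPLE_INVENTORY, date(2026, 3, 2)).items():
        for message in messages:
            print(f"[{status.upper()}] {message}")
```

Two things in the sample are deliberate: laptop-04 fails on CVSS alone even though the vendor called it "medium", and laptop-03's medium-rated fix passes because the 14-day clock only applies to high-risk updates (it still needs patching, just not for this control). In practice the inventory would come from your endpoint management or vulnerability scanner export rather than a hand-written list.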

How Cyber Essentials Relates to DSPT

Understanding the relationship between Cyber Essentials and the DSPT is important for NHS suppliers, because the two are often confused and neither substitutes for the other.

The DSPT is mandatory for organisations with access to NHS patient data and systems. The DSPT requires evidence of cybersecurity incident management processes and the implementation of appropriate cybersecurity controls across your organisation.

Cyber Essentials provides strong evidence to support your DSPT submission, but it does not replace the DSPT. A growing number of NHS contracts require both.

Think of Cyber Essentials as an independent third-party verification of the technical controls you're already implementing for DSPT compliance.

Practical Steps for NHS Suppliers

If you're an NHS supplier preparing for Cyber Essentials certification, follow these steps:

  • Check your current contract requirements. Review your NHS Standard Contract schedules and any specific cybersecurity requirements. Don't assume—ask your NHS contacts directly what they expect.

  • Assess your current cybersecurity posture. Conduct a gap analysis against the five Cyber Essentials controls to identify any deficiencies you need to address before pursuing certification.

  • Choose the right certification level. Decide between basic Cyber Essentials and Cyber Essentials Plus based on your contract requirements, the sensitivity of data you handle, and the risk profile of your services.

  • Engage an IASME-accredited certification body. IASME is the NCSC's delivery partner for the scheme; find accredited certification bodies and assessors through the IASME Consortium website.

  • Prepare your evidence. Document your policies, system configurations, patch management processes, and other relevant security controls. Having this ready streamlines the assessment process.

  • Plan for annual recertification. Certificates are valid for only 12 months, so factor in the time and cost for annual renewal from the start.

  • Maintain controls year-round. Certification is a point-in-time verification. You must maintain these controls continuously, not just during the assessment period. NHS organisations may audit you at any time, and your DSPT compliance requires ongoing adherence.

Risks of Non-Compliance

Failing to obtain Cyber Essentials certification when required carries several risks that could significantly impact your business relationship with NHS organisations. You may be excluded from tender opportunities where Cyber Essentials is specified as mandatory or scored within the evaluation criteria, effectively locking you out of new business before you even get a chance to compete.

If Cyber Essentials is a contractual requirement and you haven't maintained certification, you could find yourself in breach of contract, potentially jeopardising existing relationships and revenue streams. During DSPT assessments, you may face increased scrutiny if you cannot demonstrate the technical controls that Cyber Essentials verifies, making the compliance process more challenging and time-consuming.

In a sector where cyber incidents are closely monitored and reported, lacking appropriate certifications carries reputational risk that can spread quickly through NHS procurement networks. Following cyber incidents, NHS organisations may review or terminate contracts with suppliers who haven't demonstrated adequate cybersecurity controls, as they seek to strengthen their supply chain security posture.

What to Do If You're Not Ready

If you're not yet ready for Cyber Essentials certification, transparency is key to maintaining trust with your NHS clients. Be open about your timeline to certification: most NHS organisations would rather know your realistic plans than discover issues later during a contract review or incident investigation. Demonstrate proactive steps towards compliance by sharing your gap analysis and remediation plan, showing that you're taking concrete action rather than simply delaying.

Consider interim measures such as recent penetration testing results, ISO 27001 certification, or other security certifications that demonstrate your commitment to cybersecurity while you work towards Cyber Essentials. Document your existing cybersecurity controls and share evidence with clients to show you're taking security seriously, even if you're not yet formally certified.

Above all, prioritise implementing the five technical controls, as they align with DSPT requirements and represent fundamental good practice that will protect your organisation regardless of certification timelines.

Actionable Takeaways

To navigate Cyber Essentials requirements as an NHS supplier:

  • Check your NHS contracts for specific Cyber Essentials requirements. Don't rely on assumptions—verify what your clients expect.

  • Don't assume DSPT alone is sufficient. NHS organisations increasingly expect both.

  • Start with a gap analysis against the five technical controls to understand what work you need to do.

  • Budget for annual recertification. This isn't a one-time expense; plan for the recurring cost and effort.

  • Maintain documentation year-round. This streamlines the renewal process and supports your DSPT compliance.

  • Consider Cyber Essentials as baseline good practice, not just a compliance checkbox. The controls genuinely improve your security posture and protect your business as much as your NHS clients.

Cyber Essentials is becoming increasingly common in NHS supplier requirements throughout 2026. It provides independent verification of baseline cybersecurity controls that protect both your organisation and the NHS organisations you serve.

While not universally mandatory, Cyber Essentials demonstrates a proactive security posture that's becoming table stakes in NHS supply chains. With cyber incidents continuing to affect healthcare organisations, NHS trusts and ICBs are unlikely to relax these requirements—if anything, expect them to tighten further.

Early preparation reduces your risk, streamlines procurement processes, and positions your organisation as a trustworthy NHS partner committed to protecting patient data and critical healthcare services.

Need help with Cyber Essentials certification? Periculo specialises in cybersecurity assurance for health tech suppliers. Contact us to discuss how we can support your certification journey.