Do You Need Cyber Essentials to Work with the NHS?
Cyber Essentials (CE) has been a baseline requirement for NHS suppliers for several years, embedded across frameworks including DTAC (Digital Technology Assessment Criteria) and NHS Supply Chain procurement. It also overlaps with the Data Security and Protection Toolkit (DSPT): a valid CE certificate can be used as evidence towards several DSPT technical assertions, reducing the evidence burden of your annual submission. But as the NHS tightens its approach to supply chain security, the question isn't just whether you have it, it's whether what you have is still enough.
What is Cyber Essentials?
Cyber Essentials is a UK Government-backed certification scheme designed to verify that an organisation has the fundamental security controls in place to defend against the most common cyber threats. It's endorsed by the National Cyber Security Centre (NCSC) as the minimum standard for digital security, and the NHS has embedded it as a baseline requirement across its procurement processes.
The certification is built around five technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. Organisations complete a self-assessment questionnaire covering each area, which is then verified by a certification body licensed by IASME, the scheme's delivery partner. Cyber Essentials Plus (CE+) covers the same five controls but adds an independent technical audit by the certification body, including vulnerability scanning, rather than relying on self-assessment alone. Either certificate is valid for 12 months.
Why the NHS requires Cyber Essentials
Healthcare is one of the most targeted sectors for cyber attacks, and the NHS has experienced the consequences first-hand. The 2024 ransomware attack on Synnovis resulted in 1,710 elective procedures and over 10,000 outpatient appointments being postponed across King's College Hospital and Guy's and St Thomas' NHS Foundation Trusts, with 400GB of patient data subsequently published on the dark web. The NCSC regards a major cyber incident affecting the NHS as a matter of when, not if.
The NHS supply chain amplifies that risk. Digital health suppliers, even those whose products aren't directly patient-facing, are integrated into clinical systems, share data across networks, and form part of the infrastructure that care delivery depends on. A vulnerability in one supplier can have cascading effects across the ecosystem.
Cyber Essentials addresses the most common attack vectors. The NCSC estimates that the five controls it covers would prevent around 80% of common internet-based cyber attacks. For the NHS, it serves as a baseline signal that a supplier has taken at least the minimum steps to protect the systems they connect to.
How requirements have changed
The NHS Cyber Security Charter, updated in January 2026, marks a significant shift in how the NHS engages with supplier security. Where previously suppliers could self-declare compliance, the charter now empowers NHS England and contracting authorities to request documented evidence of controls, particularly where services are critical to patient care or operational continuity.
Integrated Care Boards (ICBs) have increasingly written Cyber Essentials into their procurement criteria, and NHS Supply Chain has published explicit cybersecurity expectations for suppliers across its frameworks. For suppliers whose products include AI or machine learning components, Cyber Essentials Plus, the audited version, is now frequently expected as standard.
What this means in practice
For most digital health organisations, Cyber Essentials is already a contractual requirement. The practical questions are whether your certification is current, whether its scope covers the systems and people that actually touch NHS data and services, and whether you are on track for the more rigorous CE+ standard that NHS buyers are beginning to expect.
Organisations that let certification lapse, or that hold CE without progressing to CE+, are increasingly finding themselves at a disadvantage during procurement. This is not because they have failed any test, but because they no longer meet the documented expectations that NHS buyers are now applying to the market.
Ready to get certified? Book a call with our team or find out more about Cyber Essentials at Periculo.