Cyber Security Blog

NHS Supplier Assurance in 2025-2026

Written by Craig Pepper | Feb 18, 2026 8:00:00 AM

If you supply the NHS or want to, the compliance bar just went up significantly. Between June 2024 and March 2025, two major ransomware attacks on NHS suppliers caused catastrophic service disruption, including one confirmed patient death. The ICO responded by issuing its first-ever fine against a data processor: £3.07 million to Advanced Computer Software Group. A second supplier, Capita, was fined £14 million in October 2025.

NHS England's message is clear: weak supplier security is no longer tolerable. New requirements now in force for 2025-26 mean that suppliers without the right certifications, controls, and evidence will lose contracts or be blocked from new ones.

This blog tells you exactly what you need to do, by when, and what happens if you don't.

Who This Applies To

You need to comply with NHS supplier requirements if you:

  • Process NHS patient data as a data processor
  • Provide IT systems, software, or digital health technologies to the NHS
  • Deliver pathology, diagnostics, or clinical support services
  • Access NHS networks (HSCN)
  • Supply medical devices with software components
  • Provide managed services, hosting, or cloud infrastructure to NHS organisations

This includes private companies, social enterprises, charities, and any subcontractors processing NHS data on your behalf.

The Five Mandatory Requirements

1. DSPT "Standards Met" Status

What it is: The Data Security and Protection Toolkit is an annual self-assessment proving you meet the National Data Guardian's 10 Data Security Standards.

Your deadline: 30 June 2026 for the 2025-26 assessment (DSPT Version 8)

Category 2 suppliers (large IT suppliers: 50+ staff or £10M+ turnover, classified as Operators of Essential Services under NIS):

  • Must complete DSPT using the Cyber Assessment Framework (CAF)
  • Must complete mandatory independent audit covering 11 assertions
  • Interim baseline submission required by 31 December 2025

Category 3 suppliers (smaller digital health companies, software providers, pharmacies):

  • Must complete 35 assertions and 42 mandatory evidence items
  • Must complete mandatory independent audit
  • Follow National Data Guardian's 10 Data Security Standards framework

Why it matters: DSPT "Standards Met" is a contractual requirement under NHS Standard Contract Clause 21.2. Without it, NHS organisations are in breach of contract if they continue using your services.

Action required:

  • Log into the DSPT portal and review your 2024-25 submission
  • Identify gaps against Version 8 requirements (released 1 September 2025)
  • Book your independent audit immediately—auditors are getting booked up fast
  • Assign internal ownership for each evidence area
  • For Category 2: complete interim baseline by 31 December 2025

2. Cyber Essentials Plus Certification

What it is: Government-backed certification proving you have technical controls against commodity cyber attacks.

Your deadline: Required now under Procurement Policy Note 014 (PPN 014) issued in 2024

What you must prove:

  • Firewalls configured correctly
  • Secure configuration of all systems
  • User access controls in place
  • Malware protection deployed
  • Patch management processes working
  • Independent technical verification (not just self-assessment)

Why it matters: NHS Supply Chain has stated explicitly: "ISO 27001 cannot be offered as an alternative." Without Cyber Essentials Plus, you'll face an Information Security Third Party Questionnaire from September 2025 onwards—and you may not pass it.

Action required:

  • Get certified through an IASME-accredited certification body
  • Budget 4-8 weeks for the process
  • Prepare for technical vulnerability scan and configuration review
  • Renew annually—certificates expire after 12 months

3. ISO 27001 Certification (Encouraged, Required for Some)

What it is: International standard for information security management systems.

Who must have it:

  • HSCN network service providers (mandatory, alongside ISO 9001)
  • Large IT suppliers (strongly encouraged as complementary to DSPT and CE+)

Why it matters: ISO 27001 demonstrates mature security governance and is increasingly requested in NHS procurement processes. While not universally mandatory, it significantly strengthens your position.

Action required:

  • If you're an HSCN provider, ensure UKAS-accredited certification is current
  • If you're a major supplier, consider ISO 27001 to complement DSPT and CE+
  • Budget 6-12 months for initial certification if starting from scratch

4. Digital Technology Assessment Criteria (DTAC)

What it is: Assessment framework for digital health technologies covering clinical safety, data protection, interoperability, and technical security.

Who must comply: All suppliers of apps, platforms, clinical systems, and digital therapeutics

What you must prove:

  • Clinical safety (DCB 0129/0160 compliance)
  • Data protection impact assessment completed
  • Interoperability standards met
  • Technical security controls in place
  • Penetration testing completed within the last 12 months

Action required:

  • Complete DTAC self-assessment via NHS Digital
  • Commission annual penetration test from CHECK-certified provider
  • Document all findings and remediation actions
  • Update clinical risk management file

5. NHS Cyber Security Supply Chain Charter

What it is: Eight mandatory expectations launched in May 2025 by NHS England and DHSC.

What you must demonstrate:

  1. Current patching: All systems patched within vendor timelines (critical patches within 14 days)
  2. DSPT Standards Met status: Maintained annually without lapse
  3. MFA across all systems: No exceptions for remote access or privileged accounts
  4. Immutable backups: Tested and verified, stored offline or in immutable cloud storage
  5. 24/7 cyber threat monitoring: SOC or MSSP monitoring all production systems
  6. Board-level incident response exercising: At least annually, with NHS participation
  7. Collaborative working during incidents: Commitment to share threat intelligence with NHS England
  8. Additional security requirements: Vulnerability scanning, secure software development, supply chain risk management

Why it matters: From early 2026, NHS England is proactively contacting suppliers to verify these controls. NHS Supply Chain is developing a process to flag "insecure" suppliers across the NHS procurement network.

Action required:

  • Conduct gap analysis against all eight expectations now
  • Implement missing controls before you're contacted
  • Document everything—expect to provide evidence on request
  • Ensure your board or senior leadership has reviewed and signed off
What Happens If You Don't Comply

Loss of Contracts

DSPT non-compliance is a breach of NHS Standard Contract. NHS organisations cannot lawfully continue using your services if you have "Standards Not Met" status. You will lose existing contracts.

Blocked from New Business

NHS Supply Chain has warned: "Not meeting the requirements could mean losing opportunities with the NHS." Procurement teams now check DSPT status, Cyber Essentials Plus, and Charter compliance before awarding contracts.

ICO Enforcement

The Advanced fine (£3.07M) and Capita fine (£14M) proved the ICO will fine data processors directly for security failures. You cannot hide behind "we're just a processor" anymore. Maximum fines under UK GDPR: £17.5 million or 4% of global turnover.

NIS Regulations Penalties

If you're an Operator of Essential Service, NIS penalties reach £17 million—and can be imposed for inadequate security measures alone, even without a breach.

Your Compliance Timeline

Now (February 2026)

  • Review DSPT Version 8 requirements and conduct gap analysis
  • Book an independent DSPT audit (If required)
  • Verify Cyber Essentials Plus is current (or start certification)
  • Commission penetration testing if the last test is older than 12 months
  • Conduct Charter gap analysis

March 2026

  • Complete all evidence gathering for DSPT
  • Implement missing Charter controls
  • Update all policies and procedures
  • Complete independent audit

April-May 2026

  • Finalise DSPT submission
  • Address any audit findings
  • Prepare for NHS England supplier engagement

By 30 June 2026

  • Submit final DSPT assessment
  • Publish "Standards Met" status

After June 2026

  • Maintain continuous compliance
  • Respond to NHS England supplier verification requests
  • Renew Cyber Essentials Plus annually
  • Monitor for DSPT Version 9 (expected September 2026)

What the Attacks Taught Us

Both the Advanced (August 2022) and Synnovis (June 2024) ransomware attacks succeeded because of the same failures:

  • No multi-factor authentication on remote access
  • No regular vulnerability scanning
  • Poor patch management (known vulnerabilities left unpatched)

The ICO and NHS England are now benchmarking supplier security against NCSC Cyber Essentials and ISO 27002. If you fall below these widely available standards, you have no credible defence.

Mike Fell, NHS England's cyber operations director, summarised it: "Time and again we see the absence of foundational controls being the root cause—the absence of multi-factor authentication, the absence of monitoring, and not hardening systems against known vulnerabilities."

The 2025-26 cycle is not business as usual. The ICO has proved it will fine processors directly. NHS England is actively investigating supplier security postures. The Cyber Security and Resilience Bill will create statutory enforcement powers with penalties that dwarf current fines.

For NHS suppliers, complacency is now the highest risk. Every requirement listed in this blog is achievable with the right planning and resources. The suppliers who act now will protect their market position. Those who delay will find themselves locked out of the largest healthcare procurement market in Europe.
View full post