NHS Supplier Cyber Security: What You Need to Know About New NHS Supply Chain Expectations

The NHS Supply Chain has updated its cybersecurity requirements for suppliers. These changes are designed to protect the NHS from growing cyber threats and to make sure suppliers play their part in keeping patient services safe.

If you currently supply to the NHS or hope to in the future, you’ll need to understand what’s required. From Cyber Essentials Plus certification to the Data Security and Protection Toolkit (DSPT), suppliers now face stricter checks. In this blog, we’ll break down the new expectations in plain language, explain who’s affected, and share practical steps you can take to stay compliant.

Let’s take a look...

Why Cyber Security Matters for NHS Suppliers

The NHS relies on thousands of suppliers – from IT and digital providers to equipment manufacturers and service companies. If any one supplier suffers a cyber-attack, it can have a knock-on effect on hospitals and patient safety.

By meeting the NHS Supply Chain’s cyber security requirements, you not only protect your own business but also play a part in safeguarding essential healthcare services.

New NHS Cyber Security Requirements

Under Procurement Policy Note (PPN) 014, NHS Supply Chain is implementing stricter standards. Here are the key points suppliers need to know:

Who is affected?

You are considered “in scope” if:

  • You handle NHS Supply Chain personal data (for staff, customers, or suppliers).

  • You supply IT or digital products and services as part of your contract.

Cyber Essentials Plus certification

In-scope suppliers are expected to hold Cyber Essentials Plus (CE+) or prove equivalent protections. This government-backed certification focuses on five core security controls:

  • Prompt software updates

  • User access controls

  • Secure configuration

  • Malware protection

  • Firewalls

Cyber Essentials Plus requires annual renewal and independent auditing, giving the NHS confidence that your defences are tested and up to date.

Alternative evidence

If you don’t yet hold CE+, you may need to complete an Information Security Third Party Questionnaire (ISTPQ) to show your current security measures. However, working towards CE+ is strongly recommended.

Data Security and Protection Toolkit (DSPT)

If your organisation handles NHS patient data, you must also complete the Data Security and Protection Toolkit (DSPT).

This annual self-assessment demonstrates compliance with the National Data Guardian’s 10 data security standards, covering issues like staff training, encryption, and incident reporting. Completing the DSPT reassures the NHS that you manage patient information responsibly and securely.

What If You’re Not Certified Yet?

Don’t panic if you don’t currently have Cyber Essentials Plus or a DSPT submission. NHS Supply Chain recognises this may take time.

  • New suppliers will encounter cyber questions during the Supplier Questionnaire stage.

  • Existing suppliers may be contacted from September 2025 to complete the ISTPQ if they cannot provide certification.

  • Certified suppliers can skip the questionnaire – their CE+ certificate is proof enough.

Ultimately, suppliers are expected to achieve and maintain certification. Using interim measures will only get you so far.

Consequences of Non-Compliance

Failing to meet these requirements could put your NHS contracts at risk. NHS Supply Chain, working with NHS England, will make risk-based decisions on whether to continue using products or services from suppliers without the right protections in place.

In short, not meeting the requirements could mean losing opportunities with the NHS.

Common Questions Answered

  • Cyber Essentials vs Cyber Essentials Plus: Basic Cyber Essentials may be accepted temporarily with evidence, but CE+ is the gold standard.

  • Cyber Assessment Framework (CAF): Useful for guidance but not a substitute for CE+.

  • Overseas suppliers: Expected to meet the same CE+ requirements as UK suppliers.

  • ISO 27001: Valuable but not accepted as an alternative to CE+.


Tips for Meeting NHS Cyber Security Expectations

  1. Do a gap analysis – Review your current practices against the Cyber Essentials controls.

  2. Start with Cyber Essentials – Even the basic level helps prepare for CE+.

  3. Plan for CE+ – Budget time and resources to achieve certification, including arranging an external audit.

  4. Engage with DSPT early – If handling patient data, register and complete the toolkit annually.

  5. Train your staff – Human error is often the weakest link. Run phishing awareness and data protection training.

  6. Stay informed – Monitor updates from NHS Supply Chain, NHS England, and the National Cyber Security Centre.

Meeting NHS cyber security requirements is no longer optional – it’s a condition of being a trusted supplier. By achieving Cyber Essentials Plus, completing the DSP Toolkit where needed, and embedding strong cyber practices into your organisation, you’ll not only protect your business but also help safeguard the NHS and its patients.
Find Out More

Schedule a call with our team or contact us to get tailored guidance, practical recommendations, and support for achieving certification.