
NHS Supply Chain Cyber Security Requirements June 2026: What Suppliers Must Do Now

NHS Supply Chain (NHSSC) has issued its latest cyber security guidance for suppliers in June, and the message is clear: the requirements are tightening, the expectations are more specific, and suppliers who have not yet acted need to start now.

The June 2026 update placed cyber security as its primary focus, a reflection, NHSSC noted, of the growing risks facing healthcare supply chains. Cyber incidents within those chains have the potential to disrupt operations, affect product availability, and ultimately impact patient care. For health tech and MedTech suppliers, this update carries real commercial weight.

Do You Need Cyber Essentials Plus to Supply the NHS?

The update confirmed that suppliers in the scope of Procurement Policy Note (PPN) 014 are expected to demonstrate compliance with Cyber Essentials Plus.

One important clarification was included: simply exchanging routine business emails with the NHS does not automatically bring a supplier into scope. The requirement applies where a supplier stores, processes, retains, or has ongoing access to personal data, including information relating to employees, patients, customers, or other individuals, as part of the service, system, or solution it provides.

For most health tech suppliers working with clinical or patient-facing solutions, this threshold will almost certainly be met.

The Baseline Controls NHSSC Expects to See

Alongside the formal certification requirement, the update set out the practical security measures suppliers should have in place. These are not advanced or aspirational; they are the baseline that the NHS now considers standard:

  • Enabling multi-factor authentication
  • Training staff to recognise and report phishing emails
  • Using strong, unique passwords
  • Implementing conditional access policies
  • Maintaining business continuity and disaster recovery plans
  • Building a genuine cyber security culture through ongoing awareness and training

Taken together, these controls map closely to the Cyber Essentials framework, which is precisely why CE+ has become the vehicle through which NHSSC is formalising its expectations.

A New Supplier Management Structure

The June update also announced the formation of a new Supplier Management Team within NHSSC. This team consolidates supplier relationship management, supplier development, resilience, sustainability, performance, and risk functions into a single unit.

For suppliers, this signals a more integrated and systematic approach to how NHSSC monitors its supply base, including cyber risk. Expect more structured engagement and a more joined-up view of supplier performance across commercial, operational, and security dimensions.

Cyber Resilience for NHS Suppliers: Practical Steps

Certification is a milestone, not a destination. Achieving Cyber Essentials Plus demonstrates that your baseline technical controls are in place, but resilience goes further than passing an assessment. Here is what we advise suppliers to focus on beyond the certificate.

Treat resilience as an ongoing posture, not a point-in-time exercise. Cyber threats evolve continuously. The controls that passed your CE+ audit last year may not reflect how your environment looks today, with new staff, new devices, and new integrations. Build a rhythm of internal review, not just annual certification.

Know your attack surface. Many NHS suppliers underestimate how much of their environment is in scope. Cloud services, third-party integrations, remote access tools, and personal devices used for work all represent potential entry points. Map your assets and understand what connects to what before an attacker does it for you.

Phishing remains the primary vector. The vast majority of breaches begin with a user clicking something they shouldn't. Staff awareness training is not a nice-to-have; it is your most cost-effective line of defence. Make it regular, realistic, and relevant to the healthcare context your team works in.

Business continuity is a cyber issue. Too many organisations treat BCDR as an operational concern separate from their cyber programme. A ransomware attack or a supply chain compromise is a business continuity event. Your recovery plans should be tested against cyber scenarios, not just IT outages.

Document everything. NHS England is now requesting evidence, not self-declarations. If you cannot demonstrate your controls with documentation (policies, configurations, test results, and incident logs), then, for the purposes of supplier assurance, they do not exist. Build the habit of evidencing your security posture as you go.

Think about your own supply chain. NHS England's focus on supply chain cyber risk applies equally to you as a supplier with your own third parties. If a subcontractor or software vendor is compromised and has access to systems you use to deliver NHS services, that is your risk to manage.

NHS England Is Already Contacting Suppliers About Cyber Security

This update does not sit in isolation. Since January 2026, NHS England has been running a programme of direct, proportionate engagement with suppliers under the NHS Cyber Improvement Programme. Under that programme, NHS England, or the relevant contracting authority, can contact suppliers to discuss their cyber security controls and request supporting evidence, particularly where suppliers deliver services critical to patient care or where risk indicators suggest further assurance is needed.

NHSSC has also confirmed it has used risk analytics data to identify suppliers with elevated cyber-risk profiles, contacting them directly to confirm their protections and provide assurance that there is no onward threat to NHS systems.

The message from the June update is consistent with that trajectory: this is no longer a voluntary framework. It is becoming a condition of doing business with the NHS.

What NHS Suppliers Should Do Now

If you supply digital health tools, clinical software, medical devices, or any solution that involves NHS or patient data, here is where to focus:

  1. Determine your scope. If your solution stores, processes, or accesses personal data as part of the service, you are likely in scope for CE+.
  2. Get certified or close your gaps. CE+ certification is the primary mechanism through which NHSSC will assess compliance. If you are not certified, assess where you stand against the five technical controls.
  3. Document your controls. NHS England is requesting evidence, not just declarations. Make sure your security posture is auditable.
  4. Prepare for direct outreach. If you have not already been contacted as part of the Cyber Improvement Programme, you may be. Being ready means you can respond with confidence rather than scrambling.

How Periculo Can Help

Periculo is a CREST-accredited cybersecurity consultancy working exclusively with Defence and Health Tech suppliers. We help organisations achieve Cyber Essentials Plus, navigate DSPT compliance, and build the documented security posture that NHS procurement teams are increasingly demanding to see.

If the June NHSSC update has raised questions about where your organisation stands, we are here to help you answer them.