
Weekly Round Up Issue 16

The regulatory direction of travel got louder this week. The NCSC pulled back the curtain on 18 months of coordinated work with NHS England. The MHRA's new medical device registration fee regime went live. NHS England opened an investigation into GP websites linked to illicit content. And the Cyber Security Supply Chain Charter programme continued its shift from policy to direct engagement with suppliers. Taken together, these announcements describe a system tightening expectations of anyone who supplies, integrates with, or processes data for the NHS.

NCSC outlines a coordinated plan to boost NHS cyber resilience

On 17 April, the NCSC published a blog setting out how it has worked with NHS England, NHS Business Services Authority and NHS Scotland over the past 18 months to reduce cyber risk across the health system. The plan covers five areas: piloting tools through Active Cyber Defence 2.0, strengthening software supply chain security, coordinating vulnerability disclosure, improving visibility of the threat surface, and widening adoption of services such as the Early Warning service, Cyber Action Toolkit and Cyber Essentials.

Two details stand out for suppliers. First, the Government's Software Security Code of Practice is now being used in NHS procurement to assess supplier cyber maturity. Second, the NHS App has become the first government-sponsored platform to adopt passkeys, a tangible signal of where authentication standards are heading across the NHS estate.

Procurement teams are no longer relying solely on tick-box self-assessments. If your product is being considered for NHS use, expect deeper questions on secure development practices, vulnerability disclosure and dependency management, grounded in the Software Security Code of Practice. Suppliers without a documented SDLC story will feel this first.

MHRA's new registration fee regime goes live

From 1 April, the MHRA introduced an annual registration fee for medical device manufacturers, calculated on the number of GMDN Level 2 categories under which devices are registered, at roughly £300 per category. The DORS portal closed for updates on 30 March before the new system went live, and updated guidance on device registration and clinical investigations was published on 10 April and 9 April, respectively, with further clarifications to DORS attributes and administrative charges.

The financial impact is manageable for most, but the administrative implications are larger. Manufacturers should audit their GMDN category listings now: unused or duplicated categories will translate directly into recurring fees. The change also reflects the MHRA's post-market surveillance reforms, which bring clearer expectations around ongoing vigilance for devices on the UK market.

NHS England investigates compromised GP websites

NHS England has opened an investigation into multiple GP surgery websites that were found linking to adult content and illegal sports streams. Digital Health News named Poplars Medical Practice, St Thomas Medical Group, Earnswood Medical Centre, South Axholme Practice, North End Medical Centre, Parson Drove Surgery and Canterbury Medical Practice's legacy site among those affected. Early analysis from a former NHS cyber security engineer points to an unpatched WordPress site or plugin, or potentially the compromise of a maintainer with nationwide credentials, rather than a zero-day.

This is a textbook supply chain risk story. A single web maintainer, plugin vendor or CMS configuration gap can cascade across hundreds of practices. Suppliers that manage or host NHS-facing sites should use this moment to re-check patching cadence, plugin inventories, privileged access, and backup integrity. For commissioners, it is a reminder that website hygiene, often treated as marketing's problem, is also a DSPT and reputational issue.
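As an added example that is not part of the original post: a small Python check that a supplier hosting practice websites could run over a page's HTML to spot outbound links pointing at domains outside an allowlist, including links concealed with CSS, which is how injected link spam of the kind described above usually surfaces. It uses only the standard library. The practice hostname, the allowlist and the sample HTML are constructed for illustration and are not taken from any of the sites named.

```python
"""Flag outbound links on a web page that point outside an allowlist.

Injected links on a compromised CMS site are often placed in hidden
elements so visitors do not notice them; this check reports each
external link together with whether it sits inside a hidden element.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkCollector(HTMLParser):
    """Collect (href, hidden) pairs for every <a href> on the page."""

    def __init__(self):
        super().__init__()
        self.links = []          # list of (href, hidden) tuples
        self._hidden_depth = 0   # > 0 while inside a hidden element
        self._stack = []         # open tags as (tag, hidden) for correct popping

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        style = (attrs.get("style") or "").replace(" ", "").lower()
        is_hidden = (
            "display:none" in style
            or "visibility:hidden" in style
            or "hidden" in attrs            # the HTML5 boolean attribute
        )
        if is_hidden:
            self._hidden_depth += 1
        self._stack.append((tag, is_hidden))
        if tag == "a" and attrs.get("href"):
            self.links.append((attrs["href"], self._hidden_depth > 0))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; this also discards void
        # elements such as <br> that never get a closing tag.
        while self._stack:
            open_tag, hidden = self._stack.pop()
            if hidden:
                self._hidden_depth -= 1
            if open_tag == tag:
                break


def find_suspicious_links(html, site_host, allowlist=()):
    """Return external links whose host is neither the site nor allowlisted.

    Each finding is a dict with the raw href, the resolved host and a
    'hidden' flag. Relative links and non-http schemes without a host
    (mailto:, tel:) are ignored as same-site or non-navigational.
    """
    parser = LinkCollector()
    parser.feed(html)
    trusted = {site_host.lower(), *(h.lower() for h in allowlist)}
    findings = []
    for href, hidden in parser.links:
        host = urlparse(href).hostname
        if not host:
            continue
        host = host.lower()
        if host in trusted or any(host.endswith("." + t) for t in trusted):
            continue
        findings.append({"href": href, "host": host, "hidden": hidden})
    return findings


# Constructed sample page: two legitimate links, one hidden injected link
# and one visible injected link. The .invalid TLD is reserved and never resolves.
SAMPLE_HTML = """
<html><body>
<a href="/appointments">Book an appointment</a>
<a href="https://www.nhs.uk/conditions/">NHS conditions A to Z</a>
<div style="display: none"><a href="https://example-spam.invalid/stream">watch free</a></div>
<footer>
  <a href="mailto:reception@example-practice.nhs.uk">Email us</a>
  <a href="https://example-ads.invalid/">cheap offers</a>
</footer>
</body></html>
"""

if __name__ == "__main__":
    # Hypothetical practice hostname and allowlist, constructed for the demo.
    for f in find_suspicious_links(SAMPLE_HTML, "example-practice.nhs.uk", ["nhs.uk"]):
        flag = "HIDDEN " if f["hidden"] else ""
        print(f"{flag}external link -> {f['host']}: {f['href']}")
```

Run it against a saved copy of each page in a site's sitemap and diff the output against a known-good baseline; new hosts appearing, especially hidden ones, are a strong signal that the CMS or one of its plugins has been tampered with and warrant the patching and privileged-access review described above.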

Supply Chain Charter: engagement moves from policy to practice

Following the Cyber Security Supply Chain Charter published by NHS England and DHSC in May 2025, and direct engagement formally opening in January 2026, the April NHSSC supplier webinar outlined what suppliers can now expect: structured contact management via five core supplier contact categories, engagement on specific cyber security controls, and requests for supporting evidence. NHS England continues to emphasise that the approach is proportionate and coordinated, with an explicit aim of reducing duplicated assurance requests across trusts.

Suppliers should ensure their named cyber, data protection and commercial contacts are current in NHSSC records, and that the underlying evidence (DSPT submission, Cyber Essentials Plus, ISO 27001 scope, penetration test summaries and incident response playbooks) is collated, consistent and mapped against Charter expectations. Being asked is now a matter of when, not if.

Also worth noting

Six London NHS Trusts signed on 21 April to move enterprise imaging to Sectra's managed cloud service, citing cybersecurity as a driver. Digital Health reported that reader sentiment favoured reform rather than an overhaul of AI regulation in healthcare, a useful signal for founders tracking what comes next.

What to watch next

The DSPT 2025/26 independent audit window runs until June, with final submissions due 30 June. The Cyber Security and Resilience Bill continues through Parliament. And the Software Security Code of Practice is likely to feature in more procurement conversations over the coming quarter. The theme is consistent: assurance is becoming continuous, evidence-based and supplier-facing.

AI assurance is quickly becoming a central theme in how NHS suppliers are assessed, but for many teams, the question is still how to apply it in a way that is practical, proportionate and aligned with what regulators and buyers actually expect.

We are currently running a small number of in-person sessions with organisations looking to get ahead of this. These are designed to explore real-world approaches to AI governance, risk and evidencing trust, grounded in the same expectations now emerging across the NHS and wider regulatory landscape.

If AI assurance is on your roadmap, or even just a growing question internally, it is worth a conversation.

To find out more about the workshops or to express interest, contact us at Periculo.