Cyber Security Blog

Weekly Round Up Issue 17

Written by Craig Pepper | May 8, 2026 10:44:59 AM

It has been a significant week for anyone supplying digital products or services to the NHS. The headlines are political, with ministers defending the Federated Data Platform, and a fresh debate about digital exclusion. Cyber controls are tightening, supplier expectations are rising, and the regulatory perimeter around connected health technology is being redrawn. Here is what mattered, and why it should be on your risk register.

NHS England restricts open-source code from 11 May

NHS England has issued internal guidance instructing staff that all source-code repositories must be private by default, with the change taking effect on Monday, 11 May. The decision, first reported by Digital Health News, has been framed as a response to concerns that AI model providers are scraping public NHSE code and could expose sensitive context about how internal systems are built and configured.

The shift signals a maturing view of "shadow data" risk inside NHSE. For suppliers, it is a quiet but useful tell — internal teams are being asked to reason about exposure, attack surface and AI training risk in ways they were not twelve months ago. Expect the same questions to roll downhill into supplier reviews and DSPT audit conversations.

Cyber and compliance implications: Healthtechs should treat this as a prompt to audit their own public repositories, container registries and developer documentation for the same material NHSE is worried about: credentials, internal hostnames and addresses, and detail on how systems are built and deployed. If you ship anything into the NHS estate, whatever is indexable on GitHub or HuggingFace is now a credible due-diligence question.
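A first pass at that audit, as an added example rather than anything from the NHSE guidance or the Digital Health News report: a small Python scanner that walks a snapshot of repository files looking for the kinds of material that reveal how internal systems are built (hard-coded credentials, private-key blocks, RFC 1918 addresses, internal hostnames). The internal domain suffix, the sample file contents and the `scan:ignore` allowlist marker are all constructed for the example; the AKIA value is the placeholder key used in AWS documentation, not a live credential.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Assumption for the example: the organisation's internal DNS suffix.
INTERNAL_DOMAIN = r"\.corp\.example\.internal"
# Lines carrying this marker are documented fixtures and are skipped (constructed convention).
IGNORE_MARKER = "scan:ignore"

PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    # keyword = value, where the value is a literal rather than an env-var or template reference
    "hardcoded_credential": re.compile(
        r"(?:password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]?"
        r"(?!\$|<|\{|os\.|env[.(])[^\s'\"]{8,}",
        re.I,
    ),
    "rfc1918_address": re.compile(
        r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
        r"|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
        r"|192\.168\.\d{1,3}\.\d{1,3})\b"
    ),
    "internal_hostname": re.compile(r"\b[a-z0-9.-]+" + INTERNAL_DOMAIN + r"\b", re.I),
}


@dataclass
class Finding:
    path: str
    line_no: int
    category: str
    redacted: str  # never copy the full match into a report or ticket


def redact(match: str) -> str:
    """Keep a short prefix so the finding can be located, mask the rest."""
    return match[:4] + "*" * (len(match) - 4) if len(match) > 4 else match


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents line by line against every pattern."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if IGNORE_MARKER in line:
            continue
        for category, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(path, line_no, category, redact(m.group(0))))
    return findings


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> contents (e.g. a checked-out repo or an exported image layer)."""
    findings = []
    for path in sorted(files):
        findings.extend(scan_text(path, files[path]))
    return findings


def summarise(findings: list[Finding]) -> dict[str, int]:
    return dict(sorted(Counter(f.category for f in findings).items()))


# Constructed sample repository snapshot; none of this is real infrastructure.
SAMPLE_FILES = {
    "README.md": (
        "Deploy with `helm upgrade api ./chart` against the staging cluster.\n"
        "Internal dashboards: https://grafana.corp.example.internal/d/overview\n"
        "Docs fixture (not a live credential): AKIAIOSFODNN7EXAMPLE <!-- scan:ignore -->\n"
    ),
    "config/settings.py": (
        "DB_HOST = '10.42.7.15'  # constructed example of an internal address\n"
        "DB_PASSWORD = os.environ['DB_PASSWORD']\n"
        "SMTP_PASSWORD = 'Wint3r-Rel3ase-2026'\n"
    ),
    "deploy/aws.env": (
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY}\n"
    ),
    "docs/runbook.md": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEpAIBAAKCAQEA(constructed)\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
}

if __name__ == "__main__":
    results = scan_tree(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line_no} [{f.category}] {f.redacted}")
    print(summarise(results))
```

Run it over a `git clone` of each public repository and over the extracted layers of any public container image; the env-var reference on line 2 of the settings file is deliberately not flagged, while the literal SMTP password on line 3 is, which is the distinction reviewers most often get wrong.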

Minister gives the Federated Data Platform a "clean bill of health"

On 7 May, the responsible minister told Parliament that the NHS Federated Data Platform, the £330m Palantir-built system, is performing well, with NISTA reportedly rating delivery "green" and projected benefits at around £777m. NHSE has separately confirmed plans to expand FDP into AI-driven theatre scheduling, triage and discharge tools.

EU MDR cybersecurity consultation closes today

The European Commission's public feedback window on the proposed MDR/IVDR revisions closes on 8 May. The draft explicitly integrates cybersecurity into the medtech General Safety and Performance Requirements, introduces a 30-day notification window for severe incidents and vulnerabilities to CSIRTs and ENISA, and tightens software classification rules.

UK manufacturers placing devices on the EU market will inherit the obligations regardless of post-Brexit divergence. Final adoption is expected mid-to-late 2026, with practical effect in 2027–28.

Cyber and compliance implications: Now is the moment to map your existing vulnerability disclosure process against the proposed 30-day clock and to confirm your conformity documentation references EN IEC 81001-5-1. The MHRA is still expected to publish its own SaMD cybersecurity guidance and an AI medical device framework later this year.

DSPT v8: the 30 June deadline is closer than it looks

With submission due by 30 June 2026, Category 3 organisations are being reminded of the new Version 8 obligations: a digital asset register covering hardware and software, formal accountability for system administrators, and a senior officer who actively owns the security approach. IT suppliers must now complete an independent audit covering 11 cybersecurity and governance areas.

DSPT remains the single most consequential compliance gate for selling into the NHS. The shift to independent audit is the most material change in years for IT suppliers and is not something to leave to June.

Cyber and compliance implications: If you have not booked an auditor or scoped the 11 control areas, that is now urgent. The audit is also a useful forcing function for asset register hygiene, joiners-movers-leavers controls and evidence collection ahead of contract renewals.

NHSE supplier outreach on cyber controls begins

Following last year's letter to NHS supplier CEOs about the "endemic" ransomware threat, NHS England (or the relevant contracting authority) has begun reaching out to suppliers to discuss cyber controls and may request supporting evidence. The recommended baseline is familiar but worth restating: supported and patched systems, "Standards Met" on DSPT, and MFA across the estate.

This is the practical operationalisation of the NHS's supplier risk strategy. Expect the questions to become more specific over the year: evidence of patch SLAs, backup integrity testing and network segmentation, rather than tick-box compliance.

Cyber Security and Resilience Bill: healthcare in scope

The Bill cleared the committee stage in February and is awaiting Report Stage in the Commons. Healthcare is explicitly named as a priority sector. Among other measures, the Bill broadens the scope of regulated entities, introduces a faster two-stage incident reporting model, and strengthens supply chain oversight.

Royal Assent is expected this year, with phased commencement potentially extending into 2028. NHS trusts and any organisation supplying technology into the healthcare sector should be reading the Policy Statement now and aligning incident playbooks to a two-stage reporting model.

Closing Thoughts

Healthcare cybersecurity regulation is no longer moving in theory; it is becoming operational. From NHS England restricting public code repositories and increasing supplier scrutiny, to DSPT v8 audits, MDR cybersecurity reforms and the upcoming Cyber Security and Resilience Bill, the direction is clear: healthcare organisations and suppliers will be expected to demonstrate stronger governance, clearer accountability and faster incident response.

For digital health and medtech companies, the organisations that prepare now will be in a far stronger position when these requirements become enforceable through procurement, audits and regulatory oversight.

If your organisation needs support preparing for DSPT v8, reviewing cyber controls, assessing AI and software risk, or aligning with upcoming NHS and EU cybersecurity requirements, contact us to discuss how we can help.