What Do You Actually Need to Supply to the NHS? The Cyber Essentials Requirements Explained
If you supply products or services to the NHS, cyber security is no longer something you can address after winning a contract. It's a condition of being considered for one.
The key document driving this is Procurement Policy Note 014 (PPN 014) — UK Government guidance implemented by NHS Supply Chain that sets out mandatory cyber security requirements for suppliers. Understanding what it requires and why is now essential for any organisation in the NHS supply chain.
Who does PPN 014 apply to?
Not every supplier is in scope, but the criteria are broad. You'll need to demonstrate compliance if:
- You handle or process NHS Supply Chain personal data, including data relating to employees, customers or other suppliers
- You supply IT or digital products and services, including software, hosting, support or managed services
Routine email correspondence with NHS staff doesn't, on its own, trigger the requirement. But if you store, process, or have ongoing or privileged access to personal data as part of a service or system you provide, you're in scope.
What does compliance look like?
NHS Supply Chain's preferred route to compliance is Cyber Essentials Plus, the audited tier of the government-backed Cyber Essentials scheme. CE+ requires an independent external audit that verifies your security controls are actually working, not just claimed.
It's worth noting: ISO 27001 is not an accepted alternative. NHS Supply Chain is explicit on this, the two frameworks take different approaches, and ISO 27001 cannot be substituted for CE+.
If you don't yet hold CE+, NHS Supply Chain may ask you to complete an Information Security Third Party Questionnaire (ISTPQ) as an interim measure. This assesses whether equivalent controls are in place. But holding a valid CE+ certificate removes this requirement entirely.
Why these five controls specifically?
Cyber Essentials is built around five technical controls that the NCSC estimates would prevent around 80% of common internet-based cyber attacks. For the NHS supply chain, each one addresses a real and recurring risk:
Firewalls — your first line of defence against unauthorised access to your network. A misconfigured or absent firewall is one of the most exploited vulnerabilities in supply chain attacks.
Secure configuration — default settings on software and devices are frequently exploited. This control requires you to change default passwords, disable unnecessary services, and remove software you don't use.
User access control — limiting who can access what, and ensuring admin privileges are only held by those who genuinely need them. Over-privileged accounts are consistently one of the top causes of CE+ audit failures.
Malware protection — active, up-to-date anti-malware across all in-scope devices. The Synnovis ransomware attack in 2024 disrupted over 1,700 elective procedures and more than 10,000 outpatient appointments, with a claimed 400GB of patient data published on the dark web, a direct example of what happens when this fails across a connected healthcare ecosystem.
Patch management — keeping software and operating systems current. Unpatched vulnerabilities are the most common entry point for attackers, and CE+ requires critical updates to be applied within 14 days of release.
What happens if you're non-compliant?
NHS Supply Chain is developing a process with NHS England to flag suppliers whose products or services may increase cyber risk within NHS trusts. Where suppliers are in scope but lack certification, a risk-based decision will be made, but the direction of travel is clear. Non-certified suppliers are increasingly exposed to procurement delays, additional scrutiny, and potential exclusion from frameworks.
For new suppliers, compliance is assessed at the Supplier Questionnaire stage. For existing suppliers, NHS Supply Chain began issuing the ISTPQ from September 2025.
The practical takeaway
If you supply IT or digital services to the NHS, or handle any NHS personal data as part of your service, CE+ is effectively the minimum standard you should be working toward. It protects your ability to bid, reduces the administrative burden of additional questionnaires, and signals to NHS buyers that you take supply chain security seriously.
At Periculo, we're an IASME-accredited certification body. We work with NHS suppliers through the full CE and CE+ process, from scoping and gap analysis to certification. Book a call with our team or find out more about Cyber Essentials at Periculo.