The NHS supply chain is under a growing cyber threat. In May 2025, NHS England and the Department of Health and Social Care urged all current and prospective NHS suppliers to sign the new Cyber Security Charter. Ransomware attacks on healthcare have become endemic, disrupting patient care and supply chains.
The Charter signals a shift from tick-box compliance to proactive cybersecurity. NHS leaders are calling on suppliers to go beyond the DSPT or DTAC and embrace a culture of shared responsibility. For suppliers, it’s a chance to prove you’re a trusted, resilient partner — not just compliant, but genuinely cyber-ready.
The Charter is a voluntary commitment asking NHS technology suppliers to uphold best-practice security standards. It was launched by NHS England’s cyber leadership to strengthen resilience across the supply chain.
Suppliers signing the Charter pledge to meet eight core principles — covering patching, access control, incident reporting, and software assurance. While not yet mandatory, these principles are set to become the baseline for doing business with the NHS in the near future.
Suppliers signing the Charter agree to:
Keep systems up to date: Ensure all systems and software used for NHS services are supported and regularly patched.
Meet DSPT standards: Maintain at least “Standards Met” status in the NHS Data Security and Protection Toolkit.
Use MFA: Enforce multi-factor authentication across your organisation and products used by NHS customers.
Provide 24/7 monitoring: Implement continuous threat detection and logging for your critical systems.
Maintain immutable backups: Keep tamper-proof, tested backups of critical data and software.
Exercise your board: Conduct cyber incident simulations at board level to build leadership readiness.
Report incidents quickly: Notify NHS customers promptly after any breach and work openly with NHS England.
Secure your software: Follow the UK government’s Software Security Code of Practice to embed security throughout your development lifecycle.
These commitments go well beyond compliance. They focus on building long-term resilience, transparency, and continuous improvement.
NHS England has been clear: today’s voluntary principles will shape tomorrow’s contract clauses and assurance checks. Meanwhile, the forthcoming Cyber Security and Resilience Bill is expected to tighten obligations on suppliers across critical sectors.
Aligning early with the Charter shows your organisation is proactive, trustworthy, and ready for the next regulatory wave. It’s also a competitive advantage — NHS buyers increasingly look for suppliers who can prove their security maturity, not just their compliance paperwork.
Here are five practical steps to prepare:
Assess your gaps: Compare your security posture against the Charter’s eight principles.
Patch and protect: Maintain DSPT “Standards Met” status and close any outstanding vulnerabilities.
Enable MFA & monitoring: Roll out multi-factor authentication and establish 24/7 threat detection.
Prepare for incidents: Test your backups and run board-level cyber exercises.
Show transparency: Establish clear reporting processes to notify NHS clients of incidents quickly.
Early adopters will be ready when NHS England introduces its self-assessment and sign-up process, expected later in 2025.
Getting Charter-ready can seem daunting, especially for smaller suppliers. Periculo helps NHS vendors strengthen security and demonstrate readiness.
We provide:
DSPT & Cyber Essentials support to meet baseline compliance.
24/7 threat monitoring and incident response.
Immutable backup solutions and ransomware recovery planning.
Penetration testing and secure development guidance.
Board-level training and incident exercise facilitation.
Periculo’s approach makes cybersecurity practical and achievable, aligning your operations with NHS expectations and helping you confidently sign the Charter.
If you’d like to assess your organisation’s readiness or discuss how to meet the Charter’s standards, contact Periculo today.