Cyber Security Blog

Why Cyber Essentials Plus Is Now Essential for NHS Suppliers — and How to Get Certified

Written by Craig Pepper | Oct 28, 2025 8:00:00 AM

Why Cyber Essentials Plus Matters More Than Ever

If you supply technology, software, or services to the NHS, Cyber Essentials Plus is no longer optional: it is becoming a minimum requirement for doing business.

Both NHS Supply Chain and Procurement Policy Note (PPN) 014 are now driving suppliers toward this enhanced certification. The goal is clear: safeguard sensitive health data, reduce the risk of cyberattacks, and ensure consistent security standards across all NHS partners.

Cyber Essentials Plus builds on the baseline Cyber Essentials self-assessment, but adds an independent technical audit by a certification body to verify that the controls actually work in practice.

What Cyber Essentials Plus Involves

The Cyber Essentials Plus audit tests your systems for real-world weaknesses rather than taking your self-assessment answers on trust. It includes:

  • External vulnerability scan — testing your internet-facing IP addresses and services for exploitable weaknesses.

  • Internal assessment — an authenticated vulnerability scan of a sample of devices, checking patch levels, endpoint protection, and system configuration.

  • User device testing — verifying security settings on a sample of workstations, laptops, and mobile devices, including that day-to-day user accounts do not hold administrator rights.

  • Malware protection tests — test files delivered by email attachment and browser download, to confirm that endpoint protection blocks or quarantines them.

You’ll need to show that the scheme’s five technical controls are properly implemented:

  1. Firewalls and internet gateways

  2. Secure configuration

  3. User access control

  4. Malware protection

  5. Patch management (called security update management in the current question set)

Why It’s Now a Contractual Prerequisite

The NHS Supply Chain framework and the Department for Health and Social Care (DHSC) have both made Cyber Essentials Plus part of their security baseline.

Under PPN 014/21, suppliers handling data classified as “Official” — which includes most NHS information — are expected to achieve Cyber Essentials Plus before contract award.

For many framework renewals in 2025, failing to demonstrate certification could exclude your organisation from tenders. NHS Digital (now part of NHS England) has made it clear: security compliance is now a condition of trust.

The Business Benefits Beyond Compliance

Beyond ticking a procurement box, Cyber Essentials Plus offers tangible advantages:

  • Proof of security assurance — demonstrating due diligence to clients and regulators.

  • Reduced cyber insurance premiums — many insurers now require or reward certification.

  • Operational resilience — identifying misconfigurations before attackers exploit them.

  • Competitive edge — signalling maturity in security to NHS buyers and partners.

How to Prepare for Certification

Achieving Cyber Essentials Plus is straightforward with a structured approach:

  1. Start with a gap analysis. Identify where your current setup falls short of Cyber Essentials controls.

  2. Fix vulnerabilities early. Apply outstanding security updates (the scheme expects critical and high-severity fixes within 14 days of release), enforce multi-factor authentication on cloud services, and remove administrator rights from day-to-day accounts.

  3. Undertake the Cyber Essentials self-assessment first. A current basic certificate is a prerequisite, and the Plus assessment must be completed within three months of it, so plan the two together.

  4. Choose an accredited certification body. Only certification bodies licensed by IASME, the NCSC’s delivery partner for the scheme, can issue the certificate.

  5. Schedule your audit. Expect technical testing on a sample of your devices, carried out remotely, on site, or both.

  6. Maintain your compliance. The certificate is valid for 12 months; keeping patching, configuration, and account reviews under continuous monitoring makes renewal easier.
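The gap analysis in step 1 is easiest to start on the devices themselves, because the authenticated internal assessment samples them for exactly these points. The script below is an added example, not code from the original post or from Periculo. It assumes a Debian or Ubuntu host (apt, ufw, a "sudo" group); the sample data it carries is constructed for illustration, and the file name ce_readiness.sh is hypothetical. Every check reads the relevant command output or file from standard input, so it can also be run against data captured from another machine.

```shell
#!/bin/sh
# Added example, not code from the original post or from Periculo.
# Readiness checks on a Linux endpoint for four of the five Cyber Essentials
# controls: patch management, user access control, firewalls and secure
# configuration. Assumptions: a Debian/Ubuntu host with apt, ufw and a "sudo"
# group. Each check reads its input from stdin, so it also works on output
# captured from another machine; run_live gathers the real data on this host.

# Patch management: upgradable packages that come from a -security pocket.
# Input: output of `apt list --upgradable`. Prints the count.
count_security_updates() {
    grep -c -- '-security' || true
}

# User access control: UID 0 accounts other than root. Input: /etc/passwd.
extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# User access control: who holds admin rights through the sudo group. Input: /etc/group.
sudo_group_members() {
    awk -F: '$1 == "sudo" { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# Firewall: exit 0 if the host firewall is enabled. Input: output of `ufw status`.
firewall_active() {
    grep -q '^Status: active'
}

# Secure configuration: exit 0 if SSH password authentication is off. Input: sshd_config.
# sshd honours the first occurrence of a directive, and the default is "yes".
ssh_password_auth_disabled() {
    awk 'tolower($1) == "passwordauthentication" && !seen { v = tolower($2); seen = 1 }
         END { if (v == "no") exit 0; exit 1 }'
}

# Run every check over the five inputs and print an audit-style report.
# usage: assess "$apt_output" "$passwd" "$group" "$ufw_output" "$sshd_config"
assess() {
    n=$(printf '%s\n' "$1" | count_security_updates)
    if [ "$n" -eq 0 ]; then echo "PASS patching: no pending security updates"
    else echo "FAIL patching: $n pending security updates"; fi

    extra=$(printf '%s\n' "$2" | extra_root_accounts | tr '\n' ' ')
    if [ -z "$extra" ]; then echo "PASS access: root is the only UID 0 account"
    else echo "FAIL access: extra UID 0 accounts: $extra"; fi
    echo "INFO access: sudo group members: $(printf '%s\n' "$3" | sudo_group_members | tr '\n' ' ')"

    if printf '%s\n' "$4" | firewall_active; then echo "PASS firewall: ufw is active"
    else echo "FAIL firewall: ufw is not active"; fi

    if printf '%s\n' "$5" | ssh_password_auth_disabled; then echo "PASS config: SSH password authentication disabled"
    else echo "FAIL config: SSH password authentication enabled (first PasswordAuthentication directive is not 'no')"; fi
}

run_live() {
    assess "$(apt list --upgradable 2>/dev/null)" "$(cat /etc/passwd)" "$(cat /etc/group)" \
           "$(ufw status 2>/dev/null)" "$(cat /etc/ssh/sshd_config 2>/dev/null)"
}

# Constructed sample data standing in for a host that would fail the audit.
SAMPLE_APT='Listing...
libssl3/jammy-security,jammy-updates 3.0.2-0ubuntu1.15 amd64 [upgradable from: 3.0.2-0ubuntu1.12]
vim/jammy-updates 2:8.2.3995-1ubuntu2.15 amd64 [upgradable from: 2:8.2.3995-1ubuntu2.13]
linux-image-generic/jammy-security 5.15.0.107.104 amd64 [upgradable from: 5.15.0.105.102]'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
toor:x:0:0::/root:/bin/bash'
SAMPLE_GROUP='sudo:x:27:alice,bob
users:x:100:'
SAMPLE_UFW='Status: inactive'
SAMPLE_SSHD='# PasswordAuthentication no
PasswordAuthentication yes
PasswordAuthentication no'

# `sh ce_readiness.sh --live` checks this host; with no argument it reports on the sample data.
if [ "${1:-}" = "--live" ]; then run_live; else assess "$SAMPLE_APT" "$SAMPLE_PASSWD" "$SAMPLE_GROUP" "$SAMPLE_UFW" "$SAMPLE_SSHD"; fi
```

Run with no argument, the script reports on the embedded sample, which fails every check: two pending security updates, a second UID 0 account, an inactive firewall, and an sshd_config whose first uncommented PasswordAuthentication line says yes even though a later line says no. The checks treat empty input as compliant, so on a host without apt or ufw the live run will report PASS for those controls and should be read with that in mind.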

How Periculo Can Help

Periculo’s Cyber Essentials Plus readiness service helps NHS suppliers meet the new PPN 014 and NHS Supply Chain expectations quickly.
We provide:

  • Pre-audit readiness assessments

  • Remediation guidance

  • Support through the certification process

With the 2025 procurement cycle approaching, now’s the time to act.

Get in touch to start your Cyber Essentials Plus journey.