NHS Supply Chain updates cyber security requirements
Cyber security is a critical part of delivering safe, reliable healthcare. In response to the ever-growing and evolving threat of cyber attacks across the public sector, NHS Supply Chain has strengthened its cyber security requirements for suppliers, placing a clearer emphasis on Cyber Essentials Plus (CE+) for organisations that supply goods or services to the NHS.
What is Cyber Essentials Plus?
Cyber Essentials Plus is a UK Government‑backed certification scheme designed to protect organisations against the most common cyber threats. Unlike standard Cyber Essentials, Cyber Essentials Plus includes an independent technical audit, providing stronger assurance that controls are working in practice.
Why is NHS Supply Chain now requiring Cyber Essentials Plus?
The NHS relies on thousands of suppliers, from IT and digital service providers to logistics, estates, and professional services. A cyber incident affecting just one supplier can have serious knock‑on effects, potentially disrupting healthcare services or exposing sensitive personal data.
High‑profile attacks such as the WannaCry ransomware incident demonstrated how vulnerable healthcare systems can be and why supply‑chain resilience is so important. Since then, NHS bodies have aligned more closely with National Cyber Security Centre (NCSC) guidance and central government procurement policy.
Who will be impacted by this change?
All suppliers that are in scope of Procurement Policy Note 014 will be required to have Cyber Essentials Plus. You are likely to be in scope if your organisation:
- Handles or processes NHS Supply Chain personal data, including data relating to staff, customers or other suppliers.
- Supplies IT, digital products or services, including software, hosting, support or managed services.
Other NHS Supply Chain requirements are not changing
This newly defined Cyber Essentials Plus requirement does not replace other NHS data protection obligations. Organisations that access or process NHS patient data must complete the Data Security and Protection Toolkit every year, and NHS England encourages suppliers to align with the Cyber Security Charter for NHS suppliers.
Altogether, these measures form a more robust and consistent cyber assurance framework across the NHS supply chain.
What should you do?
To stay compliant and competitive, suppliers to the NHS should:
- Confirm whether they are in scope
- Assess readiness for Cyber Essentials Plus
- Plan for certification and annual renewal
- Align Cyber Essentials Plus with the Data Security and Protection Toolkit

Russell Gower-Leech
Cybersecurity Manager
Russell Gower-Leech is the Cybersecurity Manager at Select Technology, leading the delivery of robust, standards-led cybersecurity strategies for organisations across Kent and the South East.
He works closely with business leaders to strengthen security posture, reduce cyber risk, and embed effective security practices that protect operations, data, and people. Russell is known for cutting through complexity, translating technical risk into clear, actionable guidance that supports confident decision-making.
A certified assessor for Cyber Essentials, Russell brings over 18 years’ experience in technical solutions architecture and cybersecurity leadership. He actively monitors the evolving threat landscape and emerging technologies to ensure clients remain resilient against modern cyber threats. His areas of expertise include cybersecurity strategy, Microsoft 365 security, cloud platforms, information security, and IT governance.