Cyber Essentials for NHS suppliers — what NHS Supply Chain and PPN 014 require.
NHS Supply Chain is requiring Cyber Essentials Plus from in-scope suppliers as part of its implementation of PPN 014. If you supply to the NHS, here is what you need to know and what you need to do.
What NHS Supply Chain is requiring
NHS Supply Chain has been implementing the requirements of PPN 014 across its supplier base, requiring in-scope suppliers to hold Cyber Essentials Plus certification as a condition of continued supply. This is part of a broader UK Government push to raise the baseline security posture of public sector supply chains.
The requirement is not uniform across all NHS suppliers. Whether it applies to your organisation depends on the nature of your contract, the data you handle, and the systems you connect to. However, the direction of travel is clear — NHS procurement is moving toward mandatory cyber certification for a wider range of suppliers, and the standard being applied is Cyber Essentials Plus, not just Cyber Essentials.
The difference between what NHS suppliers need and what most clients ask for
Most client contractual requirements are satisfied by Cyber Essentials — the self-assessed baseline certification. NHS Supply Chain and other NHS procurement bodies are specifying Cyber Essentials Plus — the independently verified version.
That distinction has a significant effect on the work involved. CE Plus requires a hands-on technical assessment of your actual systems by an accredited assessor. You cannot proceed to CE Plus without first passing Cyber Essentials. The combined process typically takes six to ten weeks from start to certification for an organisation with a well-maintained IT environment.
What about the DSPT?
The Data Security and Protection Toolkit (DSPT) is a separate requirement for NHS organisations themselves. Suppliers are not required to complete the DSPT — but NHS organisations are required to assess the security posture of their key suppliers as part of their own DSPT submission.
Holding Cyber Essentials Plus gives your NHS counterpart a verifiable, standardised evidence point for that assessment. It reduces the friction in their compliance process and demonstrates that your organisation has been independently assessed against a recognised baseline standard.
What healthcare and health tech suppliers should do now
If you supply to NHS Supply Chain, review your current contract documentation to understand whether a cyber certification requirement has been communicated. If it has, begin the certification process now — the timeline for CE Plus is longer than most organisations expect.
If you supply to NHS trusts, ICBs, or other NHS bodies directly, review your contract or pre-qualification questionnaire. Cyber Essentials requirements are increasingly embedded in NHS procurement documentation at all levels.
CYBER ESSENTIALS IS NOT THE SAME AS THE DSPT
Cyber Essentials and the Data Security and Protection Toolkit are different things. Suppliers are not required to complete the DSPT — but holding Cyber Essentials Plus supports your NHS buyer's own DSPT compliance by giving them independently verified evidence of your baseline security controls.
SUPPLYING TO THE NHS?
Start with a conversation.
Our initial consultation is a working call — typically 30 minutes — in which we understand your organisation, your certification objectives, and your current security posture. You will leave with a clear picture of what is required and what it will cost.