NHS Cyber Security Open Letter: What Does it Mean for Suppliers?

Beginning in January 2026, NHS England or a relevant contracting authority may reach out to an NHS supplier to discuss its cyber security controls, including measures outlined in the Supply Chain Charter.  They may also request additional details or evidence if extra assurance is required, such as when a supplier supports critical or when early conversations or risk indicators suggest that further assurance would be beneficial.

Whilst this remains voluntary, it highlights the NHS’ increasing scrutiny on the cyber security and resilience of its supply chain.

Cyber attacks now represent one of the most persistent and damaging risks facing organisations across every sector, and the UK is experiencing a steep escalation in both frequency and severity of incidents.  Healthcare is no exception, with recent years having seen a number of NHS suppliers and healthcare organisations suffer major attacks.  

For this reason, organisations should now approach cyber attacks as a matter of when, not if, ensuring the implementation of appropriate security and resilience measures to protect against, detect, respond to and recover from cyber incidents.  Implementing the controls in the NHS Supply Chain Charter should therefore be seen as a minimum standard, not only to strengthen NHS confidence in your organisation, but also to protect your own systems, data, services and operational continuity.

In its letter, the NHS recommended that suppliers review the expectations defined in the Supply Chain Charter to prepare for these discussions.  These expectations include:

• Ensuring systems are patched against known vulnerabilities
• Meeting all mandatory requirements of the Data Security and Protection Toolkit (DSPT)
• Applying Multi-Factor Authentication (MFA) and enabling it on NHS-facing products where appropriate
• Deploying effective continuous monitoring and logging of critical IT infrastructure
• Ensuring backups that cannot be changed, and having tested recovery plans
• Conducting board-level exercising to ensure cyber attacks can be responded to
• Following the Department for Science, Innovation and Technology (DSIT) and National Cyber Security Centre (NCSC) Software Code of Practice when supplying software.

‍

The DSPT is an online self-assessment tool that enables suppliers to the NHS to publish their performance against ten data security standards.

1. Personal confidential data
2. Staff responsibilities
3. Staff training
4. Managing data access
5. Process reviews
6. Responding to incidents
7. Continuity planning
8. Unsupported systems
9. IT protection
10. Accountable suppliers

To ensure these standards are being met, it is important to gain a thorough understanding of what specifically is being asked of your organisation.  For example, one of the elements required to meet standard 6 (Responding to incidents), is to have antivirus or malware protection installed.

Once your organisation understands the exact measures that need to be in place, you can then conduct an audit or gap analysis to determine which requirements are already being met, and what actions are required to implement outstanding requirements.

The letter from the NHS, along with the overarching Government Cyber Action Plan, reinforces the UK Government’s ongoing commitment to increase the cyber resilience of the supply chain, with a particular focus on the resilience of the health sector.  As the UK Government moves towards direct engagement with suppliers to discuss controls and request evidence, the direction of cyber resilience expectations is clear: suppliers should be demonstrating stronger, more mature security practices as a routine aspect of their work with the NHS.