NHS suppliers required to prove cyber security compliance

  • 26 January 2026
Mike Fell, executive director of national cyber security operations at NHS England (Image provided by Mike Fell)
  • NHS England and DHSC have issued an open letter to NHS suppliers outlining the need for direct engagement to build on the Cyber Security Supply Chain Charter
  • From January 2026, a new programme of “direct, proportionate engagement with suppliers” is beginning to help reduce cyber risk
  • Suppliers will be contacted to discuss cyber security controls and may be requested to provide evidence of compliance

NHS England and the Department of Health and Social Care (DHSC) have issued an open letter to NHS suppliers outlining the need for direct engagement to build on the Cyber Security Supply Chain Charter.

NHS suppliers were urged to sign the charter of cyber security best practice in May 2025 to show their commitment to being trusted and secure partners to the health system.

An open letter, published on 21 January 2026, from Phil Huggins, national chief information security officer for health and care at the DHSC, and Mike Fell, executive director of national cyber operations at NHSE, announces a new programme which will “build on that voluntary commitment through more direct, proportionate engagement with suppliers to safeguard essential services”.

From January 2026, NHSE, or the relevant contracting authority, may contact suppliers to discuss cyber security controls, including those set out in the Supply Chain Charter.

NHSE may also “request supporting information or evidence where appropriate”, such as when “the supplier delivers services that are critical to patient care or operational continuity, or where early discussions or risk indicators suggest that further assurance would be helpful”.

“This aims to strengthen cyber resilience across the sector and reduce the likelihood and impact of cyber incidents on patient care.

“It will be prioritised and proportionate, reflecting the diversity of the supply chain and the varying types of services suppliers provide,” the letter states.

Suppliers are advised to begin preparing by reviewing the expectations set out in the Cyber Security Supply Chain Charter, including keeping systems patched and supported, maintaining ‘standards met’ in the Data Security and Protection Toolkit, applying multi-factor authentication, monitoring and logging critical infrastructure, and conducting board-level exercising.

“This is not an audit, and it is not a pass or fail exercise. This programme is about identifying risk and working in partnership to agree proportionate remediation activity, that strengthens resilience for everyone,” the letter states.

In November 2025, the Cyber Security and Resilience Bill was introduced in Parliament to help protect the public sector and prevent cyber attacks like the Synnovis ransomware attack in June 2024 which disrupted NHS services in London and contributed to a patient death.

The government’s Cyber Action Plan was also published earlier this month, backed by more than £210 million, to help meet online threats as the government increasingly digitises public services.

It is intended to enable clearer visibility of risks, stronger central action on the toughest challenges, faster response to threats and incidents, and high resilience across government.

Recent NHS cyber incidents have included attacks on Barts Health NHS Trust and NHS GP supplier DXS which is used by around 2,000 GP in the UK.
