Cyber Essentials Plus for the NHS Supply Chain

The National Health Service is one of the largest and most complex organisations in the world, serving over 65 million patients across England, Scotland, Wales, and Northern Ireland. Behind the frontline care lies a vast supply chain of thousands of companies — from medical device manufacturers and pharmaceutical distributors to IT service providers, cleaning contractors, and facilities management firms. If your organisation supplies goods or services to the NHS, understanding and achieving Cyber Essentials Plus certification is no longer optional — it is rapidly becoming a fundamental requirement for doing business.

This comprehensive guide explains why the NHS supply chain demands Cyber Essentials Plus, what the certification involves, and how your organisation can achieve it efficiently with the right support.

Why the NHS Requires Cyber Essentials Plus

The NHS has been the target of some of the most devastating cyber attacks in UK history. The WannaCry ransomware attack in 2017 crippled hospital systems across the country, causing cancelled operations, diverted ambulances, and an estimated £92 million in damages. Since then, NHS England and the Department of Health and Social Care have dramatically tightened cyber security requirements across the entire supply chain.

£92M: estimated cost of the WannaCry attack to the NHS
80+: NHS trusts affected by WannaCry in 2017
19,000+: appointments cancelled due to the attack

The NHS Data Security and Protection Toolkit (DSPT) now references Cyber Essentials as a baseline expectation. Many NHS trusts and integrated care boards have gone further, making Cyber Essentials Plus — the verified, hands-on version — a mandatory requirement within procurement frameworks. The reasoning is straightforward: if a supplier handles patient data, connects to NHS systems, or provides technology that touches clinical workflows, they must demonstrate robust cyber hygiene.

NHS Digital published guidance in 2023 clarifying that suppliers accessing NHS networks or patient data should hold Cyber Essentials Plus as a minimum. This aligns with the broader UK government mandate requiring Cyber Essentials for all central government contracts involving the handling of sensitive information.

Understanding NHS Procurement Frameworks

Several key procurement frameworks govern how the NHS purchases goods and services, and many now include explicit cyber security requirements.

The NHS Shared Business Services (NHS SBS) framework is one of the largest purchasing vehicles for NHS organisations. Suppliers bidding for contracts through NHS SBS increasingly face questions about their cyber security posture, with Cyber Essentials Plus listed as a preferred or mandatory certification depending on the contract category.

The Crown Commercial Service (CCS) G-Cloud framework, used extensively by NHS trusts for cloud-based IT services, requires suppliers to hold Cyber Essentials certification. For contracts involving sensitive patient data or direct network connectivity, Cyber Essentials Plus is specified as the expected standard.

The Health Systems Support Framework (HSSF), managed by NHS England, covers a wide range of consultancy and support services. Successful applicants must demonstrate compliance with data security standards, and Cyber Essentials Plus is explicitly referenced within the framework documentation.

The Five Technical Controls Assessed

Cyber Essentials Plus tests five fundamental technical controls that, when properly implemented, protect against approximately 80% of common cyber attacks. For NHS suppliers, these controls are critical because they directly address the attack vectors most commonly exploited in healthcare-related breaches.

Firewalls & Internet Gateways (Critical): boundary protection
Secure Configuration (Critical): hardened systems
User Access Control (High): least privilege
Malware Protection (High): anti-malware
Patch Management (High): 14-day patching

Firewalls and internet gateways form the first line of defence. The assessment verifies that your organisation has properly configured boundary devices — whether hardware firewalls, software firewalls on individual machines, or cloud-based security groups. Default firewall rules must block inbound connections unless explicitly required, and administrative interfaces must not be exposed to the internet.

Secure configuration examines whether devices and software are configured to reduce unnecessary attack surface. Default passwords must be changed, unnecessary services disabled, and auto-run features turned off. For NHS suppliers, this is particularly relevant for medical devices, embedded systems, and specialist healthcare software that may ship with insecure defaults.

User access control ensures that only authorised personnel have access to systems and data, and that each user has the minimum level of access required for their role. Administrative accounts must be limited to those who genuinely need them, and multi-factor authentication is expected for cloud services and remote access.

Malware protection requires organisations to deploy at least one of the following: anti-malware software, application whitelisting, or sandboxing. All malware signatures and definitions must be kept current, and real-time scanning should be enabled.

Patch management is arguably the most operationally challenging control. All software must be patched within 14 days of a security update being released. Unsupported software that no longer receives security patches must be removed or isolated from the network. For NHS suppliers running legacy healthcare applications, this can present significant challenges.
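The firewall control above comes down to two checks an assessor will make against your boundary rules: inbound traffic is denied unless a rule explicitly allows it, and no administrative interface (SSH, RDP, WinRM and the like) is reachable from the internet. The script below is an added example, not code from the original article or from Cloudswitched, that runs those two checks over a constructed ruleset evaluated first-match from top to bottom. The list of administrative ports and the sample rules are assumptions for illustration; a real pre-assessment check would be fed an export of your own firewall or cloud security-group rules.

```python
"""Added self-check of a boundary firewall ruleset against two expectations of the
Cyber Essentials 'Firewalls and internet gateways' control:
  1. inbound traffic is denied unless explicitly allowed (a catch-all deny as the
     last inbound rule), and
  2. no administrative interface is reachable from the internet.
Rules are evaluated first-match, top to bottom, as most boundary devices do.
The ruleset at the bottom is constructed for illustration, not a real export."""

from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple

# Ports commonly used for remote administration. Assumption: a real check would be
# tailored to the management services the organisation actually runs.
ADMIN_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP", 5985: "WinRM", 5986: "WinRM over HTTPS"}

# RFC 1918 ranges; a source confined to these cannot be reached from the internet.
PRIVATE_RANGES = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str        # "in" or "out"
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None means every port
    source: str           # CIDR of the permitted source


def source_net(rule: Rule):
    return ip_network(rule.source, strict=False)


def internet_reachable(net) -> bool:
    """True unless the whole source range sits inside an RFC 1918 block."""
    return not any(net.subnet_of(private) for private in PRIVATE_RANGES)


def has_default_inbound_deny(rules: List[Rule]) -> bool:
    """The last inbound rule must deny every protocol, port and source."""
    inbound = [r for r in rules if r.direction == "in"]
    if not inbound:
        return False
    last = inbound[-1]
    return (last.action == "deny" and last.proto == "any"
            and last.port is None and source_net(last) == ANY)


def exposed_admin_interfaces(rules: List[Rule]) -> List[Tuple[str, str]]:
    """(rule name, service) for inbound allows that let internet sources reach an
    admin port, unless an earlier deny on that port shadows the allow."""
    findings = []
    inbound = [r for r in rules if r.direction == "in"]
    for idx, rule in enumerate(inbound):
        if rule.action != "allow" or rule.proto not in ("any", "tcp"):
            continue
        src = source_net(rule)
        if not internet_reachable(src):
            continue
        ports = [rule.port] if rule.port is not None else list(ADMIN_PORTS)
        for port in ports:
            if port not in ADMIN_PORTS:
                continue
            # First-match ordering: a deny above this rule that covers the same
            # port, protocol and the whole source range wins, so the allow is inert.
            shadowed = any(
                earlier.action == "deny"
                and earlier.port in (None, port)
                and earlier.proto in ("any", rule.proto)
                and src.subnet_of(source_net(earlier))
                for earlier in inbound[:idx]
            )
            if not shadowed:
                findings.append((rule.name, ADMIN_PORTS[port]))
    return findings


# Constructed sample ruleset: one deliberate problem (SSH open to the world).
SAMPLE_RULES = [
    Rule("office-rdp", "in", "allow", "tcp", 3389, "10.0.0.0/8"),      # private source only
    Rule("block-telnet", "in", "deny", "tcp", 23, "0.0.0.0/0"),
    Rule("vendor-telnet", "in", "allow", "tcp", 23, "0.0.0.0/0"),      # shadowed by the deny above
    Rule("public-web", "in", "allow", "tcp", 443, "0.0.0.0/0"),        # a service, not an admin port
    Rule("remote-ssh", "in", "allow", "tcp", 22, "0.0.0.0/0"),         # finding
    Rule("default-deny", "in", "deny", "any", None, "0.0.0.0/0"),
    Rule("egress", "out", "allow", "any", None, "0.0.0.0/0"),
]

if __name__ == "__main__":
    print("default inbound deny present:", has_default_inbound_deny(SAMPLE_RULES))
    for name, service in exposed_admin_interfaces(SAMPLE_RULES):
        print(f"FAIL rule '{name}' exposes {service} to the internet")
```

Run against the constructed rules, the check confirms the catch-all deny is in place and reports only the `remote-ssh` rule; the Telnet allow is not reported because the deny above it matches first. Removing the final `default-deny` rule makes the first check fail, which is the situation the assessor's external scan is designed to expose.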

The Difference Between Cyber Essentials and Cyber Essentials Plus

It is important to understand why the NHS increasingly specifies Cyber Essentials Plus rather than the basic Cyber Essentials certification. The standard Cyber Essentials is a self-assessed questionnaire — the organisation completes a series of questions about its security controls and submits them for review. While valuable as a starting point, it relies on honest and accurate self-reporting.

Cyber Essentials Plus adds a critical verification layer. An accredited assessor conducts a hands-on technical assessment of your systems, including external vulnerability scanning, internal device checks, and simulated phishing tests. The assessor physically or remotely examines a representative sample of your devices to confirm that the controls described in your self-assessment are actually in place and functioning correctly.

Pro Tip

Many NHS trusts will accept basic Cyber Essentials for initial supplier registration, but will require Cyber Essentials Plus before approving access to patient-facing systems or sensitive data environments. If you plan to grow your NHS business, invest in Plus from the start.

For the NHS, this distinction matters enormously. Patient safety depends on the integrity of supply chain systems. A supplier claiming to have secure configurations but actually running unpatched software could introduce vulnerabilities that propagate across NHS networks. The technical verification of Cyber Essentials Plus provides the NHS with genuine assurance that suppliers have implemented the claimed controls.

Common Challenges for NHS Suppliers

Achieving Cyber Essentials Plus is straightforward in principle, but NHS suppliers often face specific challenges that other organisations do not encounter.

Legacy systems and specialist software are widespread in the healthcare supply chain. Medical device manufacturers may rely on older operating systems for regulatory compliance reasons. Pharmaceutical distribution software may not receive timely patches from vendors. These situations require careful planning — organisations must either obtain vendor confirmation that patches are current or implement network segmentation to isolate legacy systems from the assessment scope.

Multi-site operations present another challenge. NHS suppliers frequently operate from multiple locations, including warehouses, manufacturing facilities, offices, and remote worker environments. The Cyber Essentials Plus assessment requires that all in-scope devices across all locations meet the required standards. This demands consistent policy enforcement and configuration management across the entire estate.

Third-party access and data sharing add complexity. Many NHS suppliers work with sub-contractors who themselves handle patient data or connect to NHS systems. The supply chain security model means that your organisation may need to demonstrate not only its own compliance but also its approach to managing supplier risk downstream.

Data Processing Agreements (DPAs) with NHS organisations often include specific clauses about cyber security certifications. Failure to maintain Cyber Essentials Plus certification can trigger contract review clauses or, in severe cases, contract termination. Organisations must therefore treat certification renewal as a critical business process, not a one-off exercise.

The Assessment Process for NHS Suppliers

The Cyber Essentials Plus assessment process follows a structured approach that typically takes between one and four weeks, depending on the size and complexity of your organisation.

Step one involves completing the standard Cyber Essentials self-assessment questionnaire. This establishes the baseline scope and confirms that you understand the required controls. The questionnaire covers your network architecture, device inventory, software versions, and security policies.

Step two is the technical assessment itself. An accredited assessor will conduct external vulnerability scans against your internet-facing IP addresses, checking for unpatched services, open ports, and configuration weaknesses. They will then examine a representative sample of devices — typically including Windows workstations, laptops, mobile devices, and servers — to verify secure configuration, patch levels, and malware protection.

Step three involves simulated phishing tests. The assessor will send test phishing emails to a sample of users to verify that email filtering and malware protection controls are functioning. This tests both the technical controls and the organisation's ability to prevent malicious content from reaching users.

Step four is the reporting and certification phase. If your organisation passes all elements, the certification body issues a Cyber Essentials Plus certificate valid for 12 months. If issues are identified, you typically receive a remediation window to address them before a re-test.

Benefits Beyond NHS Compliance

While NHS procurement requirements may be the primary driver for seeking Cyber Essentials Plus, the benefits extend well beyond ticking a compliance box.

Reduced insurance premiums are increasingly available to organisations holding Cyber Essentials Plus. Several UK cyber insurance providers offer discounted premiums or enhanced coverage terms for certified organisations. Given the rising cost of cyber insurance, this can represent significant savings.

Improved tender scoring applies across the public sector, not just the NHS. Local authorities, central government departments, and education bodies all recognise Cyber Essentials Plus. Achieving certification opens doors to a broader range of public sector opportunities.

Enhanced reputation and trust matter in the healthcare supply chain, where patient safety is paramount. Displaying the Cyber Essentials Plus badge on your website and marketing materials demonstrates to NHS partners that your organisation takes security seriously.

Reduced breach risk is the most tangible benefit. The five controls tested by Cyber Essentials Plus address the attack vectors responsible for the vast majority of successful cyber attacks. Organisations that implement these controls properly are significantly less likely to suffer a data breach or ransomware incident.

Preparing Your Organisation

Preparation is key to a smooth Cyber Essentials Plus assessment. Start by conducting an internal audit of your current security posture against the five controls. Identify gaps early and create a remediation plan with clear ownership and deadlines.

Ensure your device inventory is comprehensive and accurate. Every device that connects to your network — including laptops, desktops, servers, tablets, and mobile phones — must be accounted for. BYOD (bring your own device) policies must be clearly defined, and any personal devices accessing company data must meet the same security standards as corporate equipment.

Review your software inventory and confirm that all applications are within their supported lifecycle. Remove or replace any end-of-life software. Pay particular attention to web browsers, email clients, and operating systems, as these are the primary targets for attackers.

Verify that your patching processes can meet the 14-day requirement consistently. This means having automated patch management tools in place and a process for handling patches that require testing before deployment — particularly relevant for healthcare-specific software where patches may affect validated systems.

Warning

The 14-day patching window is strictly enforced in Cyber Essentials Plus assessments. A single device with an outstanding critical patch older than 14 days can cause your entire organisation to fail the assessment. Automate patch deployment wherever possible and maintain exception processes for specialist systems.
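Because a single device with a security update older than 14 days outstanding, or a single product that has left vendor support, fails the whole assessment, it is worth running the same test internally before the assessor does. The script below is an added example, not code from the original article or from Cloudswitched, that evaluates a constructed software inventory against the 14-day window and the end-of-support rule described in the paragraphs above. The inventory, the device names and the "as of" date are all assumptions for illustration; in practice the inventory would be exported from your patch management or endpoint management tool.

```python
"""Added pre-assessment check of a software inventory against two Cyber Essentials
patch-management expectations: security updates applied within 14 days of release,
and no software that has left vendor security support.
The inventory and the 'as of' date are constructed for illustration."""

from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

PATCH_WINDOW_DAYS = 14


@dataclass(frozen=True)
class Package:
    device: str
    name: str
    version: str
    latest_security_fix: Optional[date]  # release date of the newest security update; None if none outstanding
    applied: bool                        # whether that update is installed on this device
    support_ends: Optional[date]         # vendor end of security support; None if still supported


@dataclass(frozen=True)
class Finding:
    device: str
    package: str
    status: str   # "overdue", "due" or "unsupported"
    days: int     # overdue: days since release; due: days left in the window;
                  # unsupported: days since support ended


def check_inventory(packages: List[Package], today: date) -> List[Finding]:
    findings = []
    for p in packages:
        if p.support_ends is not None and p.support_ends < today:
            # Nothing to patch against: the product must be removed or isolated from scope.
            findings.append(Finding(p.device, p.name, "unsupported", (today - p.support_ends).days))
            continue
        if p.latest_security_fix is None or p.applied:
            continue
        age = (today - p.latest_security_fix).days
        if age > PATCH_WINDOW_DAYS:
            findings.append(Finding(p.device, p.name, "overdue", age))
        else:
            findings.append(Finding(p.device, p.name, "due", PATCH_WINDOW_DAYS - age))
    return findings


def assessment_passes(findings: List[Finding]) -> bool:
    """Any overdue update or unsupported product on any in-scope device is a fail."""
    return not any(f.status in ("overdue", "unsupported") for f in findings)


def by_device(findings: List[Finding]) -> Dict[str, List[Finding]]:
    grouped: Dict[str, List[Finding]] = {}
    for f in findings:
        grouped.setdefault(f.device, []).append(f)
    return grouped


# Constructed sample: one device is clean, one has an overdue update, one runs an
# unsupported product, and one specialist system missed the window.
AS_OF = date(2024, 6, 17)
SAMPLE_INVENTORY = [
    Package("WS-01", "Browser", "125.0", date(2024, 6, 10), False, None),           # due in 7 days
    Package("WS-01", "Desktop OS", "23H2", date(2024, 6, 11), True, None),          # applied, fine
    Package("WS-02", "PDF reader", "24.1", date(2024, 5, 20), False, None),         # 28 days: overdue
    Package("SRV-01", "Label printer service", "3.2", None, True, date(2023, 10, 10)),  # out of support
    Package("LAB-01", "Dispensing client", "7.4", date(2024, 6, 1), False, None),   # 16 days: overdue
]

if __name__ == "__main__":
    results = check_inventory(SAMPLE_INVENTORY, AS_OF)
    for device, items in by_device(results).items():
        for f in items:
            print(f"{device:7} {f.package:22} {f.status:12} {f.days:4d} days")
    print("would pass:", assessment_passes(results))
```

The "due" status is the useful one for planning: it lists updates still inside the window with the days remaining, so the exception process for validated healthcare systems can be started before the deadline rather than after a fail. Filtering the constructed inventory down to WS-01 alone passes, which illustrates the point in the warning: scope is assessed as a whole, and one device elsewhere in the estate is enough to fail it.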

Maintaining Certification for Ongoing NHS Contracts

Cyber Essentials Plus certification is valid for 12 months. For NHS suppliers, allowing certification to lapse can have immediate commercial consequences. Many NHS contracts include clauses requiring continuous certification, and procurement teams regularly verify supplier certifications during contract management reviews.

Best practice is to begin the renewal process at least eight weeks before your certificate expires. This provides adequate time for any remediation work, assessment scheduling, and re-certification. Many organisations align their renewal cycle with their annual IT security review to maximise efficiency.

Between assessments, maintain the discipline of the five controls. Continue patching within 14 days, review user access quarterly, keep malware protection current, and audit firewall rules regularly. Organisations that maintain these practices year-round find the annual re-assessment process significantly less stressful.

How Cloudswitched Supports NHS Suppliers

At Cloudswitched, we specialise in helping NHS supply chain organisations achieve and maintain Cyber Essentials Plus certification. Our team understands the unique challenges faced by healthcare suppliers — from legacy medical device software to complex multi-site environments.

We provide a comprehensive service that includes gap analysis against the current Cyber Essentials Plus requirements, remediation support to address identified weaknesses, pre-assessment testing to ensure you are ready before the formal assessment, and ongoing management to maintain compliance throughout the certification year.

Our approach is designed to minimise disruption to your operations while ensuring a first-time pass. We work with your existing IT team or, for organisations without dedicated IT staff, provide the full technical capability needed to achieve certification.

Ready to Secure Your NHS Supply Chain Position?

Cloudswitched helps NHS suppliers achieve Cyber Essentials Plus certification with expert guidance, gap analysis, and hands-on remediation support. Protect your contracts and your patients' data.


Frequently Asked Questions

Is Cyber Essentials Plus mandatory for all NHS suppliers?
Not universally, but it is increasingly required for suppliers who handle patient data, connect to NHS networks, or provide IT services. Many procurement frameworks now list it as a mandatory requirement, and individual NHS trusts often specify it within their supplier security standards.

How long does certification take?
For a well-prepared organisation, the assessment process typically takes one to two weeks. However, remediation work to address gaps may add several weeks. We recommend allowing eight to twelve weeks from initial gap analysis to certification for organisations starting from scratch.

What happens if we fail the assessment?
If issues are identified, you will typically receive a remediation period (usually 30 days) to address them, followed by a re-test of the failed elements. Working with an experienced partner like Cloudswitched significantly reduces the risk of failure.

Does Cyber Essentials Plus cover cloud services?
Yes. Cloud services such as Microsoft 365, Google Workspace, and AWS are within scope. The assessment examines how these services are configured, including access controls, multi-factor authentication, and administrator account security.

Can we scope out certain systems?
Cyber Essentials Plus requires that all devices and systems connected to your network are in scope. However, systems that are physically or logically isolated from your main network may be excluded. This requires careful network architecture planning and must be agreed with the assessor before the assessment begins.

Tags: Cyber Essentials Plus, NHS, Supply Chain

Centrally located in London, Shoreditch, we offer a range of IT services and solutions to small/medium sized companies.