Cyber Essentials for NHS Suppliers
- Jul 2
- 9 min read
Cyber Essentials and NHS Suppliers
Cyber Essentials has become the baseline cybersecurity certification that many NHS suppliers are expected to achieve as part of procurement, supplier assurance, and wider cybersecurity due diligence activities. Developed with the support of the UK National Cyber Security Centre (NCSC), the scheme focuses on a defined set of technical controls designed to protect organisations against common cyber threats.
The certification is relevant to a wide range of organisations supplying products and services to the NHS, including health-tech companies, digital health providers, SaaS vendors, cloud service providers, managed service providers, medical device manufacturers, and other organisations that process, store, or access NHS information and systems.
However, Cyber Essentials is only one part of the wider NHS assurance landscape. Suppliers are often required to demonstrate compliance across multiple frameworks depending on the nature of their products and services. This guide explains how Cyber Essentials fits alongside the NHS Data Security and Protection Toolkit (DSPT) and the Digital Technology Assessment Criteria (DTAC), helping suppliers understand where each framework applies and how they work together.
What Cyber Essentials Covers
Cyber Essentials is the UK government's baseline cybersecurity certification scheme, developed with the National Cyber Security Centre (NCSC) to help organisations protect themselves against the most common cyber threats. The scheme focuses on a defined set of technical controls that, when implemented effectively, can significantly reduce exposure to opportunistic attacks. IASME acts as the NCSC's Cyber Essentials Delivery Partner and oversees certification, accreditation, and scheme management.
The scheme is built around five technical control areas:
Firewalls and Internet Gateways - controlling and restricting unauthorised network access.
Secure Configuration - ensuring systems are configured securely and unnecessary functionality is removed.
Security Update Management - applying patches and updates to address known vulnerabilities.
User Access Control - limiting access to systems and information based on business need.
Malware Protection - preventing, detecting, and responding to malicious software.
The assessment scope extends beyond traditional office networks. Organisations must consider internet-facing systems, cloud services, user devices, servers, laptops, mobile devices, and other technologies used to process, store, or access organisational information.
For NHS suppliers, health-tech companies, and medical device manufacturers, Cyber Essentials is often the starting point of a broader assurance programme that may also include the DSPT, DTAC, ISO 27001, and other cybersecurity frameworks.
The scheme continues to evolve in response to emerging threats. Recent updates have increased expectations around cloud security and identity management, including stronger requirements relating to multi-factor authentication (MFA). Organisations should always review the latest IASME question set and scheme requirements before certification, as assessment criteria and automatic failure conditions may change between annual releases.
Why NHS Suppliers Need Certification
Cyber Essentials has become an increasingly important requirement for organisations supplying products and services to the NHS and wider public sector. This reflects the UK government's policy of embedding baseline cybersecurity requirements into procurement and supplier assurance processes. Under Procurement Policy Note 014 (PPN 014) and related public-sector procurement expectations, Cyber Essentials is frequently required where suppliers provide technology services or handle sensitive information.
For NHS suppliers, the requirement is most relevant to organisations that process NHS personal data, connect to NHS systems, provide cloud-hosted services, deliver digital health technologies, or supply IT products and services. In these scenarios, organisations are increasingly expected to hold Cyber Essentials Plus (CE Plus) certification or demonstrate equivalent assurance through recognised assessment routes.
A key development is the introduction of the Information Security Toolkit Procurement Questionnaire (ISTPQ) as part of NHS England's supplier assurance framework. From September 2025, existing suppliers in scope have increasingly been required to demonstrate appropriate cybersecurity assurance through the evolving ISTPQ process, which incorporates evidence relating to Cyber Essentials and broader security controls.
It is important, however, to avoid overstating the position. Cyber Essentials is not a universal legal requirement for every NHS supplier, nor is it mandated across every NHS contract. NHS Standard Contract requirements remain risk-based, and certification is often treated as desirable, expected, or proportionate to the services being provided rather than a blanket obligation. Procurement teams may nevertheless view the absence of certification as a risk factor during supplier assessment.
The broader regulatory landscape is also moving in the same direction. Frameworks such as the EU NIS2 Directive and emerging cybersecurity legislation place increasing emphasis on supplier security, governance, incident management, and resilience. For NHS suppliers, Cyber Essentials is therefore best viewed as a baseline assurance measure that supports procurement readiness while forming part of a wider cybersecurity and compliance programme.
Cyber Essentials vs Cyber Essentials Plus
Cyber Essentials and Cyber Essentials Plus are based on the same five technical control areas, but they differ significantly in the level of assurance they provide.
Cyber Essentials is primarily a self-assessment certification. Organisations complete a detailed questionnaire covering firewalls, secure configuration, security updates, access control, and malware protection. The responses are then reviewed by an independent certification body to determine whether the organisation meets the scheme requirements.
Cyber Essentials Plus (CE Plus) builds on this foundation by adding independent technical verification. In addition to reviewing the self-assessment, a qualified assessor performs hands-on testing of the organisation's controls. This typically includes device testing, account security verification, malware protection checks, and external vulnerability assessment activities designed to validate that controls are operating effectively in practice.
For NHS suppliers, the distinction is important. Organisations handling NHS patient information, OFFICIAL-classified information, business-critical services, cloud-hosted healthcare systems, or technology connected to NHS environments are increasingly expected to demonstrate a higher level of cybersecurity assurance. In these situations, Cyber Essentials Plus is often preferred because it provides independent evidence that security controls have been tested rather than simply declared.
Cyber Essentials Plus can also strengthen supplier assurance responses, support procurement activities, and provide additional confidence to NHS buyers, particularly where services involve sensitive information or operationally important systems.
Both Cyber Essentials and Cyber Essentials Plus are valid for 12 months from the date of certification. Organisations must undergo annual renewal to maintain certification status and demonstrate that controls continue to meet the current scheme requirements. As cyber threats and certification standards evolve, regular reassessment helps ensure security controls remain effective and aligned with best practice.
How CE Fits With DSPT and DTAC
Cyber Essentials, the Data Security and Protection Toolkit (DSPT), and the Digital Technology Assessment Criteria (DTAC) are often treated as separate requirements, but in practice they form a layered assurance framework for NHS suppliers.
Cyber Essentials provides the foundation. It establishes a baseline level of cybersecurity through controls covering firewalls, secure configuration, security updates, access control, and malware protection. For many NHS suppliers, it is the first formal cybersecurity certification requested during procurement and supplier assurance activities.
The DSPT builds on this foundation. Organisations that process, store, or access NHS patient data must complete the annual Data Security and Protection Toolkit assessment against the National Data Guardian's Data Security Standards. While Cyber Essentials does not satisfy DSPT requirements on its own, certification provides valuable supporting evidence for areas such as access control, patch management, device security, malware protection, and technical governance. Organisations with Cyber Essentials certification often find they can complete parts of the DSPT more efficiently because key controls have already been documented and independently assessed.
DTAC applies specifically to digital health technologies used within the NHS. NHS England's Digital Technology Assessment Criteria framework assesses products across clinical safety, data protection, technical security, interoperability, and usability. Within the technical security domain, suppliers are required to demonstrate recognised cybersecurity assurance, with Cyber Essentials certification forming an important component of the evidence expected for many digital health products.
Suppliers should also be aware that DTAC Version 2 came into effect on 6 April 2026, introducing updated requirements and evidence expectations for technologies seeking NHS adoption.
Rather than viewing these frameworks separately, NHS suppliers should think of them as a connected assurance stack. Cyber Essentials provides the cybersecurity baseline, while DSPT and DTAC build on that foundation to assess broader information governance, healthcare security, and product assurance requirements. Organisations that establish strong Cyber Essentials controls early are often better positioned to meet wider NHS assurance expectations with less duplication of effort.
Getting Certified: Process and Cost
Achieving Cyber Essentials or Cyber Essentials Plus is typically a straightforward process when approached methodically. The first step is to select an IASME-accredited Certification Body, which will guide the organisation through the assessment and certification process.
Organisations pursuing Cyber Essentials complete the official self-assessment questionnaire covering the scheme's five control areas: firewalls, secure configuration, security update management, user access control, and malware protection. The questionnaire is reviewed by a qualified assessor before certification is awarded.
For Cyber Essentials Plus, the process includes the same self-assessment stage but adds an independent technical assessment. The Certification Body conducts hands-on testing to verify that key security controls are operating effectively in practice. This provides a higher level of assurance and is often preferred for organisations handling sensitive information or delivering critical services.
Costs vary according to organisational size and certification scope. Rather than fixed pricing, IASME publishes certification fees using size-based tiers, with Cyber Essentials Plus attracting additional costs due to the technical verification activities involved. Suppliers should always consult the latest IASME pricing guidance and obtain quotations from accredited Certification Bodies.
Organisations should also be aware of ongoing scheme updates. Following the introduction of the updated Cyber Essentials Requirements for IT Infrastructure, accounts created after 26 April 2026 are assessed against the revised requirements. Organisations with earlier accounts benefit from a transitional period, meaning many NHS suppliers are currently managing certification and renewal activity during the migration to the updated scheme.
The most successful certifications begin with preparation. A practical approach is to complete a Cyber Essentials checklist, perform a gap analysis against the current requirements, remediate any identified weaknesses, and assemble supporting evidence before beginning the formal assessment. This reduces the risk of delays, failed assessments, and unexpected remediation work while improving confidence that certification can be achieved efficiently.
Cyber Essentials vs ISO 27001
Cyber Essentials and ISO/IEC 27001 are often discussed together, but they serve different purposes and operate at different levels of assurance.
Cyber Essentials is a baseline cybersecurity certification focused on five technical control areas: firewalls, secure configuration, security update management, user access control, and malware protection. It is designed to demonstrate that an organisation has implemented fundamental security measures against common cyber threats.
ISO 27001, by contrast, is a comprehensive Information Security Management System (ISMS) standard. It covers governance, risk management, policies, supplier assurance, incident response, business continuity, audit, continual improvement, and the wider organisational processes required to manage information security effectively over time.
For many NHS suppliers, Cyber Essentials acts as the entry point. It is frequently requested during procurement and provides a recognised baseline of cyber assurance. As organisations grow, handle larger volumes of sensitive information, deliver critical digital services, or seek enterprise and NHS contracts, ISO 27001 often becomes the more appropriate framework because it provides a broader and internationally recognised approach to information security management.
ISO 27001 can also support wider assurance activities, including the DSPT, customer due diligence, supplier assessments, and regulatory compliance programmes. While Cyber Essentials demonstrates technical hygiene, ISO 27001 demonstrates that security is managed systematically across the organisation.
The two frameworks are complementary rather than competing. Many organisations achieve Cyber Essentials first and then use it as a stepping stone towards ISO 27001 certification, building from a technical security baseline to a mature, risk-based security management programme.
NHS Supplier Cyber Essentials FAQs
Is Cyber Essentials mandatory for NHS suppliers?
Not universally. Cyber Essentials is not a blanket requirement across all NHS contracts, but it is increasingly built into procurement and supplier assurance processes where organisations provide IT services, digital products, cloud services, or handle NHS information. Many NHS buyers treat certification as a baseline indicator of cybersecurity maturity, particularly where sensitive data or critical systems are involved.
What is Cyber Essentials Plus?
Cyber Essentials Plus is the higher assurance version of the Cyber Essentials scheme. In addition to the standard self-assessment questionnaire, it includes independent technical verification by a qualified assessor. This provides evidence that security controls are operating effectively in practice rather than relying solely on organisational declarations.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a self-assessment certification reviewed by an accredited certification body. Cyber Essentials Plus includes the same requirements but adds hands-on testing of devices, systems, and security controls. Both certifications assess the same five technical control areas, but Plus provides a higher level of independent assurance.
How much does Cyber Essentials certification cost?
Certification costs vary according to organisation size and the level of certification sought. IASME publishes tiered pricing for Cyber Essentials, while Cyber Essentials Plus attracts additional costs because of the technical assessment work involved. Most organisations obtain quotations directly from an IASME-accredited Certification Body before beginning the certification process.
How long does Cyber Essentials certification last?
Both Cyber Essentials and Cyber Essentials Plus certificates remain valid for 12 months from the date of issue. To maintain certification status, organisations must complete the assessment process again each year and demonstrate continued compliance with the current scheme requirements.
How can I check whether a supplier holds Cyber Essentials certification?
Certified organisations can be verified through the official IASME Cyber Essentials certificate database. Buyers, customers, and procurement teams can search for an organisation and confirm whether certification is current. Suppliers should also be able to provide a copy of their certificate as part of procurement, due diligence, or supplier assurance activities.
Preparing for NHS Cyber Requirements
For NHS suppliers, Cyber Essentials is best viewed as the foundation of a wider assurance programme rather than a standalone certification. The controls required for Cyber Essentials support many of the technical security expectations found within the NHS Data Security and Protection Toolkit (DSPT) and the Digital Technology Assessment Criteria (DTAC). Establishing a strong cybersecurity baseline early can reduce duplication of effort, strengthen procurement responses, and make it easier to demonstrate compliance with wider NHS assurance requirements.
As cybersecurity expectations continue to evolve across healthcare, suppliers are increasingly expected to evidence not only technical controls but also governance, risk management, resilience, and ongoing assurance. This is particularly important for organisations handling patient data, delivering digital health technologies, supporting NHS operations, or supplying connected medical devices.
The AbedGraham Group supports health-tech companies, medical device manufacturers, digital health suppliers, and NHS vendors with cybersecurity readiness programmes, Cyber Essentials preparation, DSPT readiness and independent audit support, vCISO services, and wider information security assurance. Our consultants help organisations build proportionate, defensible security programmes that support procurement, compliance, and long-term operational resilience.
Book a discovery call to discuss your NHS cybersecurity and assurance requirements.


Comments