Cyber Essentials for NHS Suppliers and Healthcare Organisations

Cyber Essentials sits alongside the Data Security and Protection Toolkit (DSPT) at the foundation of NHS supplier assurance. DSPT is the mandatory framework for organisations handling NHS patient data; CE is the baseline cybersecurity certification that DSPT assessments reference, and that most NHS procurement frameworks require independently.

This guide explains how CE, DSPT, and NHS supplier due diligence fit together, what the controls actually ask of a healthcare organisation or NHS supplier, and the sector-specific issues that most often come up during assessment.

Four overlapping groups need Cyber Essentials in a UK healthcare context:

DSPT is the NHS's own data security assessment framework. Every organisation that accesses NHS patient data, connects to the NHS network, or processes NHS-commissioned patient information must complete DSPT annually and publish a "Standards Met" status.

DSPT has many questions. One of them - assertion 8.3.4 - asks whether the organisation holds Cyber Essentials or demonstrates equivalent technical controls. For most organisations, holding Cyber Essentials is the simplest way to answer that assertion credibly. Equivalent controls without CE are possible but require more documentation and more evidence.

The practical relationship:

• Cyber Essentials is the baseline cybersecurity certification
• DSPT is the broader data security framework that includes CE as one assertion among many
• Holding Cyber Essentials is not sufficient for DSPT on its own - DSPT covers information governance, training, incident response, and other domains CE does not touch
• DSPT "Standards Met" is usually not sufficient for NHS procurement frameworks on its own - many frameworks also ask for CE directly

The healthiest posture for most NHS suppliers is to hold both: CE for the technical baseline, DSPT for the full NHS data governance scope.

The requirements vary by framework, but the common asks include:

NHS SBS frameworks (many NHS Shared Business Services commercial frameworks require CE as a qualifying criterion for onboarding).

Crown Commercial Service G-Cloud and RM6277 / RM6288 frameworks (CE under PPN 014/21 for contracts involving sensitive or personal data, which covers most NHS-adjacent work).

Direct NHS Trust procurement (individual trusts run their own supplier onboarding; most require DSPT plus Cyber Essentials as a minimum).

NHS Digital's Supplier Assurance (for suppliers integrating with national NHS systems, including via API).

The safest assumption for any organisation hoping to sell into the NHS is that you will need both DSPT and Cyber Essentials before a procurement process can progress.

A typical NHS-adjacent organisation runs some mix of:

• Microsoft 365 or Google Workspace for corporate email and productivity
• A clinical or patient management system (SystmOne, EMIS Web, Cerner, Epic, MAXIMS, or a private-sector equivalent)
• DSPT-linked platforms (NHSmail for communication with NHS colleagues)
• Integration with NHS Spine, e-Referral, or SCR
• On-premise clinical workstations (common in diagnostic imaging, pharmacy, labs)
• A VPN or MPLS link to NHS networks
• Medical devices connected to the network (imaging devices, lab analysers, pharmacy dispensing systems)

All of these can be in scope. The clinical systems typically are not your certification body's concern in detail - they are SaaS or vendor-managed - but the endpoints that access them are in scope, and the credentials used to access them are in scope.

This is the Cyber Essentials question unique to healthcare. Connected medical devices (MRI scanners, lab analysers, pharmacy robots, pathology slide scanners) often run old operating systems - Windows 7, Windows XP, stripped-down Linux distributions - because the medical device regulations make patching them complex. The device manufacturer may not have released a security patch in years, even for known vulnerabilities.

The workable Cyber Essentials positions:

What does not work is ignoring the device entirely because "it is a medical device, it is not really IT". It is IT. It is on your network. It is in scope unless you have documented why it is not.

Many NHS suppliers have NHSmail accounts for corresponding with NHS colleagues and may have Spine access for specific systems. These are managed by NHS Digital, not by your organisation. They count as cloud services that your staff use to access NHS data.

For Cyber Essentials purposes, the relevant questions are:

• Are NHSmail accounts protected with MFA? (NHSmail has its own MFA approach; confirm your staff have it enabled per NHSmail policy.)
• Is NHSmail accessed from managed devices or personal devices? (BYOD questions apply here the same as anywhere.)
• Is your Spine access via named individual smart cards, not shared? (It usually is - smart cards are the NHS default - but confirm.)

The answer is generally "NHSmail handles MFA on its end; our side is that we use NHSmail from managed devices only". That passes if it is true.

Healthcare organisations, particularly locum and staffing agencies, handle the same intense right-to-work and payroll documentation that general recruitment agencies do - plus additional healthcare-specific data (DBS checks, NMC/GMC registration numbers, revalidation evidence, occupational health records). All of it is personal data; most of it is special category data under GDPR. The CE questions about access control, MFA, and secure storage apply with extra emphasis.

If you are a small-to-medium NHS supplier aiming for CE:

1. Confirm your DSPT status. If you do not yet hold DSPT Standards Met, that is a separate assessment track alongside CE. Most NHS contracts want both.

2. Enumerate every system that holds NHS-linked data. Include clinical systems, NHSmail, Spine, integrated platforms, and corporate systems that reference NHS data.

3. Enforce MFA. Every user on every in-scope service. NHSmail handles its own MFA; everything else needs yours.

4. Isolate medical devices. If you run clinical hardware, declare the scope posture explicitly.

5. Enrol staff laptops in MDM. Intune or Jamf, with baseline security policies.

6. Submit. CE from £299.99 + VAT; most NHS suppliers fall into the small (10-49) or medium (50-249) tiers.

Healthcare is one of the most regulatory-heavy sectors for data security, but the actual Cyber Essentials controls are no harder than in any other sector - they are just applied to a broader scope. The difference is that getting CE wrong in healthcare closes commercial doors, because every NHS and NHS-adjacent buyer is increasingly using it as a filter. Organisations that have both DSPT and CE move through NHS procurement materially faster than those that do not.

Get the scope right, enforce MFA everywhere, document the clinical network posture, and hold both certifications. That is the baseline UK NHS suppliers are expected to meet in 2026.

Check your readiness | View pricing | Talk to an assessor