Cyber Essentials Plus is now a requirement for NHS suppliers handling NHS data or providing IT and digital services, and if you do not yet hold it, your next contract renewal or tender could be at risk.
This guide covers what Cyber Essentials Plus is, how it differs from standard Cyber Essentials, why NHS Supply Chain requires it specifically, and what you need to do to get certified before the next procurement deadline.
Why NHS Suppliers Need Cyber Essentials Plus Right Now
Three things have happened in the last few months that make this the most important time for NHS suppliers to implement CE Plus.
The DSPT v8 deadline is 30 June 2026: The NHS Data Security and Protection Toolkit version 8 submission deadline is this month. Cyber Essentials Plus directly supports DSPT compliance, but there is an important change NHS suppliers need to know about. In previous versions, holding CE Plus could be used as evidence for DSPT question 4.5.3. That equivalence has been removed in v8. CE Plus and DSPT are now separate requirements, and evidence for each must be provided independently. If you have been relying on CE Plus to satisfy your DSPT submission, you need to review this immediately.
The NCSC published a coordinated NHS cyber resilience plan in April 2026: The National Cyber Security Centre outlined a structured programme to strengthen cyber resilience across the NHS, with the Cyber Essentials scheme explicitly named as one of its core pillars. CE Plus is not just a procurement requirement; it is now part of a coordinated national effort to protect NHS supply chains from the kind of attacks that disrupted the Synnovis pathology service in 2024.
Cyber Essentials v3.3 introduced mandatory MFA from April 2026: The updated Cyber Essentials requirements version 3.3, known as Danzell, made multi-factor authentication mandatory for in-scope cloud services from 28 April 2026. Any NHS supplier certifying or renewing CE Plus from that date must have MFA in place, or they will automatically fail the assessment. If your CE Plus is due for renewal and MFA is not yet enforced across your cloud services, this needs to be addressed before you book your assessment.
NHS Supplier Cyber Essentials Plus Requirements: What Changed in 2025
NHS Supply Chain has implemented the UK Government's Procurement Policy Note 014 (PPN 014), which came into effect for new procurements from 24 February 2025.
Under this policy, NHS suppliers who fall into either of these categories are required to hold Cyber Essentials Plus:
- Your organisation handles or processes NHS Supply Chain personal data, including data relating to staff, customers or other suppliers
- Your organisation supplies IT, digital products or services, including software, hosting, support or managed services
For new suppliers, this requirement applies at the Supplier Questionnaire stage of procurement. For existing suppliers, NHS Supply Chain began reviewing compliance from 8 September 2025.
There is one important point worth knowing: a valid Cyber Essentials Plus certificate removes the requirement to complete the Information Security Third Party Questionnaire (ISTPQ) entirely. If you hold CE Plus, that process is waived. If you don't, you will be asked to complete it, and it involves considerably more time and resources than certification.
What is Cyber Essentials, and How Does Cyber Essentials Plus Differ?
Cyber Essentials is the UK Government's own recommended minimum cyber security standard, developed by the National Cyber Security Centre (NCSC) and administered by IASME. It has been mandatory for UK Government contracts involving the handling of sensitive and personal information since 2014.
The scheme is built around five technical controls:
- Firewalls: controlling what can access your network
- Secure configuration: ensuring devices and software are set up safely
- User access control: the right people have the right access, and nothing more
- Malware protection: defending against malicious software
- Security update management: keeping systems patched and up to date
Both Cyber Essentials and Cyber Essentials Plus cover exactly the same five controls. The difference is how compliance is verified.
- With Cyber Essentials, your organisation completes a self-assessment questionnaire. A qualified assessor reviews the submission and issues the certificate if requirements are met.
- With Cyber Essentials Plus, an independent technical assessor goes further, conducting a hands-on audit of your actual systems to verify that the controls are genuinely in place and working. This includes external vulnerability scanning and device testing.
In short, Cyber Essentials is self-assessed and independently reviewed. Cyber Essentials Plus is independently tested.
Both certifications are valid for 12 months and must be renewed annually.
Cyber Essentials vs Cyber Essentials Plus for NHS Suppliers: Which Do You Need?
For most organisations, Cyber Essentials is the starting point. It is the baseline certification that demonstrates your five technical controls are in place and that your security posture meets the UK Government's recommended minimum standard.
But for NHS suppliers, the baseline is not always enough.
The key distinction comes down to how the assessment is conducted — and the level of assurance it provides to the organisations you supply.
With Cyber Essentials, you complete a self-assessment questionnaire. You describe your controls, an independent assessor reviews what you have told them, and if the responses meet the requirements, the certificate is issued. The process relies substantially on what your organisation declares about itself.
With Cyber Essentials Plus, an independent technical assessor does not just review what you have told them; they test it. They conduct a hands-on technical audit of your actual systems, including external vulnerability scanning of internet-facing infrastructure and testing of devices within scope. In practice the device testing means an authenticated vulnerability scan of a sample of in-scope devices, checks that malware protection blocks test files delivered by email and browser download, and confirmation that MFA is actually enforced on in-scope cloud services. The certificate is only issued once your controls have been verified to be working in practice, not just described in a questionnaire.
This distinction matters enormously in the context of a healthcare supply chain. The NHS handles some of the most sensitive personal data in the UK. Patient records, clinical outcomes, personal health information: the consequences of a breach in this environment are significant. An independent technical audit provides a level of assurance that self-declaration alone cannot.
Why NHS Supply Chain Requires Cyber Essentials Plus Specifically
NHS Supply Chain's position is clear: for suppliers who handle NHS personal data or supply IT and digital services, Cyber Essentials Plus, not standard Cyber Essentials, is the requirement under PPN 014.
The reason is straightforward. NHS Supply Chain needs confidence that the controls described by suppliers are genuinely in place and functioning across their real-world systems. Cyber Essentials Plus provides that confidence through independent verification. Standard CE does not.
It is also worth noting that this requirement applies regardless of what other certifications your organisation holds. ISO 27001, SOC 2 and other frameworks are not accepted alternatives to Cyber Essentials Plus for NHS Supply Chain purposes. CE Plus must be obtained in its own right.
For NHS suppliers, the practical question is therefore not whether CE or CE Plus is more appropriate; it is simply whether Cyber Essentials Plus is in place. If it is not, you are at risk at procurement.
Can ISO 27001 Substitute for Cyber Essentials Plus for NHS Contracts?
No, and NHS Supply Chain has been explicit about this.
Even if your organisation already holds ISO 27001, you are still required to obtain Cyber Essentials Plus. The two standards address different things. ISO 27001 covers information security governance and management. Cyber Essentials Plus provides specific, independently verified technical assurance against the five baseline controls. For NHS procurement purposes, they are complementary rather than interchangeable, and Cyber Essentials Plus is the baseline requirement.
Cyber Essentials Plus and the NHS Data Security and Protection Toolkit (DSPT)
The DSPT is a separate NHS requirement that many suppliers will also need to complete. It is an NHS England framework that assesses organisations across data security, staff training, data protection policies and cyber resilience. The deadline for the current DSPT v8 submission is 30 June 2026.
Cyber Essentials Plus and the DSPT are not the same thing, but they are closely related. NHS Supply Chain has made CE Plus a specific procurement requirement under PPN 014, separate from and in addition to DSPT obligations. Holding CE Plus does not automatically satisfy DSPT, and a DSPT submission does not replace CE Plus.
One important change for 2026: in previous versions of the DSPT, holding Cyber Essentials Plus could be used as evidence for question 4.5.3. That equivalence has been removed in DSPT v8. CE Plus and DSPT now require separate evidence. If you have been relying on CE Plus to satisfy your DSPT submission, this needs to be reviewed before the 30 June 2026 deadline.
For suppliers navigating both requirements, the good news is that the controls required for CE Plus (firewalls, secure configuration, access control, malware protection and patching) directly support the technical security elements of the DSPT. Getting Cyber Essentials Plus in place is therefore a useful and practical first step before approaching a DSPT submission.
Benefits of Cyber Essentials Plus for NHS Suppliers
Beyond satisfying the procurement requirement, Cyber Essentials Plus delivers practical benefits for NHS suppliers:
- 92% fewer cyber insurance claims: according to NCSC data, CE-certified organisations are substantially less likely to make a cyber-related insurance claim
- Free cyber liability insurance: eligible organisations with a turnover under £20 million that certify their whole organisation receive £25,000 of free cyber liability insurance, provided through IASME
- Competitive advantage: holding CE Plus before it is urgently needed demonstrates proactive security management and strengthens your position in procurement scoring
- Reduced vulnerability: the independent technical audit frequently identifies misconfigurations and vulnerabilities that organisations were unaware of, allowing them to be addressed before they can be exploited
It is also worth remembering that NHS suppliers handle some of the most sensitive personal data in the UK. A breach carries not only financial consequences but significant regulatory risk under the UK GDPR and Data Protection Act 2018, as well as reputational damage that is difficult to recover from in a healthcare supply chain context.
How to Get Cyber Essentials Plus Certified: The Process Step by Step
The certification process involves two stages.
Stage 1: Cyber Essentials self-assessment
Your organisation completes a questionnaire covering the five technical controls across your in-scope systems. A qualified assessor reviews the submission and issues the CE certificate if requirements are met.
Stage 2: Cyber Essentials Plus technical audit
An independent assessor conducts a technical audit of your systems, usually carried out remotely. This includes external vulnerability scanning of your internet-facing infrastructure, testing of a sample of in-scope devices, and verification that the controls described in Stage 1 are genuinely in place.
Both stages are required for Cyber Essentials Plus. The current requirements are set out in IASME's Cyber Essentials Requirements for IT Infrastructure document (version 3.3, April 2026), which includes updated requirements around multi-factor authentication (MFA). From 28 April 2026, MFA must be enabled for users of in-scope cloud services wherever the service supports it; if the assessor finds it is not in place, the assessment is an automatic fail.
Certification is valid for 12 months and must be renewed annually for the duration of any contract where it is required.
Don't Leave Cyber Essentials Plus Until a Tender Deadline
Certification demand has increased significantly since NHS Supply Chain began reviewing existing suppliers' compliance in September 2025. Assessment slots fill up faster than they did previously. Organisations that leave certification until the week before a bid deadline risk missing it entirely.
If you are an NHS supplier and you do not yet hold Cyber Essentials Plus, the time to act is now, not when a contract renewal makes it urgent.
Frequently Asked Questions
Is Cyber Essentials Plus mandatory for all NHS suppliers?
Not for every NHS supplier, but for those who handle NHS Supply Chain personal data or provide IT and digital services, Cyber Essentials Plus is required under PPN 014. If you are unsure whether this applies to your organisation, the safest approach is to assume it does and seek guidance. NHS Supply Chain will issue an ISTPQ questionnaire to suppliers who cannot demonstrate CE Plus, and failing to meet that requirement puts your contracts at risk.
Can ISO 27001 replace Cyber Essentials Plus for NHS contracts?
No. NHS Supply Chain has explicitly stated that ISO 27001 cannot be offered as an alternative to Cyber Essentials Plus. Both are valuable certifications, but they serve different purposes. Cyber Essentials Plus is a specific technical assurance standard and must be obtained in its own right, regardless of what other certifications your organisation holds.
How long does Cyber Essentials Plus take to complete?
The timeline varies depending on your organisation's size and readiness. Standard CE certification (Stage 1) can typically be completed within a few days with the right guidance. The CE Plus technical audit (Stage 2) is then scheduled once Stage 1 is passed. Most organisations complete the full process within two to four weeks when working with an experienced certification body. Leaving it until a tender deadline is always a risk; starting early gives you time to address any gaps identified during the process.
Does holding Cyber Essentials Plus satisfy the DSPT requirement?
Not automatically, and this changed in 2026. In previous DSPT versions, CE Plus could be used as evidence for question 4.5.3. That equivalence was removed in DSPT v8. CE Plus and DSPT now require separate evidence. The DSPT v8 submission deadline is 30 June 2026.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a self-assessment certified by an independent assessor. Cyber Essentials Plus adds an independent hands-on technical audit of your actual systems. For NHS suppliers under PPN 014, Cyber Essentials Plus, not standard Cyber Essentials, is the specific requirement.
Get Cyber Essentials Plus with Cyber Tec Security
Cyber Tec Security is one of the UK's leading Cyber Essentials certification bodies, authorised by IASME and backed by the NCSC. We guide NHS suppliers and health technology organisations through CE and Cyber Essentials Plus, from initial readiness through to certification, in plain English at every step.
Our team understands the specific requirements facing NHS suppliers under PPN 014, the NHS Supply Chain mandate and the 2026 DSPT v8 changes. We handle the assessment process, provide structured guidance on any gaps identified, and make sure your certification is completed efficiently and accurately.
Get in touch with our team today to find out where you stand.
