© 2026 Arviteni Ltd. All rights reserved.

Arviteni Ltd. Registered in England and Wales. Company No. 12255133. VAT No. 340921227. Registered office: Greetwell Place, 2 Lime Kiln Way, Lincoln, LN2 4US.
7 April 2026 · 7 min read · Arviteni

The NHS Cyber Supply Chain Charter: What Care Organisations Need to Do

The NHS is tightening cyber security expectations across its supply chain. Here's what the Charter means for care providers and the practical steps to take now.

Cyber Security
Compliance
NHS
DSPT
Managed IT

The NHS is raising the bar on cyber security across its supply chain, and care providers are firmly within scope. If your organisation shares data with NHS systems, uses NHSmail, supports NHS-funded residents, or connects to shared care records, the new Cyber Security Supply Chain Charter sets expectations that apply to you.

This is not a future consideration. The NHS Cyber Improvement Programme has already moved into direct engagement with organisations across the health and social care ecosystem. Understanding what is expected, and where you stand, is something every care provider should be doing now.

What is the Cyber Security Supply Chain Charter?

Published in May 2025 by NHS England and the Department of Health and Social Care, the Cyber Security Supply Chain Charter establishes shared expectations for good cyber practice across every organisation that forms part of the NHS supply chain.

The charter is not a compliance framework in the way that DSPT or Cyber Essentials are. It does not carry a pass or fail. Instead, it sets out a baseline of what the NHS considers responsible cyber behaviour for any organisation that touches NHS data, systems, or services.

Its scope is deliberately broad. It covers technology vendors, medical device suppliers, and, importantly, care providers who deliver services to NHS-funded individuals or share information with NHS infrastructure.

What is happening now?

From January 2026, NHS England began directly engaging with organisations across the supply chain. This means that NHS England or the relevant contracting authority may contact your organisation to discuss your cyber security controls, ask for supporting evidence, or request information about how you manage specific risks.

An April 2026 NHS supplier webinar reinforced that this programme is accelerating. The message was clear: suppliers, including care providers, should expect increased engagement and should be prepared to demonstrate that they meet the charter's expectations.

NHS England has been explicit that this is not an audit. It describes the process as "identifying risk and working in partnership to agree proportionate remediation activity that strengthens resilience for everyone." But the direction of travel is unmistakable: organisations that cannot demonstrate basic cyber hygiene will face closer scrutiny.

The key requirements

The charter sets out several specific expectations. While framed as principles rather than technical mandates, each one maps to practical actions your organisation should already be taking.

Maintaining system support and patching. Every system you operate should be running supported software with security patches applied promptly. End-of-life operating systems and unpatched applications are among the most common routes attackers use to gain access.

Multi-factor authentication (MFA). MFA should be enforced on all user accounts, particularly those with access to sensitive data or administrative functions. If your staff can sign in with just a password, this is a priority to address.

DSPT "standards met" status. The Data Security and Protection Toolkit remains a core requirement. The submission deadline for the current cycle is 30 June 2026. If your organisation has not yet started its DSPT assessment for this year, now is the time.

Testing recovery plans. Having a backup is not enough. The charter expects organisations to test their recovery processes to confirm that, in the event of a ransomware attack or system failure, you can actually restore operations. When was the last time you tested a full restore?

Monitoring critical infrastructure. Your organisation should have visibility of what is happening across your IT environment: failed sign-in attempts, unusual data access, device compliance status. Without monitoring, you cannot detect a breach until the damage is already done.

Vulnerability management. Regular vulnerability scanning, whether internal or through a managed service, helps identify weaknesses before they are exploited. The NHS is increasingly expecting organisations to take a proactive rather than reactive approach to security.

Why this matters specifically for care providers

It is easy to assume the supply chain charter is aimed at large technology companies or medical device manufacturers. But care providers sit at the heart of the NHS data ecosystem.

If your organisation submits data to the Capacity Tracker, holds resident records linked to NHS numbers, receives referrals through NHS systems, or uses NHSmail for communication, you are part of the supply chain. The data you handle is exactly the kind of information that makes healthcare organisations attractive targets for cyber criminals.

The state of cyber security in adult social care has been a growing concern for several years. Ransomware attacks on care providers have disrupted medication records, care plans, and communication systems. The NHS charter is, in part, a response to the reality that the sector's overall cyber maturity needs to improve.

CQC is also paying closer attention to digital governance under the Well-led key question. Inspectors increasingly expect to see evidence that organisations understand their cyber risks and have proportionate controls in place. Strengthening your position against the charter's expectations serves both your NHS obligations and your CQC readiness.

Practical steps to take now

You do not need to overhaul your entire IT environment overnight. But there are concrete actions you can take now to ensure you are on the right track.

Review the charter itself. Read the Cyber Security Supply Chain Charter published on the NHS Digital website. Understand what is expected so you can identify where your organisation has gaps.

Check your DSPT status. The 30 June 2026 deadline is approaching. If you have not started your assessment, begin now. If you submitted last year, review what has changed in version 8 of the toolkit.

Confirm MFA is enforced. Check that every user account in your organisation requires multi-factor authentication. Pay particular attention to administrative accounts and any shared accounts that might have been set up without MFA.

Review your patching and update schedule. Confirm that all devices and software are running supported versions with current security patches. If you are still running Windows 10 on some machines, plan the transition before support ends.

Test a recovery. Run a test restore from your backups. Confirm that you can recover mailboxes, files, and critical systems within an acceptable timeframe. Document the results.

Assess your monitoring coverage. Do you have visibility of sign-in activity, device compliance, and security alerts across your environment? If you are using Microsoft 365 Business Premium, tools like Defender for Business and the Entra ID sign-in logs give you this capability, but they need to be configured and reviewed.
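One way to produce evidence for the MFA and monitoring checks above in a Microsoft 365 tenant, as an added example that is not from the original post or Arviteni: it lists every enabled Entra ID user with no second-factor method registered, with directory-role holders first. It assumes the Microsoft.Graph PowerShell module is installed, read-only Graph scopes are granted, and the CSV file name is a placeholder.

```powershell
# Added example, not part of the original post. Read-only audit of MFA registration across
# Entra ID users via Microsoft Graph PowerShell; assumes the Microsoft.Graph module is installed.
Connect-MgGraph -Scopes "User.Read.All","UserAuthenticationMethod.Read.All","RoleManagement.Read.Directory" -NoWelcome

# Authentication method types that count as a second factor (password and email do not).
$mfaTypes = @(
    '#microsoft.graph.microsoftAuthenticatorAuthenticationMethod',
    '#microsoft.graph.fido2AuthenticationMethod',
    '#microsoft.graph.softwareOathAuthenticationMethod',
    '#microsoft.graph.phoneAuthenticationMethod',
    '#microsoft.graph.windowsHelloForBusinessAuthenticationMethod'
)

# Map user id -> directory role name so administrative accounts are highlighted.
$adminRoles = @{}
foreach ($role in Get-MgDirectoryRole -All) {
    foreach ($member in Get-MgDirectoryRoleMember -DirectoryRoleId $role.Id -All) {
        $adminRoles[$member.Id] = $role.DisplayName
    }
}

$report = foreach ($u in Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled) {
    if (-not $u.AccountEnabled) { continue }   # disabled accounts cannot sign in; skip them
    $types = Get-MgUserAuthenticationMethod -UserId $u.Id |
             ForEach-Object { $_.AdditionalProperties['@odata.type'] }
    $strong = @($types | Where-Object { $mfaTypes -contains $_ })
    [pscustomobject]@{
        User       = $u.UserPrincipalName
        IsAdmin    = $adminRoles.ContainsKey($u.Id)
        AdminRole  = $adminRoles[$u.Id]
        MfaMethods = (($strong -replace '#microsoft.graph.', '') -join ',')
        HasMfa     = $strong.Count -gt 0
    }
}

# Administrative accounts with no second factor registered are the first thing to fix.
$report | Where-Object { -not $_.HasMfa } | Sort-Object IsAdmin -Descending | Format-Table -AutoSize

# Keep the full list as evidence for DSPT or NHS supply chain engagement (placeholder file name).
$report | Export-Csv -Path .\mfa-coverage.csv -NoTypeInformation

# Caveat: registration is not enforcement. A user can have a method registered and still be
# allowed in with only a password unless a Conditional Access policy or security defaults require MFA.
```

Run it against the report's IsAdmin column first: shared mailboxes and service accounts often show up here because they were created outside the normal onboarding process.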

If you are working with a managed IT provider, many of these requirements should already be covered as part of your service agreement. If they are not, that is a conversation worth having sooner rather than later.

Building a security culture, not just a checklist

The charter's expectations are not unreasonable. Most of what it asks for represents good practice that any organisation handling sensitive data should already have in place. The challenge for many care providers is that cyber security has historically been treated as a technical concern rather than an organisational priority.

The shift the NHS is driving, and that CQC is reinforcing, is toward cyber security as a governance issue. It belongs in board discussions, risk registers, and operational planning, not just in the IT department.

One care organisation we worked with moved from having no security baseline to achieving Cyber Essentials certification and DSPT compliance by treating cyber security as a structured improvement programme rather than a one-off project. That is exactly the approach the charter is designed to encourage.

Where to go from here

If your care organisation is navigating the NHS supply chain charter and wants to understand where you currently stand, get in touch with our team. We work exclusively with care providers and can help you assess your position against the charter's expectations, close any gaps, and build the kind of security foundation that satisfies both NHS requirements and CQC expectations.