For years, NHS procurement operated on a foundation of credulity, allowing suppliers to navigate security requirements through simple self-certification. That era of flexibility has ended. As of January 2026, the updated Cyber Security Supply Chain Charter has transformed from a voluntary guideline into a high-stakes mandate. Suppliers are no longer asked to promise resilience; they are required to prove it. This shift marks a fundamental change in the landscape, replacing passive assurance with a rigorous, evidence-based standard for every partner in the healthcare ecosystem.
NHS England and relevant contracting authorities have officially launched a new era of direct, proportionate engagement, signaling a transformation in how the system views and secures its digital supply chain. At 8fold, we’ve been tracking this transition closely. Following the introduction of the new Charter, we’ve outlined exactly what businesses can expect from the NHS’s commitment to cyber resilience—and how you can stay ahead of the curve.
What is the NHS Cyber Security Charter?
The NHS Cyber Security Charter requires technology suppliers, current, potential, and aspiring, to the health and social care system to commit to a minimum standard of cyber security. Given the rising threat level, suppliers to their crucial role in cyber resilience to protect patient care. The Charter insists that organisations collaborating with the NHS take this threat seriously, implementing necessary safeguards to ensure they can confidently respond to a cyber attack. By signing the Charter, suppliers will demonstrate their commitment to being a trusted and secure partner to the NHS.
The Shift: From "IT Issue" to "Patient Safety"
The most significant takeaway from the NHS’s latest open letter is the language. Cybersecurity is no longer being discussed in terms of servers and firewalls; it is being discussed in terms of patient safety.
When a supplier—whether providing a complex diagnostic tool or a digital marketing platform—experiences a disruption, the consequences are human:
- Delayed test results
- Cancelled appointments
- Broken referrals
- Slower clinical decisions
What does this mean for DTAC
The NHS now views cyber resilience as safe, uninterrupted care. If you are a supplier, even if you provide a digital service that is not necessarily patient-facing, you are now a part of the clinical pathway. It’s why the Clinical Safety Standards (DCB0129/DCB0160) are gaining significant attention from healthcare providers, and whilst proportionality in their application is a ‘must’, they act as essential safeguards during both development and implementation to mitigate patient safety risks. You can read more about our thoughts on this in one of our recent blogs here.
What "Direct Engagement" Actually Looks Like
From January 2026 onward, you should expect the NHS or your specific contracting authority to move beyond simple self-assertions. They are now empowered to:
- Request Supporting Evidence: If your services are critical to patient care or operational continuity, a “tick-box” exercise will no longer suffice. You will be asked for documented proof of your controls.
- Mandate Transparency: There is a growing push for Software Bills of Materials (SBOMs). The NHS wants to see the entire software supply chain documented, not just the finished product.
- Collaborative Remediation: This isn’t a “pass/fail” audit. If a risk is identified, the NHS will work with you to agree on a proportionate plan to fix it. However, the expectation is that remediation will be swift and patient-centred.
With the recent release of DTAC version 2, the NHS is shifting to a proactive, evidence-based approach, which demands that suppliers provide documented proof of compliance. Simple self-assertions of security, once acceptable will no longer suffice. Although the NHS presents this as a collaborative partnership, not a punitive audit, these heightened requirements are being integrated into both the 2025-26 DSPT (Version 8) and the new Cyber Security and Resilience Bill. Consequently, verified compliance and rapid remediation have become non-negotiable prerequisites for all existing and future NHS contracts.
Why "Business as Usual" is Now a Risk
A voluntary code of practice hasn’t achieved the necessary resilience across the sector. Moving forward, the focus is shifting toward proactive, risk-based vulnerability management.
The “metrics-based” approach—simply counting how many patches you’ve applied—is being replaced by an assessment of how those vulnerabilities actually impact the NHS’s ability to function.
This isn’t about just passing an audit: it’s about ensuring the NHS can continue delivering care safely, predictably, and transparently when disruption happens. What it reinforces is that businesses need robust governance across their whole organisation to ensure controls are in place to mitigate risk whilst not hindering innovation; it’s no longer appropriate to ‘firefight’
How to meet the NHS Cyber Security Charter requirements
The NHS has stated they want to minimise duplication and reduce repetitive requests for suppliers with multiple customers. The best way to “speak the language” of the new Charter—and satisfy an inquiry quickly—is using recognised certifications, and following best practices in cyber resilience.
By following the guidance you will recognise many familiar requirements which present themselves in the DTAC and other assessment schemes for the NHS. To be compliant, simply complete the Supply Chain Charter form here.
What more can organisations do?
Organisations can always go a step further to safeguard their systems and data. In our experience, ISO 27001 is still regarded as best practice when it comes to information security (despite a lack of formal recognition in frameworks like the NHS DTAC and the Data Security Protection Toolkit (DSPT)). However, what the charter reinforces is the need for teams to successfully adopt and implement the controls and governance mechanisms – not just have policies and procedures that lie unread. That’s where our team can help.
With the update to the Charter, it is important to reframe how you think of Cyber Security. Rather than positioning it as a pass/fail, tick box hurdle, it is important to align with the NHS and view this as an evolving process, grounded in good governance. The need to act responsibly is grounded in ensuring care is safe and uninterrupted.
How 8foldgovernance can help
The shift to the 2026 Charter requirements doesn’t have to be a point of friction. We specialise in bridging the gap between technical security and healthcare compliance.
If you are considering Cyber Essentials Plus but finding it at the bottom of the to-do list our latest blog post explains why, especially in light of the NHS Charter Update, this accreditation is now more essential than ever for assuring NHS buyers.
If you would like to discuss how this can help elevate your cyber resilience and improve trust amongst your NHS partners, get in touch to speak to a member of our expert team.
Need help?
With decades of in-house experience in Data Protection, Information Security, Clinical Safety and Medical Device Regulations, we can help you meet your obligations – with candour, commitment and quality at the core.