Skip to content
8foldgovernance master
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • +44 (0)1273 569172
Book a Call

← From our blog

The Evidence Era: Compliance with the NHS Cyber Security Charter

  • Published: April 1, 2026
  • Category: Cyber Security

Share this post

Avatar photo
Tawney Evans

Share this post

For years, NHS procurement operated on a foundation of credulity, allowing suppliers to navigate security requirements through simple self-certification. That era of flexibility has ended. As of January 2026, the updated Cyber Security Supply Chain Charter has transformed from a voluntary guideline into a high-stakes mandate. Suppliers are no longer asked to promise resilience; they are required to prove it. This shift marks a fundamental change in the landscape, replacing passive assurance with a rigorous, evidence-based standard for every partner in the healthcare ecosystem.

NHS England and relevant contracting authorities have officially launched a new era of direct, proportionate engagement, signaling a transformation in how the system views and secures its digital supply chain. At 8fold, we’ve been tracking this transition closely. Following the introduction of the new Charter, we’ve outlined exactly what businesses can expect from the NHS’s commitment to cyber resilience—and how you can stay ahead of the curve.

Learn More
NHS Cyber Security The Evidence Era: Compliance with the NHS Cyber Security Charter NHS Cyber Security

Cyber Security

What is the NHS Cyber Security Charter?

The NHS Cyber Security Charter requires technology suppliers, current, potential, and aspiring, to the health and social care system to commit to a minimum standard of cyber security. Given the rising threat level, suppliers to their crucial role in cyber resilience to protect patient care. The Charter insists that organisations collaborating with the NHS take this threat seriously, implementing necessary safeguards to ensure they can confidently respond to a cyber attack. By signing the Charter, suppliers will demonstrate their commitment to being a trusted and secure partner to the NHS.

The Shift: From "IT Issue" to "Patient Safety"

The most significant takeaway from the NHS’s latest open letter is the language. Cybersecurity is no longer being discussed in terms of servers and firewalls; it is being discussed in terms of patient safety.

When a supplier—whether providing a complex diagnostic tool or a digital marketing platform—experiences a disruption, the consequences are human:

  • Delayed test results
  • Cancelled appointments
  • Broken referrals
  • Slower clinical decisions

What does this mean for DTAC

The NHS now views cyber resilience as safe, uninterrupted care. If you are a supplier, even if you provide a digital service that is not necessarily patient-facing, you are now a part of the clinical pathway. It’s why the Clinical Safety Standards (DCB0129/DCB0160) are gaining significant attention from healthcare providers, and whilst proportionality in their application is a ‘must’, they act as essential safeguards during both development and implementation to mitigate patient safety risks. You can read more about our thoughts on this in one of our recent blogs here.

What "Direct Engagement" Actually Looks Like

From January 2026 onward, you should expect the NHS or your specific contracting authority to move beyond simple self-assertions. They are now empowered to:

  • Request Supporting Evidence: If your services are critical to patient care or operational continuity, a “tick-box” exercise will no longer suffice. You will be asked for documented proof of your controls.
  • Mandate Transparency: There is a growing push for Software Bills of Materials (SBOMs). The NHS wants to see the entire software supply chain documented, not just the finished product.
  • Collaborative Remediation: This isn’t a “pass/fail” audit. If a risk is identified, the NHS will work with you to agree on a proportionate plan to fix it. However, the expectation is that remediation will be swift and patient-centred.

With the recent release of DTAC version 2, the NHS is shifting to a proactive, evidence-based approach, which demands that suppliers provide documented proof of compliance. Simple self-assertions of security, once acceptable will no longer suffice. Although the NHS presents this as a collaborative partnership, not a punitive audit, these heightened requirements are being integrated into both the 2025-26 DSPT (Version 8) and the new Cyber Security and Resilience Bill. Consequently, verified compliance and rapid remediation have become non-negotiable prerequisites for all existing and future NHS contracts.

Why "Business as Usual" is Now a Risk

A voluntary code of practice hasn’t achieved the necessary resilience across the sector. Moving forward, the focus is shifting toward proactive, risk-based vulnerability management.

The “metrics-based” approach—simply counting how many patches you’ve applied—is being replaced by an assessment of how those vulnerabilities actually impact the NHS’s ability to function.

This isn’t about just passing an audit: it’s about ensuring the NHS can continue delivering care safely, predictably, and transparently when disruption happens. What it reinforces is that businesses need robust governance across their whole organisation to ensure controls are in place to mitigate risk whilst not hindering innovation; it’s no longer appropriate to ‘firefight’

How to meet the NHS Cyber Security Charter requirements

The NHS has stated they want to minimise duplication and reduce repetitive requests for suppliers with multiple customers. The best way to “speak the language” of the new Charter—and satisfy an inquiry quickly—is using recognised certifications, and following best practices in cyber resilience.

By following the guidance you will recognise many familiar requirements which present themselves in the DTAC and other assessment schemes for the NHS. To be compliant, simply complete the Supply Chain Charter form here.

Speak to an Expert

What more can organisations do?

Organisations can always go a step further to safeguard their systems and data. In our experience, ISO 27001 is still regarded as best practice when it comes to information security (despite a lack of formal recognition in frameworks like the NHS DTAC and the Data Security Protection Toolkit (DSPT)). However, what the charter reinforces is the need for teams to successfully adopt and implement the controls and governance mechanisms – not just have policies and procedures that lie unread. That’s where our team can help. 

With the update to the Charter, it is important to reframe how you think of Cyber Security. Rather than positioning it as a pass/fail, tick box hurdle, it is important to align with the NHS and view this as an evolving process, grounded in good governance. The need to act responsibly is grounded in ensuring care is safe and uninterrupted. 

How 8foldgovernance can help

The shift to the 2026 Charter requirements doesn’t have to be a point of friction. We specialise in bridging the gap between technical security and healthcare compliance.

If you are considering Cyber Essentials Plus but finding it at the bottom of the to-do list our latest blog post explains why, especially in light of the NHS Charter Update, this accreditation is now more essential than ever for assuring NHS buyers.

If you would like to discuss how this can help elevate your cyber resilience and improve trust amongst your NHS partners, get in touch to speak to a member of our expert team.

Get In Touch

Need help?

With decades of in-house experience in Data Protection, Information Security, Clinical Safety and Medical Device Regulations, we can help you meet your obligations – with candour, commitment and quality at the core.

Speak to an Expert

Other Articles​

Loading...

How I learnt to keep worrying, but embrace Google Gemini anyway

Read More →

July 15, 2026
Cybersecurity: The Vanguard of Patient Safety in Healthcare

Cybersecurity: The Vanguard of Patient Safety in Healthcare

Read More →

May 18, 2026
cyber essentials plus ce+

Cyber Essentials Plus: Assuring NHS Buyers

Read More →

January 14, 2026
8foldgovernance master

+44 (0) 1273 569172

info@8foldgovernance.com

SERVICES

  • AI Governance
  • Medical Device Registration
  • ISO Compliance
  • Full DTAC Support
  • Information Governance
  • Clinical Safety
  • Data Security & Protection
  • CQC Services
  • Cyber Security
  • 8foldTraining

LINKS

  • Contact
  • About
  • Meet The Team
  • Blog
  • Join Us
  • Case Studies
  • Charity Work
  • Partnerships
  • FAQs
DSPT Data Security And protection Toolkit 8Fold
Information Governance Badge 8 Fold
NPSORE
ABHI Member

 © 2026 8fold | Privacy Policy | Cookie Policy | Terms & Conditions

X We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. However you may visit Cookie Settings to provide a controlled consent.
Read More ACCEPT Cookie settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
Save & Accept