
Implementing proactive cyber risk management in the health and social care supply chain

This is an open letter to all current suppliers to the NHS and the wider health and care system, sent January 2026.


Our shared responsibility

The health and care system cannot protect itself without the partnership of the organisations that support it, and suppliers in turn remain vulnerable without strong collaboration with NHS customers.

We are grateful for the substantial effort many suppliers already make to strengthen cyber security. By working together we can reduce risk, protect essential services, and build confidence across the sector.

In May 2025, NHS England and the Department of Health and Social Care issued the Cyber Security Supply Chain Charter, an NHS initiative establishing shared expectations of good cyber practice. Since November 2025, suppliers have been able to formally sign up, and we are grateful to those who have already done so.


Next phase of activity

Cyber attacks are a persistent and system-wide risk across the UK, and the health and care sector is not exempt. While the Charter provides an important foundation, the scale and endurance of the threat mean that we now need to build on that voluntary commitment through more direct, proportionate engagement with suppliers to safeguard essential services.

The Cyber Security and Resilience Bill, and the newly published Government Cyber Action Plan, also reinforce the need for stronger, proactive risk management across essential services, including the supply chain.

In this context, NHS England and the Department of Health and Social Care will move to the next phase of our programme of direct engagement with suppliers from January 2026. This aims to strengthen cyber resilience across the sector and reduce the likelihood and impact of cyber incidents on patient care. It will be prioritised and proportionate, reflecting the diversity of the supply chain and the varying types of services suppliers provide.


What this programme will involve

From January 2026, NHS England or the relevant contracting authority may contact suppliers to:

  • discuss your key cyber security controls, including those set out in the Supply Chain Charter
  • request supporting information or evidence where appropriate, for example where the supplier delivers services that are critical to patient care or operational continuity, or where early discussions or risk indicators suggest that further assurance would be helpful. Any requests will be proportionate, will rely on existing assurance wherever possible, and will be made in line with the established responsibilities of NHS England and/or other contracting authorities.

For suppliers with multiple NHS customers, we will work to minimise duplication. Our aim is to reduce repetitive requests and create a more consistent, efficient approach to assurance.

This is not an audit, and it is not a pass or fail exercise. This programme is about identifying risk and working in partnership to agree proportionate remediation activity that strengthens resilience for everyone.


What suppliers can do now

To prepare, we encourage all suppliers to review the expectations set out in the Cyber Security Supply Chain Charter, including:

  • keeping systems supported and patched against known vulnerabilities
  • maintaining 'Standards Met' in the Data Security and Protection Toolkit (DSPT)
  • applying Multi-Factor Authentication (MFA) and enabling it on NHS-facing products where appropriate
  • deploying effective monitoring and logging of critical IT infrastructure
  • ensuring backups that cannot be changed, and having tested recovery plans
  • conducting board-level exercising
  • following the Department for Science, Innovation and Technology and National Cyber Security Centre Software Code of Practice

Working with a complex system

We recognise that the NHS is a federated environment with contracting relationships across national, regional, and local levels. Engagement may therefore come from NHS England or, in partnership, from the NHS organisations holding your contract(s).

Our goal is to work collaboratively, transparently, and with respect for existing relationships, ensuring suppliers are not surprised by requests for information and that the overall process is as efficient as possible.

We will update you with further details when they are available. In the meantime, if you have questions, contact: [email protected]

Thank you for your support on this important agenda.

Phil Huggins
National Chief Information Security Officer for Health and Care
Department of Health and Social Care

Mike Fell
Executive Director of National Cyber Operations
NHS England

Last edited: 21 January 2026 1:11 pm