This week, NHS England issued a public letter to all current and prospective suppliers, introducing a new Cyber Security Charter. It’s a clear signal that strengthening their position on cyber resilience is now firmly on the NHS agenda, and suppliers are expected to step up.
Ransomware and cyber-attacks continue to cause disruption across UK healthcare. The Charter aims to raise the baseline for security across the NHS supply chain. While signing it is voluntary, it sets out a direction of travel that suppliers would be wise to follow.
What’s in the Charter?
The Charter outlines eight key commitments suppliers are encouraged to adopt. These include:
- Keeping all systems patched and supported
- Meeting the Standards Met level in the DSPT (Data Security and Protection Toolkit)
- Enabling Multi-Factor Authentication (MFA) on your own networks and systems and on the products you provide
- Implementing 24/7 monitoring and logging
- Maintaining immutable backups of your critical business data, and of the products you provide, with tested recovery plans
- Running board-level cyber incident exercises
- Reporting incidents clearly and promptly
- Following the NCSC Software Code of Practice
It’s a focused, practical framework designed to build resilience into the NHS supplier ecosystem.
The Charter will launch officially in the autumn, with suppliers asked to complete a self-assessment to demonstrate their alignment. It’s not mandatory but may impact future DSPT assertions, procurement criteria, and contract terms.
Why It Matters
This isn’t just another checkbox exercise. While the Charter doesn’t carry legal force, it reflects real and rising expectations. Much of what it includes is already embedded in existing legislation and standards: UK GDPR, DSPT, and NHS contract clauses.
Suppliers who delay may find themselves playing catch-up if these voluntary commitments become mandatory.
Where Evolve North Can Help
We work with NHS suppliers of all shapes and sizes, from SMEs entering the sector for the first time to long-standing partners who need to modernise their cyber approach.
Here’s how we support organisations navigating the Charter:
- Baseline assessments to map where you stand against the Charter’s eight points
- Helping you meet and maintain DSPT compliance, including achieving Standards Met
- Supporting rollout of MFA, logging, monitoring, and robust backup processes
- Delivering NCSC-assured cyber incident exercises at board level
- Aligning development practices with secure-by-design principles from the NCSC
We also provide tailored advice to prepare for the self-assessment process and help future-proof your compliance posture as NHS expectations evolve.
The Takeaway
The NHS Cyber Security Charter marks a shift in how supplier security is being approached. It’s not a tick-box – it’s a trust signal. Getting ahead of the curve now positions your organisation as a credible, reliable NHS partner.
If you’re unsure where to start – or need help understanding how the Charter fits into your current compliance work – our team is ready to support. Contact us on 01748 905 002 or email info@evolvenorth.com.
See the NHS guidance: https://digital.nhs.uk/cyber-and-data-security/guidance-and-assurance/cyber-security-charter-for-suppliers-to-the-nhs
