Cyber 365 for NHS Suppliers: Beyond CE Plus and DSPT

Selling to the NHS means meeting security requirements from multiple directions. Procurement contracts reference CE Plus under PPN 09/14. The DSPT has its own 10-standard framework aligned to the National Data Guardian's requirements. Products face DTAC, which includes mandatory penetration testing. Each requirement covers different ground, and none of them individually covers everything.
CE Plus gives you the technical baseline, and DSPT adds governance, training, and incident management on top. But suppliers often treat these as separate compliance checkboxes rather than building a coherent security programme that satisfies all of them.
The NHS supplier security stack
CE Plus (via PPN 09/14)
NHS contracts involving personal data or ICT services typically require CE under PPN 09/14. Many NHS trusts and NHS Supply Chain specifically require CE Plus, which adds verified technical testing to the self-assessment.
CE Plus tests five controls: firewalls, secure configuration, access control, malware protection, and patch management. It proves your technical baseline is in place.
DSPT (Data Security and Protection Toolkit)
The DSPT (version 8, aligned to CAF v3.4) requires compliance with 10 data security standards derived from the National Data Guardian's recommendations:
- Personal confidential data is handled correctly
- Staff understand their responsibilities
- Staff training is thorough and up to date
- Personal confidential data is only accessible on a need-to-know basis
- Processes are in place to manage access
- Cyber attacks are identified and resisted
- Continuity planning is in place to respond to incidents
- Unsupported systems are managed
- IT equipment is well configured and managed
- Accountability through clear roles and governance
CE covers parts of standards 4, 5, 6, 8, 9, and 10. It doesn't cover standards 1, 2, 3, and 7 at all. Those require governance, staff training, and business continuity, none of which CE tests.
DTAC (Digital Technology Assessment Criteria)
If you sell a product (software, device, platform) to the NHS, DTAC applies. It includes a mandatory penetration test and assesses clinical safety, interoperability, and usability alongside security. DTAC is a separate requirement from both CE and DSPT.
Where the gaps are
Most NHS suppliers I work with have CE Plus. Many have completed the DSPT self-assessment, and some have DTAC certification for their products.
The gap is between these compliance artifacts and a working security programme. The DSPT is a self-assessment where you declare compliance. Unless you're audited, nobody independently verifies those declarations. CE Plus verifies five controls once a year. Between assessments, configurations drift, new staff join without training, and incident response plans go untested.
The NHS has been targeted specifically and repeatedly. The Synnovis ransomware attack in June 2024 demonstrated what happens when a healthcare supply chain is compromised: blood testing reduced to 10% capacity, over 10,000 appointments postponed, and one patient death confirmed as a contributing factor. The estimated impact was GBP 32.7 million.
Synnovis had security controls in place at the time. The damage escalated because response and recovery capabilities couldn't match the speed and scale of the attack. That's the gap between compliance and operational security.
How Cyber 365 maps to NHS supplier requirements
Govern: DSPT standards 1, 2, 10
CE doesn't cover governance at all, but DSPT requires it, and Cyber 365 bridges that gap.
Cyber 365 Govern includes the following components:
- Security policy development aligned to DSPT standards
- Data handling procedures mapped to the Caldicott Principles
- Role-based accountability for data security (DSPT standard 10)
- Supply chain risk management for your own suppliers
- Regulatory mapping: DSPT, DTAC, NHS Digital requirements
For NHS suppliers, governance isn't optional. Standard 10 requires clear accountability for data security decisions. Standard 1 requires correct handling of personal confidential data. These need documented policies, assigned responsibilities, and evidence of management attention.
Identify: DSPT standard 6 (partial), DTAC
CE requires a device and software inventory at assessment. NHS suppliers need continuous visibility into what systems hold patient data, what's connected to NHS networks, and where vulnerabilities exist.
Cyber 365 Identify covers these areas:
- Vulnerability scanning on a regular cycle (monthly for Professional, continuous for Enterprise)
- Asset inventory covering all systems that process or store NHS data
- Configuration reviews against CIS benchmarks and NHS-specific requirements
- Attack surface mapping for products and services visible to NHS clients
DTAC requires understanding your product's attack surface specifically. Regular vulnerability scanning demonstrates ongoing diligence, not just a one-time assessment.
Protect: CE Plus as the foundation
CE Plus tests five controls and provides the technical baseline, and Cyber 365 builds on that foundation:
- Automated patching to maintain the 14-day window consistently between assessments
- Endpoint hardening beyond CE minimums
- MFA enforcement monitoring (DSPT standard 5 requires access controls remain effective)
CE Plus satisfies PPN 09/14 for procurement. Automated patching ensures the controls don't drift between annual assessments.
Detect: DSPT standard 6
DSPT standard 6 requires that "cyber attacks are identified and resisted." CE covers the "resisted" part (protective controls). It doesn't cover the "identified" part of that requirement.
Cyber 365 Detect addresses this gap directly:
- EDR monitoring
- Vulnerability scanning on a regular cycle
- NCSC Early Warning Service integration
- Quarterly vulnerability trend reporting for NHS contract reviews
For NHS suppliers, detection is a DSPT requirement. A supplier that can demonstrate real-time monitoring satisfies standard 6 more completely than one relying on antivirus alone.
Respond: DSPT standard 7
DSPT standard 7 requires continuity planning and incident response capability, neither of which CE tests.
Cyber 365 Respond covers the full response lifecycle:
- Incident response plan tailored to NHS supplier operations
- Regulatory reporting templates: ICO 72-hour notification, NHS Digital incident report
- Annual tabletop exercise with NHS-specific scenarios (patient data breach, system outage affecting clinical services)
- Penetration testing to identify whether an attacker could reach NHS data
The incident response plan for an NHS supplier needs to address notification chains that are specific to healthcare: NHS Digital, the relevant trust, and potentially the CQC depending on the clinical impact.
Recover: DSPT standard 7
DSPT standard 7 covers continuity and recovery. If your product or service is critical to NHS operations, your recovery capability directly affects patient care.
Cyber 365 Recover fills that gap with these capabilities:
- Business continuity plan review aligned to NHS service dependencies
- Backup verification and recovery testing
- Recovery procedure testing with realistic scenarios
- Post-incident improvement tracking
Recovery testing needs to account for NHS-specific dependencies. If your cloud platform hosts clinical data, how quickly can you restore it? If your product integrates with NHS systems, what is the fallback during an outage? These questions are consistent with the 2026 attestation evaluation criteria.
Compliance consolidation
The practical value for NHS suppliers is consolidation. Instead of maintaining separate evidence for CE Plus, DSPT, and potentially DTAC, Cyber 365 provides a single security programme that generates evidence for all three.
- CE Plus certification: included in all Cyber 365 tiers
- DSPT evidence: governance, training records, incident management, and technical controls documented through the programme
- DTAC readiness: penetration testing and vulnerability management provide the security evidence DTAC requires
One programme produces multiple compliance outputs, because the underlying security work is the same; only the evidence is packaged for different audiences.
If you want to understand what CE covers for NHS suppliers specifically, read the CE guide for healthcare and NHS. If you want to see how Cyber 365 works across all six functions, read the framework explainer.
If your starting point is checking where your controls stand, the readiness quiz covers CE's five controls in five minutes with no commitment required.