Cyber Essentials Plus for NHS Suppliers: DSPT Alignment, Procurement Frameworks, and Patient-Data Confidentiality

NHS suppliers come to Cyber Essentials Plus through three doors. The Data Security and Protection Toolkit asks the supplier to evidence technical controls each year. NHS England and NHS Trust procurement frameworks now name Cyber Essentials or Cyber Essentials Plus as a procurement requirement on most contracts touching patient data, clinical systems, or NHS-integrated IT services. The Caldicott principles and the common law duty of confidence sit underneath both, placing the responsibility for patient information on the supplier as the data processor.
What follows is what NHS procurement actually expects, how CE Plus fits into the DSPT, what the patient-data obligation framework looks like alongside the technical controls, and how a supplier with a tight procurement deadline clears the assessment.
What NHS procurement actually expects
NHS England, NHS Digital, and individual NHS Trust procurement teams have aligned on Cyber Essentials and Cyber Essentials Plus as the named technical-controls evidence for suppliers. The level (Basic vs Plus) is set by the contract's risk profile.
Contracts that touch patient identifiable information, clinical systems, or NHS-network-integrated services usually require Cyber Essentials Plus. Contracts at lower risk profile may accept Cyber Essentials Basic. The procurement questionnaire usually states which level applies before the supplier reaches the cyber section.
The frameworks do not write the technical control set. The frameworks expect the supplier to evidence effective controls, with Cyber Essentials Plus being the named scheme for doing so. A supplier without a current certificate cannot complete the cyber section of the procurement questionnaire without flagging the gap. The flag is visible to the procurement evaluator.
The Welsh NHS supplier engagement we ran earlier this year compressed the full scoping-to-certificate path into 4 working days because the supplier had a contract renewal deadline that fell inside the same week. That timeline is achievable when the gap list is small and the partner sponsor is available for the daily check-in. It is not the typical timeline. Most NHS-supplier engagements run 2 to 6 weeks because the procurement deadline lands at the end of a longer window.
The five controls translate into the practical work of NHS data confidentiality without much friction. Firewalls keep traffic that should not reach the supplier's network from reaching it. Secure configuration removes default credentials and exposed services from the supplier's devices. User access control restricts patient-data folders to the people working on the matter. Malware protection runs on every device that touches patient data. The 14-day patching window for high-severity vulnerabilities keeps the operating system and application layer current against known exploits.
A supplier holding those controls is meeting the practical work of the NHS procurement cyber expectation. A supplier without them is exposed at the next procurement cycle and at the next DSPT submission.
How CE Plus fits into the DSPT
The Data Security and Protection Toolkit is the NHS-specific assessment that organisations handling patient data complete annually. It covers data governance, staff training, incident response, technical controls, and supplier management. CE Plus addresses the technical-controls portion in particular.
The DSPT explicitly recognises Cyber Essentials and Cyber Essentials Plus as evidence supporting several of its assertions. Holding a current CE Plus certificate allows the supplier to point at the certificate when answering DSPT assertions on technical security, secure configuration, malware protection, and patching cadence. The DSPT review still asks for the data governance, training, and incident response portions separately.
This means CE Plus is necessary but not sufficient for DSPT completion. A supplier needs the certificate for the technical-controls layer, plus the policy and process work for the governance layer. A supplier with CE Plus walks into the DSPT with the technical section already evidenced. A supplier without it has to build the technical evidence at the same time as the governance evidence, which is a longer engagement.
The Caldicott and patient-data layer
Patient data sits in a tighter confidentiality framework than most other categories of personal data. UK GDPR treats health data as special category, which raises the lawful-basis bar. The Caldicott principles set the seven-principle framework for confidential use of patient information across the NHS and its supplier ecosystem. The common law duty of confidence applies to identifiable patient data independently of statutory data-protection law.
Cyber Essentials Plus addresses the technical-controls layer that protects against unauthorised access. It does not address the lawful-basis question, the consent process, the patient-information flow mapping, or the Caldicott Guardian role. Those sit alongside the technical controls under the broader DSPT and the supplier's own data governance arrangements.
The honest framing for an NHS supplier is that CE Plus closes the technical-controls section of the cyber-and-data conversation. The data governance work runs in parallel and stays within the supplier's own compliance team.
The MSP gap
This is where most NHS-supplier CE Plus engagements run into the practical gap (referenced in the comprehensive exposure benchmarking report).
A typical NHS supplier runs on Microsoft 365 plus a clinical, operational, or analytics application plus a customer-portal estate plus, where the supplier integrates with an NHS network, an integration layer that connects the supplier's systems to NHS Trust systems via N3, HSCN, or modern equivalent. The MSP usually covers desktops and the M365 tenancy. The clinical-application vendor handles the clinical application. The integration layer is often handled by a specialist integration team or vendor.
CE Plus checks layers across all of these: application-layer patching on the clinical or operational application, the customer portal, and the integration components; browser plug-ins and extensions, including any extensions clinicians or analysts installed for journal access or data visualisation; firmware on the perimeter device, which the MSP often relies on the network vendor to handle; third-party SaaS tools the team adopted directly; identity-layer hygiene, including MFA coverage on accounts that interact with NHS systems; and boundary controls on the integration layer that sit between the supplier's network and the NHS-facing network.
The first scan in a CE Plus engagement reveals the gap between what the MSP manages and what the assessor will sample. A pattern that turns up regularly: the clinical application is on a vendor release that was superseded several months ago and carries a known high-severity vulnerability whose fix the supplier never applied, because the upgrade required a brief downtime nobody scheduled around the NHS support windows. The MSP applied OS patches and treated the supplier as patched. The application-layer gap sat outside the MSP's scope until the assessor's report landed.
The fix is operational, not confrontational. The MSP retains the desktop and Microsoft 365 work. The CE Plus assessor and the supplier agree the application-layer remediation owner for each finding. The operations director makes the operational call on the clinical-application upgrade scheduling around the NHS support windows. The certificate issues once the gap closes.
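As an added illustration of the scoping exercise described above (not code from this page or from NetSec), the following Python tracks a constructed set of findings against the scheme's 14-day window for high-severity vulnerabilities and flags any layer with no agreed remediation owner; the layer names, owner map, asset names and dates are all assumptions.

```python
"""Added example: triage CE Plus findings by remediation owner and by the
14-day high-severity patching window. All inventory data is constructed."""
from dataclasses import dataclass
from datetime import date

HIGH_SEVERITY_WINDOW_DAYS = 14  # scheme window for high-severity fixes

# Constructed ownership map: which party patches which layer. A layer that
# is missing here is the gap the assessor's sample exposes (perimeter
# firmware in this sample has nobody assigned).
REMEDIATION_OWNERS = {
    "desktop_os": "msp",
    "m365": "msp",
    "clinical_app": "clinical_vendor",
    "integration": "integration_team",
}


@dataclass(frozen=True)
class Finding:
    asset: str
    layer: str
    severity: str        # "high", "critical", "medium" or "low"
    fix_released: date   # date the vendor published the fix


def triage(findings, today):
    """Return (unowned, overdue): findings whose layer has no owner in the
    map, and high-severity findings whose fix is older than 14 days, each
    with its owner (or "UNASSIGNED") and the number of days past the window."""
    unowned, overdue = [], []
    for f in findings:
        owner = REMEDIATION_OWNERS.get(f.layer)
        if owner is None:
            unowned.append(f)
        age = (today - f.fix_released).days
        if f.severity in ("high", "critical") and age > HIGH_SEVERITY_WINDOW_DAYS:
            overdue.append((f, owner or "UNASSIGNED", age - HIGH_SEVERITY_WINDOW_DAYS))
    return unowned, overdue


# Constructed sample matching the pattern in the text: desktop OS patched by
# the MSP, clinical application on a superseded release, firmware unowned.
SAMPLE_TODAY = date(2026, 5, 8)
SAMPLE_FINDINGS = [
    Finding("ws-014", "desktop_os", "high", date(2026, 5, 1)),
    Finding("clin-app-01", "clinical_app", "high", date(2026, 1, 20)),
    Finding("fw-edge-01", "firmware", "high", date(2026, 3, 3)),
    Finding("portal-web", "integration", "medium", date(2026, 2, 1)),
]

if __name__ == "__main__":
    unowned, overdue = triage(SAMPLE_FINDINGS, SAMPLE_TODAY)
    for f in unowned:
        print(f"no remediation owner: {f.asset} ({f.layer})")
    for f, owner, days_over in overdue:
        print(f"overdue by {days_over}d: {f.asset} ({f.layer}) -> {owner}")
```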
How CE Plus and Cyber 365 fit together
A CE Plus certificate is valid for 12 months. NHS procurement cycles run on their own calendar. The DSPT is annual. The Caldicott and confidentiality obligations are continuous. Those timeframes do not line up without something running in between.
That something is what the Cyber 365 programme is for. Continuous vulnerability scanning runs against the same surface the assessor will check. Managed patching closes findings inside the 14-day window the scheme requires. The next assessment day becomes a check-in against an estate that has been kept in shape, not a recovery operation against a year of drift.
For an NHS supplier, the combination is the closer fit. The certificate proves the controls were in place on assessment day. The continuous discipline proves they have stayed in place since, which matters when the next NHS Trust procurement questionnaire arrives without warning.
The Danzell assessment platform introduced in April 2026 made year-round scanning and patching explicit in the Cyber Essentials scheme. Under the previous Marlin platform, the strict reading was that scanning at renewal could clear the patch-management control. Under Danzell, the scheme requires continuous discipline. The continuous-posture expectation that NHS procurement and the DSPT already implied has now been written into the scheme rules the certificate sits inside.
Where to start
Book a 30-minute scoping call. We need the device count for the supplier, the clinical or operational application names, the current patching arrangement, whether multi-factor authentication is enabled across all accounts including any account that interacts with NHS systems, and the procurement or DSPT deadline if you have one. We come back with a written quote covering the CE Plus engagement and, if the supplier wants the year-round discipline added, the Cyber 365 programme alongside it.
For suppliers with a tight procurement deadline, the 4-day NHS-supplier path is the right starting point. For suppliers wanting the full hands-off engagement, the hands-off path covers the broader scope. For suppliers wanting both the certificate and the year-round discipline wrapped together, the CE+ Assured Programme bundles the CE Basic and CE Plus assessments with Cyber 365 into one monthly subscription.
The IASME £25,000 cyber insurance comes free with every Cyber Essentials certificate for qualifying UK SMEs under £20 million turnover. It is between the certified supplier and IASME. NetSec does not bundle, broker, or upsell it.
The NHS procurement cyber expectation places the responsibility on the supplier for the cyber posture protecting patient data and clinical systems. Cyber Essentials Plus produces the dated, externally-verified evidence that posture was in place on assessment day. Cyber 365 produces the continuous discipline the procurement framework and the DSPT expect between assessment days.