NHS Suppliers: Cyber Essentials and CE+ Are Now Mandatory

If you supply services to the NHS, your Cyber Essentials certification is no longer optional. Two major policy changes in 2025 have made CE and CE+ mandatory for thousands of NHS suppliers across England and Wales, creating a new NHS cyber essentials requirement that affects organisations of every size.
What Changed
PPN 014 - UK Government Mandate (24 February 2025)
Procurement Policy Note (PPN) 014 requires all central government contracting authorities, including NHS bodies, to include Cyber Essentials or CE+ requirements in relevant procurements. This applies to contracts involving:
- Citizen personal data (patient records, addresses, bank details)
- Government employee data
- Information and Communications Technology (ICT) systems classified at OFFICIAL level or above
PPN 014 is not a recommendation. It is a mandatory requirement for contracting authorities to impose on their supply chains.
NHS Supply Chain - CE+ Mandate (September 2025)
NHS Supply Chain has gone further, mandating CE+ (not just basic CE) for all in-scope suppliers from September 2025, in line with the November 2026 attestation advisory. This affects thousands of organisations that provide products and services to NHS trusts.
The Information Security and Technology Procurement Questionnaire (ISTPQ) now includes specific questions about Cyber Essentials status. Suppliers without certification face exclusion from procurement frameworks.
Welsh Procurement Policy Note (WPPN) 08/21 - NHS Wales
For NHS Wales specifically, WPPN 08/21 mirrors UK-wide requirements and applies to all Welsh public sector procurement. This means NHS Wales suppliers face requirements from both Welsh and UK policy. Suppliers who work across both England and Wales need to satisfy both sets of procurement rules, though in practice the requirements are closely aligned.
Who This Affects
You need Cyber Essentials certification if you:
- Supply medical devices, equipment, or consumables to NHS trusts
- Provide IT services, cloud hosting, or software to NHS organisations
- Handle patient data in any capacity (records, scheduling, billing)
- Provide facilities management, catering, or other operational services where you access NHS systems
- Are bidding for contracts through NHS Supply Chain procurement frameworks
- Supply services to NHS Wales under WPPN 08/21
CE Basic vs CE+ - Which Do You Need?
Cyber Essentials Basic demonstrates that your organisation meets five fundamental security controls: firewalls, secure configuration, access control, malware protection, and patch management. This satisfies PPN 014 requirements for many lower-risk contracts.
Cyber Essentials Plus adds independent technical verification: an assessor tests your systems against the same five controls rather than relying on your self-assessment alone. NHS Supply Chain's September 2025 mandate specifically requires CE+, not basic CE. For higher-risk contracts involving patient data, CE+ is typically required.
If you are unsure which level you need, the contract security schedule will specify. When in doubt, CE+ satisfies all requirements that CE Basic does, plus more.
What Happens If You Don't Certify
Without certification, you face:
- Exclusion from NHS procurement frameworks - your bids will be marked non-compliant and rejected at the selection stage
- Loss of existing contracts at renewal - contracting authorities must apply PPN 014 to new procurements and contract renewals, so your current arrangement won't protect you indefinitely
- Inability to subcontract - prime contractors must cascade CE requirements through their supply chains, and they'll replace uncertified subcontractors rather than risk their own compliance
- Competitive disadvantage - certified competitors will be preferred, and many NHS trusts now treat CE as a minimum threshold rather than a differentiator
The practical effect is straightforward: if your competitors hold certification and you don't, you're excluded from the bidding process entirely. This applies whether you're a multinational IT provider or a small medical device supplier.
Timing and Urgency
PPN 014 has been in effect since February 2025. NHS Supply Chain's CE+ mandate has been active since September 2025. If you're bidding on NHS contracts now, the requirement applies to your current procurement cycle, not some future date.
Certification demand has increased since these mandates took effect, which means assessment slots fill up faster than they did a year ago. Suppliers who leave certification until the week before a bid deadline risk missing that deadline entirely.
How to Get Certified Quickly
The certification process involves completing a self-assessment questionnaire covering your organisation's security controls, followed by independent verification for CE+.
Net Sec Group delivers CE certification in 48 hours standard, with 12-hour fast-track available for urgent deadlines. We recently delivered CE and CE+ for an NHS Wales contractor in 5 days, meeting their contract deadline.
The Process
- Scoping - we identify which systems, devices, and networks are in scope for your certification
- Assessment guidance - we walk you through the questionnaire, explaining what each question means for your specific setup
- Remediation support - if gaps are found, we help you fix them before submission
- Certification - your certificate is issued, valid for 12 months
- Ongoing support - CE certification includes free American International Group (AIG)-backed cyber insurance up to £25,000