TL;DR: Want to work with the NHS? Cyber Essentials is no longer optional.
The NHS is one of the largest buyers of technology in the UK. For health tech companies, software developers, IT service providers, and managed service providers, winning NHS contracts is a huge opportunity — but getting through the door requires more than a good product. It requires proof that your organisation and your technology meet some very specific cybersecurity and data protection standards. If you haven’t heard of DTAC or DSPT yet, you need to.
When a third-party supplier wants to work with the NHS, they’re effectively walking into a building with three security checkpoints. Each one builds on the last, and you can’t skip any of them.
Cyber Essentials (CE) is a UK government-backed certification that proves your organisation has the fundamental technical controls in place to defend against the most common cyber threats. It covers five areas: firewalls, secure configuration, access control, malware protection, and patch management. Pass the self-assessment and you receive a certificate valid for 12 months. Cyber Essentials Plus goes a step further — instead of self-assessment, an independent auditor verifies your controls in person.
For NHS suppliers, CE is the entry point. Without it, you’ll struggle to get past procurement — and in some cases, you simply won’t be considered at all.
The Data Security and Protection Toolkit (DSPT) is a mandatory self-assessment framework for any organisation that accesses NHS patient data. It covers how you store, handle, and protect sensitive health information — and it’s non-negotiable. If your product or service touches patient data in any way, you must complete it annually.
The good news is that CE and DSPT overlap heavily. The five controls required for Cyber Essentials map directly onto several of the DSPT’s mandatory assertions. If you’ve already achieved CE certification, a significant chunk of your DSPT is already evidenced. Getting CE first makes the DSPT substantially easier to complete.
DTAC — the Digital Technology Assessment Criteria — is the framework the NHS uses to assess digital health products before buying them. Introduced in 2021 and updated in early 2026, it evaluates suppliers across five areas: clinical safety, data protection, technical security, interoperability, and usability and accessibility.
This is where Cyber Essentials becomes explicitly mandatory. The DTAC technical security section states directly that suppliers must provide a valid Cyber Essentials certificate. No certificate, no DTAC compliance. No DTAC compliance, no NHS sale. It’s as straightforward as that.
If you’re building or supplying any of the following to the NHS, you’ll need to navigate these frameworks:
Individual NHS trusts and Integrated Care Boards (ICBs) set their own procurement requirements, so there’s some variation across the country. But the direction of travel is clear — following several high-profile cyber incidents affecting NHS supply chains in 2024 and 2025, the bar is rising, not falling. Suppliers who aren’t certified are increasingly finding themselves locked out of tenders before they’ve had a chance to compete.
The most sensible approach for any supplier targeting the NHS is to treat these frameworks as a progression, not three separate projects.
Start with Cyber Essentials. It’s the fastest to achieve, the most widely recognised, and it lays the technical groundwork for everything that follows. Once you have CE in place, your DSPT evidence is largely already there — you just need to map it correctly. From there, DTAC becomes a much more manageable process rather than a compliance mountain to climb from scratch.
For suppliers handling particularly sensitive data or going after larger contracts, Cyber Essentials Plus is worth doing from the outset. The independent audit gives NHS procurement teams considerably more confidence, and it removes any ambiguity about whether your controls are actually in place rather than just claimed.
One of the most common mistakes we see is suppliers treating CE and DSPT as something to sort out when a specific contract requires it. By that point, you’re already behind. NHS procurement timelines don’t wait, and rushing through a certification under deadline pressure increases the risk of gaps in your submission — or worse, failing and losing the opportunity entirely.
Getting your cybersecurity posture right before you start bidding means you go into every tender in a position of strength. It also means that when an NHS trust asks for your CE certificate or your DSPT evidence, you can provide it immediately — which in itself signals the kind of organisation you are.
The NHS supply chain is one of the most valuable markets in the UK, and the compliance requirements around it exist for very good reasons — patient safety, data security, and operational resilience. Companies that get ahead of those requirements don’t just win more contracts; they build a reputation as trustworthy, serious suppliers. If you’d like help getting there, our fully managed Cyber Essentials certification service handles the entire process — from gap assessment through to submission and sign-off.