NHS announces next phase of supply chain engagement

The NHS has announced the next phase of its supply chain engagement, setting out plans to work more closely with suppliers on future priorities and delivery.
On 22 January, NHS England published an open letter to its current suppliers and the wider health and care system, announcing the next phase of its approach to strengthening supply chain cyber resilience through more direct engagement with suppliers from January 2026.
This initiative represents a natural progression following the publication of the Cyber Security Supply Chain Charter in May 2025 and aligns with recommendations outlined in the Cyber Security and Resilience Bill and the recently published Government Cyber Action Plan.
What this programme will involve
From January 2026, NHS England or relevant contracting authorities may proactively engage suppliers to:
- Discuss key cyber security controls, including those set out in the Cyber Security Supply Chain Charter.
- Request supporting information or evidence where appropriate.
This programme is not intended to be an audit. Instead, it is a fact-finding and risk-identification exercise designed to support collaborative discussions with suppliers. The aim is to identify risk areas and agree proportionate, practical solutions that strengthen cyber resilience across the wider health and care system.
What suppliers can do now
To prepare for engagement, all suppliers are encouraged to review and understand the expectations outlined in the Cyber Security Supply Chain Charter. Key areas of focus include:
- Keeping systems supported and patched against known vulnerabilities.
- Maintaining a “Standards Met” status within the Data Security and Protection Toolkit (DSPT).
- Applying Multi-Factor Authentication (MFA), including enabling it on NHS-facing products where appropriate.
- Deploying effective monitoring and logging across critical IT infrastructure.
- Ensuring immutable backups are in place, alongside regularly tested recovery plans.
- Conducting board-level cyber security and resilience exercises.
- Following the Department for Science, Innovation and Technology (DSIT) and National Cyber Security Centre (NCSC) Software Code of Practice.
Engagement with Suppliers
Suppliers across the UK may be contacted directly by NHS England or by the organisation holding their contract. The NHS has emphasised its intention to work in a transparent and collaborative manner, ensuring suppliers are supported in providing the required information while maintaining strong and constructive relationships.
Suppliers’ cooperation is welcomed to help make the process as efficient and effective as possible.