
In a bid to strengthen the digital defences of the health system, NHS England has introduced a new voluntary Cyber Security Charter aimed at IT suppliers working with the NHS. The initiative sets out clear expectations for how suppliers should help protect critical infrastructure and patient data, amidst increasing cyber threats across the sector.
Suppliers are being asked to commit to a series of cyber security best practices. These include keeping systems up to date with the latest security patches, using multi-factor authentication, and maintaining robust, immutable data backups so that they cannot be altered or deleted by an attacker. Firms are also encouraged to achieve and retain the ‘Standards Met’ level of the Data Security and Protection Toolkit, the long-standing annual self-assessment that organisations with access to NHS patient data are expected to complete.
One of the central features of the charter is its emphasis on incident response. Companies are expected to prepare for cyberattacks through board-level exercises and to ensure transparent, timely reporting in the event of an incident that affects patient care or data. Continuous monitoring of systems is also encouraged, alongside secure software development practices that align with national guidance issued by the Department for Science, Innovation and Technology and the National Cyber Security Centre.
Although the charter is voluntary, suppliers are invited to sign it as a demonstration of their commitment to good cyber hygiene. NHS England plans to roll out a self-assessment tool later in the year, helping suppliers evaluate their compliance with the charter’s standards. In parallel, a series of webinars and forums will be launched to support suppliers in meeting these goals.
The charter does not influence procurement decisions or confer any legal obligations. However, it signals a shift toward a more proactive and partnership-based approach to cyber security: one that acknowledges the shared responsibility between health providers and their digital suppliers to keep systems and patient data safe.