In January 2026, NHS England and the Department of Health and Social Care sent a letter to every supplier in their network — around 36,000 organisations in total.
Not a newsletter. Not a policy update. A direct request to discuss security controls and, where needed, provide evidence.
If your business operates in healthcare, pharmaceuticals, social care, legal, financial services, or any other regulated sector, this should be getting your attention — even if you’ve never had an NHS contract in your life.
Why the NHS Took This Step
The letter didn’t come from nowhere. It followed three significant supply chain breaches in three years.
A software provider attack in 2022 disrupted NHS services for weeks. A pathology supplier breach in mid-2024 — the Synnovis ransomware attack — diverted patients from London hospitals and is linked to at least one patient death. A care provider breach in early 2025 exposed sensitive data at scale.
The Information Commissioner’s Office has already responded. Advanced Computer Software Group received a £3 million fine — the first ever issued directly to a data processor rather than a controller. Capita followed with a £14 million penalty in October 2025.
The message from regulators is clear: if your organisation handles data on behalf of others, you are accountable for how well you protect it.
What’s Actually Being Asked
The NHS letter is careful to say this is “not an audit” and “not a pass or fail exercise.” What it describes is a programme of direct engagement — NHS England, or a relevant contracting authority, may reach out to suppliers to:
- Discuss key cybersecurity controls
- Request supporting information or evidence where appropriate
- Prioritise suppliers delivering services critical to patient care, or where early risk indicators suggest a closer look is warranted
In plain terms: if you supply into the NHS, you may be asked to demonstrate that your security posture is up to standard. And NHS Supply Chain is building a process to flag suppliers who can’t.
The specific controls the NHS is looking for include:
- Systems that are patched and kept up to date
- Cyber Essentials or equivalent certification
- Multi-factor authentication
- 24/7 monitoring and logging of critical infrastructure
- Immutable backups with tested recovery plans
The Wider Picture: This Is Sector-Wide, Not NHS-Specific
The NHS situation is the most visible example of a trend that spans every regulated sector.
The Cyber Security and Resilience Bill — introduced to Parliament in November 2025 — extends mandatory security requirements to managed service providers, data centres, and critical suppliers across multiple sectors. When it passes, enforcement powers and potential penalties will dwarf the fines we’ve seen so far.
For organisations in financial services, legal, accountancy, insurance, and professional services, the direction of travel is identical. Clients, regulators, and insurers are all moving towards a world where “we haven’t had an incident” is no longer good enough. Evidence of controls is becoming the baseline expectation.
The Question Worth Sitting With
The NHS letter ends with a question that applies to any regulated business:
If someone audited your security tomorrow, what would they find?
Not what you believe your security to be. What they would actually find.
It’s a question worth asking internally before it’s asked externally. Would you be able to demonstrate active monitoring? Show that your systems are patched? Prove that MFA is in place across your environment? Produce evidence of tested backup and recovery?
Many businesses can answer yes to some of these. Far fewer can answer yes to all of them — and produce the evidence to back it up.
What a Cyber Review Involves
At Pro-Networks, we offer a cyber review conversation for businesses who want an honest picture of where they stand. It’s not a sales call — it’s a structured look at your current posture against the controls that regulators, clients, and insurers are increasingly expecting to see.
We’ll look at your current tooling, identify gaps, and give you a plain-English summary of what’s in good shape and what needs attention. From there, you decide what to do next.
There’s no obligation and no pressure. But if the question above gave you pause, it’s probably worth finding out the answer before someone else does.
Book a cyber review conversation here or call us on 01244 535527 to speak with one of the team.
Pro-Networks is an employee-owned IT managed service provider based in Deeside, supporting businesses across Chester, North Wales, Cheshire, Wrexham, Wirral, Warrington, and the wider North West. We’ve been helping organisations navigate IT security challenges for nearly 25 years.