- Back
- Back
- Back
- Back
- Back
- Back
- Back
- Back
- Back
- Back
Last Updated on 09/12/2025 by Sarah Sarsby
The latest NHS Supply Chain (NHSSC) supplier webinar, held on 3 December 2025, provided essential updates for suppliers on cybersecurity compliance and sustainability expectations. The session, part of NHSSC’s regular information series, featured speakers from its Cyber Security and Sustainability teams, offering insight into upcoming requirements that suppliers will need to meet to remain eligible for tenders and contracts.
Jennie Lewis, Cyber Security Compliance Coordinator at NHS Supply Chain, led the session’s opening presentation on supplier cybersecurity. She outlined NHSSC’s adoption of the UK Government’s Procurement Policy Note (PPN) 014, which sets out new baseline security expectations for all suppliers in scope.
All suppliers handling personal information or providing ICT systems and services will be required to demonstrate compliance with Cyber Essentials Plus — a government-backed certification that confirms an organisation has robust cybersecurity controls in place. Certificates must be renewed annually and verified through an external audit. Suppliers can confirm certification validity via IASME, the national accreditation body.
Suppliers processing NHS patient data will also need to complete the Data Security and Protection Toolkit (DSPT), an NHS England-mandated self-assessment to evidence responsible data handling and compliance with information governance standards. For questions on data or security requirements, suppliers can contact cybersecurity@supplychain.nhs.uk.
Where suppliers do not yet hold Cyber Essentials Plus or DSPT certification, NHS Supply Chain has introduced an Information Security Third Party Questionnaire (ISTPQ). This pass/fail assessment, completed at the Supplier Questionnaire stage of a tender, will be reviewed by NHSSC’s Cyber Security Team to assess equivalency to Cyber Essentials standards. NHSSC will take a risk-based approach to non-compliance, weighing the criticality of the product or service against potential cyber risk. However, suppliers without certification may face reduced opportunities for participation in future tenders.
The Cyber Security Team also confirmed that NHS England will be notified of any vulnerable or insecure products or services identified through this process, as part of broader efforts to strengthen supply chain resilience across the NHS.
The second presentation, delivered by Jade Gaffney, Sustainability Advisor, and Heidi Barnard, Head of Sustainability, explored the Evergreen Sustainable Supplier Assessment, one of five key sustainability criteria suppliers must meet. The “Five Asks” — covering Carbon Reduction Plans, Social Value, the Evergreen Assessment, Horizon Scanning, and Modern Slavery — are central to NHS England’s net zero and sustainability strategy.
From 1 April 2026, all suppliers bidding for new NHSSC tenders will be required to achieve Evergreen Level 1 or above. Level 1 aligns with the Carbon Reduction Plan requirements, meaning suppliers must publicly commit to achieving net zero carbon emissions by 2050 for all scopes. Suppliers unable to meet this requirement will remain eligible for existing contracts but may be excluded from new tenders after this date.
The Evergreen Assessment is hosted on the Atamis platform, accessible under the Information section. NHSSC advised suppliers to ensure their Evergreen submission is correctly linked to their Atamis account to prevent data visibility issues. Annual updates are mandatory, with no automatic reminders issued. Suppliers gathering Scope 3 emissions data should enter “0” placeholders where figures are unavailable, ensuring the assessment remains complete. Queries about sustainability assessments can be directed to sustainability@supplychain.nhs.uk.
The Evergreen framework supports NHSSC’s goal of embedding environmental accountability throughout its supply base, ensuring that procurement decisions contribute directly to the NHS’s wider sustainability and net zero commitments.
