Published: May 28, 2025 - 3 minute read
What the NHS Cyber Security Charter Means for Suppliers
The NHS has issued a message to current and aspiring suppliers: sign the Cyber Security Charter.

The NHS has issued a new call to action for all current and aspiring suppliers: sign the Cyber Security Charter and raise the bar on digital trust.
This open letter (PRN01161), issued 15 May 2025 by NHS England, highlights the reality that cyber threats—especially ransomware—have reached a new level of severity and frequency. Before, you might have assumed that being DTAC compliant was enough, but this move shows that the NHS’s higher goal is to shape a culture of shared responsibility across its entire digital supply chain.
What the Cyber Security Charter Asks of Suppliers
While the Charter is voluntary, the expectations are both clearly defined and wide-ranging. Key commitments include:
- Keeping systems in support with timely patching
- Maintaining a minimum of "Standards Met" in the Data Security and Protection Toolkit (DSPT)
- Applying Multi-Factor Authentication (MFA) internally and enabling it within NHS-facing products
- Implementing 24/7 monitoring and immutable backups
- Conducting board-level incident response exercises
- Following the DSIT/NCSC Software Code of Practice
- Collaborating openly with NHS England in the event of a cyber-attack
A Note From Our Co-Founder: Michael Bell
“Here at Acorn Compliance, we welcome clear and needed guidelines like these to keep healthtech innovations secure for companies, healthcare providers, and patients alike. It reflects the reality we've long witnessed: the NHS doesn't just need innovation; it needs resilient and safe innovation.
This Charter provides benchmarks that go beyond DTAC. I believe this is setting the tone for what is to come in terms of the increased security standards coming this year via the Cyber Assessment Framework and the Cyber Resilience Bill.
We believe safety and security are non-negotiable areas of compliance and we’d recommend all innovators prepare for what is coming by uplifting security compliance beyond the current DTAC standard. Start working towards compliance now with frameworks like Cyber Essentials Plus and ISO 27001 to avoid unnecessary obstacles when you try to get to market.
Fortunately, with our Squirrel™ automated compliance platform, there is a cost-effective way to achieve and maintain compliance. Most importantly, Squirrel™ includes expert human support, so you get expert advice and guidance when you need it. For us, compliance needs to be embedded into your company’s culture and development from the beginning, not left as an afterthought. That’s why we’re here to work together so your innovation gets to those who need it most, as fast as possible.”
The Quick Rundown: What Does All This Mean for You?
- Start Now: The Charter is not yet mandatory, but its principles are fast becoming the expected standard.
- Integrate Security Early: Align your cybersecurity architecture with clinical safety and data protection. It's fundamental.
- Review Your Current Position: Do your contracts reference MFA, secure coding, and backup plans? If not, you're exposed, and you can be sure that future contracts will contain these measures.
- Look Ahead: The NHS will soon assess suppliers against these principles. Signing the Charter is a signal—not just of compliance, but of leadership.
How Can Squirrel™ Help?
Squirrel™ supports suppliers with:
- End-to-end DTAC compliance
- DSPT submissions and external audits
- Clinical Safety Officer as a Service (CSOaaS)
- Security and risk alignment with UK GDPR, ISO 27001, ISO 27701, ISO 42001 and more
- Guidance on the DSIT/NCSC Software Code of Practice
Squirrel™ is also tracking the forthcoming supplier self-assessment form and will be ready to guide you through the sign-up process when it launches this autumn. Contact us to see how Squirrel™ can keep you updated on regulation changes across multiple frameworks.