Monday 11th May 2026, London

At Through Technology, we are pleased to confirm that we have signed the NHS England Supplier Cyber Security Charter — a voluntary commitment to strengthening cyber resilience across the health and care system.

This is an important step for us as a business, and more importantly, for the organisations and citizens who rely on secure, resilient digital services across the NHS.

What is the NHS Supplier Cyber Security Charter?

The NHS England Cyber Security Charter is a set of commitments designed to raise the baseline of cyber security across the NHS supply chain.

It asks suppliers to adopt a number of practical measures to protect systems, data, and ultimately patient care — reflecting the growing reality that cyber security is not just an IT issue, but a fundamental component of safe and effective healthcare.

At its core, the Charter requires suppliers to:

• Keep systems fully supported and patched against known vulnerabilities

• Achieve and maintain ‘Standards Met’ in the Data Security and Protection Toolkit (DSPT)

• Apply Multi-Factor Authentication (MFA) across internal systems and customer-facing services

• Operate effective 24/7 monitoring and logging of critical infrastructure

• Maintain immutable backups with tested recovery plans

• Conduct board-level cyber incident exercises

• Report incidents promptly and work openly with NHS England in the event of an issue

• Follow secure development practices aligned with UK government and National Cyber Security Centre guidance.

Whilst the Charter is currently voluntary, it is clearly setting the direction of travel for supplier assurance across the NHS.

Why this matters

The NHS has made it clear that cyber security is now directly linked to patient safety and service continuity.

Cyber incidents affecting suppliers can have real-world consequences — from service disruption to delays in care. The Charter reflects a wider shift towards recognising that every supplier is part of the clinical and operational ecosystem.

As such, the expectation is increasingly that suppliers:

• Take proactive responsibility for cyber resilience

• Provide evidence of their controls where required

• Work collaboratively with NHS/Customer organisations to manage risk

This aligns closely with how Through Technology already work with our customers. But communicating that, and encouraging all suppliers to meet the objectives is key to ensuring a robust supply chain and setting the standard for how we collaborate both with customers and with their third-party suppliers.

+What this means for our customers

Signing the Charter is more than a statement — it reinforces the way we already operate and gives our customers additional assurance that:

1. Security is embedded in how we deliver

Through Technology already maintains a strong security baseline, including ISO 27001 certification and Cyber Essentials Plus, and applies secure-by-design principles across our engagements. The Charter formalises our commitment to continually improving that position.

2. We are aligned with NHS expectations

The Charter provides a clear articulation of what “good” looks like from an NHS perspective. By signing it, we are aligning directly with NHS England’s expectations — reducing friction in assurance, onboarding, and ongoing engagement.

3. We are a transparent and collaborative partner

A key theme of the Charter is openness — particularly around incident reporting and response. Customers can expect us to:

• Communicate clearly and promptly

• Work transparently in the event of issues

• Collaborate on proportionate, risk-based improvements

What it means for Through Technology

For us as a business, signing the Charter reinforces three key principles:

Continuous improvement

Cyber security is not static. We will continue to invest in our controls, processes, and capabilities to stay ahead of evolving threats.

Evidence over assertion

The NHS is moving towards a model where suppliers are expected to demonstrate — not just declare — their security posture. We support this shift and are already aligned with tools such as Risk Ledger, Annual CE+ Audits, Customer-led ITHC testing and ISO27001.

Partnership with our customers

The Charter emphasises that cyber resilience is a shared responsibility. We fully recognise this and must play our part alongside the third-party suppliers that we collaborate with or who's work we assure. Complex programme delivery is a team effort and all parties should commit to the same set of standards.

Looking ahead

The Charter is part of a broader NHS initiative to strengthen cyber resilience across the supply chain, including more direct engagement with suppliers and increasing expectations around evidence and assurance.

While voluntary today, it is reasonable to expect these principles will increasingly become embedded in:

• Procurement processes

• Contractual requirements

• Ongoing supplier assurance

By signing now, we are ensuring that Through Technology — and our customers — are ahead of that curve.

Final thoughts

Signing the NHS England Supplier Cyber Security Charter is a straightforward decision for us.

It reflects what we already believe:

If you would like to discuss what the Charter means for your organisation, or how to align your services and suppliers to NHS expectations, we would be very happy to have a conversation.

Sources

• NHS England / NHS Digital – Cyber Security Charter for Suppliers

  
  

  https://digital.nhs.uk/cyber-and-data-security/guidance-and-resources/cyber-security-charter-for-suppliers-to-the-nhs