NHS Supplier Services
Supplying the NHS means meeting strict compliance standards, not just delivering a product or service. From quality and safety certification to cyber security, data protection and sustainability, getting compliance right is essential to winning and retaining NHS contracts.
Supplying goods or services to the NHS requires more than commercial capability — it demands demonstrable compliance with a robust and evolving regulatory framework. NHS suppliers are expected to meet stringent requirements across quality management, product safety, data protection, cyber security, sustainability, and ethical business practices. From ISO certifications and medical device conformity to cyber assurance, data governance and net-zero commitments, compliance is now a critical gateway to NHS procurement. Understanding and meeting these obligations is essential for suppliers seeking to win, retain, and grow NHS contracts in an increasingly regulated and competitive environment.
Vassallo (UK) can provide services to support NHS suppliers with compliance obligations, such as audits, completing impartial assessments and self-assessments, data processing, and governance policy implementation.
NHS Supplier Requirements
1. Quality Management & Accreditation
ISO standards required:
BS EN ISO 9001:2015 (Quality Management System) — accredited by UKAS or equivalent.
BS EN ISO 13485:2016 (if supplying medical devices) — accredited by UKAS or equivalent.
The scope of the certification must cover all activities relevant to the contract (sales, manufacturing, storage, distribution).
If a key contractor or sub-supplier is involved, their ISO certification must also be provided.
If certification isn’t in place at bid time, a letter from the certification body confirming active assessment is needed.


2. Medical Device Compliance (if applicable)
If you’re supplying medical devices or related regulated products:
Products must carry:
UKCA marking (British conformity mark), OR
CE marking if still accepted under transitional arrangements.
Devices must have a Declaration of Conformity and be registered with the MHRA (Medicines and Healthcare products Regulatory Agency).
All conformity assessments must align with the UK Medical Device Regulations (UK MDR 2002).
3. Cybersecurity & Data Protection
Depending on what you supply:
Cyber Essentials / Cyber Essentials Plus
Suppliers in scope of Procurement Policy Note (PPN) 014 should demonstrate Cyber Essentials Plus compliance, or equivalent evidence of strong cyber controls.
Applies if you handle NHS personal data or supply IT/digital products/services.
Cyber Essentials Plus must be renewed annually after an external audit.
Data Security & Protection Toolkit (DSPT)
Mandatory if you handle NHS patient data or have access to NHS systems.
Annual self-assessment against the National Data Guardian’s 10 security standards.
Other tech certifications
Depending on the service, additional technical accreditations (e.g., ISO/IEC 27001 for information security systems) may also be required or looked on favourably.


4. Sustainability & Social Value (Growing Requirements)
All NHS suppliers are increasingly required to demonstrate contribution to NHS sustainability goals:
Carbon Reduction Plan (CRP) — published and aligned to net zero goals.
Evergreen Supplier Assessment — completed annually to report sustainability performance.
Modern Slavery Assessment Tool (MSAT) — required to assess and mitigate risks in your own supply chain.
Minimum 10% weighting for net-zero/social value in procurement evaluation.
5. Supplier Code of Conduct & Legal Compliance
While not a single “certificate,” NHS suppliers are expected to observe:
Ethical business standards and anti-corruption laws.
Supplier Codes of Conduct where applicable.
Compliance with all applicable UK laws (employment, equality, human rights, etc.).
Note: Each NHS contracting authority may have its own supplier behaviour code based on overarching NHS procurement and ethics policies.


6. Procurement & Tender Documents
When tendering:
You must provide evidence of all required certifications and compliance documents with your bid.
Procurement rules under the Procurement Act / Public Contracts Regulations apply (competitive tendering, fair evaluation).
Framework agreements often require pre-qualification questionnaires, which will be assessed early.
Our NHS Supplier Services will help you prepare your organisation to maximise the likelihood of success.
“Quality in healthcare is not about doing more — it’s about doing what matters most for the patient.”
