Cyber Essentials for UK NHS suppliers Certified by Fig.
Fig Group certifies UK suppliers to the NHS - software vendors, MSPs supporting trusts, and service providers that handle NHS patient or organisational data. IASME-licensed, from £299.99 + VAT, typically within 6 working hours. Tailored to the DSP Toolkit and NHS supplier framework reality.
Sector-specific
Tailored to nhs suppliers
The standard scheme guidance does not address the operational reality of this sector. These are the scope, regulatory, and supplier-cascade points Fig assessors check first.
- 01NHS DSP Toolkit overlap - CE satisfies one NHS DSP Toolkit control.
- 02NHSmail access and SCN / HSCN network scoping.
- 03Health and care information processing in the scope boundary.
- 04Patient data protection alongside GDPR and NIS2 obligations.
- 05NHS framework supplier requirements (increasingly require CE or CE Plus).
- 06DSPT + CE + ISO 27001 alignment pathways.
Pricing at a glance
Below the standard IASME fee at every tier
No re-submission charges. Three free re-submissions included. Published pricing - no gated forms or consultancy add-ons.
Turnaround
6 hours
For compliant submissions before midday.
Cyber Essentials
£299.99 – £549.99
+ VAT, by organisation size.
Cyber Essentials Plus
£1,499 – £4,499
+ VAT, third-party verified.
Common questions
Frequently asked questions
Does Cyber Essentials satisfy the DSP Toolkit?
CE satisfies one specific DSP Toolkit assertion about cyber security. It does not replace the full DSP Toolkit submission - but it is often used as strong supporting evidence for the underlying cyber assurance control.
Do NHS trusts require their suppliers to hold CE?
Increasingly, yes. Many NHS framework agreements and direct contracts require CE or CE Plus as part of supplier due diligence. Always check the specific contract or tender documents.
What scope should an NHS-supplier SaaS use?
Corporate estate only (laptops, M365/Google Workspace, SSO, home routers via VPN). Production infrastructure is assessed separately under ISO 27001 / ISO 27017. Fig publishes guidance for SaaS scoping on /blog/cyber-essentials-for-saas-companies-scoping-question-nobody-gets-right.
Do we need CE or CE Plus for NHS contracts?
Depends on the contract. Many NHS frameworks require CE Plus for higher-risk data. Tender docs usually specify. Budget for Plus if you are bidding on significant NHS work.
How fast can NHS-supplier CE be completed?
For compliant submissions before midday on a UK business day, Fig issues the certificate within 6 working hours. This matters when NHS tender deadlines move quickly.
Deep-dive articles
Long-form guidance for nhs suppliers
Technical guidance written by an IASME-licensed assessor - scope edge cases, supplier cascade, and regulatory overlap that the scheme guidance does not cover.
Next step
Ready to certify?
From £299.99 + VAT. IASME-licensed. Typically within 6 working hours. No consultancy add-ons.