2026 - the year to focus on supply chain cyber risk?

  • 03 Jan 2026

In 2025, large-scale cyber incidents were frequently in the news. Whilst the reports focused on the particular high-profile organisations that were impacted, in many cases the cyber attacks didn’t directly target those organisations; instead, they targeted a third-party supplier within that organisation’s supply chain (known as a supply chain attack).

In response to ever-growing cyber risk, the government has recently recommended three key actions that all large UK businesses should take to improve their cyber resilience (see our previous article here). The government’s third recommendation was that organisations should require their supply chain partners to be certified under the Cyber Essentials Scheme. Cyber Essentials is a government-backed certification scheme which is recommended as the minimum standard of cyber security for all organisations.

Following the government’s recommendation, the National Cyber Security Centre (the NCSC, which is the UK National Technical Authority for cyber security) published its Cyber Essentials Supply Chain Playbook in December, a new resource aimed at supporting UK organisations in using Cyber Essentials more effectively across their supply chains. If 2025 taught us anything, it is that cyber security is more important than ever, and yet the playbook highlights that currently only 14% of organisations are “on top of the potential risks faced by their immediate suppliers”.

The NCSC says the intention of the playbook is to support organisations in embedding Cyber Essentials across their supply chains in order to better protect their businesses. The playbook asks senior leaders across UK organisations to direct their procurement and information security teams to require suppliers to have Cyber Essentials. Whilst this isn’t a compulsory requirement, UK organisations that ignore or fail to adopt government and NCSC cyber resilience recommendations and then suffer a cyber attack are likely to be criticised by regulators.

But where to start? 

The NCSC says the playbook is designed to give organisations the resources and guidance to help them embed Cyber Essentials into their supply chains. The initial step the playbook suggests is that organisations carry out a supply chain audit using the IASME Supplier Check tool. This tool is said to provide a view across an organisation’s supply chain to quickly verify whether its suppliers are Cyber Essentials certified and whether their certification is CE or CE Plus. From there, an organisation must decide what its minimum security requirements are for different types of supplier in its supply chain and, where those requirements are not currently being met, take prompt action to bring suppliers in line with expectations. As with most regulatory requirements, this is not a one-and-done exercise: ongoing compliance by suppliers must be monitored, and requirements must be embedded within procurement processes to capture new suppliers.

Further reading:

Cyber Essentials readiness tool – a tool which helps organisations prepare for Cyber Essentials certification.

Cyber Assessment Framework (CAF) – an NCSC tool that can be used to improve cyber resilience in relation to an organisation’s most critical services, regardless of whether the organisation is in scope of the CAF.

Cyber Action Toolkit – a free NCSC toolkit which helps smaller organisations put some basic cyber security measures in place to help guard against the most common cyber threats.

____________________________________________________________________________________

Disclaimer

This information is intended for general informational purposes only and does not constitute legal advice. We recommend seeking professional advice before taking any action on the information provided. If you would like to discuss your specific circumstances, please feel free to contact us on 0800 2800 421.
