Summary
Internal NHS England (previously NHS Digital) services have migrated to NHS CIS2 Authentication, but other services may not be migrated in time to meet current timescales.
The revised retirement date for CIS1 Authentication is 28 February 2027. As part of the deprecation, the service level for CIS1 Authentication will drop to Silver on 1 October 2025.
Details
CIS1 Authentication was originally scheduled for retirement by September 2023. We gave suppliers an extra year to migrate to CIS2 Authentication and extended the retirement date to September 2024.
Now, NHS England applications have migrated to CIS2 Authentication or removed dependencies on CIS1 Authentication. While progress has been made again, it's clear that not all suppliers will complete the migration within the timeframe.
Out of concern for impacted NHS organisations, we intend to:
-
account for any suppliers who have not completed the migration to NHS CIS2 Authentication or have not completed the rollout of their changes to all sites, by continuing to support CIS1 Authentication, but at gradually reduced service levels starting from 1 October 2025
-
remove the SLA for CIS1 Authentication from 1 March 2026
-
continue to retire legacy versions of client software (and associated devices) that might increase the risk of security and/or operational impacts from these reduced service levels
-
retire and remove the CIS1 Authentication service by 28 February 2027, meaning it can no longer be used
Currently both CIS1 Authentication and NHS CIS2 Authentication are supported to a Platinum SLA - supported hours are 24 hours a day, 365 days a year with 99.9% availability (target maximum of 44 minutes of downtime per month).
Revised CIS support plans
On 1 October 2025:
-
we will reduce the support level for the CIS1 Authentication service to a Silver SLA
-
operational hours will remain 24 hours a day, 365 days a year, but support hours will be reduced to 8am to 6pm Monday to Friday and 99.5% availability (target maximum of 3.5 hours of downtime per month)
-
NHS CIS2 Authentication will continue to be run to Platinum SLA
On 1 March 2026:
-
no SLA will be in place for the CIS1 Authentication service, and any issues raised with the CIS1 Authentication service cannot be relied upon to be fixed.
-
NHS CIS2 Authentication will continue to be run to Platinum SLA
We are aiming to retire and remove CIS1 Authentication from operational service by 28 February 2027.
For more details, see the revised CIS1 Authentication deprecation notice.