Key Changes to Essential Data Protection & Information Security Standards in the NHS
The NHS Data Security and Protection Toolkit (DSPT) is the essential framework for any business working in the UK health and care market. It’s a mandatory requirement that ensures patient data is kept safe and secure, from NHS Trusts right through to innovative tech companies.
Understanding the DSPT categories
The toolkit defines four categories for organisations supplying services to the NHS. Here’s how they break down:
- Category 1 – NHS Trusts, Integrated Care Boards
- Category 2 – IT Suppliers, Operators of Essential Services
- Category 3 – Other suppliers, local authorities
- Category 4 – GP Surgeries
Category 2 suppliers are critical.
They provide essential infrastructure and services to the NHS. This means the importance of cybersecurity and information security is rightfully raised compared to Category 3 and below.
What’s new in Version 8 of the DSPT?
Version 8 of the DSPT has recently been published, bringing with it some important updates, particularly for the companies in Category 2. Relative to the prior version, most of the changes are minor, including small modifications to evidence requirements and some wording changes. The major takeaways, however, are the introduction of two sub-classes within Category 2, and the reaffirmation that an independent audit is now a must-have.
You can learn more about the changes in our recent blog here.
What is CAF?
The increasing focus on cybersecurity manifests as greater alignment with the Cyber Assurance Framework (CAF). CAF is a security and risk management framework created by the UK National Cybersecurity Centre, which sets out key objectives to help organisations improve their security posture.
In short, the CAF objectives are:
- Managing security risk
- Protecting against cyber attack
- Detecting cybersecurity events
- Minimising the impact of cybersecurity incidents
These objectives, hand-in-hand with the data protection requirements already in the toolkit, are informing the path for the DSPT going forward.
How does this impact your organisation in the healthcare space?
- If your organisation receives ‘voluntary’ data requests from public bodies i.e. requests that are not made under statutory powers that require you to disclose; your administrative and legal burden to assess them will be reduced.
- You may now share this data under one of the ‘recognised legitimate interest’ conditions where they apply.
- The responsibility for assessing if the requested information is appropriate rests with the receiving public body, not you.
- Don’t forget: If you’re requested to share health data (Special Category Data), you’ll still need to identify an appropriate lawful basis for the share under Article 9.
Timescale: In force from December 2025
The Category 2 Split
In this latest version, the two types of Category 2 suppliers will have different assessment criteria:
1. Specific Operators of Essential Services (OES's)
They will be required to submit a heavily CAF-aligned version of the DSPT. This version is structured around the CAF objectives, each with specific compliance thresholds.
2. General IT Suppliers
Defined as any external organisation supplying digital goods and services to the NHS, with 50+ staff and £10M+ turnover will complete a version of the toolkit structured similarly to previous years. This version will still include a significantly increased focus on meeting cybersecurity and information security requirements compared to Category 3.
As in the previous version, all organisations completing the CAF-aligned DSPT must still submit a baseline version by December 2025 to show commitment to the ongoing review process.
Independent Audits
The other big talking point is the clarification that Category 2 suppliers must have evidence of a cyber resilience audit carried out by an independent assessor.
How do you ensure your DSPT audit is effective?
The audit scope should be directly linked to the clauses of the toolkit to ensure effective coverage, and this will depend on whether your organisation is completing the CAF-aligned DSPT or not. In general, the audit will likely include a review of your:
- Policies and procedures
- Evidence of security activities and records of reviews
- Technical controls (e.g., email security, perimeter monitoring)
- Staff competence and awareness
- Data privacy and sharing considerations
This audit is mandatory for you as a Category 2 supplier. Making sure you give yourself time to prepare and get it booked well in advance of the June 2026 submission deadline will be key to your success with the DSPT this year. Be sure to find an auditor from the approved list provided by the National Cyber Security Centre (NCSC) here.
What’s coming next?
While we can’t precisely predict the content of the next version of the toolkit, we believe the alignment of DSPT and CAF will continue to progress. This means that robust cybersecurity controls and processes are going to be increasingly important to assessors, signalling a move to focus on information security best practices as much as data protection legislation.
Studying the structure of CAF and understanding your organisation’s position relative to its objectives, and if there are any gaps, will set you up to respond efficiently to any changes in the toolkit for you in the coming years.
Need Help Navigating DSPT Version 8?
We can guide and support you through the entire process, including the mandatory independent audit.