Skip to content
8foldgovernance master
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • +44 (0)1273 569172
Book a Call

← From our blog

DSPT for Category 2 Organisations

  • Published: December 13, 2025
  • Category: DSPT

Share this post

Headshot of a man wearing glasses and braces over a light shirt
Daniel Mannion

Share this post

Key Changes to Essential Data Protection & Information Security Standards in the NHS

The NHS Data Security and Protection Toolkit (DSPT) is the essential framework for any business working in the UK health and care market. It’s a mandatory requirement that ensures patient data is kept safe and secure, from NHS Trusts right through to innovative tech companies.

Understanding the DSPT categories

The toolkit defines four categories for organisations supplying services to the NHS. Here’s how they break down:

  • Category 1 – NHS Trusts, Integrated Care Boards
  • Category 2 – IT Suppliers, Operators of Essential Services
  • Category 3 – Other suppliers, local authorities
  • Category 4 – GP Surgeries

Category 2 suppliers are critical. 

They provide essential infrastructure and services to the NHS. This means the importance of cybersecurity and information security is rightfully raised compared to Category 3 and below.

Need Help? Book a Call with our Expert Team
DSPT for Category 2 Organisations DSPT for Category 2 Organisations DSPT for Category 2 Organisations,Cyber Assurance Framework (CAF),DSPT Category 2,Independent cyber audit,NHS supplier requirement

What’s new in Version 8 of the DSPT?

Version 8 of the DSPT has recently been published, bringing with it some important updates, particularly for the companies in Category 2. Relative to the prior version, most of the changes are minor, including small modifications to evidence requirements and some wording changes. The major takeaways, however, are the introduction of two sub-classes within Category 2, and the reaffirmation that an independent audit is now a must-have.

You can learn more about the changes in our recent blog here.

What is CAF?

The increasing focus on cybersecurity manifests as greater alignment with the Cyber Assurance Framework (CAF). CAF is a security and risk management framework created by the UK National Cybersecurity Centre, which sets out key objectives to help organisations improve their security posture.

In short, the CAF objectives are:

  • Managing security risk
  • Protecting against cyber attack
  • Detecting cybersecurity events
  • Minimising the impact of cybersecurity incidents

These objectives, hand-in-hand with the data protection requirements already in the toolkit, are informing the path for the DSPT going forward.

How does this impact your organisation in the healthcare space?

  • If your organisation receives ‘voluntary’ data requests from public bodies i.e. requests that are not made under statutory powers that require you to disclose; your administrative and legal burden to assess them will be reduced.
  • You may now share this data under one of the ‘recognised legitimate interest’ conditions where they apply.
  • The responsibility for assessing if the requested information is appropriate rests with the receiving public body, not you.
  • Don’t forget: If you’re requested to share health data (Special Category Data), you’ll still need to identify an appropriate lawful basis for the share under Article 9.

Timescale: In force from December 2025 

Guidance: ICO Draft Recognised Legitimate Interest Guidance is currently up for consultation (closes 30 October 2025)

The Category 2 Split

In this latest version, the two types of Category 2 suppliers will have different assessment criteria:

1. Specific Operators of Essential Services (OES's)

They will be required to submit a heavily CAF-aligned version of the DSPT. This version is structured around the CAF objectives, each with specific compliance thresholds.

2. General IT Suppliers

Defined as any external organisation supplying digital goods and services to the NHS, with 50+ staff and £10M+ turnover will complete a version of the toolkit structured similarly to previous years. This version will still include a significantly increased focus on meeting cybersecurity and information security requirements compared to Category 3.

As in the previous version, all organisations completing the CAF-aligned DSPT must still submit a baseline version by December 2025 to show commitment to the ongoing review process.

Independent Audits

The other big talking point is the clarification that Category 2 suppliers must have evidence of a cyber resilience audit carried out by an independent assessor.

How do you ensure your DSPT audit is effective? 

The audit scope should be directly linked to the clauses of the toolkit to ensure effective coverage, and this will depend on whether your organisation is completing the CAF-aligned DSPT or not. In general, the audit will likely include a review of your:

  • Policies and procedures
  • Evidence of security activities and records of reviews
  • Technical controls (e.g., email security, perimeter monitoring)
  • Staff competence and awareness
  • Data privacy and sharing considerations

This audit is mandatory for you as a Category 2 supplier. Making sure you give yourself time to prepare and get it booked well in advance of the June 2026 submission deadline will be key to your success with the DSPT this year. Be sure to find an auditor from the approved list provided by the National Cyber Security Centre (NCSC) here.

What’s coming next?

While we can’t precisely predict the content of the next version of the toolkit, we believe the alignment of DSPT and CAF will continue to progress. This means that robust cybersecurity controls and processes are going to be increasingly important to assessors, signalling a move to focus on information security best practices as much as data protection legislation. 

Studying the structure of CAF and understanding your organisation’s position relative to its objectives, and if there are any gaps, will set you up to respond efficiently to any changes in the toolkit for you in the coming years.

Need Help Navigating DSPT Version 8?

We can guide and support you through the entire process, including the mandatory independent audit.

Book a Call with our Expert Team

Other Articles​

Loading...
DSPT Audit

Preparing for the Category 2 DSPT Audit: What you need to know.

Read More →

March 23, 2026
NHS DSPT Auditor

8foldGovernance approved as DSPT Auditor for IT Suppliers to the NHS

Read More →

March 6, 2026
Stay ahead with NHS DSPT V8. Discover essential changes, compliance tips, and expert support for seamless 2025/26 submissions.

DSPT Version 8: Preparing for the latest version

Read More →

November 6, 2025
8foldgovernance master

+44 (0) 1273 569172

info@8foldgovernance.com

SERVICES

  • AI Governance
  • Medical Device Registration
  • ISO Compliance
  • Full DTAC Support
  • Information Governance
  • Clinical Safety
  • Data Security & Protection
  • CQC Services
  • Cyber Security
  • 8foldTraining

LINKS

  • Contact
  • About
  • Meet The Team
  • Blog
  • Join Us
  • Case Studies
  • Charity Work
  • Partnerships
  • FAQs
DSPT Data Security And protection Toolkit 8Fold
Information Governance Badge 8 Fold
NPSORE
ABHI Member

 © 2026 8fold | Privacy Policy | Cookie Policy | Terms & Conditions

X We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. However you may visit Cookie Settings to provide a controlled consent.
Read More ACCEPT Cookie settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
Save & Accept