Skip to content
8foldgovernance master
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • +44 (0)1273 569172
Book a Call

← From our blog

Preparing for the Category 2 DSPT Audit: What you need to know.

  • Published: March 23, 2026
  • Category: DSPT

Share this post

Avatar photo
Lily Stevens

Share this post

As a large IT supplier to the NHS, you are the digital backbone of a system that millions of people rely on every day. Whether you are managing patient records, facilitating remote consultations, or streamlining administrative workflows, the sheer volume of sensitive data passing through your systems makes your security posture a matter of national importance.

This year, the Data Security and Protection Toolkit (DSPT) has refined its expectations, particularly for Category 2 organisations. While you aren’t yet required to align fully with the Cyber Assessment Framework (CAF), the scrutiny on your cybersecurity and information security is higher than ever before.

In this guide, we break down exactly what “Category 2” means for your business, why your ISO 27001 certification might not be the “get out of jail free” card you expected, and how you can navigate the audit process without derailing your daily operations.

Learn More
Category 2 DSPT Audit

How do I know I am a Category 2 organisation?

Category 2 organisations are known as IT Suppliers. They are defined as external organisations supplying digital goods and services to the NHS, with over 50 staff and a turnover exceeding £10 million. 

These organisations will complete a version of the toolkit similar to previous years, but with a significantly increased focus on meeting cybersecurity and information security requirements compared to Category 3 organisations.

Category 2 DSPT Audit Preparing for the Category 2 DSPT Audit: What you need to know. Category 2 DSPT Audit

IT Suppliers

Defined as external organisations supplying digital goods and services to the NHS, with over 50 staff and a turnover exceeding £10 million. These organisations will complete a version of the toolkit similar to previous years, but with a significantly increased focus on meeting cybersecurity and information security requirements compared to Category 3 organisations.

Does "Category 2" mean my DSPT submission is aligned with CAF?

The short answer is no. This year, category 2 organisations (unlike category 1) will not need to submit a CAF-aligned DSPT, but there are 58 additional mandatory evidence items compared to a category 3 submission, with a higher focus on cyber security, and the audit remains an addition for these organisations.

Is the audit mandatory for all Category 2 organisations?

Yes, an independent audit is required for Category 2 organisations.

What is the scope of the audit?

Category 2 DSPT Audit Preparing for the Category 2 DSPT Audit: What you need to know. Category 2 DSPT Audit

For the IT suppliers, the audit focuses on validating controls across the 12 mandatory areas of the DSPT submission. 

This includes assessing the effectiveness of your accountability and governance framework for data protection and security, and that controls are established for identity & access control, access to privileged accounts, business continuity, software/vulnerability patching, and supplier management

How long does the Audit take?

Our audit process is structured to run asynchronously over 14 working days, facilitated by our support. While we will require access to several key stakeholders within your organisation, we will manage the scheduling of calls and coordinate with you to minimise any disruption to your business operations.

You can view this audit as a comprehensive step, positioned between a Cyber Essentials Plus audit and a more extensive undertaking like an ISO 27001 certification. It is a process that requires due diligence and cannot be completed in a single afternoon, but it is also not designed to cause a full week of major business interruption.

Do ISO 27001 or Cyber Essentials Plus (CE+) exempt me from the DSPT Audit?

Having ISO 27001 and CE+ does not completely exempt you from needing to conduct the DSPT Audit. However, for IT suppliers, the audit scope can be reduced in complexity if your organisation has one or both of these certifications.

Can we use our internal audit team?

No, the requirements within the DSPT specify that this needs to be an independent and external audit. There are several organisations listed on the DSPT portal as organisations you can use for this, of which we are one.

What happens if we ‘Fail’ the Audit?

The audit is not a pass/fail assessment; rather, its purpose is to identify existing gaps and areas where improvements are necessary and verify the veracity of your self-assessment submission. However, not having an independent audit that verifies your controls will mean you will not ‘pass’ the requirements of the DSPT. 

We will not share your results with the NHS until you confirm you are prepared. If there are controls that need strengthening or processes that require better embedding, our expert team is available to advise and support remediation. 

Do you get a certificate on completion of the Audit?

We provide all clients with a certificate and a badge for their website as proof of a successful audit. 

As a large organisation handling millions of data points daily, you are the digital backbone of the NHS. The NHS relies on you to ensure the safe and effective delivery of digitally enabled healthcare. Therefore, you cannot afford to guess your compliance.

This critical responsibility necessitates robust data and cybersecurity measures, which is where we provide our support. We can help you confidently adopt the latest DSPT version, integrating it into your existing governance framework and conducting the necessary DSPT audit.

Book your free Readiness Review with a Member of our Team now.

Book Readiness Review

Need help?

If you need help with any aspect of your compliance, our team are here to help. With decades of in-house experience in Data Protection, Information Security, Clinical Safety and Medical Device Regulations, we can help you meet your obligations – with candour, commitment and quality at the core.

Get in Touch

Other Articles​

Loading...
NHS DSPT Auditor

8foldGovernance approved as DSPT Auditor for IT Suppliers to the NHS

Read More →

March 6, 2026
DSPT for Category 2 Organisations

DSPT for Category 2 Organisations

Read More →

December 13, 2025
Stay ahead with NHS DSPT V8. Discover essential changes, compliance tips, and expert support for seamless 2025/26 submissions.

DSPT Version 8: Preparing for the latest version

Read More →

November 6, 2025
8foldgovernance master

+44 (0) 1273 569172

info@8foldgovernance.com

SERVICES

  • AI Governance
  • Medical Device Registration
  • ISO Compliance
  • Full DTAC Support
  • Information Governance
  • Clinical Safety
  • Data Security & Protection
  • CQC Services
  • Cyber Security
  • 8foldTraining

LINKS

  • Contact
  • About
  • Meet The Team
  • Blog
  • Join Us
  • Case Studies
  • Charity Work
  • Partnerships
  • FAQs
DSPT Data Security And protection Toolkit 8Fold
Information Governance Badge 8 Fold
NPSORE
ABHI Member

 © 2026 8fold | Privacy Policy | Cookie Policy | Terms & Conditions

X We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. However you may visit Cookie Settings to provide a controlled consent.
Read More ACCEPT Cookie settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
Save & Accept