What is the DSPT?

If your organisation accesses NHS patient data or systems, you must complete the NHS DSPT (Data Security and Protection Toolkit) every year. It’s an online self-assessment that checks you meet the required data protection and cyber security standards.

The 2025/26 cycle is now well under way. Version 8 of the DSPT saw the most significant changes since the Toolkit launched in 2018 and more are on the horizon for 2026/27. It’s essential to understand your category, the evidence you’ll need and any audit requirements.

Who must complete the DSPT?

The DSPT isn’t just for NHS trusts. You must submit a self-assessment if your organisation:

  • Handles health or care data.
  • Uses NHS systems (e.g. NHSmail, e-Referrals).
  • Delivers services under an NHS contract.
  • Plans to work in UK health or social care.

If you don’t complete the DSPT, or fail to meet its standards, you could face:

  • Loss of NHS systems access (including NHSmail).
  • Delays in contract approvals or renewals.
  • Contract restrictions or financial penalties.
  • Reputational damage.
  • Increased data security risks.

Categories and requirements

The DSPT groups organisations into four categories. Which one you’re in determines which questions you answer, what evidence you need to show and whether you have to undergo an independent audit.

  • Category 1: Large NHS bodies, such as arm’s-length bodies (regulators and standard-setters), integrated care bodies/clinical commissioning groups (organisations planning and funding local NHS services) and commissioning support units (supporting commissioners in delivering NHS-funded services), and OES (operators of essential services) as defined by the NIS Regulations.
  • Category 2: Large IT suppliers.
  • Category 3: Community providers such as pharmacies, domiciliary care providers and residential care homes.
  • Category 4: GPs (general practices) providing primary care, extended diagnostics, minor surgery, and health promotion.

CAF alignment

Since 2024/25, Category 1 organisations have had to complete their DSPT using the CAF (Cyber Assessment Framework). This is a more detailed, outcome-focused standard built on internationally recognised frameworks.

There are five objectives: four from the standard CAF (A–D), plus an NHS-specific Objective E covering lawful use and sharing of patient information.

Evidence must be robust and demonstrable – it’s not enough just to say “yes” to a requirement; you must show how you meet it.

There are no exemptions for organisations already certified to Cyber Essentials Plus or ISO 27001.

NHS England intends to extend CAF alignment to more organisation types in the next DSPT cycle.

What’s new in 2025/26?

There are several new changes for 2025/26:

  • Mandatory independent audits for Categories 1 and 2.
  • Early baseline submission – all organisations must have submitted an interim self-assessment by 31 December 2025.
  • Increased focus on governance and resilience, including incident detection and response, supply chain security and lawful data sharing.
  • Clearer evidence expectations – documentation must be consistent, current, and directly address each evidence item.

Key dates for 2025/26

  • December 2025 – DSPT portal opens for baseline submission.
  • 31 December 2025 – Baseline submission deadline.
  • 30 June 2026 – Final submission deadline.

How to prepare your DSPT submission

  1. Appoint a DSPT lead
    This may be someone in-house or an outsourced DPO (data protection officer) or legal expert who understands both data privacy and cyber security.
  2. Register on the DSPT portal
    Create your organisation’s profile, confirm your category and download your evidence list.
  3. Understand your category’s requirements
    Category 1: Around 179 evidence items (166 mandatory).
    Category 2: Slightly fewer, but still substantial.
    Categories 3 and 4: Around 42 mandatory items.
  4. Build evidence early
    Collect policies, procedures and technical configurations that prove compliance. If relevant, use frameworks such as the NIST CSF, CIS 18, ISO 27001 and Cyber Essentials to guide your approach.
  5. Identify and close gaps
    Run a readiness session to compare your current position against the DSPT standards. Address any missing controls, outdated documents or unclear responsibilities.
  6. Prepare for audit (if applicable)
    If you’re in Category 1 or 2, make sure your documentation and processes are audit-ready well before the deadline.

When to get expert help

It’s worth involving a DPO or data privacy legal specialist if you need to:

  • Clarify lawful bases for processing and sharing patient data.
  • Draft or update privacy notices, data sharing agreements, or consent procedures.
  • Strengthen cyber security measures, incident response, and breach reporting.
  • Interpret CAF-aligned standards and governance requirements.
  • Ensure your evidence meets NHS and UK GDPR expectations.
  • Prepare for an independent audit.

Even if you’re not required to have an audit, commissioning one voluntarily can highlight risks, confirm compliance, and demonstrate due diligence.

How GRC Solutions can help you

Our DSPT audit is delivered by data protection and governance specialists. Designed to align with the NHS Data Security and Protection Toolkit standards, it comprises:

  • A methodical review of your DSPT submission and supporting evidence.
  • Interviews with key personnel to assess understanding and implementation.
  • An appraisal of policies, procedures and technical controls.

You will receive a detailed report highlighting findings, risks and practical, risk-rated recommendations.

This service offers independent assurance to support internal compliance efforts – ideal for suppliers approaching DSPT deadlines or seeking to maintain high data protection standards.