June 5, 2026

DSPT v8 deadline: what to submit by 30 June 2026

The DSPT v8 deadline is 30 June 2026, and for any supplier selling software or services into the NHS, the practical question now is not whether to start but what actually has to land in the toolkit before the date passes. The 2025-26 Data Security and Protection Toolkit, version 8, was published on 18 September 2025 (dsptoolkit.nhs.uk, News item 161). With weeks left, the work that matters is submission: completing your Outcomes, Assertions and Evidence items, and, if you fall into the IT Supplier category, getting an independent assessment report filed alongside them.

This piece covers the mechanics of that final stretch. If you still need a step-by-step preparation plan, read the companion eight-week DSPT v8 checklist for NHS suppliers. What follows assumes you are now deciding what to submit, in what form, and what happens to your NHS access if you do not reach the standard.

What DSPT v8 actually requires you to submit by 30 June 2026

Submission means completing and filing your Outcomes, Assertions and Evidence items inside the toolkit. The exact set depends on the organisation type you select. Non-NHS-sector organisations, the IT Supplier and Other categories, are assessed against assertions and evidence items. NHS-sector bodies work to the CAF-aligned outcome and indicator set. DSPT v8 is aligned to CAF version 3.4, so suppliers evidencing for this round work to v3.4 outcomes, not the v4.0 framework released in August 2025.

One amendment worth flagging for this round is multi-factor authentication under Item 4.5.3. Treat it as an evidence-item change, not a redesign of the toolkit. You will need to show that MFA is in place and evidenced against that item, but the structure of v8 is the 2025-26 iteration of the toolkit you already know.

The submission is not a form you fill in on the day. Each assertion needs evidence attached, and assembling that evidence (policies, access logs, training records, supplier contracts) is what takes the time. With the deadline weeks away, the constraint is no longer understanding the requirement. It is collecting the proof.

Are you a Category 2 IT Supplier, or Category 3 (Other)?

This is where suppliers most often pick the wrong path, and the choice changes how much work the deadline represents.

The IT Supplier category, Category 2, is defined as an organisation external to the NHS that contracts with an NHS or care organisation to provide digital goods and services, whether software or physical, to the NHS or care (dsptoolkit.nhs.uk, Help/5). The selection criteria require all three of the following: 50 or more staff, a turnover of £10m or more, and supplying digital goods and services to the NHS or care.

All three must be true. A company that does not meet every one of those thresholds selects Other, Category 3, which is the route described as covering charities, some companies and NHS business partners. For most smaller suppliers, Category 3 (Other) is the correct selection.

The common mistake is assuming that supplying NHS-facing software is enough to make you a Category 2 IT Supplier. It is not. Supplying digital goods and services is only one of three tests, and a 30-person company under £10m turnover is Category 3 even if everything it sells goes to the NHS. Selecting Category 2 by accident pulls you into a more demanding submission than you are required to complete, with an external audit attached. The opposite error, selecting Category 3 by understating your size to avoid the audit, leaves you out of standard at submission. Confirm your headcount and turnover against the thresholds before you choose.

The Category 2 independent assessment: who carries it out and when it must be filed

If you do meet all three Category 2 thresholds, your 2025-26 DSPT submission includes a mandatory independent assessment, an external audit carried out by an accredited assessor. Both the assessment report and the DSPT submission itself must be filed by 30 June 2026. The Independent Assessment Guides for this round are valid until that toolkit deadline (dsptoolkit.nhs.uk, Independent Assessment Guides).

The assessment is not something you can self-certify. NHS England points to assessors from the NCSC Cyber Resilience Audit scheme, or equivalent professionals experienced in assessing against the CAF. The framework documents to work from carry exact titles: the Data Security and Protection (DSP) Toolkit Strengthening Assurance Framework 2025-26, the DSP Toolkit Strengthening Assurance Guide 2025-26, and the DSP Toolkit Independent Assessment Report Template and Terms of Reference v1.1.

The timing point is the one to act on now. An external assessor needs lead time to scope the work, run the audit and produce a report you can file. Booking that in with weeks to go, rather than days, is the difference between a clean submission and a scramble. If you are a confirmed Category 2 supplier and have not yet engaged an assessor, that is the first call to make.

What is at stake if you miss the DSPT v8 deadline

DSPT completion is a contractual requirement under the NHS England Standard Conditions contract, and it is necessary for organisations using national systems. It is written into the terms you sell under, not an internal hygiene exercise.

Failing to reach the required standard by the deadline puts continued access to NHS national systems and data connections at risk: NHSmail, the Spine and the Electronic Prescription Service among them. The toolkit guidance also directs organisations submitting at a Standards Not Met status via API to stop using their connection. The effect is commercial. An NHS buyer cannot keep you connected to systems you no longer meet the conditions to use, and a contract that depends on those connections is exposed the moment your status lapses.

The risk is not framed as an automatic same-day disconnection. It is a gate. Missing the standard does not flip a switch at one minute past the deadline, but it removes the contractual basis for the access your product relies on, and it gives buyers a reason to pause procurement or renewal. For a supplier whose pipeline runs through NHS contracts, that is a revenue problem before it is a compliance one.

Where DSPT v8 sits alongside DCB 0129 for NHS buyers

DSPT v8 rarely travels alone in a procurement conversation. While the DSPT proves your data is secure, DCB 0129 proves your product is clinically safe. NHS buyers treat these as a single compliance pack; you cannot have one without the other.

DCB 0129 is the clinical risk management standard for the manufacture of health IT systems, an information standard under section 250 of the Health and Social Care Act 2012 (digital.nhs.uk). It applies to manufacturers of health IT systems, as distinct from DCB 0160, which sits with the deploying organisation. For a supplier building the product, 0129 is the relevant standard, and a buyer assessing you will expect both it and your DSPT v8 status before signing.

Treating the two as one body of work, rather than two separate projects, is what shortens the path to a contract. The evidence overlaps, and the buyer is reading them together.

Mapping one set of evidence across DSPT v8 and your other frameworks

The Naq platform automates DSPT v8, DCB 0129, DTAC, ISO 27001 and Cyber Essentials from a single dashboard. Controls are mapped across those frameworks, so one piece of evidence such as an access policy or a training record satisfies the requirement wherever it appears, rather than being collected several times over for each standard. For a supplier facing the 30 June 2026 deadline alongside everything else a buyer asks for, that reuse is what makes the timeline workable.

Where teams need named expert sign-off, Naq's in-house Clinical Safety Officers and virtual DPOs sit alongside the platform, so the clinical safety and data protection roles a buyer expects are covered without a permanent hire.

For the duty that lands sooner than the DSPT deadline, the new data protection complaints-handling process takes effect on 19 June 2026 and applies to every controller, NHS supplier or not.

To see how your DSPT v8 evidence maps across your existing tooling and frameworks, book a 15-minute demo.

FAQ

When is the DSPT v8 deadline?

The DSPT v8 deadline is 30 June 2026. The 2025-26 toolkit, version 8, was published on 18 September 2025 (dsptoolkit.nhs.uk).

Am I a Category 2 IT Supplier or Category 3 (Other)?

You are Category 2 only if all three apply: 50 or more staff, £10m or more turnover, and you supply digital goods or services to the NHS or care. If you do not meet all three, you select Other, Category 3. Most smaller suppliers are Category 3.

Do Category 2 IT Suppliers need an independent assessment?

Yes. A qualified external assessor carries out the assessment, and both the report and the DSPT submission must be filed by 30 June 2026.

What happens if I miss the DSPT v8 deadline?

DSPT completion is a contractual requirement under the NHS England Standard Conditions contract and is necessary to use national systems such as NHSmail. Failing to reach the standard puts continued access at risk, including NHSmail, the Spine and the Electronic Prescription Service.

Written by
The Naq Team