May 4, 2026

DSPT v8 deadline: an eight-week checklist for NHS suppliers

The DSPT v8 deadline of 30 June 2026 is the date your live NHS contracts and most of your active pipeline depend on. Trusts and Integrated Care Boards check supplier status on the public NHS DSPT register before they sign new orders or renew at end of term. Eight weeks out, the question is whether your evidence will pass Standards Met on submission day.

The DSPT v8 deadline that is keeping NHS deals open

DSPT v8 was published on 18 September 2025 with submission due by 30 June 2026, per the DSPT 2025-26 publication notice. The deadline has not been deferred. The 31 December 2025 milestone that some suppliers remember was an interim assessment and improvement-plan checkpoint, not a change to the final-submission date.

One thing changed structurally in v8. The assurance model is now aligned to NCSC Cyber Assessment Framework v3.4, completing the move away from the National Data Guardian's 10 Data Security Standards. Category 1 organisations (NHS Trusts, Integrated Care Boards, Commissioning Support Units, ALBs, designated Operators of Essential Services, and Genomics organisations) now assess against CAF outcomes. Category 2 IT suppliers continue with a non-CAF aligned assessment for 2025-26, using the assertion-and-evidence interface they already know.

The framework sits on a commercial spine. DSPT completion is a contractual requirement under the NHS Standard Contract 2025/26, which obliges every NHS provider to verify that its processors and joint controllers have completed a DSPT or equivalent. Submission status is publicly visible on the DSPT organisation search; NHS commissioners and prospective buyers see what you see. Standards Not Met on the public register is the procurement blocker your sales team will hear about second.

Where most NHS suppliers actually are at week eight

The honest position at eight weeks is that the supplier knows roughly what they need and has draft evidence in two or three places, but has not booked the independent assessor. That is the gap the next eight weeks need to close.

Two checks tell you where you really are. Every assertion that scored Approaching last cycle should now sit on fresh evidence under v8 wording. The independent assessor should be booked for a date that leaves time to fix flagged items before submission. If either is not in place, the checklist below is the order of operations. The full IT-supplier mandatory assertion set is published in the Independent Assessment Guides; walk it with your assessor, since the figure has been quoted inconsistently in third-party guidance.

Weeks 8 to 7 (5 May to 18 May): triage and gap-finding

The first fortnight is diagnosis. By the end of it, the supplier has a true picture of where they are and a named owner for each gap.

  1. Confirm category. Pull staff count and turnover. A company sits in Category 2 (IT Supplier) only if it meets all three thresholds: 50+ staff, £10m+ turnover, and supplies digital goods or services to NHS or care organisations. A company that does not meet all three sits in Category 3 (Other), alongside charities and NHS Business Partners. Most digital health and SaaS suppliers fall in Category 3. The common mistake is selecting IT Supplier on the assumption that supplying NHS-facing software qualifies; without the staff and turnover thresholds, Other is the correct category. Submitting against the wrong category produces the wrong assertion set and an avoidable rejection.
  2. Pull last cycle's submission. Walk every assertion that scored Approaching or carried a comment from the assessor. Those are the items that need fresh evidence first.
  3. Download the V7 to V8 log of changes from the documents bundle linked under the DSPT 2025-26 publication notice. Walk every changed item. Mark which previously Met items now require new evidence under v8 wording.
  4. Map ISO 27001 if held. An ISO 27001 certificate with scope encompassing all NHS data processing auto-completes applicable DSPT evidence items. Partial scope, for example a HQ office or development environment only, is supporting evidence. Flag any DSPT evidence items still requiring standalone responses.
  5. Identify and book the independent assessor. Category 2 IT suppliers cannot self-submit on the assertions requiring independent verification, per DSPT independent audit guidance. Have the provider booked and the scope agreed inside this fortnight, with the access window confirmed. Assessor diaries fill from May onwards.

Weeks 7 to 5 (18 May to 1 June): the long-lead evidence pack

The middle fortnight is where the long-lead artefacts are drafted and signed off. None of them can be produced credibly inside submission week.

  1. MFA evidence pack. Document MFA enforcement on all remote user access and on all privileged access to externally hosted systems. Include screenshots and configuration exports, checked against identity-provider logs. The NHS England policy on MFA is the policy reference; the v8 wording is the evidence specification.
  2. Vulnerability and patching evidence. v8 retains the strict patching window for high-risk and critical updates, applied within 14 days of release. Pull patch reports for the last quarter and confirm the policy reflects current Cyber Essentials and DSPT wording.
  3. Incident response. A current plan dated within the last 12 months. A tabletop exercise within the last 12 months. Root cause analysis for any actual incident in scope.
  4. Supply chain and processor evidence. A current register of suppliers and processors, with contracts confirming UK GDPR and Data Protection Act terms, and a documented security review for each in-scope sub-processor. v8 strengthens the supply chain assertions, and the chain takes longer to walk than most suppliers expect.
  5. Information governance training. Completion records for every member of staff for the current cycle. Records that were complete twelve months ago are not complete now.
  6. National data opt-out policy. For organisations in scope, including some Category 2 and 3 suppliers handling de-identified data flows, a documented policy and an operational record of how opt-outs are handled.
  7. Data subject rights process. Documented end to end, with timestamps for any subject access requests responded to in the last 12 months. The DSPT view of UK GDPR Article 32 evidence overlaps with ICO data security guidance, so material gaps in this evidence pack tend to surface in both directions.

Weeks 5 to 3 (1 June to 15 June): the independent assessment window

The third fortnight is the assessment itself. Independent assessors must complete their work between January and June 2026 with submissions filed by 30 June, per the strengthening assurance guidance.

  1. Walk the mandatory assertions with the assessor. The artefacts assembled in weeks 7 to 5 above sit underneath them. Anything missing is flagged.
  2. Resolve assessor flags inside the window. Items marked partial get corrected or evidenced. Approaching scores can be lifted to Met if the supporting evidence is produced before report sign-off.
  3. Lock the assessment report. The independent assessment report and Terms of Reference reach final form. Holding either of these open into the submission fortnight squeezes board sign-off and creates an unnecessary failure mode.

Weeks 3 to 1 (15 June to 24 June): submission and sign-off

The penultimate fortnight is the submission itself, with executive sign-off and a contingency route if any item cannot be Met.

  1. Submit on the DSPT toolkit. Upload assertions, evidence items and the independent assessment report.
  2. Board or accountable officer sign-off. Standards Met submissions require sign-off at the appropriate level. For a digital health SME, that is typically the CTO or CISO. For Category 2 IT suppliers under independent assessment, executive sign-off is part of the submission package.
  3. Improvement plan if any assertion cannot be Met. Plans must carry specific completion dates. Plans without dates, or with dates extending beyond the deadline without exceptional approval, are rejected per NHS England's interim assessment guidance. Engage Regional Security Lead pathways before submission day, never after.

The final week (24 to 30 June): protecting the submission

In submission week, the priority is operational. The toolkit submission shows on the public register, and active prospects see the record on the day they expect it.

  1. Confirm submission status on the public register; NHS commissioners and prospective buyers check the same view.
  2. Update sales collateral and procurement responses to reference the 2025-26 v8 record. Active NHS prospects expect a current Standards Met record on the deadline.
  3. Brief commercial and customer success teams. Renewal conversations and procurement reviews from 1 July onward reference the live submission, not the prior cycle.

What NHS suppliers commonly leave too late

Five gaps account for the bulk of v8 submissions that miss Standards Met on first attempt.

MFA evidence as a standalone item. Suppliers still answering 4.5.3 with "we hold Cyber Essentials Plus" do not pass v8. The CE+ equivalence has gone, and the standalone MFA evidence pack is the most common late discovery. Cyber Essentials v3.3, the Danzell question set, makes MFA mandatory for in-scope cloud services with auto-fail consequences, applied to assessment accounts created from 28 April 2026, per the IASME April 2026 update. The MFA story has tightened across both schemes at the same time.

CSO sign-off and DCB 0129 compliance. Digital health vendors often focus exclusively on the DSPT, only to find their procurement blocked because they lack a Clinical Safety Officer (CSO). While the DSPT proves your data is secure, DCB 0129 proves your product is clinically safe. In 2026, NHS buyers treat these as a single 'compliance pack': you cannot have one without the other.

ISO 27001 scope that does not cover NHS data processing. Vendors holding ISO 27001 with scope limited to a HQ office or a development environment often assume the certificate auto-completes DSPT evidence items. Partial scope is supporting evidence only. The detail of where ISO 27001 evidence reduces the DSPT audit burden sits in the cross-framework guide.

Sub-processor evidence. Suppliers commonly hold the data processing agreement on the prime contract and assume the same applies down the chain. v8 strengthens supply chain assertions, and walking the chain to confirm a current DPA and a documented security review on every in-scope sub-processor takes more time than most suppliers expect.

Independent assessor capacity in June. Diaries fill from May onward. A supplier booking in mid-May for a late-June audit lands at the back of the queue. The slot itself is the biggest hard constraint on the submission timetable.

How DSPT v8 evidence maps to the rest of your compliance work

DSPT v8 sits on top of the work most digital health vendors are already doing across UK GDPR, ISO 27001, Cyber Essentials and DCB 0129. The technical and organisational measures evidence in DSPT v8 is the operational expression of UK GDPR Article 32. An ISO 27001 certificate at the right scope auto-completes a meaningful set of DSPT items, and DTAC V2 ran on the same evidence base as DSPT v8, so a single technical security narrative tends to satisfy both.

Once the v8 submission is in, the next sensible move is consolidation: collecting each piece of evidence once and mapping it across the frameworks the team already runs.

The submission window closes on 30 June 2026, and the contracts that depend on it run on without renegotiation. Data sharing agreements stay in force, and the next renewal conversation opens on the product itself.

How Naq Supports DSPT v8

The Naq platform is built to automate DSPT v8, DTAC V2, DCB 0129, Cyber Essentials and ISO 27001 from a single dashboard. Controls are mapped across frameworks, so one piece of evidence satisfies requirements in DSPT, DTAC and Cyber Essentials at the same time, rather than being collected three times.

In-house Clinical Safety Officers and virtual DPOs sit alongside the platform where supplier teams want a human in the loop on the clinical safety case or the controller decisions a DSPT submission depends on.

To see how DSPT v8 evidence maps across your existing tooling and frameworks, book a 15-minute demo at naqcyber.com.

Frequently asked questions

What is the DSPT v8 deadline?

The DSPT v8 submission deadline for organisations in scope is 30 June 2026. The 2025-26 version was published on 18 September 2025 and the deadline has not been deferred. The 31 December 2025 milestone was an interim assessment and improvement-plan checkpoint, not a change to the final-submission date.

Do I need an independent audit for DSPT v8 as an IT supplier?

Yes. Category 2 IT suppliers are required to undertake independent assessment under the v8 cycle, continuing the requirement introduced for 2024-25. The assessment must be carried out between January and June 2026, with the report and DSPT submission filed by 30 June 2026.

Can I still use my Cyber Essentials Plus certificate for the MFA evidence item?

No. Evidence item 4.5.3 has been amended for IT suppliers in DSPT v8. Cyber Essentials Plus alone no longer provides equivalence. MFA must be evidenced separately inside the DSPT, with documentation of enforcement on remote user access and on privileged access to externally hosted systems.

What happens to my NHS contract if I miss the deadline?

DSPT completion is a contractual requirement under the NHS Standard Contract 2025/26, and submission status is publicly visible on the DSPT organisation search. Standards Not Met blocks new orders and flags renewals. Operators of Essential Services also fall under the Network and Information Systems Regulations 2018 enforcement regime; that route does not apply to ordinary Category 2 IT suppliers.

Does ISO 27001 reduce the DSPT v8 burden?

It can. An ISO 27001 certificate with scope encompassing all NHS data processing auto-completes applicable DSPT evidence items. Partial scope, for example a HQ office or development environment only, counts as supporting evidence and does not auto-complete the DSPT. Confirming scope coverage early in the eight-week window is the difference between a clean cross-framework submission and a duplicated evidence run.

Written by
The Naq Team