
The DSPT v8 requirements represent a significant structural shift for 2025-26. Version 8 aligns to the NCSC Cyber Assessment Framework (CAF) v3.4, introduces new mandatory audit areas, and removes a key equivalence that IT suppliers have relied on for years. The deadline remains 30 June 2026. Non-completion puts contracts and procurement status at risk and, for Operators of Essential Services, triggers regulatory enforcement.
This guide covers what changed, who needs to act, and what the practical steps look like.
The headline shift is structural. DSPT v8 completes the move from the National Data Guardian's 10 data security standards to the NCSC Cyber Assessment Framework as the underlying assurance model. NHS England and the National Data Guardian confirmed this transition in a joint statement in September 2024.
For large NHS organisations (Category 1), the assessment now uses 47 contributing outcomes across five objectives, rather than prescriptive tick-box controls. Thirty-nine of those outcomes come directly from the NCSC CAF. Eight are health-sector-specific additions under a new Objective E covering appropriate information use and sharing. Each outcome is assessed at three levels: Not Achieved, Partially Achieved, or Achieved.
For IT suppliers and smaller organisations (Categories 2 to 4), the interface still uses assertions and evidence items. But these are now mapped against a CAF profile in the background, meaning the direction of travel is clear.
Evidence item 4.5.3 covering multi-factor authentication has been amended for IT suppliers. Cyber Essentials Plus certification no longer provides equivalence to this evidence item. IT suppliers who previously relied on their CE+ certificate to satisfy this requirement must now demonstrate MFA compliance separately within the DSPT.
This is not a minor administrative change. NHS England's MFA policy now requires enforcement on all remote user access to all systems and all privileged user access to externally hosted systems, irrespective of whether Cyber Essentials Plus certification is held.
Every organisation that accesses NHS patient data or systems must complete the DSPT. The assessment varies by category.
Category 1 covers NHS Trusts, Integrated Care Boards, Commissioning Support Units, Arm's Length Bodies, Operators of Essential Services, and Genomics organisations. These complete the full CAF-aligned assessment. For 2025-26, OES independent providers and Genomics organisations join Category 1 for the first time.
Category 2 covers large IT suppliers: those with 50 or more staff and turnover of at least GBP 10 million, supplying digital goods or services to NHS or care organisations. These complete 12 mandatory assertions covering governance, identity and access control, breach reporting, vulnerability management, continuity planning, incident response, security patching, and firewall management.
Category 3 covers smaller IT suppliers, dentists, opticians, pharmacies, social care providers, local authorities, universities, and charities with NHS data access. A lighter assessment applies.
Category 4 covers GP practices with the lightest assessment burden.
If you are a digital health company selling into the NHS, you fall into Category 2 or 3 depending on your size. Either way, completion is mandatory.
The 30 June 2026 deadline is not advisory.
Contractual consequences. DSPT completion is required under the NHS Standard Contract (clause 21.2). Every NHS provider must verify that its suppliers, data processors, and joint controllers have completed a DSPT or can demonstrate an equivalent standard. Non-completion by a supplier triggers escalation to board level within the commissioning organisation.
Public visibility. Your DSPT status is publicly searchable. A "Standards Not Met" result is visible to every NHS organisation evaluating you as a potential supplier.
Regulatory enforcement for Operators of Essential Services. Under the Network and Information Systems Regulations 2018, the Secretary of State via DHSC can issue enforcement notices and penalty notices of up to GBP 17 million for material contraventions that create significant risk to essential service provision. According to the DHSC NIS Regulations health sector guide, 58 enforcement notices have been issued for unsupported systems and 71 for unmitigated vulnerabilities since 2018.
Escalation pathway. Organisations that cannot meet the required standards must submit an improvement plan with specific completion dates no later than June 2026. Plans without dates, with dates extending beyond the deadline without exceptional approval, or lacking realistic implementation pathways are rejected. Failure to engage triggers escalation through Regional Security Leads, the Joint Cyber Unit, and ultimately NHS England and DHSC.
NHS Trusts, ICBs, ALBs, and CSUs must cover nine mandatory outcomes plus three self-selected outcomes in their independent audit:
OES providers and Genomics organisations cover eight mandatory outcomes plus four self-selected:
IT suppliers must cover all 12 mandatory assertions with no self-selection option.
If your organisation already holds certifications or has completed assessments against related frameworks, some of that work carries over.
ISO 27001. Where an organisation holds ISO 27001 certification with a scope that encompasses all health and care data processing, applicable DSPT evidence items are marked as complete automatically. Partial scope (covering only the IT department, for example) provides supporting evidence but does not trigger automatic completion.
Cyber Essentials and Cyber Essentials Plus. Holding CE+ can reduce the scope of your DSPT independent audit to cover only evidence items not already covered by the CE+ assessment. But CE+ does not exempt you from DSPT completion, and the v8 MFA equivalence removal means CE+ alone no longer satisfies evidence item 4.5.3.
UK GDPR. DSPT v8's Objective E outcomes directly cover GDPR compliance obligations including data subject rights management and the national data opt-out policy. Completing DSPT to the required standard provides evidence of GDPR compliance that the Health Research Authority accepts when organisations apply for Confidentiality Advisory Group approval.
For IT suppliers and digital health companies, the priority actions are:
Check your category. Confirm whether you fall into Category 2 or 3 based on your staff count and turnover. This determines which assertions apply to you.
Address MFA separately from Cyber Essentials. If you previously relied on CE+ for evidence item 4.5.3, you need to document your MFA implementation independently. Review NHS England's MFA policy requirements: MFA on all remote access and all privileged access to externally hosted systems.
Review the change log. Download the "DSPT 2025-26 V7 to V8 - Log of changes" document from the DSPT website to identify every evidence item that has changed wording or requirements.
Map existing certifications to DSPT evidence items. If you hold ISO 27001 with a scope covering all NHS data processing, your certification can auto-complete applicable evidence items. This can significantly reduce your assessment burden.
Submit early. Waiting until the final week of June risks technical issues, evidence gaps, and no time for improvement plans. Organisations that identify gaps early can submit improvement plans that are far more likely to be accepted.
Your team is already managing ISO 27001, Cyber Essentials, DTAC, GDPR, and now a structurally different DSPT v8. Each framework overlaps with the others, and evidence collected for one often satisfies requirements in another. Running them as separate compliance exercises doubles the workload without improving the outcome.
Naq automates compliance across 20+ frameworks from a single platform. Over 300 integrations gather evidence automatically, work completed for one framework maps across to overlapping standards, and the platform tracks changes as requirements evolve. Expert support from in-house compliance specialists, pen testers, and auditors is available where automation alone is not enough.