May 1, 2025

From DSPT to CAF: Navigating NHS Data Security Compliance in 2025

Written by
The Naq Team

The Data Security and Protection Toolkit (DSPT) remains a key requirement for organisations accessing NHS data or systems. Each year, organisations handling NHS patient data must complete the DSPT self-assessment to demonstrate they meet robust data security standards. Now, a significant change is underway: the DSPT is transitioning to align with the Cyber Assessment Framework (CAF) in order to raise the bar for cybersecurity across the health sector. This evolution is driven by the need to keep pace with an ever-changing threat landscape and to harmonise healthcare cyber standards with those in other critical sectors.

This blog post provides a comprehensive look at the DSPT-to-CAF transition. We will explain why the change is happening, what the CAF-aligned DSPT entails, and how it impacts NHS organisations and digital health innovators. Most importantly, we’ll outline how you can begin navigating these new requirements smoothly so that your organisation remains secure and compliant.

From DSPT to CAF: Why the Change?

What is the DSPT? The DSPT is an online self-assessment toolkit that healthcare providers, commissioners, and IT suppliers use to measure their data protection and cybersecurity practices against NHS standards. Since 2018, those standards have been based on the National Data Guardian’s 10 Data Security Standards, which emphasise good practice across people, processes, and technology. However, as technology and cyber threats rapidly evolve, the NHS is enhancing its approach to go further.

Starting in late 2024, NHS England began phasing in the National Cyber Security Centre (NCSC)’s Cyber Assessment Framework (CAF) as the new basis for DSPT assurance. The CAF is a comprehensive framework designed initially to assess cybersecurity in the UK’s critical sectors. It provides a more advanced, outcome-focused way to evaluate security maturity. By adopting the CAF, NHS England aims to align health and care with the higher resilience standards used elsewhere and enable a more dynamic response to emerging cyber risks.

In short, the CAF offers a “more current framework” for evaluating and improving data security. The move is part of the government’s 2023–2030 Health and Care Cyber Security Strategy, signalling a long-term commitment to bolstering cybersecurity in healthcare.

What is the Cyber Assessment Framework (CAF)?

The Cyber Assessment Framework (CAF) is a structured cybersecurity framework that revolves around four key objectives (labelled A to D) covering all aspects of cyber risk management. Each objective is supported by specific principles and expected outcomes that organisations should aim to achieve. In summary:

  • Objective A: Managing Security Risk – Focuses on governance, leadership accountability, risk management processes, asset management, and supply chain security at the organisational level. It ensures that organisations understand and manage security risks proactively.

  • Objective B: Protecting Against Cyber Attacks – Emphasises having effective controls to prevent attacks, including strong policies and processes, access controls (e.g., user account management), data security measures (such as encryption), secure system configuration, and resilient networks. The goal is to establish robust defences against threats.

  • Objective C: Detecting Cyber Security Events – Stresses the need for active monitoring, logging, and threat detection capabilities. Organisations should be able to promptly identify unusual activity or incidents through appropriate tools and processes, such as intrusion detection systems and security incident event monitoring.

  • Objective D: Minimising the Impact of Incidents – Focuses on preparedness to respond and recover. This means having up-to-date incident response plans, regular testing (like scenario exercises), data backups, and business continuity plans to reduce damage if a breach occurs. Equally important is learning from incidents to improve future resilience.

The CAF is outcomes-based. It defines what good security outcomes look like, but it gives organisations flexibility in how to achieve them. For example, rather than prescribing one specific password policy, the framework asks whether you adequately control access to systems and data, leaving it to each organisation to decide how best to meet that outcome.

It is worth noting that NHS England has created a health and care tailored version of the CAF, referred to as the “CAF-aligned DSPT.” This includes all the core CAF principles and adds a few additional outcomes specific to health information governance, such as ensuring the proper use and sharing of patient information.

The result is a set of 47 contributing outcomes that NHS organisations will assess themselves against, with each outcome accompanied by indicators of good practice to guide what “good” looks like. Each outcome is scored on a maturity scale – typically Not Achieved, Partially Achieved, or Achieved – reflecting the organisation’s level of capability in that area. The aim isn’t to reach “Achieved” on all counts overnight; in fact, hitting the top level on every outcome is not expected or required. Instead, NHS England will define a target CAF profile (a minimum required level for each outcome) suitable for each type of organisation. Meeting “Standards Met” on the DSPT will mean achieving your organisation’s CAF profile, which for many outcomes may be a ‘Partially Achieved’ level to start with. Over time, these target levels can be raised as organisations improve year by year. This provides everyone with a clear roadmap for evolving their security posture in the coming years, rather than facing entirely new requirements with each toolkit cycle.
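As an added illustration (not code from this post or from Naq), the scoring model just described can be turned into a simple gap check: each contributing outcome’s self-assessed level is compared with the level the target profile demands, and mandatory national controls such as MFA are checked separately. The outcome ids, the target profile and the self-assessment below are constructed sample values, not an NHS England profile.

```python
from dataclasses import dataclass

# Maturity scale applied to each contributing outcome, ordered low to high.
LEVELS = {"Not Achieved": 0, "Partially Achieved": 1, "Achieved": 2}


@dataclass(frozen=True)
class Gap:
    outcome: str   # contributing outcome id in CAF "objective.principle.outcome" style
    current: str   # level self-assessed this cycle
    target: str    # level the target CAF profile requires


def assess(self_assessment, target_profile, mandatory_controls):
    """Return (standards_met, gaps, missing_mandatory).

    An outcome is a gap when its self-assessed level is below the level the
    target profile requires; an outcome absent from the self-assessment is
    treated as Not Achieved. Mandatory national controls must all be in
    place regardless of the profile, so a missing one also blocks Standards Met.
    """
    gaps = []
    for outcome, target in target_profile.items():
        current = self_assessment.get(outcome, "Not Achieved")
        if LEVELS[current] < LEVELS[target]:
            gaps.append(Gap(outcome, current, target))
    missing_mandatory = sorted(name for name, ok in mandatory_controls.items() if not ok)
    standards_met = not gaps and not missing_mandatory
    return standards_met, gaps, missing_mandatory


def gaps_by_objective(gaps):
    """Group gaps under CAF objectives A-D so an owner can be assigned per area."""
    grouped = {}
    for gap in gaps:
        grouped.setdefault(gap.outcome[0], []).append(gap)
    return grouped


# Constructed sample data: a hypothetical profile, not one issued by NHS England.
TARGET_PROFILE = {
    "A2.a": "Partially Achieved",  # risk management process
    "A4.a": "Partially Achieved",  # supply chain security
    "B2.c": "Achieved",            # privileged user management
    "C1.a": "Partially Achieved",  # monitoring coverage
    "D1.a": "Achieved",            # incident response plan
}
SELF_ASSESSMENT = {
    "A2.a": "Achieved",
    "A4.a": "Not Achieved",
    "B2.c": "Partially Achieved",
    "C1.a": "Partially Achieved",
    # "D1.a" was never assessed, so it counts as Not Achieved
}
MANDATORY_CONTROLS = {"MFA on all accounts": True}

if __name__ == "__main__":
    met, gaps, missing = assess(SELF_ASSESSMENT, TARGET_PROFILE, MANDATORY_CONTROLS)
    print("Standards Met" if met else "Standards not met")
    for objective, items in sorted(gaps_by_objective(gaps).items()):
        for g in items:
            print(f"  Objective {objective}: {g.outcome} is {g.current}, profile needs {g.target}")
```

Run against the sample data, the check reports three gaps (supply chain, privileged access and the unassessed response plan) spread over objectives A, B and D, which is the list a governance group would hand to owners for next year’s plan.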

Key Changes and Implications of the CAF-Aligned DSPT

For 2024–25, the transition to a CAF-aligned DSPT is already in motion, but not every organisation is affected immediately. Here are the key changes and what they mean for different groups:

  • Large NHS Organisations Transition First: Starting from September 2024, the new CAF-aligned DSPT was rolled out to a specific group of larger health and care organisations. These include NHS Trusts, Foundation Trusts, Commissioning Support Units (CSUs), Arm’s-Length Bodies (ALBs), and Integrated Care Boards (ICBs) – essentially, high-tier NHS bodies. If you belong to one of these, you will have noticed a new DSPT interface and structure when completing your 2024/25 self-assessment. Instead of the old list of 100+ security control questions, the toolkit now presents Objectives, Principles, and Outcomes aligned to the CAF.
  • Smaller Organisations Continue with Current Standards (for Now): If you’re a smaller NHS organisation or a supplier that has not yet been contacted about the CAF change, you remain on the current DSPT (aligned to the 10 NDG standards) for this cycle. NHS England has made it clear that organisations not in the initial rollout will “continue to respond to a list of prescriptive controls” on the toolkit for the time being. So, for example, many primary care providers, social care organisations, and most digital health SMEs will still complete DSPT version 6 (the pre-CAF version) this year. However, be aware: behind the scenes, even the old DSPT submissions are being nationally mapped to the CAF to create baseline profiles. And over the next couple of years (likely after 2025), these smaller organisations will also transition to the CAF-aligned toolkit. The core expectations you need to meet won’t suddenly change overnight if you haven’t switched yet, but you should anticipate more outcome-focused requirements in the near future. It’s wise to start familiarising your team with the CAF concepts now, rather than waiting until the last minute.
  • Naq helps organisations stay ahead of these regulatory shifts by continuously monitoring NHS updates and automatically surfacing relevant changes within the platform. Whether you're already required to meet CAF standards or preparing for future rollout, Naq ensures you're not caught off guard. You’ll receive timely guidance, practical next steps, and expert support tailored to your organisation's current and future compliance status.
    Want to see how Naq can streamline your transition to the CAF-aligned DSPT? Book a personalised demo to learn more.
  • Outcome-Focused Compliance: One of the most significant shifts with the CAF-aligned DSPT is moving away from a pure yes/no checklist of controls to an outcome-focused assessment. This has several implications. Organisations have more flexibility to implement security in ways that make sense locally, and you’re encouraged to use professional judgment on how to meet each outcome rather than being told exactly how to do it. At the same time, simply having a policy or a tool in place is not enough; you need to evaluate whether your measures are effectively achieving the intended outcome. For example, it’s not sufficient to tick “we have cybersecurity awareness training.” Under the CAF approach, you’ll need to consider whether your training programme is actually resulting in staff who are aware of threats and handling data safely (and if not, improve it). This change will push organisations to think more deeply about the effectiveness of their security controls, fostering a more mature security culture over time.
  • Continuous Improvement and Long-Term Planning: The new framework introduces a philosophy of continuous improvement. This is a welcome change for many, as it offers clarity on future requirements and enables better strategic planning and investment. For example, if you know that by 2026 you’ll need to reach a higher level in network monitoring or vendor risk management, you can start budgeting and working toward that now. The emphasis is on progress over perfection. Each year, NHS England may raise the minimum required levels for certain outcomes (the “CAF profile” thresholds) as cyber threats evolve or as capabilities across the sector improve.
  • Retention of Core Data Protection Principles: It is essential to emphasise that the transition to CAF does not discard the fundamentals of the previous DSPT standards, such as strong access controls, staff training, up-to-date antivirus, and data use consent. In fact, the NDG’s ten security standards have been mapped into the new framework to ensure nothing essential is lost. What does change is how those expectations are organised and assessed. You might notice new terminology (e.g. “contributing outcomes” and “indicators of good practice”) and broader questions that require explanation or evidence of effectiveness. But if you have been compliant with DSPT in past years, you have a solid foundation to build on. Moreover, a few specific national policies will be mandated across the board to address high-priority risks, regardless of the new flexibility. For instance, multi-factor authentication for account access is now enforced as a mandatory control in the updated toolkit, reflecting its critical role in preventing breaches. These mandatory measures ensure that flexibility in implementation never compromises minimum security requirements.

Preparing for a Smooth Transition

Whether your organisation is already facing the CAF-aligned DSPT this year or expects to transition in the near future, preparation is key. Below are several steps and best practices to help you navigate the change with confidence:

  1. Stay Informed of NHS Guidance: Make sure you keep up with the latest guidance from NHS England regarding the DSPT updates. If your organisation is part of the initial rollout group, you should have received official communications and support materials. (NHS England has hosted webinars and published guidance documents to explain the CAF approach.) Keeping an eye on the DSPT website’s news section and subscribing to official newsletters will ensure you don’t miss critical updates or deadlines. For Naq customers, these updates are delivered directly through the Naq platform, along with expert insights and tailored alerts to help you respond quickly and stay ahead of changes—no need to manually monitor multiple sources.

  2. Review the CAF Objectives and Map Your Gaps: It’s a good idea to perform a gap analysis between your current security controls and the CAF outcomes. Start by familiarising yourself (and your security/IG team) with the four CAF objectives and their underlying principles. NHS resources include mapping documents that show how the existing DSPT requirements align with CAF outcomes. Leveraging these can help you understand where you might already meet the new expectations and where gaps could exist. Identify areas where your policies or controls might be weak relative to the CAF guidance. For example, Objective A puts new emphasis on supply chain security and risk management governance; if those weren’t a focus in your previous DSPT submissions, you’ll want to assess and strengthen them.

  3. Engage Leadership and Assign Responsibilities: The CAF-aligned approach requires strong governance. Under the CAF’s Objective A, demonstrating management ownership of cyber risk is critical. Now is the time to brief your board or executives on what the DSPT changes mean. Ensure that there is a named senior owner (e.g. a Caldicott Guardian, SIRO, or CIO) who is accountable for data security. If you have a Data Protection Officer or Chief Information Security Officer, involve them deeply in this transition. You may also need to establish or reinvigorate a governance group or steering committee to oversee your organisation’s progress against the CAF outcomes. Internally, clarify who will collect evidence for each outcome area – for instance, IT might handle technical controls, HR might handle training records, etc. Clear ownership and oversight will make the self-assessment process much smoother and more credible.

  4. Focus on High-Priority Controls (the “Must Dos”): While the CAF allows flexibility, certain controls are so vital that they remain non-negotiable. Make sure you have all baseline security controls firmly in place. These include multi-factor authentication (MFA) for remote access and privileged accounts (as noted, NHS England has made MFA an expected requirement), up-to-date anti-malware protection, timely software patching for critical vulnerabilities, encrypted devices and data transfers, and regular data backups. Additionally, robust incident response procedures (Objective D) are a high priority, so ensure you have clear plans for detecting, reporting, and responding to security incidents or data breaches. Conducting a tabletop exercise or drill can be a great way to test your incident response plan’s effectiveness and your team’s readiness.

  5. Embrace a Culture of Continuous Improvement: Change your mindset from viewing the CAF and the DSPT as an annual checkbox submission to an ongoing improvement cycle. Under the new framework, you should regularly evaluate how well your measures are working and seek ways to improve. Set up a routine to assess progress on your security outcomes. For example, if you rated a particular outcome as “Partially Achieved” this year, what would it take to reach “Achieved” in the future – is it further staff training? New technology investment? Process refinement? Build those steps into your IT or data governance strategy. Also, document any security incidents or near-misses and what you learned from them; demonstrating a feedback loop where lessons lead to stronger controls is exactly in the spirit of continuous improvement. Over the next 3–5 years, small but steady improvements will likely be expected (and audited), so having an internal improvement plan will put you ahead of the curve.

  6. Leverage Expert Support and Tools: Navigating regulatory change can be challenging, but you don’t have to do it all alone. Consider tapping into external compliance support to make the transition easier. For example, Naq’s platform and compliance experts help healthcare organisations and suppliers streamline their DSPT compliance. This kind of solution can automate the mapping of your existing controls and policies to the new CAF outcomes, highlight gaps, and even provide templates or recommendations to fill those gaps. Naq’s platform is designed to simplify complex requirements – it can centralise your evidence collection (policies, risk assessments, training certificates, etc.), send you notifications for tasks like staff training or upcoming audits, and track your progress toward meeting each DSPT requirement. Leveraging such tools not only saves time but also reduces the risk of oversight, ensuring you don’t miss any critical requirement in the new framework.

Moreover, Naq’s experts stay up-to-date with NHS policy changes, enabling them to offer informed guidance and clarity on the more complex aspects of the CAF. Engaging with compliance specialists or leveraging an automated platform is especially helpful for smaller digital health innovators who may not have large in-house compliance teams. It allows you to focus on your core mission—delivering health services or innovative solutions—while staying confident that your data security and compliance are on the right track.

Conclusion

The transition from the traditional DSPT to a CAF-aligned DSPT marks a pivotal evolution in NHS data security standards. It reflects a broader trend: as cyber threats grow more sophisticated, compliance regimes too must become more rigorous and outcome-focused. Embracing the CAF principles can ultimately make your organisation safer and more resilient, which means better protection for your solutions and ultimately the people who use them.

For organisations navigating this shift, having the right tools and guidance is essential. That’s where Naq can make a real difference. By combining up-to-date NHS compliance intelligence with automated workflows, expert guidance, and readiness for both current and future requirements, Naq enables healthcare providers and suppliers to meet CAF standards with confidence—not complexity.

Support for Smaller Organisations

Even if you're not yet mandated to follow CAF, Naq helps smaller organisations adopt best practices early, strengthen their cyber posture, and futureproof for upcoming NHS requirements.

Explore further guidance and official resources on the CAF-aligned DSPT on NHS Digital's website.

Whether you're already part of the CAF rollout or planning ahead, Naq helps you stay compliant, secure, and prepared for what’s next. Need help preparing your organisation? Book a demo with one of our compliance experts, or explore our 2025 DSPT-readiness checklist here.