March 3, 2026

NHS Compliance Requirements for Healthcare Practices: What Actually Applies to You in 2026

The Data Security and Protection Toolkit version 8 went live in September 2025, and the submission deadline is 30 June 2026. Yet a significant number of pharmacies, dental practices and GP surgeries across the UK have not started the process.

The current compliance requirements facing healthcare SMBs are fragmented, poorly communicated and buried in language designed for enterprise IT departments. DSPT sits alongside UK GDPR obligations. Cyber Essentials certification is increasingly expected by NHS procurement under PPN 014. If a practice uses any digital health technology, DTAC and DCB 0129 may also apply. Each framework is managed by a different body, with different deadlines, different evidence requirements, and different consequences for getting it wrong.

The result is that most practice managers either do not know which frameworks apply to them, assume their IT provider has it covered, or believe compliance is optional until something goes wrong.

DSPT Version 8: What Has Changed

The DSPT is the primary mechanism through which NHS England assesses how safely organisations process personal data. Version 8, published for the 2025-26 cycle, introduced updated Outcomes, Assertions and Evidence items across every sector category. Pharmacies, GPs, dentists, opticians, IT suppliers and social care providers all face revised requirements. The standard is now aligned with the Clinical Assurance Framework version 3.4, which should reduce duplication for organisations working across both. But it also raises the bar on what counts as an acceptable submission.

Organisations that fail to submit, or submit below the expected standard, risk losing access to NHSmail, e-Referral, the Summary Care Record and other systems that most practices depend on daily. This is not a theoretical risk. NHS England has confirmed that system access is contingent on compliance, and access revocations have been documented across multiple NHS regions in previous cycles.

UK GDPR: The Obligation That Applies to Everyone

Every healthcare practice processing patient data is a data controller under the UK GDPR. That brings a set of obligations around lawful basis for processing, data subject rights, breach notification, Data Protection Impact Assessments and, critically, the requirement to implement appropriate technical and organisational measures to protect personal data.

The ICO's enforcement trajectory in 2025 should be a wake-up call for the sector. The average fine jumped from around £150,000 to over £2.8 million. In the first half of 2025 alone, the ICO collected roughly £5.6 million from just six fines, already double the entire amount collected across 18 fines throughout 2024. When the Capita settlement is included, the 2025 total reaches £19.6 million from just seven cases. The ICO has moved away from issuing frequent small penalties and is now targeting serious data protection failures with much heavier consequences.

For healthcare specifically, the March 2025 fine against Advanced Computer Software Group is particularly relevant. Advanced was fined £3.07 million after a ransomware attack that compromised the data of 79,404 people and disrupted NHS 111 services. The ICO found that the company had failed to implement basic security measures including consistent multi-factor authentication. It was the first time the ICO had fined a data processor under the UK GDPR, sending a clear signal that the regulator will pursue any organisation in the data handling chain, not just the controllers.

Cyber Essentials: From Nice-to-Have to Procurement Requirement

Cyber Essentials is a government-backed certification scheme that covers five core technical controls: firewalls, secure configuration, user access control, malware protection and patch management. It is deliberately straightforward and designed to be achievable for small organisations.

What has changed is the commercial context. Under Procurement Policy Note 014, any supplier bidding for government contracts involving the handling of sensitive or personal data must hold Cyber Essentials certification. NHS procurement increasingly follows this standard. For pharmacies with NHS contracts, dental practices tendering for NHS work, and GP surgeries engaging with Integrated Care Boards, the certification is fast becoming a commercial prerequisite rather than a voluntary good practice measure.

Cyber Essentials Plus, which adds an independent technical verification of the same five controls, is required for contracts involving higher-risk data handling. Certification also includes cyber liability insurance cover of up to £25,000, which for a small practice represents a meaningful additional protection.

DTAC and DCB 0129: The Frameworks Most Practices Have Never Heard Of

The Digital Technology Assessment Criteria is NHS England's baseline standard for digital health technologies entering the NHS ecosystem. It covers clinical safety, data protection, technical security, interoperability and usability. DCB 0129 is the clinical risk management standard for manufacturers of health IT systems, while DCB 0160 covers organisations deploying and using those systems.

These standards are mandatory under the Health and Social Care Act 2012. They require organisations to nominate a Clinical Safety Officer, a registered senior clinician with appropriate training in clinical risk management. A 2025 cross-sectional study published in the Journal of Medical Internet Research found significant gaps in compliance, with many NHS organisations unable to confirm the assurance status of the digital health technologies they were using.

For practices using AI-powered appointment systems, clinical triage chatbots, automated patient messaging or voice transcription software, DCB 0129 and DCB 0160 obligations likely apply. Most practices do not know this.

The Overlap Problem

The real difficulty for practice managers is not any single framework in isolation. It is the overlap. CQC and GPhC inspectors ask about data governance and cyber security. Those questions map directly to DSPT and GDPR obligations. Cyber Essentials controls overlap with DSPT evidence requirements. DTAC covers data protection ground that is also within GDPR scope. Without a clear view of how these frameworks connect, practices end up either duplicating effort or missing requirements entirely.

This is the core problem that Naq's compliance platform addresses through the VoIP Shop partnership. For practices already using VoIP Shop's communications infrastructure, compliance is now available through the same team and the same relationship. Naq automates evidence collection, policy generation, framework mapping and ongoing monitoring across all the relevant standards. The result is that a pharmacy, dental practice or GP surgery can address DSPT, GDPR, Cyber Essentials and the broader digital health requirements through a single system, with fixed pricing and no consultant day rates.

The 30 June 2026 DSPT deadline is four months away. If your practice has not started, the time to act is now. Speak to VoIP Shop's team about which Naq compliance package fits your practice, and get a clear picture of exactly which requirements apply to you.

Written by The Naq Team