
An NHS buyer rarely opens a supplier conversation by asking about your data security. It comes later, usually once the commercial fit looks right and the contract is close. The procurement team checks whether you have completed the NHS Data Security and Protection Toolkit, and the answer decides whether the deal can move forward. That is the practical reality of the NHS DSPT, and it is why anyone selling into the health service needs to understand it before the question lands.
This guide covers what the NHS DSPT is, who needs it, and how completing it opens healthcare revenue that stays closed without it.
The NHS Data Security and Protection Toolkit (DSPT) is an annual online self-assessment, published by NHS England, that lets an organisation measure and publish its performance against the National Data Guardian's 10 data security standards. Every organisation that handles NHS patient data or uses NHS systems must complete it. It replaced the Information Governance Toolkit in April 2018.
The toolkit runs on an annual cycle, with submissions due by 30 June each year, so a current submission must be refreshed every year rather than completed once. NHS England updates the toolkit each cycle, and recent editions align the standards with the National Cyber Security Centre's Cyber Assessment Framework, so the assessment reflects the same outcomes the wider public sector works to.
NHS England's own guidance is direct on this. All organisations that have access to NHS patient data and systems must use the toolkit to provide assurance that they practise good data security and handle personal information correctly. That includes suppliers, data processors and joint controllers, not only the trusts and care providers themselves.
The point that matters commercially sits in the buyer's obligations. An NHS organisation is told it must check that every supplier, data processor and joint controller handling personal or confidential information has completed a toolkit. If a supplier has not, it must demonstrate an equal or higher standard. For a company selling to the NHS, that turns the DSPT from a recommendation into a condition of doing business. The buyer cannot simply take your word for it.
Completion is also written into the NHS England Standard Conditions contract, and it remains the standard route for organisations that use national systems such as NHSmail and the e-Referral Service. Without a current submission, both the contract and the connection become harder to sustain.
The toolkit sorts organisations into categories, and suppliers usually fall into one of two. Choosing the wrong one is a common and costly mistake.
Category 2 (IT Supplier). Who it applies to: an organisation supplying digital goods or services to the NHS or care that meets all three thresholds below. Thresholds: 50 or more staff, turnover of £10m or more, and supplies digital goods or services to the NHS or care. Assessment: mandatory independent assessment.

Category 3 (Other). Who it applies to: suppliers that do not meet all three Category 2 thresholds, including smaller software suppliers, charities and NHS business partners. Thresholds: one or more of the three thresholds not met. Assessment: self-assessment.
Many smaller suppliers assume that selling NHS-facing software makes them an IT Supplier and select Category 2. Supplying digital services alone does not meet the bar. You qualify as Category 2 only when all three thresholds apply together. Most early-stage and mid-sized suppliers are Category 3, and that is the right place to start.
The NHS is a large buyer that gates its market on assurance. A completed DSPT at Standards Met is one of the conditions that move a supplier from outside that market to eligible to win work inside it. The growth comes from four practical mechanisms.
A current submission clears the contract. When a buyer is required to check your toolkit status before signing, a submission at Standards Met removes the blocker. Without it, the contract stalls on a condition you cannot satisfy after the fact.
Gated NHS work opens up. Holding the DSPT, and for digital health products the related assessments buyers ask for, is the entry condition for NHS work. It is the difference between bidding and being unable to bid.
It shortens due diligence. A current, exportable submission answers the data-security part of a buyer's assurance up front. The submission status is also publicly searchable, so a commissioner or procurement lead can verify your Standards Met record by name before they sit down with you. Onboarding moves faster when the proof is already on record.
Trust compounds over time. A maintained Standards Met record is a standing signal to every future NHS buyer. The evidence behind it is reusable across the other standards those buyers ask for, so each added framework costs less than the last.
The DSPT proves your data security to the NHS standard. It is rarely the only assurance a buyer wants. NHS DTAC is the assessment buyers apply to digital health technology before they procure it, covering clinical safety, data protection, technical security, interoperability and usability. DCB 0129 is the clinical risk management standard that manufacturers of health IT systems must meet under section 250 of the Health and Social Care Act 2012.
Buyers commonly ask for these together, because each answers a different part of the same assurance question. Evidence proven for one standard supports another. An ISO 27001 certificate scoped to the relevant data processing supports applicable DSPT items, and Cyber Essentials supports the cyber-hygiene controls. Treating them as one connected body of evidence, rather than separate projects, is what keeps the cost of NHS readiness in check.
The path is straightforward in shape, even where the detail takes work. You register your organisation on the toolkit, work through the assertions and evidence items mapped to the National Data Guardian's standards, and submit your assessment. Category 2 suppliers book the mandatory independent assessment as part of that. The goal is a published Standards Met record, maintained year on year, because the toolkit is an annual commitment rather than a one-off.
This is where Naq runs the NHS Data Security and Protection Toolkit alongside the other standards NHS buyers ask for, including DTAC, DCB 0129, ISO 27001, Cyber Essentials and GDPR, with in-house Clinical Safety Officers and virtual DPOs where a framework needs specialist judgement. Because the standards run as one connected system, evidence proven once is reused across every framework it maps to, so a buyer's assurance check becomes an export rather than a fresh project each time.
The Data Security and Protection Toolkit is an annual online self-assessment published by NHS England. It lets an organisation measure and publish its performance against the National Data Guardian's 10 data security standards. It replaced the Information Governance Toolkit in April 2018.
The toolkit applies to every organisation with access to NHS patient data and systems, including suppliers, data processors and joint controllers. NHS organisations are required to check that their suppliers have completed it before contracting, so for a company selling to the NHS it is a condition of doing business.
Yes, for organisations handling NHS data. Completion is a contractual requirement under the NHS England Standard Conditions contract and is the standard route for using national systems such as NHSmail and the e-Referral Service.
A supplier is Category 2 (IT Supplier) only if it meets all three thresholds: 50 or more staff, £10m or more turnover, and it supplies digital goods or services to the NHS or care. Category 2 must complete an independent assessment. Suppliers that do not meet all three are Category 3 (Other), which is the more common case for smaller suppliers.