Skip to content
All posts

The NHS DSPT Deadline Has Passed

Here's What Happens Next

The 30 June deadline for the 2025-26 NHS Data Security and Protection Toolkit has passed. If you're a Category 2 IT supplier 50+ staff or £10M+ turnover, classified as an Operator of Essential Services under NIS, and you haven't published, you're not locked out.

You can still submit. But because Category 2 status comes with a mandatory independent audit against the CAF-aligned assertions, "just submit late" isn't always straightforward.

What changes the moment the deadline passes

Once 30 June ticks over without a published toolkit, your status on the public DSPT register automatically drops to "Standards Not Met." For a Category 2 supplier, that carries specific consequences:

  • You're in breach territory. DSPT completion is a contractual requirement under NHS Standard Contract Clause 21.2. NHS commissioners are technically in breach themselves if they continue using a supplier without a compliant DSPT status, which means they have a direct incentive to pause or terminate rather than wait for you.
  • Procurement and renewals stall. New contract signings, renewals, and DTAC approvals for any digital health products you supply can all be paused until your status resolves.
  • Your NIS exposure doesn't pause. As an OES-designated supplier, NIS Regulations penalties (up to £17 million) can apply for inadequate security measures alone, independent of whether a breach actually occurs. A lapsed DSPT is exactly the kind of gap NHS England and regional security leads now flag in supplier reviews.

None of this happens instantly or uniformly across every contract, but NHS England has been explicit that "Standards Not Met" is being checked in procurement and supplier assurance reviews.

The two ways back

Which pathway applies depends on where your independent audit and evidence actually stand.

1. Submit with an Improvement Plan → "Approaching Standards"

If most of your CAF-aligned assertions are evidenced but you're waiting on specific items' audit sign-off, remediation of a finding, or an outstanding control, you publish what you have alongside a formal improvement plan with specific completion dates. Plans without dates, or with dates pushed unrealistically far out, get rejected by NHS England's DSPT team on review.

Plans are reviewed through July and August by the DSPT team working with Regional Security Leads and the Joint Cyber Unit. If accepted, your status moves to "Approaching Standards," which keeps most contracts and procurement live while you finish the work. You then report progress at checkpoints on 30 September and 31 December, and once every action closes out, status updates to "Standards Met."

2. Complete the full submission → "Standards Met"

If your independent audit is done and your evidence is genuinely complete, the toolkit just wasn't published in time to finish and publish it in full. Once processed, your status updates to "Standards Met" and the compliance flag against your organisation clears.

For Category 2 suppliers specifically, this route only works if your independent audit has actually concluded. If it hasn't, the Improvement Plan is very likely your real option, whatever the evidence gaps look like on paper.

What to do

  1. Check your recorded status on the DSPT portal. Don't assume; confirm it directly.
  2. Establish exactly where your independent audit stands. This is the gating item for Category 2 suppliers and determines which of the two pathways is actually available to you.
  3. If you're building an Improvement Plan, get the dates right first time. A rejected plan costs you a full extra review cycle you don't have room for before the September checkpoint.
  4. Flag this to whoever owns your NHS contracts commercially.  Procurement teams are checking DSPT status now, not at renewal.

Where this gets harder

The two-pathway system is simple to describe and harder to execute when you're the one deciding whether your audit evidence actually clears the CAF-aligned bar, or whether NHS England will accept your improvement plan on first submission.

We audit Category 2 IT suppliers against DSPT and see the same gaps repeatedly: MFA not enforced across every privileged account, penetration testing that's lapsed past 12 months, or evidence that exists somewhere in the business but isn't documented in the form the toolkit requires.

If you've missed the deadline and aren't sure which pathway fits, talk to us. We'll look at where your audit and evidence actually stand and tell you plainly whether a late full submission is realistic or whether you need a defensible improvement plan.