The 30 June deadline for the 2025-26 NHS Data Security and Protection Toolkit has passed. If you're a Category 2 IT supplier 50+ staff or £10M+ turnover, classified as an Operator of Essential Services under NIS, and you haven't published, you're not locked out.
You can still submit. But because Category 2 status comes with a mandatory independent audit against the CAF-aligned assertions, "just submit late" isn't always straightforward.
Once 30 June ticks over without a published toolkit, your status on the public DSPT register automatically drops to "Standards Not Met." For a Category 2 supplier, that carries specific consequences:
None of this happens instantly or uniformly across every contract, but NHS England has been explicit that "Standards Not Met" is being checked in procurement and supplier assurance reviews.
Which pathway applies depends on where your independent audit and evidence actually stand.
1. Submit with an Improvement Plan → "Approaching Standards"
If most of your CAF-aligned assertions are evidenced but you're waiting on specific items' audit sign-off, remediation of a finding, or an outstanding control, you publish what you have alongside a formal improvement plan with specific completion dates. Plans without dates, or with dates pushed unrealistically far out, get rejected by NHS England's DSPT team on review.
Plans are reviewed through July and August by the DSPT team working with Regional Security Leads and the Joint Cyber Unit. If accepted, your status moves to "Approaching Standards," which keeps most contracts and procurement live while you finish the work. You then report progress at checkpoints on 30 September and 31 December, and once every action closes out, status updates to "Standards Met."
2. Complete the full submission → "Standards Met"
If your independent audit is done and your evidence is genuinely complete, the toolkit just wasn't published in time to finish and publish it in full. Once processed, your status updates to "Standards Met" and the compliance flag against your organisation clears.
For Category 2 suppliers specifically, this route only works if your independent audit has actually concluded. If it hasn't, the Improvement Plan is very likely your real option, whatever the evidence gaps look like on paper.
The two-pathway system is simple to describe and harder to execute when you're the one deciding whether your audit evidence actually clears the CAF-aligned bar, or whether NHS England will accept your improvement plan on first submission.
We audit Category 2 IT suppliers against DSPT and see the same gaps repeatedly: MFA not enforced across every privileged account, penetration testing that's lapsed past 12 months, or evidence that exists somewhere in the business but isn't documented in the form the toolkit requires.
If you've missed the deadline and aren't sure which pathway fits, talk to us. We'll look at where your audit and evidence actually stand and tell you plainly whether a late full submission is realistic or whether you need a defensible improvement plan.