NHS DSPT 2025-26: Audit Requirements, Exemptions and 11 Mandatory Controls
The 2025-26 DSPT Is Live — Here’s What You Need to Know
The Data Security and Protection Toolkit (DSPT) for 2025-26 (version 8) is now live.
Every organisation that handles NHS or adult social care data must complete its annual self-assessment by 30 June 2026.
This year’s version brings a major shift: IT Suppliers must complete an independent audit covering 11 key cybersecurity and governance areas.
If you supply digital products or services to the NHS, this update directly affects your compliance obligations.
What’s Changed in Version 8
While the DSPT framework still covers the familiar pillars of governance, training, and technical controls, NHS England has introduced audited verification for higher-risk suppliers.
The goal is to ensure organisations demonstrate evidence-based security rather than simple form-filling.
The new requirement helps raise assurance levels across the health and care supply chain, ensuring the systems processing sensitive data are genuinely secure and well-managed.
Who Needs a DSPT Audit
If your organisation supplies digital software or hardware to the NHS or care sector and meets both criteria below, you’re classed as an IT Supplier:
- 50 or more employees, and
- an annual turnover above £10 million
As an IT Supplier, you’ll now need an independent audit that verifies your compliance with 11 mandated assertions.
If you provide digital services but do not meet both thresholds, you should remain under the “Other” sector category, covering smaller companies, charities, and NHS business partners.
This distinction is crucial, as only IT Suppliers are subject to the audit requirement.
The 11 Mandatory Audit Assertions
Each assertion corresponds to a critical control area within cybersecurity, governance, and resilience.
The table below summarises the focus for each:
| Assertion No. | Theme | Focus |
|---|---|---|
| 1.3 | Governance | Accountability and oversight for data protection and security |
| 4.2 | Access Control | Identity and access management for systems and networks |
| 4.4 | Privileged Access | Strict management of admin and elevated permissions |
| 6.1 | Incident Reporting | Confidential system for reporting breaches and near misses |
| 6.3 | Vulnerability Management | Addressing NHS Digital advisories and learning from past incidents |
| 7.2 | Continuity Testing | Regular testing of continuity and disaster recovery plans |
| 7.3 | Incident Response | Capability to enact and contain incidents effectively |
| 8.3 | Patch Management | Keeping all supported systems fully up-to-date |
| 8.4 | Network Defence | Managing vulnerabilities to prevent disruption |
| 9.3 | System Security | Protecting key systems from exploitation |
| 9.6 | Firewall Management | Maintaining a well-managed firewall infrastructure |
| 10.1 | Supplier Assurance | Documenting all suppliers, contracts, and durations |
(Note: Assertions 9.3 and 9.6 are grouped under network security controls.)
If your organisation already holds Cyber Essentials Plus (CE+) or ISO 27001 certification, some evidence items may be exempt from additional auditing.
However, you must confirm that the certification’s scope covers all health and care data you process.
Why the DSPT Audit Matters
Independent verification represents a significant shift in how NHS England expects suppliers to demonstrate trustworthiness.
This isn’t just about compliance; it’s about confidence.
An external DSPT audit helps:
- Expose security blind spots in access, network, and supplier management
- Reassure NHS customers that your security practices meet national expectations
- Reduce duplication, aligning DSPT evidence with CE+ and ISO 27001 controls
- Build credibility for tenders, bids, and framework renewals
For IT Suppliers, the message is clear: auditable assurance is now a prerequisite for NHS trusts.
Preparing for Your 2025-26 Assessment
Early preparation is key to avoiding last-minute stress.
Here’s how to stay ahead of the June 2026 deadline:
- Review your 2024-25 submission — identify evidence gaps and outdated policies.
- Confirm your sector classification under Organisation Profile.
- Map your audit scope against the 11 mandatory assertions now.
- Update documentation for continuity, incident response, and supplier assurance.
- Align with CE+ or ISO 27001 if applicable — this can reduce duplication.
- Schedule your audit early to avoid end-of-year bottlenecks.
- Assign ownership — designate internal leads for each evidence area.
Beyond Compliance: Building Resilience
The new DSPT audit approach highlights a wider industry trend: proactive resilience over reactive compliance.
By embedding real-world testing and external validation, health and care suppliers can better withstand the growing threat landscape from ransomware attacks to supply-chain compromise.
Organisations that treat DSPT as a live security framework rather than an annual checkbox exercise gain faster recovery capabilities, reduced incident impact, and higher procurement confidence.
How Periculo Can Help
At Periculo, we help digital-health suppliers and NHS partners prepare, assess, and improve their DSPT readiness.
Our team can support you at every stage from pre-audit preparation to independent verification and evidence mapping.
We offer:
- Independent DSPT audits aligned to the 11 mandatory assertions
- Cross-mapping with ISO 27001 and Cyber Essentials Plus to reduce duplication
- Incident-response and continuity testing support
- Gap analysis and remediation planning to strengthen assurance
If your organisation processes NHS or care data, now’s the time to plan your 2025-26 assessment.
Don’t wait for the deadline — start securing your evidence base today.
Book a DSPT Review with Periculo to help you navigate the audit process with confidence and ensure your organisation stays fully compliant before June 2026.