NHS DSPT 2025-26: Guide for Category 2 IT Suppliers
For Category 2 IT suppliers providing critical services to the NHS, the Data Security and Protection Toolkit (DSPT) 2025-26 brings changes that could directly impact your business.
We'll break down everything you need to know about new requirements, mandatory audits, and how to ensure your organisation meets the enhanced standards.
Understanding Your Position as a Category 2 IT Supplier
Understanding Your Category
NHS England uses specific DSPT evidence categories to distinguish organisations based on their role and risk level. If your company delivers essential IT systems, platforms, infrastructure, or software used by the NHS — and meets the criteria of 50+ staff and £10 million+ turnover — then you are classified as a Category 2 IT Supplier.
Importantly, this DSPT Category 2 designation is not the same as being an Operator of Essential Services (OES) under the NIS Regulations. OES status is determined separately by the Department of Health and Social Care (DHSC) and only applies to a select list of independently notified organisations. For DSPT v8, you should understand yourself as a Category 2 IT supplier — and this blog focuses entirely on that group.
What's New for IT Suppliers in DSPT 2025–26?
There are two key requirements that IT Suppliers must plan for in this DSPT cycle: the reaffirmed mandatory independent audit and the new interim baseline submission deadline.
Independent Audits
The requirement for independent audits remains a core expectation for 2025–26. IT Suppliers must complete a DSPT audit conducted by an accredited external assessor. This is an in-depth process. Auditors will review and assess your submitted evidence, may conduct interviews with your team, and can perform technical validation such as penetration testing, analysis of system logs, or configuration reviews where relevant.
The focus is not just on having the right documents or policies—it’s about demonstrating real, active compliance. Generalised or outdated evidence will not meet the standard. You must provide clear, specific proof that your security and data protection practices are implemented and embedded across your organisation.
What the Audit Will Cover
The independent DSPT audit is comprehensive. It will begin with a thorough review of your submitted evidence, ensuring all documentation is accurate, up to date, and demonstrably implemented. Auditors may also conduct interviews with your technical, operational, and senior staff to assess whether they understand and follow the relevant procedures.
In addition, technical validation could include configuration reviews, penetration testing results, or analysis of log data and system alerts. The audit isn't only about what's on paper; it's about what's actually happening across your organisation.
What Evidence Is Required?
IT suppliers must submit individual evidence items, the majority of which are mandatory. These span several core areas:
- Technical controls, such as network segmentation, endpoint security, vulnerability management, and access control.
- Governance and risk, including security policies, risk assessments, incident response plans, and third-party risk management.
- Data protection and privacy, covering data sharing agreements, DPIAs, consent mechanisms, and breach response processes.
- Operational security, such as security training, physical access controls, change management, and monitoring processes.
The documentation must be accurate, clearly labelled, version-controlled, and directly mapped to DSPT requirements. NHS England has made clear that generic policies or tick-box submissions are no longer acceptable.
Future-Proofing: Preparing for CAF Alignment
While Category 2 suppliers are not currently required to adopt the Cyber Assessment Framework (CAF) — which applies to Category 1 organisations — NHS England has indicated that broader adoption could be on the horizon.
To stay ahead, many IT suppliers are already aligning their security frameworks with models such as NIST, ISO/IEC 27001:2022, CIS Controls, and Cyber Essentials Plus. Preparing for CAF alignment now will reduce a future burden and signal a strong maturity level to both NHS and commercial partners.
5 Steps to Prepare (Before December 2025)
1. Appoint a dedicated DSPT lead — someone with both NHS-specific knowledge and cyber security expertise. This may be your CISO, DPO, or an external partner like Periculo.
2. Conduct a detailed gap analysis — assess how your current posture compares against the full v8 DSPT requirements and identify gaps in documentation, technical controls, and governance.
3. Implement missing controls — fix what's missing or out of date, and ensure staff are trained and systems are monitored effectively.
4. Prepare audit-ready evidence — make sure every document is clear, current, and linked directly to a requirement. Use implementation evidence where possible (e.g. logs, screenshots, system outputs).
5. Run a mock audit — simulate the real thing with internal or third-party support to catch any issues early.
Get Support from Periculo
If you’re a Category 2 IT Supplier facing a mandatory audit and new interim submission deadline, Periculo can support every step of the process. We offer:
- Full DSPT gap analysis and remediation planning
- Technical control implementation and governance design
- Audit-ready documentation preparation
- Mock audits and evidence reviews
- Final delivery of your independent audit
The NHS DSPT 2025-26 requirements for IT suppliers represent a significant step up in expectations, but they also reflect the critical importance of your services to the NHS.
Book a Call or Contact Us to find out more...