
NHS DSPT Audits: What to Expect in 2026 and Beyond

What Could the Future Hold for the NHS DSPT?

The NHS Data Security and Protection Toolkit (DSPT) has long been central to cyber assurance in the health sector. Yet the changes introduced in 2024–25, most notably the alignment with the Cyber Assessment Framework (CAF) and the introduction of mandatory independent external audits, may prove to be just the beginning of a far larger transformation.

As we look towards 2026, NHS England’s cyber security strategy hints at broader audit requirements, deeper standards, and stronger assurance. But what might this actually mean in practice for IT suppliers? Here, we speculate on what could be coming next.


Could Independent Audits Expand Further?

Who’s in scope now
Currently, independent DSPT audits are compulsory for:

  • NHS Trusts, Integrated Care Boards, and Commissioning Support Units

  • Arm’s Length Bodies

  • Operators of Essential Services (OES)

  • Large IT suppliers handling NHS patient data (typically 50+ staff and £10m+ turnover)

Who could be added in 2025–26
It seems increasingly likely that smaller digital health companies, start-ups, or even niche suppliers could be drawn into the net. NHS England’s long-term cyber strategy points towards DSPT becoming an across-the-board standard, rather than something only major players need to worry about.

Possible implications
If this expansion materialises, suppliers who treat DSPT as a “box-ticking exercise” may struggle. Voluntary audits in 2025 could become the differentiator between those who are contract-ready and those who face last-minute disruption when requirements catch up with them.


A CAF Roadmap That Keeps Evolving

CAF isn’t a simple update; it’s a structural shift. Its focus on Identify, Protect, Detect, Respond, and Recover signals a move away from yes/no compliance and towards outcomes.

Why this matters
Suppliers might soon be assessed less on what they say they do and more on how well they can prove it works. By 2026, we could see:

  • Annual CAF refreshes baked directly into DSPT, forcing suppliers to continually adapt.

  • Sector-specific CAF profiles, tailored to health and care, making assurance more granular.

  • Stronger scrutiny of supply chains, extending expectations beyond the prime contractor.

The direction of travel suggests CAF will dominate the next decade of assurance, so suppliers that embed its principles early may avoid future shocks.


Tougher Audits

The independent audit process itself could evolve rapidly. Instead of verifying policy documents, auditors may increasingly probe whether controls are effective in the real world.

We might see audit testing:

  • Supply chain resilience – asking not only if you vet third parties, but how quickly you could respond if one is compromised.

  • Identity and access management maturity – going beyond MFA adoption, to review privilege escalation pathways.

  • Incident response rehearsals – requiring evidence of live simulations or tabletop exercises.

  • Cyber culture – measuring whether staff training translates into behaviour change.

This shift could mark the end of “paper compliance”. Suppliers might need to evidence live, ongoing assurance activities rather than annual paperwork refreshes.


Preparing for the Next Wave of DSPT Obligations

Five practical steps suppliers can take now

Digital health IT suppliers can prepare for 2026 by treating DSPT as a strategic programme rather than an annual exercise:

  1. Adopt CAF early: Map your current controls to CAF objectives and address any gaps.

  2. Undertake a voluntary audit: Even if not mandated, this will highlight weaknesses before requirements expand.

  3. Invest in governance: Ensure policies are lived across the organisation and supported at board level.

  4. Strengthen supplier oversight: NHS England is increasingly focused on supply chain assurance.

  5. Plan improvement roadmaps: Use audit findings to build a culture of continuous improvement.

Need help preparing? Explore our DSPT audit services to ensure you are ready for the 2026 submission deadline.


Why Proactivity Matters

NHS England’s direction is clear: broader audit coverage, stronger CAF alignment, and more rigorous assurance.

For IT suppliers, the risks of delay include losing contracts, restricted access to NHS systems, or reputational damage. Conversely, the opportunities for proactive organisations are substantial. Suppliers who act early will:

  • Build greater trust with NHS partners

  • Gain an advantage in tenders and bids

  • Improve resilience against real-world cyber threats

The future of DSPT audits will be defined by expansion, depth, and maturity. By 2026, more organisations could be required to undergo audits, CAF will be fully embedded, and compliance will be assessed on effectiveness rather than paperwork.

For digital health IT suppliers, the message is clear: begin preparing today. By 2026, those who act now will stand apart as trusted, audit-ready partners in the NHS ecosystem.
