
NHS Supply Chain and DSPT 2025–26 Updates – How to Stay Compliant and Competitive Now

The NHS Data Security and Protection Toolkit (DSPT) for 2025–26 (version 8) is now live, introducing what are described as “minor changes.” However, NHS Supply Chain is adopting UK Government Procurement Policy Note 014 (PPN 014), which now mandates Cyber Essentials Plus certification for suppliers who process or handle personal data, including data related to staff or suppliers, or who deliver IT or digital products and services.

 

What’s Changed in DSPT 2025–26?

Although the updates in version 8 of the DSPT are officially labelled as “minor,” they reflect a maturing approach to data protection. Submissions must now align with revised expectations, and this may require organisations to update documentation or strengthen certain practices. The deadline for submitting your DSPT is expected to be 30th June 2026.

NHS Supply Chain Tightens Compliance Expectations

These developments show a clear trajectory: the NHS is strengthening its cyber resilience and increasing its compliance expectations across its supply chain. A key part of this is the new requirement for Cyber Essentials Plus certification under Procurement Policy Note 014 (PPN 014).

If your organisation handles NHS data or delivers digital health services, achieving and maintaining Cyber Essentials Plus will now be essential—not just for compliance, but also for securing future contracts and protecting your reputation.

What Is Cyber Essentials Plus and Why Is It Now Required?

The biggest update is the mandatory Cyber Essentials Plus certification for in-scope NHS suppliers. Unlike form-based schemes, this accreditation requires a hands-on technical review and yearly renewal. It’s designed to confirm that your organisation has implemented and actively tests the five essential cybersecurity controls in real-world conditions.

These controls include demonstrating a secure internet connection via robust firewalls, applying secure settings to all systems and devices, managing user access effectively to restrict unauthorised entry, ensuring systems are protected against viruses and malware, and regularly applying updates and patches to prevent vulnerabilities.

The introduction of this requirement signals that cybersecurity is now central to contract eligibility.


Who Needs to Act?

IT suppliers delivering digital services to the NHS will need to ensure their DSPT submission meets the updated standards and that they have achieved or are on the path to Cyber Essentials Plus certification.

Suppliers to the NHS, especially those handling personal data or providing IT systems, must now be certified under Cyber Essentials Plus. This requirement is being enforced under PPN 014 and represents a significant shift in supplier expectations.


How Can You Prepare?

Start by reviewing the DSPT change log published on the official site. Cross-reference the updates with your existing DSPT submission to identify any gaps or updates required. If you're unsure whether your organisation falls under the scope of the Cyber Essentials Plus requirement, now is the time to perform a readiness assessment or gap analysis.

You should also prepare for the certification process if necessary. This will likely involve enhancing your technical controls, documenting processes, and arranging for an external audit.

You can book a strategy call with us where we can help you understand what you may or may not be required to do, as well as walk you through the process for an external DSPT Audit and Cyber Essentials.


Compliance Can Be Your Competitive Advantage

Rather than viewing these requirements as burdens, use them as a way to stand out. Demonstrating compliance with Cyber Essentials Plus and submitting a DSPT positions you well to work with the NHS and shows that you take patient data seriously, operate securely, and are a reliable partner.

Digital health providers that embrace these requirements will find themselves better positioned in NHS tenders, more resilient to cyber threats, and trusted by both customers and investors.

If you’d like support, Periculo offers DSPT audits and readiness assessments to help you stay on track. Book a call today and take the first step toward a smoother, more secure 2025–26.
