DSPT v8 Compliance IT Services for Healthcare Organisations

The Data Security and Protection Toolkit deadline is 30 June 2026. We help healthcare providers meet all 10 National Data Guardian standards and submit with confidence.

Key Requirements

10 National Data Guardian Standards

Your organisation must demonstrate compliance across all 10 NDG standards covering leadership, staff training, data security processes, incident response, and technology controls. Version 8 increases governance expectations significantly.

Senior Officer Accountability

DSPT v8 requires a senior officer to actively own and direct your organisation's security approach, with regular documented discussions about data security across the whole organisation.

Digital Asset Register

Category 3 organisations must maintain a digital asset register recording all hardware and software. This means knowing every device, every application, and every data store across your organisation.

Multi-Factor Authentication

NHS England mandates MFA on all remote user access and on all privileged accounts accessing cloud-hosted or SaaS applications. Microsoft's analysis of its own tenant telemetry found that MFA blocks over 99.9% of automated account-compromise attempts, which is why it is treated as non-negotiable. The qualifier matters: SMS codes and push approvals can still be phished or "fatigued" in real time, so privileged accounts are best protected with phishing-resistant factors such as FIDO2 security keys or passkeys.

Cyber Assessment Framework Alignment

DSPT v8 is transitioning to align with the NCSC's Cyber Assessment Framework, raising the bar for incident detection, response capability, supply chain security, and lawful data sharing.

Cyber Essentials Plus Certification

NHS Supply Chain now mandates Cyber Essentials Plus under PPN 014 for suppliers handling personal data. This is a separate requirement from DSPT — both must be completed independently.

Why DSPT v8 Is Different

The Data Security and Protection Toolkit has been the NHS’s primary data security assurance mechanism since it replaced the Information Governance Toolkit. But version 8 represents a real step change. Released on 1 September 2025 with a submission deadline of 30 June 2026, it brings healthcare data security requirements closer to the rigour expected of financial services regulation.

The key shift is from compliance as documentation to compliance as operational discipline. DSPT v8 doesn’t just ask whether you have policies — it asks whether a named senior officer actively owns your security approach, whether you can evidence regular security discussions at leadership level, and whether your incident detection and response capabilities are genuinely effective.

If you’ve been treating DSPT as an annual tick-box exercise, version 8 will require a fundamentally different approach. Our healthcare IT support is built around making compliance operational, not aspirational.

The 10 National Data Guardian Standards

The DSPT maps to the National Data Guardian’s 10 data security standards. Each standard has specific assertions that your organisation must evidence:

Leadership and Culture — A named senior officer must own data security. Staff must receive annual data security awareness training. Security must be discussed regularly at leadership level, not relegated to an IT function.

Data Security Processes — Access to patient data must follow the principle of least privilege. Role-based access controls must be implemented and reviewed. Data sharing must be lawful, appropriate, and documented.

Technology Controls — Firewalls, malware protection, secure configuration, patch management, and encryption must be in place. Multi-factor authentication is mandatory for remote access and privileged accounts. Backups must be encrypted, tested, and stored securely.

Incident Management — You must be able to detect, respond to, and report security incidents. Near-miss reporting must be encouraged. Lessons learned must feed back into your security improvement programme.

The Cyber Essentials Plus Dimension

NHS Supply Chain’s adoption of Procurement Policy Note 014 has added a parallel compliance requirement. Cyber Essentials Plus certification is now mandatory for suppliers who handle personal data or deliver IT and digital services to the NHS.

The five Cyber Essentials controls — firewalls, secure configuration, access control, malware protection, and software updates — overlap significantly with DSPT technical requirements. But achieving CE+ doesn’t exempt you from DSPT, and vice versa. Both must be completed separately.

The April 2026 update to Cyber Essentials Plus assessment criteria adds further considerations for organisations planning certification. We coordinate both certification pathways to avoid duplicated effort and ensure your organisation meets both requirements on schedule.

The Synnovis Wake-Up Call

The Synnovis ransomware attack in June 2024 was the most significant cyber attack on NHS services in recent years. Synnovis, a pathology provider serving Guy's and St Thomas' and King's College Hospital NHS Foundation Trusts and GP practices across south-east London, was compromised, and laboratory services were disrupted for months. Thousands of outpatient appointments and elective procedures were postponed, blood test results were delayed, and clinical decision-making was impacted. The attackers also exfiltrated and published patient data, so the incident was a data breach as well as an availability failure.

DSPT v8 increases supply chain security requirements directly in response to incidents like Synnovis. Your organisation must now demonstrate that you assess the data security practices of your suppliers and that your incident response plans account for supply chain disruptions.

This isn’t theoretical risk. It happened in London, to NHS services, within the last two years.

How Nerdster Delivers DSPT-Ready IT

We don’t sell DSPT compliance as a consultancy project separate from your IT management. Compliance is built into how we run your infrastructure:

Your digital asset register is maintained automatically through our endpoint management and monitoring platform. MFA is deployed and enforced as standard. Patch management follows a documented cycle. Backups are encrypted, tested, and stored in geographically separated locations. Access controls follow least-privilege principles and are reviewed quarterly.
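The asset-register requirement above ("knowing every device, every application, and every data store") only has teeth if the register is reconciled against what is actually on the network. The following added example is not Nerdster's tooling and is not a format the DSPT prescribes; it assumes three CSV exports with the column layouts shown (an MDM enrolment list, a network scan with a last-seen date, and a software inventory), all of which are constructed sample data with a hypothetical application name, and shows the three checks a practitioner would run: devices seen on the network but not enrolled, enrolled devices that have gone quiet, and hosts below an agreed software version baseline.

```python
"""Reconcile a digital asset register from three inventory feeds and flag the gaps.

Added illustration only: the feeds below are constructed sample exports, not
real practice data, and the column layout is an assumption about whatever
endpoint-management and network-scan tools an organisation actually uses.
"""
from __future__ import annotations

import csv
from dataclasses import dataclass, field
from datetime import date
from io import StringIO

# Constructed sample export from an endpoint management (MDM) platform.
MDM_EXPORT = """hostname,serial,os,owner
GP-RECEP-01,SN1001,Windows 11,reception
GP-NURSE-02,SN1002,Windows 11,nursing
GP-DR-03,SN1003,macOS 14,dr.example
GP-LAPTOP-04,SN1004,Windows 11,practice.manager
"""

# Constructed sample network scan; a blank hostname means the device answered
# on the network but identified itself with no name.
NETWORK_SCAN = """ip,mac,hostname,last_seen
10.0.1.10,AA:BB:CC:00:00:01,GP-RECEP-01,2026-03-02
10.0.1.11,AA:BB:CC:00:00:02,GP-NURSE-02,2026-03-02
10.0.1.12,AA:BB:CC:00:00:03,GP-DR-03,2026-03-01
10.0.1.40,AA:BB:CC:00:00:40,PRINTER-OLD,2026-03-02
10.0.1.41,DE:AD:BE:EF:00:41,,2026-03-02
"""

# Constructed sample software inventory ("ClinicalRecordClient" is hypothetical).
SOFTWARE_INVENTORY = """hostname,software,version
GP-RECEP-01,ClinicalRecordClient,7.2.1
GP-NURSE-02,ClinicalRecordClient,7.1.0
GP-DR-03,ClinicalRecordClient,7.2.1
"""

# Date the sample report is run against (constructed, matches the scan dates).
REPORT_DATE = date(2026, 3, 2)


@dataclass
class Asset:
    hostname: str
    managed: bool = False                 # enrolled in the endpoint management platform
    serial: str = ""
    os: str = ""
    owner: str = ""
    ip: str = ""
    mac: str = ""
    last_seen: date | None = None         # last time the network scan observed it
    software: dict[str, str] = field(default_factory=dict)  # name -> installed version


def _rows(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(StringIO(text.strip())))


def build_register(mdm_csv: str, scan_csv: str, software_csv: str) -> dict[str, Asset]:
    """Merge the feeds into one register keyed by hostname (or MAC when nameless)."""
    register: dict[str, Asset] = {}
    for r in _rows(mdm_csv):
        register[r["hostname"]] = Asset(r["hostname"], managed=True, serial=r["serial"],
                                        os=r["os"], owner=r["owner"])
    for r in _rows(scan_csv):
        key = r["hostname"] or r["mac"]   # nameless devices are still tracked, by MAC
        asset = register.setdefault(key, Asset(key))
        asset.ip, asset.mac = r["ip"], r["mac"]
        asset.last_seen = date.fromisoformat(r["last_seen"])
    for r in _rows(software_csv):
        register.setdefault(r["hostname"], Asset(r["hostname"])).software[r["software"]] = r["version"]
    return register


def unmanaged_devices(register: dict[str, Asset]) -> list[str]:
    """Seen on the network but not enrolled: the devices a register must not miss."""
    return sorted(h for h, a in register.items() if a.ip and not a.managed)


def stale_assets(register: dict[str, Asset], today: date, max_days: int = 30) -> list[str]:
    """Enrolled but not observed recently: possibly lost, or retired without a record."""
    return sorted(h for h, a in register.items()
                  if a.managed and (a.last_seen is None or (today - a.last_seen).days > max_days))


def _version(v: str) -> tuple[int, ...]:
    return tuple(int(part) for part in v.split("."))


def software_below_baseline(register: dict[str, Asset],
                            baseline: dict[str, str]) -> list[tuple[str, str, str]]:
    """Hosts running an application older than the agreed minimum version."""
    findings = []
    for host, asset in sorted(register.items()):
        for name, installed in asset.software.items():
            if name in baseline and _version(installed) < _version(baseline[name]):
                findings.append((host, name, installed))
    return findings


if __name__ == "__main__":
    reg = build_register(MDM_EXPORT, NETWORK_SCAN, SOFTWARE_INVENTORY)
    print("Unmanaged on network :", unmanaged_devices(reg))
    print("Enrolled but stale   :", stale_assets(reg, REPORT_DATE))
    print("Below patch baseline :", software_below_baseline(reg, {"ClinicalRecordClient": "7.2.0"}))
```

Run against the sample data, the script reports an old printer and a nameless device that the management platform knows nothing about, a laptop that is enrolled but has not been seen on the network, and one workstation below the application baseline. Those three lists are the evidence an assessor actually wants behind "we maintain a register": not the spreadsheet, but proof that it is compared to reality and that the discrepancies are worked.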

When your annual DSPT submission is due, the evidence already exists because it is a natural output of properly managed IT. We compile the submission, identify any gaps requiring attention, and coordinate the process with your Data Protection Officer or Senior Information Risk Owner (SIRO).

For healthcare organisations that want data security to be an operational reality rather than an annual panic, we provide the infrastructure, the cybersecurity expertise, and the ongoing management to make that happen.

FAQ

Frequently asked questions

Who needs to complete the DSPT?

Every organisation that has access to NHS patient data or NHS systems must complete the DSPT annually. This includes GP practices, dental practices, pharmacies, specialist clinics, care homes, NHS trusts, and any supplier or subcontractor that processes NHS data. If you connect to HSCN or use national services provided by NHS England (formerly NHS Digital), you need a current DSPT submission.

What is new in DSPT v8?

Version 8 was released on 1 September 2025 with a submission deadline of 30 June 2026. Key changes include increased governance requirements with mandatory senior officer accountability, digital asset register requirements for Category 3 organisations, alignment with the Cyber Assessment Framework, and increased focus on supply chain security, incident detection, and lawful data sharing.

How does DSPT relate to Cyber Essentials Plus?

DSPT and Cyber Essentials Plus have overlapping controls but are separate requirements. Both cover firewalls, access control, malware protection, secure configuration, and patch management. However, NHS Supply Chain now mandates CE+ separately under PPN 014, and achieving one does not exempt you from the other. We map shared controls to help you achieve both certifications efficiently.

What is the Synnovis breach and why does it matter for DSPT?

In June 2024, Synnovis — a pathology services provider to London NHS trusts — suffered a ransomware attack that disrupted laboratory services across multiple hospitals for months. It demonstrated how supply chain vulnerabilities can impact clinical operations at scale. DSPT v8 increases supply chain security requirements directly in response to incidents like this.

How long does DSPT compliance take?

For a GP practice or small clinic, a structured DSPT readiness programme takes 6-10 weeks covering gap analysis, policy development, staff training, technical controls, and submission support. Multi-site healthcare organisations or NHS trusts typically require 3-6 months. We recommend starting no later than March 2026 to meet the June deadline comfortably.

Can Nerdster manage our ongoing DSPT compliance?

Yes. DSPT is an annual submission, not a one-off exercise. Our managed IT service includes continuous compliance management: maintaining your digital asset register, delivering staff security awareness training, managing technical controls, monitoring for incidents, and preparing your annual DSPT submission. Compliance becomes a byproduct of how your IT is managed.

Need compliance guidance?

Book a free compliance review and we'll assess your readiness against the latest requirements.