DSPT v8 (2025/26): The Complete Change Log and What Small Providers Need to Do Differently
DSPT v8 — the 2025/26 version of the Data Security and Protection Toolkit — is the biggest structural change to the toolkit in several years. NHS England aligned it with the National Cyber Security Centre's Cyber Assessment Framework (CAF), restructured how assertions and evidence are organised, and rewrote much of the supporting documentation.
For small providers — care homes, pharmacies, dental practices, opticians, GP practices — the volume of work is broadly similar to v7, but the shape of the work has changed. This guide walks through what is actually different, why each change exists, and what you need to do differently in your evidence collection.
If you want the deeper context on the framework underlying v8, we have a separate Cyber Assessment Framework guide — read that first if "CAF" is unfamiliar.
When v8 was released and the timeline that matters
DSPT v8 was announced on 18 September 2025. The full announcement is at dsptoolkit.nhs.uk/News/161, which also links to the downloadable assertion spreadsheets for each category.
| Date | Event |
|---|---|
| 18 Sep 2025 | DSPT v8 announced and v8 toolkit opens |
| Q4 2025 onwards | Providers begin v8 submissions |
| 30 Jun 2026 | Submission deadline for most Category 3 and 4 organisations |
| Sep 2026 (expected) | DSPT v9 announcement (annual cycle — exact timing varies) |
There is no "transition window" allowing v7 submissions in 2026. From the v8 toolkit opening date, v8 is the only path. Always verify the current deadline on the DSPT portal — NHS England occasionally publishes category-specific extensions for individual organisation types.
The headline change: CAF alignment
The single biggest change in v8 is that the entire toolkit is now structured around the NCSC Cyber Assessment Framework (CAF). Every assertion in the v8 toolkit maps to a specific CAF principle, identified by a letter–number code (A.1 Governance, A.2 Risk Management, B.1 Service Protection Policies, and so on). Per the official v8 announcement, DSPT v8 is aligned to CAF version 3.4. (NCSC has since published CAF version 4.0 as the current standalone framework, but the DSPT 2025/26 toolkit maps to v3.4 — so don't be thrown if the NCSC site shows a higher version number than the DSPT references.)
What this means in practice for a Category 3 provider:
- The toolkit looks different. Assertions are now grouped under CAF objectives (A: Managing Security Risk, B: Protecting Against Cyber Attack, C: Detecting Cyber Security Events, D: Minimising Impact of Incidents) rather than the old flat list of NDG standards.
- The wording of assertions is different. v7 assertions read like checklist items ("we have a data security policy"). v8 assertions read like outcome statements ("you have effective processes to manage data security risk"). The expected evidence is similar; the language has shifted.
- The evidence is more outcome-focused. v8 expects you to demonstrate that controls actually work, not just that they exist on paper. More on that in the next section.
What it does not mean:
- It does not mean small providers now do a full NCSC CAF assessment. NHS England has selected which CAF outcomes apply to each category and translated them into provider-friendly assertions. You complete the DSPT, not the raw CAF.
- It does not mean Cyber Essentials is replaced. Cyber Essentials remains useful evidence for certain v8 assertions, particularly under CAF principles B.1 (service protection policies) and B.4 (system security).
The "outcome-based evidence" shift
Under v7, an acceptable answer to "do you have a data security policy?" was often "yes, here it is" with the policy attached. v8 generalises this question and adds an implementation test: does the policy work?
Practically, this means most evidence items in v8 need two components:
- The control or document itself — the policy, the access list, the training material, the incident response plan.
- Proof of implementation — that the policy is followed, the access list is current, training is completed, the response plan has been tested.
Examples of what changed in evidence expectations:
| Evidence area | v7 typical answer | v8 typical answer |
|---|---|---|
| Data security policy | Upload policy document | Upload policy + sign-off date + most recent staff acknowledgement |
| Staff training | "All staff complete training" | Upload training material + completion records with names and dates |
| Access controls | "We control system access" | Upload access list + most recent review date + leaver process evidence |
| Patching | "We patch our systems" | Patching schedule or IT supplier letter confirming patch cycle and exceptions |
| Incident response | Upload IR plan | Upload IR plan + last test/exercise date + lessons learned |
If you completed v7 and still have all those policies and records, you mostly have the documents you need for v8 — but you'll need to add the implementation evidence in many places.
Specific structural changes you'll notice
1. Organised by CAF objective, not NDG standard
v7 grouped questions under the 10 National Data Guardian standards. v8 groups assertions under the four CAF objectives (A/B/C/D). The 10 NDG standards still exist as a parallel reference, and you'll see them mentioned in the assertion descriptions, but the navigation structure is CAF-first.
2. Outcomes → Assertions → Evidence items
The old v7 structure was effectively two-level: Standard → Question. v8 introduces a three-level structure:
- Outcome — a high-level security goal (mapped to a CAF contributing outcome)
- Assertion — a specific statement your organisation makes about how it meets the outcome
- Evidence item — the concrete proof attached to support the assertion
You'll see this in the toolkit UI: each assertion has its own page with an evidence-upload area, and the parent outcome is shown above for context.
3. Supply chain assurance is more prominent
CAF principle A.4 (Supply Chain) is more visible in v8 than the equivalent supplier-related questions in v7. You'll be asked to show:
- A list of IT suppliers and clinical system vendors
- Evidence that they meet basic data security standards (a Data Processing Agreement, a supplier security questionnaire, or — for larger suppliers — Cyber Essentials Plus / ISO 27001 certification)
- Where supplier risks are recorded (typically your risk register)
For most small providers, this is "have you got a list and a DPA?" rather than full supply chain risk management — but it is more explicit than v7.
4. Asset management is explicit
CAF principle A.3 (Asset Management) asks you to know what data you hold and what systems hold it. In v7, this was implicit across several questions. In v8, it's a discrete area with assertions about data flow mapping and system inventory.
For a small provider this can be as simple as a one-page table listing: every system holding patient data, what data it holds, and where (cloud / on-premises / paper). Our DSPT for care homes guide walks through a worked example.
5. Detection and monitoring (CAF objective C) is lighter for small providers
CAF objective C — detecting cyber security events — is heavyweight for Category 1/2 organisations (security operations centres, threat hunting, log analysis). For Category 3 providers it is largely covered by:
- Antivirus / endpoint protection running and reporting
- IT supplier or managed service confirming they monitor for incidents
- Logging on key systems (NHSmail, clinical systems) — usually the supplier's responsibility
You are not expected to run a 24/7 SOC.
6. Response and recovery (CAF objective D) is broader
CAF objective D covers incident response and recovery. v8 asks for slightly more than v7 here:
- A documented incident response plan (most providers had this for v7)
- Evidence of a test or tabletop exercise within the last 12 months (often new for small providers)
- Lessons-learned record from any actual incidents
- Business continuity plan covering IT failure and cyber attack
If you've never tested your incident response plan, a one-hour tabletop exercise with the management team — walking through "what would we do if NHSmail was compromised at 9am on a Monday?" — counts as evidence.
What does NOT change (despite the v8 noise)
It's easy to read about v8 and conclude that everything is different. It isn't. Here's what stayed the same:
- The deadline is still 30 June. The annual DSPT cycle has not moved.
- The 10 National Data Guardian standards still apply. They are now referenced from CAF assertions rather than being the primary navigation, but they have not been replaced.
- Categories 3 and 4 still don't need an independent audit. Self-assessment via the toolkit remains the model. Categories 1 and 2 audits are unchanged.
- NHSmail, NHS Spine and EPS access still depend on a current DSPT. If you have not reached "Standards Met" or "Approaching Standards" by the deadline, you risk losing access. The consequence side has not changed.
- The portal address is unchanged. dsptoolkit.nhs.uk remains the single point of submission.
What you need to do differently for v8
If you completed v7 last year, here's the practical action list:
- Read the v8 announcement and assertion spreadsheet for your category. dsptoolkit.nhs.uk/News/161 links to the spreadsheets. These are your master reference.
- Plan to re-upload your evidence. Even where evidence is identical, it must be attached against the v8 assertion structure.
- Add implementation evidence where you only had documents before. If your v7 submission was "policy attached, done," check whether v8 wants additional proof.
- Check supply chain documentation. Make sure you have an up-to-date supplier list with DPAs in place.
- Test your incident response plan if you haven't recently. A one-hour tabletop exercise with the management team plus minutes is sufficient evidence.
- Refresh your data flow / system inventory. Ensure it lists every system with patient data and where it lives.
- Run staff training again before submission. Annual data security awareness training is free at e-Learning for Healthcare, and completion records are the easiest evidence wins.
For first-time providers, the how to complete the DSPT guide walks through the full process step by step. For a Category 3 worked example, see the DSPT for care homes guide.
v8 vs v9 — what's likely to come next
NHS England runs an annual DSPT cycle: a new version released each September. v9 will follow in September 2026 (expected). Based on the pattern of recent years, you can expect:
- v9 will be incremental. v7 → v8 was the structural break (CAF alignment). v8 → v9 is more likely to be evidence-pattern refinements, supplementary guidance, and minor assertion adjustments.
- The CAF foundation will persist. NHS England has invested heavily in the CAF mapping; it won't be reversed.
- Evidence carry-forward may be reintroduced. A "carry forward last year's evidence with a confirmation tick" pattern is likely once the structural change is bedded in. v9 may be the first version that supports this.
- Supply chain expectations will tighten. Across the public sector, supply chain cyber assurance is a rising area. v9 may add more granular supplier-side assertions.
This is an informed guess based on public direction-of-travel, not an NHS England announcement. Always check the official news page on the DSPT portal for actual v9 details when published.
FAQ
When was DSPT v8 released?
DSPT v8 was announced on 18 September 2025. It is the version used for the 2025/26 submission cycle, with a deadline of 30 June 2026 for most Category 3 and 4 organisations.
Is DSPT v8 mandatory?
Yes, for any organisation accessing NHS patient data or systems. The annual DSPT submission has been mandatory since 2018 and v8 is the version in use for 2025/26. Submitting v7 evidence is not an option for the current cycle.
Does my v7 evidence still count?
No. Evidence does not automatically transfer from v7 to v8 — even where the underlying control hasn't changed. You'll need to re-upload or re-confirm evidence against the v8 assertion set. Many documents (policies, training records) can be reused; the toolkit just needs them attached against the new assertions.
Is the workload bigger in v8 than v7?
For Category 3 organisations, the workload is broadly comparable to v7 — approximately 42 mandatory evidence items. The structure changed; the depth did not balloon. For Categories 1 and 2 the picture is different, but small providers should not expect a dramatic increase.
Where do I find the v8 assertion list for my category?
The downloadable assertion spreadsheets are linked from the DSPT v8 announcement page. Choose the spreadsheet matching your category — Category 3 for most care providers and pharmacies, Category 4 for GP practices.
Next steps
- Read the Cyber Assessment Framework guide to understand the framework v8 is built on.
- Read the DSPT complete guide for the full overview tailored to small providers.
- Use the evidence checklist generator to build a structured list for your category.
- Take the readiness quiz to identify your biggest gaps.
- Check the deadline calculator and plan your milestones.
This guide is based on DSPT v8 (2025/26) as published by NHS England on 18 September 2025 and the NCSC Cyber Assessment Framework. Always verify current requirements on the official DSPT portal. This is not legal or compliance advice.
Sources
- DSPT 2025/26 v8 announcement — NHS England
- Data Security and Protection Toolkit portal — NHS England
- Cyber Assessment Framework — National Cyber Security Centre
- Cyber Assessment Framework — NCSC
- Introduction to the CAF — NCSC
- Data security and information governance — NHS Digital
- Government Cyber Security Strategy 2022 to 2030 — gov.uk
- Data Security Awareness e-Learning — NHS e-Learning for Healthcare