In September 2024 the DSPT changed to adopt the National Cyber Security Centre’s Cyber Assessment Framework (CAF) as its basis for cyber security and IG assurance. This led to NHS Trusts, CSUs, ALBs and ICBs seeing a different interface, which sets out CAF-aligned requirements in terms of objectives, principles and outcomes. The scope of the 24-25 DSPT includes additional cyber and information governance requirements compared to the 23-24 DSPT.

The new CAF-aligned DSPT is split into 47 contributing outcomes, each of which are supported by indicators of good practice, grouped into levels of achievement – ‘Not Achieved’, ‘Partially Achieved’ or ‘Achieved’.

To achieve Standards Met, NHS organisations will have to meet the expected achievement level set by NHS England for each outcome. This is called a profile and is available in the DSPT or at: https://www.dsptoolkit.nhs.uk/News/DSPT-Changes-in-24-25.

It is recognised that the move to a CAF-aligned DSPT is a significant change and will be a considerable challenge for many NHS organisations. This represents an increase in the data security requirements for organisations. The main areas of uplift are in the requirements to protect your organisation from cyber risk. There is understanding that this may take some time to meet all the requirements. Due to the significant change in how the DSPT is answered, organisations that rely on DSPT ‘Standards Met’ for contractual or data exchange purposes are advised to review the new standard and consider their security requirements in the context of the CAF. Organisations will be required to assess themselves against the updated requirements by 30th June 2025.

Organisations which are not yet able to meet the required achievement levels for each outcome will be required to submit an improvement plan setting out how they plan to meet the required achievement levels by 30th June 2026. The improvement plan, which organisations should work on with the Regional Security Leads (or DHSC for arm’s length bodies) ahead of the deadline 30th June deadline, must be timebound, credible, and sufficiently resourced. The plan will be subject to ongoing central monitoring, with the expectation of successful timely execution. Once the plan is agreed the organisation’s 24-25 DSPT Status will be ‘Approaching Standards’. Once the plan is completed it would be ‘Standards Met’. Having an agreed plan gives NHS England and DHSC, commissioners, stakeholders, service users and partner organisations confidence that the organisation understands what it needs to do to meet the cyber security and information governance standards, is committed to reaching the required achievement levels and is being monitored by NHS England to do so.

Organisations not agreeing an improvement plan will have a 24-25 DSPT status of Standard Not Met which would show that the organisation did not have an agreed plan to achieve the expected achievement levels of cyber security and information governance.

NHS England run dedicated Data Security and Protection Toolkit webinars for NHS organisations each month, further details are available at: https://www.dsptoolkit.nhs.uk/News/webinars.

For queries regarding the Data Security and Protection Toolkit help and support is available. [For queries regarding the NIS Regulations and designation of Operators of Essential services, please contact nis.authority@dhsc.gov.uk.]