DSPT v8 2025 updates - What’s changed and how Assuric can help you stay compliant
An overview of key changes to the 2025 DSPT and how Assuric can simplify the journey to compliance.

The NHS Data Security and Protection Toolkit (DSPT) has been refreshed for 2025/26. Unlike last year’s major overhaul, this year’s changes are smaller but still notable - particularly for Category 3 organisations (smaller digital health companies).
The updates mainly refine evidence requirements and strengthen areas like governance, risk management, asset registers, and supplier contracts.
In this post, we’ll outline the key changes and explain how Assuric has already integrated these updates - so our customers can stay compliant seamlessly.
Key DSPT 2025/26 Updates
Here’s what digital health companies need to know:
🔑 Governance & Responsibility
- Senior leaders are now expected to own and direct security (1.1.5)
📜 Policies & Risk
- Policies must align with national standards and good practice (1.3.1)
- Organisations must identify their top three cyber/data risks and share conclusions with accountable leaders (1.3.6)
👩‍💻 Training & Awareness
- Expanded requirement to use a range of training and awareness methods for reaching all staff effectively (3.2.1)
🛠️ System & IT Oversight
- IT support staff identities must be known and managed, with activities logged securely (4.4.1)
📊 Assets & Continuity
- New focus on a maintained asset register detailing your organisation's hardware, software and data: a list of the devices and software your organisation uses, reviewed within the last 12 months (7.1.1)
- Business continuity plans must now include communications and data protection obligations (7.1.2)
- New optional improvements: asset prioritisation (7.1.5) and lifecycle management (7.1.6)
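The 7.1.1 wording turns the asset register into evidence: each entry needs an owner, a classification and a review date inside the last 12 months. The script below is an added example (not Assuric's code or a DSPT-prescribed schema) that runs those checks over a constructed CSV register; the column names, the 365-day window and the sample rows are all assumptions, and the reference date is passed in so the result is repeatable.

```python
"""Asset register hygiene check for DSPT 7.1.1 (added example, not Assuric's code)."""
import csv
import io
from datetime import date, timedelta

# Constructed sample register. Column names are an assumption for this example,
# not a schema the DSPT prescribes.
SAMPLE_REGISTER = """\
asset_id,type,name,owner,classification,last_reviewed
HW-001,hardware,Clinician laptop fleet,IT Manager,confidential,2025-03-14
SW-002,software,Patient portal (web app),Product Lead,confidential,2024-05-02
DA-003,data,Appointment records database,Data Protection Lead,restricted,2025-07-20
SW-004,software,Internal wiki,,internal,2025-01-09
HW-005,hardware,Office printer,Office Manager,,2025-06-30
"""

# "Reviewed in the last 12 months" is interpreted here as 365 days (assumption).
REVIEW_WINDOW = timedelta(days=365)


def parse_register(text):
    """Parse a CSV register into a list of dicts, one per asset."""
    return list(csv.DictReader(io.StringIO(text)))


def check_register(rows, today):
    """Return (asset_id, finding) tuples for every gap found.

    Checks: duplicate IDs, missing owner or classification, unparseable or
    future review dates, and reviews older than REVIEW_WINDOW as of `today`.
    """
    findings = []
    seen = set()
    for row in rows:
        asset_id = (row.get("asset_id") or "").strip()
        if asset_id in seen:
            findings.append((asset_id, "duplicate asset_id"))
        seen.add(asset_id)

        for field in ("owner", "classification"):
            if not (row.get(field) or "").strip():
                findings.append((asset_id, f"missing {field}"))

        raw = (row.get("last_reviewed") or "").strip()
        try:
            reviewed = date.fromisoformat(raw)
        except ValueError:
            findings.append((asset_id, "unparseable last_reviewed"))
            continue
        if reviewed > today:
            findings.append((asset_id, "last_reviewed is in the future"))
        elif today - reviewed > REVIEW_WINDOW:
            days = (today - reviewed).days
            findings.append((asset_id, f"review overdue ({days} days)"))
    return findings


def summarise(rows):
    """Count assets by type (hardware / software / data) for the evidence pack."""
    counts = {}
    for row in rows:
        kind = (row.get("type") or "").strip() or "unknown"
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    rows = parse_register(SAMPLE_REGISTER)
    print("assets by type:", summarise(rows))
    for asset_id, finding in check_register(rows, date(2025, 9, 1)):
        print(f"{asset_id}: {finding}")
```

Run against a real export, the findings list is the to-do list before submission; an empty list is the state you want to be able to show an assessor, together with the type counts as a summary of what the register covers.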
🔍 Cyber Resilience
- Organisations will be asked whether they are registered for the NCSC Early Warning Service (8.3.8); this is an optional requirement
- Vulnerability management wording strengthened to require regular testing (8.4.3)
🤝 Suppliers & Contracts
- Contracts must now comply with GDPR and DSPT completion requirements (10.2.2)
❌ Removed Items
- Staff monitoring notification (4.3.3)
- Medical devices register (9.3.8)
- Supplier DSPT completion requirement (10.2.5)
What these changes mean for digital health companies
For smaller digital health organisations, the changes mean:
- More emphasis on leadership accountability.
- Stronger evidence requirements around assets, risks, and suppliers.
- Simpler compliance in some areas, with outdated requirements removed.
These updates aren't disruptive, but they do need attention now so that you are well placed to complete your submission before the 30 June 2026 deadline.
What do I need to do to resubmit v8 of the DSPT?
If you are already compliant with the DSPT having achieved "Standards Met" then you should complete and publish your annual assessment, ensuring it reflects your current security practices in good time before the deadline of 30 June 2026.
How compliance platforms like Assuric help you stay compliant - seamlessly
One of the biggest challenges with frameworks like DSPT is keeping up with changes, generating evidence, and avoiding duplicating work each year. That’s where a compliance platform like Assuric comes in.
The Assuric team has been working since the announcement, and we’re pleased to say: all 2025/26 updates are already built into our platform.
Our customers don’t need to scramble to update spreadsheets or check compliance line by line - we do the heavy lifting.
Here’s how our modules align with the new DSPT requirements:
✅ Supplier Management – Track supplier assurance, contracts, and GDPR/DSPT compliance.

✅ Information Asset Register & Staff Device Reporting – Maintain a live, up-to-date asset register that meets 7.1.1 requirements.

✅ Risk Register – Identify and track your top three risks, share them with leadership, and align with DSPT 1.3.6 and ISO/IEC 27005.

✅ Processing Activities – Evidence lawful data use and mapping for transparency.

✅ Incident Management – Prepare and evidence continuity planning, including comms and data protection.

✅ Staff Training – Deliver and evidence multi-method training for all staff.

With Assuric, your compliance is always up to date - because we track the changes for you.
What has changed for Category 2 organisations (IT suppliers)?
Larger NHS IT suppliers (those with 50 or more staff or an annual turnover above £10 million) fall into the "Category 2" organisation type. These organisations can expect the following new assertions on their DSPT submission:
📱 Requirement for software to support Identity Federation or MFA
- Software provided to health and care supports identity federation or multi-factor authentication to industry standards, or you have an approved, realistic and resourced plan to achieve this not later than 30 Jun 2027 (4.5.6).
"Identity federation (such as with the NHS Care Identity Service, NHSmail, Entra ID or similar services) is preferred. Where a software product maintains its own identity and authentication mechanism, a range of authentication factors should be supported."
🚨 Incident communications plan
- You have a robust plan for communicating incidents to customers in a timely manner (7.1.5)
"Regulatory requirements for your own organisation and for your customers should be considered. At a minimum, all incidents affecting the development and/or hosting of software provided to health and care should be communicated to customers within 24 hours."
🔒 Secure Coding Standards
- Software provided to health and care is developed in accordance with the government Software Security Code of Practice. (9.5.11)
Your evidence should ideally include an assessment against the Code of Practice principles, with the claims set out using the NCSC template.
These additions represent a positive shift for larger NHS suppliers, who are expected to meet a high bar for building, distributing and maintaining secure systems.
Category 2 organisations will also no longer have to confirm that they have a registered nominated member of the Cyber Associates Network (previously 2.1.1), or that they use the 'Respond to an NHS cyber alert' service to acknowledge each high-severity cyber alert within 48 hours of issue (previously 6.3.2).
Conclusion
The 2025/26 DSPT updates may not be a complete overhaul, but they bring important shifts in evidence and accountability. For digital health companies, the challenge is less about what’s changed, and more about keeping pace with every change year after year.
With Assuric, you don’t need to worry - we’ve already implemented the new requirements so you can continue focusing on innovation, patient care, and growth.
👉 Ready to simplify DSPT compliance?