Improvement plan updates and Interim DSPT Assessment publications required by 31 December (11 December 2025)
Reminder to organisations completing a CAF DSPT that an Interim DSPT Assessment publication is required by 31 December, and a reminder to organisations who have agreed to provide an Improvement plan update.
25/26 Interim DSPT Assessment publication by 31 December 2025.
The functionality to allow you to submit your DSPT Interim Assessment is now available on the DSPT.
There is an interim assessment section, including a ‘publish interim assessment’ button, on the assessment screen. The Interim assessment can be published by any administrator user of the DSPT in your organisation.
Expectations
The interim assessment is your organisation’s position at the time of publication. It is not a forecast of the expected position when you publish your full assessment by 30 June. The interim assessment is not formally assessed by NHS England and DHSC as part of performance management. It allows us to understand the current position of organisations against the CAF DSPT profile across the different outcomes, review interim responses, and determine whether further guidance or support is required.
Your SIRO should sign off your interim assessment.
What to include in your interim assessment
You should record your organisation’s current achievement level (not achieved, partially achieved, or achieved) against each outcome. It would be helpful to us if you included any evidence or supporting statements to provide context to the achievement levels, but this is not mandatory.
You do not need to wait until the 31 December 2025 deadline to publish your interim assessment. You can publish it as soon as you’re ready.
Further guidance on the interim assessment is available at: https://digital.nhs.uk/cyber-and-data-security/guidance-and-assurance/caf-aligned-dspt-guidance/overview/caf-aligned-dspt-interim-assessment-guidance
Essential Functions for NHS Trusts, ALBs, CSUs, ICBs, Genomics organisations and independent providers who are designated as Operators of Essential Services
As part of the CAF-aligned DSPT assessment, organisations are required to scope and upload their essential functions.
We have had a few questions about defining Essential Functions and the DSPT, so we will make this the focus of the 15th December DSPT Webinar. Details are at https://dsptoolkit.nhs.uk/News/webinars
Defining essential functions
Before you begin your Cyber Assessment Framework (CAF)-aligned Data Security and Protection Toolkit (DSPT) submission, you need to conduct a scoping exercise to understand which information, systems and networks support your essential functions and should therefore be included in the scope of your DSPT return. Your essential functions are all the parts of your organisation that are necessary to deliver your organisation’s services.
Where relevant, this will include consideration of:
- any essential services for operators of essential services designated under the Network and Information System (NIS) Regulations
- any statutory purposes for statutory organisations
- the purposes for which your organisation is constituted
In practice, your essential functions may equate to all your critical business processes.
Whether it is called an essential function, service or critical business process should not matter; what matters is that the compromise or failure of that function, service or process would lead to unacceptable consequences.
- You should include all information, systems and networks which support your essential functions and which could result in a significant impact on the continuity of an essential service if compromised by an incident.
- You should maintain a clear, demonstrable and risk-based justification of the scope, which should be considered an evolving document that will change over time in response to increased knowledge, changes in operating systems or following incidents.
The information required for your scoping assessment is likely to already exist in business continuity impact assessments, such as the emergency preparedness, resilience and response (EPRR) NHS business impact template, information assets and flows registers, asset registers, network architecture diagrams, and similar internal documentation which has been required under previous iterations of the DSPT.
Full guidance can be found on Scoping essential functions - NHS England Digital
Template to use
The output of your scoping exercise, which captures your essential functions and the information, systems and networks supporting them, must be recorded on the prescribed template, which is available from the DSPT assessment screen or https://www.dsptoolkit.nhs.uk/News/Attachment/905. It must be uploaded for the final submission, but we would also encourage organisations to submit it as part of the interim submission. Your DSPT auditors, NHS England and the Department of Health and Social Care may ask to review, provide input and, where necessary, challenge scoping assessments.
Based on the previous practical example template, the prescribed template allows organisations to systematically and consistently submit information on their essential functions, including third-party or supplier involvement in the delivery of essential functions.
This will enable DHSC and NHSE to:
- better understand the nature of the essential functions, and information, networks and systems that need protecting.
- collect structured data on third party and supplier dependencies in essential functions to inform future national and local oversight and assurance approaches.
DSPT Improvement plan updates to be submitted by 31 December 2025
If your organisation’s status for your 2024-25 (v7) DSPT publication is ‘Approaching Standards’ or ‘Standards Not Met’ you must submit an updated improvement plan to cybersecurity@nhs.net by 31 December 2025.
You should use the same template you used to submit the Improvement plan and should complete columns S and T to provide your update.
Column S - Is the delivery date still valid? If not, please provide an updated date.
Column T - December 2025 Comments. This should provide progress updates or context on why dates may have changed.
The updates will be reviewed, and if you have completed all the actions on the Improvement plan, the DSPT team will update your 24-25 DSPT status to 'Standards met'. If sufficient progress is not being demonstrated, your 24-25 DSPT status may revert to 'Standards not met'.
Your Regional Security leads will be happy to discuss your Improvement plans.
For further information about the improvement plan process and contact details for your Regional Security lead, visit the DSPT news page on improvement plans.
Thanks,
DSPT Team