Improvement Plans - Instructions for 2024-2025 (15 May 2025)
Guidance and Instructions for 2024-25 Data Security and Protection Toolkit. This applies to NHS Trusts, Integrated Care Boards (ICBs), Commissioning Support Units (CSUs), Independent Providers who are Operators of Essential Services under NIS, Key IT Suppliers, Local Authorities and Department of Health and Social Care (DHSC) Arm's Length Bodies (ALBs).
Guidance to support NHS Trusts, Integrated Care Boards (ICBs), CSUs, Independent Providers who are Operators of Essential Services (OES) under NIS, Key IT Suppliers, Local Authorities and DHSC Arm's Length Bodies to submit a 24-25 Data Security and Protection Toolkit (DSPT) improvement plan, if required.
The improvement plan process is designed to support those organisations who have not achieved Standards Met on the DSPT and have outcomes where they do not meet the expected achievement levels. Organisations who have achieved Standards Met or Standards Exceeded for the 24-25 DSPT can ignore this guidance.
Organisations that have not met the expected achievement levels for all outcomes should publish a Standards Not Met assessment and submit an improvement plan.
Your plan will be reviewed by the relevant NHS England and DHSC teams and, if approved, your 24-25 DSPT status will be amended to Approaching Standards. Once you have implemented all of the actions in your improvement plan, your 24-25 DSPT status will be amended to Standards Met.
How to complete your improvement plan
From the DSPT Assessment screen, click the publish assessment button. (Note: you can do this in advance of publication, and it does not commit you to publish at this point.)
If you have not achieved Standards Met (i.e., have not met the expected achievement levels for all outcomes), you will be presented with the Provide an improvement plan screen.
After 1 June 2025, click the download an improvement plan template link. This will automatically list the outcomes where you have not met the expected achievement level. Or use the template attached to this news item.
If you are not ready to complete your DSPT Improvement Plan, you can click the back to assessment link and continue to work on your DSPT assessment.
Complete your Improvement Plan using the template to explain the steps your organisation is taking towards meeting the expected achievement level on the outcomes on the DSPT that it has not currently met.
Organisations who are aware they will not meet the requirements should inform the relevant teams (as set out below) in advance of the 30 June 2025 deadline, and work with them on developing an Improvement Plan.
Independent providers who are Operators of Essential Services under NIS should contact the Joint Cyber Unit via NIS.Authority@dhsc.gov.uk and DHSC’s arm’s length bodies should contact the Joint Cyber Unit via england.cyber@nhs.net.
NHS trusts, ICBs and CSUs should contact their NHSE Regional Security Lead (see contacts by region below).
Note: IT Suppliers and Local Authorities are not required to contact the teams in advance.
Regional Security Leads
- Midlands: Victoria Axon, Victoria.axon1@nhs.net; Deputy Regional Lead for the Midlands: Pete Robinson, peter.robinson12@nhs.net
- South West: Ian Fletcher, ian.fletcher7@nhs.net
- London: Peter Hartley, peter.hartley2@nhs.net
- North East: Matthew Lutkin, Matthew.lutkin@nhs.net
- South East: Daniel Oliver, daniel.oliver@nhs.net
- North West: Chris Quinn, cq1@nhs.net
- East: Mark Dimock, mark.dimock1@nhs.net
The improvement plan must include:
- all the outcomes where your organisation has not met the expected achievement levels. This must include outstanding actions raised as part of your DSPT audit
- the actions required to meet the outstanding evidence item/outcome
- the organisation’s plan for achieving the outstanding actions including milestones. This must include any outstanding activity to secure funding and resourcing to ensure the plan is achieved by the completion date
- the action owner for each action
- the priority of the actions
- any local references for the action, such as risk register or audit action number
- the planned completion date for each action
- the status of the action
The template also gives you the opportunity to confirm whether any dependencies, such as an Electronic Patient Record implementation, have affected or may affect your organisation's ability to meet the evidence item.
When to submit your DSPT improvement plan
Your improvement plan should be uploaded at the point of publishing your DSPT assessment. Upload a copy of your plan on the Provide an improvement plan screen which is displayed when you click the publish assessment button.
The reviewers within NHS England and DHSC will also cross-reference the improvement plan against your DSPT audit report and may require further information from the organisation on why actions raised in the DSPT audit were not included in the DSPT improvement plan.
The deadline for completing the 2024-2025 DSPT is 30 June 2025.
What happens once you have submitted your DSPT improvement plan?
The relevant NHS England and DHSC teams, namely the DSPT team, Regional Security Leads and Joint Cyber Unit, will review your plan for robustness and achievability. If approved, the DSPT team will update your 24-25 DSPT status to Approaching Standards. This will NOT publish any detail of which area requires improvement.
Where an organisation’s Improvement Plan is not initially agreed, an email will be sent to the organisation to arrange a call with the NHS England Regional Security Lead or Joint Cyber Unit to discuss what is required to agree an Improvement Plan.
Improvement Plans will not be agreed where:
- completion dates are not provided
- dates go beyond June 2026, unless there are exceptional circumstances agreed with NHS England and DHSC
- there is no realistic or robust plan to achieve the evidence/outcome requirement
You should continue to work on the actions in your plan and keep it up to date for monitoring purposes.
When you complete your outstanding actions, please send in your updated plan to: cybersecurity@nhs.net, so that your 24-25 DSPT status can be reviewed. Where you have successfully completed all the actions and met the requirements, your 24-25 DSPT status will be updated to Standards Met.
You will be contacted for a progress update on your improvement plan in September and December 2025 (unless you have already completed your improvement plan).
For more information, please see the improvement plan process overview below.
Overview and timeline of the DSPT improvement plan process
A DSPT Improvement Plan process is in place to assist those organisations which do not achieve Standards Met on the 2024/25 DSPT to demonstrate the plans they are making to achieve compliance. The process aims to minimise the administrative burden placed on organisations by providing clear expectations and touchpoints. The process also signposts support services provided by NHS England for NHS organisations and arm’s length bodies.
Organisations are encouraged to take reasonable steps at each point of the process to provide information as required or to make the necessary improvements to meet the DSPT standard. Failure to engage with the DSPT team, Regional Security Leads and Joint Cyber Unit where required will result in escalation to NHS England and DHSC as appropriate.
The following timescales will be applied and should be used to assist organisations with their DSPT improvement planning and to understand when updates will be requested by the NHS England DSPT team. Please note these timescales may be subject to change.
June 2025
Organisations who are aware they will not meet the requirements need to inform their contacts, where applicable (included above at How to complete your improvement plan) to discuss their plan in advance of the 30 June 2025 deadline.
Where relevant, the organisation will be directed to appropriate Cyber Security Operations Centre services and any exemplar organisations within the Region.
The NHS England Regional Digital Transformation teams may be informed and asked to work with any Trusts/CSUs/ICBs who fail to submit an improvement plan.
July/August 2025
The NHS England DSPT team, in collaboration with the Regional Security Leads and Joint Cyber Unit, will review improvement plans and where they determine that a DSPT improvement plan meets the requirements of this guidance, the organisation will achieve the 24-25 DSPT status ‘Approaching Standards’, subject to agreement to deliver and provide updates on their approved DSPT improvement plan.
If the above fails:
- The organisation’s 24-25 DSPT status will remain at ‘Standards Not Met’ until a satisfactory DSPT improvement plan is provided.
- If required, the NHS England Regional Security Lead or Joint Cyber Unit will work with the organisation to produce a satisfactory improvement plan.
- The organisation will produce an updated DSPT improvement plan, re-publish its DSPT including its updated plan and it will be reviewed again.
On an exceptional basis, where the National Chief Information Security Officer judges it to be appropriate, an improvement plan which does not meet the criteria set out in the guidance may be accepted.
September 2025 and December 2025
Organisations will be reminded to provide improvement plan updates by 30 September 2025 and 31 December 2025.
Where an organisation completes all actions within its improvement plan, it should email its completed plan to: cybersecurity@nhs.net. The completed plan is reviewed and, if agreed, the organisation’s 24-25 DSPT status will be amended to Standards Met.
October 2025 and January 2026
NHS England and DHSC will review improvement plan updates and if sufficient progress is being made but improvement plans are not complete, the organisation will remain at ‘Approaching Standards’ as their 24-25 DSPT status.
Where an improvement plan update has not been received, or progress is not sufficient:
- The NHS England Regional Security Lead, NHS England Regional Digital Transformation team and Joint Cyber Unit, where relevant, will be informed and will work with the organisation.
Ongoing
The NHS England DSPT team will review final improvement plan updates:
Where an organisation has met the standard:
- Its status for its 24-25 DSPT will be updated to ‘Standards Met’.
Where an organisation has still not met the DSPT standard:
- The organisation’s 24-25 DSPT status will remain at ‘Approaching Standards’ until the plan is confirmed as completed.
- Where relevant, the organisation will be directed to appropriate Cyber Security Operations Centre services and best practice from exemplar organisations within the Region.
Network and Information Systems Regulations 2018 (NIS Regulations)
NHS trusts and foundation trusts, ICBs, and certain independent providers of healthcare are designated as Operators of Essential Services (OESs) under the NIS Regulations. The Regulations require organisations identified as OESs to take appropriate and proportionate measures to:
- manage risks posed to the security of the network and information systems on which their essential services rely
- prevent and minimise the impact of incidents affecting the security of the network and information systems used for the provision of their essential services, and
- report any incident which has an adverse effect on the security of network and information systems, and which has a significant impact on the continuity of an essential service that the OES provides.
The DSPT is a requirement for OESs to demonstrate their fulfilment of the security duties of the NIS Regulations, and failure to fully engage with the DSPT improvement plan process may result in regulatory action being taken under the NIS Regulations. For example, an OES may be issued an information notice to require them to provide information or an enforcement notice requiring them to take specified action. This may include cases where DHSC has insufficient reassurance because there is no plan or the plan is incomplete, the quality or detail of the plan is insufficient, or progress is slipping against agreed completion dates in the plan.
The NIS Healthcare sector guide can be accessed here for information.