NHS DSPT Toolkit Assessment
CREST-accredited penetration testing and Cyber Essentials Plus certification for NHS Trusts and suppliers. We deliver the security testing required by Data Security Standard 9, providing DSPT-ready evidence packs so you meet the 30th June 2026 deadline. Fixed-price from £5,000.
DSPT compliance that prevents Spine disconnection.
We deliver the two DSPT requirements that cannot be met in-house: a CREST-accredited penetration test and Cyber Essentials Plus certification, both scoped for Data Security Standard 9 with DSPT-formatted evidence packs. Backed by 24/7 NHS monitoring after your submission.
DSPT Non-Compliance Risk Profile
Across 10 National Data Guardian standards. Every assertion requires documented evidence and senior management sign-off.
The annual DSPT submission deadline. Assessments take 6-12 weeks. Organisations should begin by April at the latest.
Non-compliance exposes organisations to ICO GDPR enforcement with fines up to £17.5M or 4% annual turnover.
What Your DSPT Submission Requires
Data Security Standard 9 requires annual penetration testing and Cyber Essentials Plus certification from accredited providers. These are the only DSPT assertions you cannot satisfy internally.
30th June 2026 Deadline & NHS Spine Disconnection
The NHS Data Security and Protection Toolkit is aligned with the National Data Guardian's ten data security standards across 42 mandatory assertions. Failure to achieve Standards Met by 30th June results in NHS Spine disconnection, blocking PDS, Summary Care Records, e-Referrals, GP Connect, and Electronic Prescription Service. Additional consequences include suspended data sharing agreements, CQC downgrades, and ICO fines up to £17.5M.
Cyber Security Controls & Penetration Testing
DSPT Data Security Standard 9 mandates Cyber Essentials Plus certification through IASME-accredited assessment with independent technical verification. Testing covers firewall configuration, secure configuration, user access controls, malware protection, and patch management. This is the one DSPT assertion you cannot complete in-house.
Incident Reporting & ICO Breach Notification
ICO breach notification within 72 hours for GDPR Article 33 compliance. NHS Digital reporting for significant breaches, root cause analysis, and validated incident response playbooks covering ransomware, unauthorised access, data exfiltration, and accidental disclosure. Mandatory for DSPT Standards 6 and 9.
DSPT Security Services
From mandatory Standard 9 testing to continuous NHS monitoring after your submission.
CREST-Accredited Penetration Test
Delivering the mandatory annual penetration test required by Data Security Standard 9. Conducted by CREST-accredited consultants and scoped to NHS DSPT requirements, covering external network perimeter and internal systems that handle patient data. The test report is formatted as DSPT submission evidence. Deliverable: CREST-standard penetration test report with DSPT evidence pack and 30-day free retest.
Cyber Essentials Plus Certification
Independent Cyber Essentials Plus assessment through our IASME-accredited assessors, satisfying the technical verification requirement of DSPT Standard 9. Covers boundary firewalls, secure configuration, access controls, malware protection, and patch management. The Plus level requires technical verification by an accredited assessor. Deliverable: Cyber Essentials Plus certificate valid for 12 months.
Continuous NHS Monitoring
After your DSPT assessment, we feed findings directly into our 24/7 Managed SOC with custom detection rules for healthcare-specific threats: ransomware, unauthorised access to patient records, and HSCN threats. Monthly board-level security reports support your SIRO and Caldicott Guardian. Deliverable: ongoing threat detection, incident response, and annual DSPT renewal testing.
CREST-Accredited DSPT Assessment
DSPT Data Security Standard 9 mandates a penetration test from a CREST or CHECK-accredited provider. Our CREST accreditation means your DSPT penetration test report is accepted by NHS England, CQC inspectors, and ICBs without question.
What your Standard 9 assessment delivers
Fixed-price from £5,000. No hidden costs.
Accepted for compliance with
Recognised by NHS England, CQC, ICO, and NHS procurement teams.
Continuous NHS Security. After The Submission.
DSPT compliance is annual but NHS threats are constant. We feed your DSPT assessment findings directly into our 24/7 Managed SOC, building custom detection rules for ransomware, unauthorised access to patient records, and HSCN-specific threats. One provider for compliance and continuous protection.
24/7 Threat Hunting
Continuous monitoring of your NHS-connected infrastructure and endpoints.
Ransomware Protection
Healthcare-specific ransomware detection tuned to NHS threat intelligence.
Incident Response
Immediate containment and ICO breach notification support within 72 hours.
Board Reporting
Monthly security reports for your SIRO, Caldicott Guardian, and board.
Meet the 30th June deadline.
Book a free 30-minute scoping call. We confirm scope for your Standard 9 penetration test and Cyber Essentials Plus assessment, then provide a fixed-price quote. No obligation. No hidden costs.
Frequently Asked Questions
Common questions about DSPT compliance, the penetration testing requirement, and the 30th June deadline.
The DSPT requires an annual penetration test conducted by a CREST or CHECK-accredited provider to satisfy Data Security Standard 9. The penetration test must cover your external network perimeter and, depending on your organisation type, internal systems that handle NHS patient data. This is one of only two DSPT assertions that categorically require external specialist support: you cannot self-certify this requirement. The test report must be available as evidence to support your DSPT submission and may be audited by NHS England. If you are mid-submission and have reached the penetration testing requirement, we can complete the CREST-accredited penetration test and provide the evidence documentation your DSPT submission requires.
The NHS DSPT submission deadline for 2026 is 30th June 2026. All organisations accessing NHS patient data must submit their annual DSPT assessment by this date. The penetration testing and Cyber Essentials Plus certification required by Standard 9 typically take 4 to 8 weeks to complete, so organisations should commission testing by April at the latest.
Yes, Cyber Essentials Plus certification is mandatory for DSPT Data Security Standard 9 (IT Protection). All organisations processing NHS patient data must achieve Cyber Essentials Plus annually through IASME-certified assessments covering boundary firewalls and internet gateways, secure configuration of devices and software, access control and administrative privilege management, malware protection, and patch management. Cyber Essentials (basic self-assessment) is insufficient. The Plus level requires independent technical verification through vulnerability scanning and configuration review by accredited assessors. Certification must be maintained annually with evidence submitted as part of your DSPT assertion.
Yes. Any organisation supplying software, managed services, or consultancy to the NHS that handles or has access to NHS patient data must achieve DSPT 'Standards Met' status annually. NHS procurement teams increasingly require DSPT compliance as a condition of contract award and renewal. Suppliers connecting to NHS systems via the Health and Social Care Network (HSCN) are contractually required to maintain a current, compliant DSPT submission. Achieving 'Standards Exceeded' can serve as a competitive differentiator in NHS procurement processes.
All organisations with access to NHS patient data must complete the DSPT annually, including GP practices, dental practices, pharmacies, opticians, care homes, domiciliary care providers, ambulance services, mental health services, community health providers, and third-party suppliers processing NHS patient information. Non-compliance blocks NHS Digital connection, prevents data sharing agreements, and disqualifies organisations from accessing care.data and Summary Care Records.
The NHS Data Security and Protection Toolkit (DSPT) is an online self-assessment tool provided by NHS England that requires all organisations handling NHS patient data to demonstrate compliance with the National Data Guardian's ten data security standards. This includes NHS Trusts, GP practices, care homes, and NHS suppliers. Completing the DSPT and achieving 'Standards Met' status is mandatory for HSCN connection and NHS supplier contracts. The annual submission deadline is 30th June.
DSPT mandates 10 standards aligned with GDPR and cyber resilience requirements: (1) Personal Confidential Data: staff understand responsibilities for patient data protection. (2) Staff Responsibilities: clear accountability at board level. (3) Training: all staff complete annual data security awareness training. (4) Managing Data Access: role-based access controls. (5) Process Reviews: regular audits. (6) Responding to Incidents: ICO breach notification within 72 hours. (7) Continuity Planning: business continuity plans tested annually. (8) Unsupported Systems: no unsupported software processing patient data. (9) IT Protection: Cyber Essentials Plus mandatory. (10) Accountable Suppliers: third-party data security requirements.
Non-compliance with DSPT has severe operational and regulatory consequences. NHS Digital blocks connection to NHS Spine services (patient demographic services, e-Referrals, Summary Care Records, GP Connect), existing data sharing agreements are suspended, care.data access is revoked, CQC inspections may rate your organisation as inadequate, ICO investigations carry potential fines up to £17.5M or 4% annual turnover, and commissioners may withhold contract payments or terminate agreements. GP practices cannot access Choose and Book or SCR without DSPT compliance.