If you sell technology or digital services into the NHS, you quickly learn there are two conversations happening at once. The first is the one you want to have: outcomes, users, clinical value, delivery. The second is the one procurement and onboarding teams need to have: “Are you safe to connect?”

That second conversation is where DSPT Compliance lives. Not as a badge to show off, but as a gate that either opens smoothly or stays firmly shut.

DSPT is less about paperwork, more about permission

The NHS Data Security and Protection Toolkit (DSPT) is a mandatory annual online self-assessment for organisations that access NHS patient data or NHS systems. It’s built around the National Data Guardian’s 10 Data Security Standards, and it’s designed to create a consistent, checkable assurance trail.

It’s also not a traditional “certification”. You’re expected to assess your controls, answer evidence questions, reference or upload supporting documentation, and publish an annual status that NHS organisations can see and use during procurement and onboarding.

That “published” element is the point. It turns security assurance from a set of claims in a tender response into something verifiable.

Who gets pulled into DSPT (and why it surprises smaller suppliers)

There’s a common misconception that DSPT is for NHS Trusts and big health bodies. In practice, many smaller suppliers get caught by it early, especially those who:

  • Sell IT or digital services into the NHS
  • Support, integrate with, or maintain NHS systems
  • Access NHSmail or other NHS platforms
  • Process personal, confidential, or health data under an NHS contract

For these organisations, DSPT isn’t “nice to have”. It’s often a prerequisite for working with the NHS at all.

The commercial risk is basic: “no status, no progress”

A missing or lapsed submission doesn’t just create compliance risk. It creates deal friction.

Without a published “Standards Met” status, suppliers can be excluded from procurement, refused access to NHS systems, and put existing contracts at risk – with non-compliance visible.

Even when a buyer wants to work with you, onboarding teams tend to be process-led for good reasons. If DSPT is part of the checklist, it becomes a stop/go control. That’s why organisations feel the pain most acutely at the worst possible time: late-stage procurement, pre–go-live, contract renewal.

Category 3 is “proportionate” – but still evidence-heavy

Most small IT and digital providers register as “Other” organisations and fall into Category 3, the category most often used for smaller suppliers. Category 3 is designed to be proportionate and doesn’t require an independent audit, but it still requires dozens of mandatory evidence items.

The difference between an easy submission and a stressful one usually comes down to whether you already run the business in a way that produces evidence, not whether you can write policies quickly.

What “evidence” actually looks like in day-to-day terms

DSPT asks you to show how you manage data security across people, process and technology. For many Category 3 organisations, that typically means documented evidence in areas like:

  • Data protection and information security governance
  • Staff roles, responsibilities and annual training
  • Access controls and user management
  • Incident and breach response
  • Business continuity planning
  • Technical controls such as MFA, patching and encryption
  • Supplier / third-party assurance
  • Digital asset management, including a digital asset register

The useful (and sometimes uncomfortable) detail is that you’re expected to show how risks are identified and reduced in practice, not simply that a policy exists.

This is where suppliers often trip. They can produce an Information Security Policy, but they can’t show how their joiners/movers/leavers process really works, how patching is assured across endpoints, or which suppliers touch live data and what checks exist on them.

Why “annual” matters more than people expect

DSPT is an annual requirement, and the expectations shift from year to year. From a supplier perspective, the operational implication is simple: you don’t “complete” DSPT once. You maintain it.

That might mean revisiting your evidence after platform changes (new HR system, new IT provider, new endpoint tooling), updating training records and incident logs, or refreshing documents so they match how you actually work now.

Treating DSPT as a recurring governance task reduces the last-minute scramble and makes procurement less fragile.

A practical way to think about DSPT Compliance

If you want a clean mental model, don’t think of DSPT Compliance as a form to fill in. Think of it as your “NHS connection pack”.

It answers the questions NHS teams are implicitly asking:

  • Do you know what data you handle and where it flows?
  • Do you control who can access it, and can you prove it?
  • If something goes wrong, do you have a plan you’ve actually rehearsed?
  • Are your suppliers part of your security perimeter, or a blind spot?

When your evidence naturally falls out of normal operations, DSPT becomes routine. When it doesn’t, DSPT becomes a crash project – and those are rarely good for delivery teams or commercial timelines.