The Data Security and Protection (DSP) Toolkit is the annual mandatory submission for any UK organisation accessing NHS data. The 2025-26 version refreshed multiple assertions, increased evidence expectations, and tightened cloud + supply-chain assertions. This is the practical NHS field guide for IT + DPO teams.
Who submits + when
- NHS Trusts + Foundation Trusts — annual submission by 30 June.
- GP practices, PCNs, federations — annual submission via the PCSE platform.
- NHS-commissioning organisations + ICBs.
- Suppliers + processors accessing NHS data (including software vendors, MSPs, third-party clinical service providers).
The 10 standards (refreshed for 2025-26)
- 1. Personal Confidential Data — staff understand their responsibilities.
- 2. Staff Responsibilities — training + awareness.
- 3. Training — annual data security training for all staff.
- 4. Managing Data Access — RBAC + JML processes.
- 5. Process Reviews — incident learnings + improvement.
- 6. Responding to Incidents — 72-hour breach reporting capability.
- 7. Continuity Planning — BCP + DR + tested recovery.
- 8. Unsupported Systems — risk register + remediation plan for EOL kit.
- 9. IT Protection — technical controls + patching.
- 10. Accountable Suppliers — third-party assurance + contracts.
The 2025-26 changes that bite
- Stronger cloud assertions — explicit evidence of the CSP's SOC 2 / ISO 27001 / Cyber Essentials Plus.
- Backup integrity tested — annual restore evidence required.
- MFA on privileged access — mandatory.
- Joiner / Mover / Leaver process evidenced — quarterly account review.
- Unsupported systems risk register — every EOL Windows 7 / Server 2012 / EMIS LV box documented with mitigation.
The 5 most common failure points
- Backup not actually tested — DSP requires annual restore evidence.
- JML not evidenced — auditors want a quarterly account review with leavers actually offboarded.
- MFA missing on admin accounts — particularly for SaaS clinical systems (EMIS, SystmOne, S1).
- EOL Windows / SQL Server still in production without documented mitigation.
- Third-party processors (MSPs, software vendors) without current Cyber Essentials Plus / ISO 27001 evidence.
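The quarterly account review behind the JML and privileged-MFA assertions (and two of the failure points above) is something the IT side can evidence with a repeatable check over a directory export. The script below is an added example, not Servnet's or the DSP Toolkit's own tooling; it assumes a hypothetical CSV export with the columns shown and a 90-day inactivity threshold, neither of which the page specifies.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional
import csv

STALE_DAYS = 90  # assumed inactivity threshold; the page does not fix one
REVIEW_DATE = date(2025, 6, 30)  # quarter end used for the constructed sample

@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    privileged: bool
    mfa: bool
    last_logon: date
    leaver_date: Optional[date]  # populated by HR once the person has left

def parse_export(text: str) -> list:
    """Parse a hypothetical CSV export of directory accounts (assumed columns)."""
    accounts = []
    for row in csv.DictReader(text.splitlines()):
        b = {k: row[k].strip().lower() == "true" for k in ("enabled", "privileged", "mfa")}
        accounts.append(Account(row["username"], b["enabled"], b["privileged"], b["mfa"],
                                date.fromisoformat(row["last_logon"]),
                                date.fromisoformat(row["leaver_date"]) if row["leaver_date"] else None))
    return accounts

def review(accounts, as_of: date) -> list:
    """Return (username, finding) pairs that the quarterly review must close out."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # already offboarded; nothing further to evidence
        if a.leaver_date and a.leaver_date <= as_of:
            findings.append((a.username, "leaver still enabled"))
        if a.privileged and not a.mfa:
            findings.append((a.username, "privileged account without MFA"))
        if (as_of - a.last_logon).days > STALE_DAYS:
            findings.append((a.username, f"no logon in over {STALE_DAYS} days"))
    return findings

# Constructed sample export; usernames and dates are invented.
SAMPLE_EXPORT = """username,enabled,privileged,mfa,last_logon,leaver_date
jsmith,true,false,true,2025-06-20,
aadmin,true,true,false,2025-06-28,
bleaver,true,false,true,2025-03-01,2025-04-30
cold,true,false,false,2025-01-15,
svc_backup,false,true,false,2024-12-01,
"""
```

Run quarterly, the output plus the ticket closing each finding is the kind of evidence the JML and MFA assertions ask for.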
What Servnet does
Servnet supports NHS organisations through DSP Toolkit submission — gap analysis, evidence pack preparation, controls deployment for the IT-side assertions.
Typical engagement: 8-12 weeks from kick-off to submission for trusts; 4-6 weeks for PCNs / smaller orgs.
See our Healthcare IT practice for the broader NHS supply chain context.