Board and executive assurance: cyber security risk

Classification: Official
Publication reference: PRN02540

To:

  • NHS trusts and integrated care boards:
    • chief executive officers
    • chairs

cc.

  • NHS trusts and integrated care boards:
    • chief information officers
    • data protection officers and information governance
  • Regional communication leads

Dear colleagues,

Board and executive assurance: cyber security risk

The Government’s 10 Year Health Plan is transforming how services are delivered through greater digitisation. However, increased use of digital tools also brings new and enhanced risks that need to be managed. 

I am writing to ask boards and executives to assure themselves that cyber security risks are being managed effectively, with clear, sustained programmes for improvement.

Geopolitical events and technology developments are increasing the cyber security threats we face. As seen in well-documented incidents across the economy, the impact of a cyber attack is felt across the entire organisation, not just its digital function.

Consequently, plans to address cyber security risks need an organisation-wide response; this should receive proper scrutiny and assurance through organisational governance.

Data security and protection toolkit

The Data Security and Protection Toolkit (DSPT) is the standard that all frontline NHS organisations are expected to comply with and is aligned to the National Cyber Security Centre’s Cyber Assessment Framework (CAF). The next DSPT submissions are due at the end of June 2026. 

The DSPT details a range of outcomes, covering the following 5 objectives:

  1. managing cyber risk
  2. protecting against cyber-attack and data breaches
  3. detecting cyber security events
  4. minimising the impact of incidents
  5. using and sharing information appropriately

Supporting guidance

Alongside the guidance for executive and non-executive directors (Cyber security guide for executive and non-executive directors – NHS England Digital), we have also identified the 7 foundational outcomes that have the greatest impact on organisational cyber resilience.

These outcomes, set out in Annex A, are relevant for submissions up to 30 June 2026.

New cyber policies from September 2026

From September 2026, we will produce a series of new and updated directive cyber policies to be included in the next DSPT. This will cover issues including multi-factor authentication, high-severity alerts and end-point detection. In addition, the DSPT will be updated to incorporate the next evolution of the CAF, namely 4.0.

We have also provided cyber practitioners with a roadmap for the tightening of requirements for complying with DSPT each year from now until 2030. We therefore expect incremental progress and investment, year on year.

Executive accountability for cyber security

We strongly recommend that each organisation formally appoint a member of the executive team responsible for cyber security to assist the organisation’s board of directors in meeting their accountabilities. They should ensure:

  • the right cyber security measures are in place
  • risks are checked and managed
  • improvements are carried out across the organisation

We also recommend that organisations gain assurance of their emergency preparedness, with a particular focus on the operational impact of cyber incidents, which often have effects that last months and years. This should include exercises to assess clinical and operational readiness to cope with such disruptions.

In addition, we recommend that boards should receive an annual report outlining recovery plans for critical systems, including evidence that these plans have been tested.

All current evidence and advice suggest that organisations that put in place the right foundations are more resilient to the consequences of a cyber-attack. I hope this information helps you assure yourselves that the right measures are in place to protect the ongoing provision of services to the public.

Yours sincerely,

Tom Wechsler, Group Director for Cyber Security, NHS England | Department for Health and Social Care 

Annex A – Data security and protection toolkit (DSPT): key expectations and examples of good practice

The overall expectation is for NHS board members and executives to demonstrate grip and appropriate controls, proportionate to the risk and criticality; maintain evidence of compliance; and review and improve controls regularly. 

The requirements that boards and executives need to explore for assurance are set out in this Annex.

The detail of what should be submitted before or by the end of June 2026 is contained in this guidance: Cyber Assessment Framework (CAF)-aligned Data Security and Protection Toolkit (DSPT) guidance – NHS England Digital.

Asset management

The organisation must identify, record and manage all assets that support essential functions.

The requirements to meet this expectation are:

  • Maintain a complete and up-to-date asset inventory covering hardware, software, cloud services and data.
  • Maintain and regularly review an Information Asset Register (IAR).
  • Assign an owner for each asset.
  • Classify assets based on their importance to essential functions.
  • Identify and record dependencies (including supporting infrastructure where relevant).
  • Define and enforce lifecycle management (onboarding, change, patching and decommissioning).
  • Reconcile inventories against authoritative sources and resolve discrepancies.

Examples of good practice – asset management. All relevant assets are identified at an appropriate level of detail. Assets are prioritised by criticality. Ownership and accountability are clear. Assets are managed securely throughout their lifecycle.

Supply chain

The organisation must understand and manage cyber risks arising from suppliers and third parties.

The requirements to meet this expectation are:

  • Maintain a register of all suppliers that support essential functions.
  • Assess cyber risk before onboarding and at defined intervals thereafter.
  • Apply controls proportionate to supplier criticality.
  • Include security requirements in contracts, covering:
    • Minimum security standards
    • Incident notification
    • Audit rights
    • Secure offboarding
  • Monitor supplier compliance and track remediation to completion.

Examples of good practice – supply chain. The organisation understands supply chain risks and dependencies. Third-party connections are known and controlled. Security and data protection obligations are built into contracts. Supply chain incidents are considered in incident response plans. Data shared with suppliers is protected.

Identity, authentication and access control

The organisation must control access to systems and data.

The requirements to meet this expectation are:

  • Uniquely identify all users and services.
  • Verify identity before granting access.
  • Enforce multi-factor authentication (MFA) in line with national policy for:
    • Privileged access
    • Remote access
  • Apply least privilege access controls.
  • Review access rights at least quarterly and on role change.
  • Implement secure credential management, including:
    • Strong password policy
    • Secure storage
    • Timely removal of access

Examples of good practice – identity, authentication and access control. Shared accounts are not used unless risk-assessed and controlled. Joiners, movers and leavers are managed promptly. Access is role-based and regularly reviewed. Access is removed when no longer required.

Vulnerability management

The organisation must manage vulnerabilities to reduce risk to essential functions.

The requirements to meet this expectation are:

  • Operate a documented vulnerability management process consisting of the following activities:
    • Identify
    • Prioritise
    • Remediate or Mitigate
    • Verify
  • Scan systems at defined intervals and after significant change.
  • Prioritise remediation based on severity and business impact.
  • Identify unsupported or end-of-life systems and manage associated risk.
  • Define remediation timescales and enforce them.
  • Require formal approval for exceptions, with time limits and compensating controls.
  • Track all remediation to completion and retain evidence.

Examples of good practice – vulnerability management. Vulnerabilities are identified from multiple sources. Risk-based prioritisation is applied consistently. Exceptions are controlled and time bound. Evidence of remediation is maintained.

Backups

The organisation must ensure data and systems can be restored.

The requirements to meet this expectation are:

  • Backup systems and data required for essential functions.
  • Align backup scope to recovery objectives (RTO/RPO).
  • Protect backups from unauthorised access and tampering.
  • Define retention periods and storage locations.
  • Maintain segregated or offline copies where appropriate.
  • Test backups and restores at planned intervals and after major change.
  • Record and remediate restore failures.

Examples of good practice – backups. Backup arrangements reduce the risk of common failure. Backups are secure, automated and regularly reviewed. Restore capability is proven through testing.

Security monitoring

The organisation must detect potential security incidents affecting essential functions.

The requirements to meet this expectation are:

  • Define monitoring requirements for critical services.
  • Ensure monitoring covers:
    • Identity systems
    • Endpoints and servers
    • Network devices
    • Internet-facing services
    • Cloud environments (where used)
  • Collect logs centrally.
  • Ensure logs are time-synchronised, protected and retained.
  • Regularly validate monitoring coverage.
  • Tune alerts to reduce false positives and missed events.

Examples of good practice – security monitoring. Monitoring detects relevant security events in a timely manner. Critical log sources are onboarded and functioning. Detection rules are regularly reviewed and improved.

Incident response

The organisation must be able to respond effectively to cyber incidents.

The requirements to meet this expectation are:

  • Maintain an incident response plan based on identified risks.
  • Define roles, responsibilities, escalation paths and decision authority.
  • Cover the full incident lifecycle consisting of the following stages:
    • Detection
    • Triage
    • Containment
    • Eradication
    • Recovery
    • Post-incident review
  • Define internal and external communications, including regulatory reporting.
  • Include plans for prolonged outages.
  • Test the plan at planned intervals.
  • Record lessons learned and update the plan.

Examples of good practice – incident response. The plan is accessible when needed. Responsibilities and decision-making are clear. Exercises are carried out regularly. Improvements are tracked and implemented.