The new NHS cyber reality

Written by Gareth Jones | Mar 26, 2026 9:23:41 AM

If you’ve been working in or around NHS digital teams over the last year, you’ve likely felt the ground shift. We have moved away from the era of the "checkbox" and into the era of the "outcome."

For years, the Data Security and Protection Toolkit (DSPT) was the yardstick. It was a long list of requirements where "Yes" was the goal. But as we head toward #CyberUK 2026 in Glasgow, the conversation has changed. With the 2025/2026 DSPT now fully aligned with the NCSC Cyber Assessment Framework (CAF), the question isn’t just "Do you have a policy?" It’s "Does your security actually work when it matters?"

Why the shift to CAF matters

CAF reframes security as capability. Its four objectives translate directly to operational resilience and patient care: manage security risk, protect against attack, detect events and minimise impact.

What good looks like in practice:

  • Manage security risk → Identify your “crown jewels” (clinical services and the systems that support them), map their dependencies and review them quarterly as a Board-level risk.

  • Protect against attack → Baseline your controls against the threat; prioritise identity, privileged access, segmentation, patching and secure configuration.

  • Detect events → Establish minimum logging coverage and use cases that surface patient‑impacting anomalies fast.

  • Minimise impact → Prove you can restore clinical services quickly with exercised runbooks and time‑to‑restore metrics owned by operations.

Clinical safety is a cyber outcome

This shift is directly tied to Pillar 4 of the Health and Social Care Cyber Strategy: Build Secure for the Future. It acknowledges a truth we’ve all known for a while: cyber security is a clinical safety issue.

When we talk about "Secure-by-Design," we aren't just talking about code. We are talking about ensuring that when a Trust buys a new patient record system or a connected medical device, security is baked into the procurement and implementation.

We want systems that are inherently resilient so that clinicians can focus on care, not workarounds.

The roadmap to June 30th

We are currently in the "baseline" and "audit" window for the June 30, 2026 deadline. This year is unique because many Trusts are undergoing independent audits to validate their CAF-aligned submissions.

It can feel like a lot of extra work, but there’s a silver lining here. The CAF gives us a better language to speak to the Board. Instead of talking about technical vulnerabilities, we can talk about business continuity and patient safety. It turns cyber security from a "cost centre" into a "resilience engine."

Meet us at CYBERUK?

We’ll be in Glasgow from 21st to 23rd April 2026. If you’re navigating the move to CAF, or trying to work out how to balance these new mandates with limited clinical resources, book time with the Methods team on-site. We’d love to help you translate outcomes into resilient operations.

The move from a checklist to an outcome-based model is a challenge, but it’s the right one if we want to build a safer, more resilient NHS.

#NHS #CyberSecurity #HealthcareIT #CyberUK #CAF #DSPT #PatientSafety #Methods