The DSPT is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian’s 10 data security standards and must be reported yearly if interacting with patient data.
The DTAC is an assessment framework for care commissioners and providers to use when assuring digital health technology (DHT) product. It is a procurement step and as of Feb 26 has been reviewed and the form updated.
The CAF sits above both DSPT and DTAC. It’s the overarching cyber resilience framework that the DSPT now maps onto, while DTAC is specifically for procurement of new products & services
The Cyber Assessment Framework was built by NCSC for operators of essential services under the NIS Regulations. It’s structured around 4 objectives, 14 principles, and 39 contributing outcomes, assessed using Indicators of Good Practice (IGPs) rated as achieved, partially achieved, or not achieved. The four objectives are: managing security risk, protecting against cyber attack, detecting cyber security events, and minimising the impact of cyber incidents. CAF v4.0 (2025) added coverage for AI-related cyber risk, secure software development, and enhanced threat hunting.
The DSPT is now an outcome-based assessment that inherits the CAF’s structure but adds NHS-specific context.The CAF is the parent framework that the DSPT now aligns to. Since September 2024, NHS trusts, foundation trusts, ICBs, CSUs and DHSC arm’s length bodies must complete a CAF-aligned DSPT. The DSPT questions now map to the CAF’s objectives and principles, with 47 contributing outcomes (the 39 CAF outcomes plus additional health-specific information governance outcomes).
DTAC doesn’t reference the CAF at all. DTAC evaluates products; the CAF evaluates organisational cyber resilience. They operate at completely different layers.
| CAF | DSPT | DTAC | |
| Assesses | Org cyber resilience | Org cyber resilience + IG | Specific product |
| Structure | 4 objectives, 14 principles, 39 outcomes | 47 outcomes (39 CAF + 8 health IG) | 5 domains, pass/fail + % scores |
| Approach | Outcome-based, expert judgement | Outcome-based (since 2024), self-assessment + independent audit | Checklist + evidence-based |
| Covers | Risk management, supply chain, network security, resilience, detection, incident response | Everything in CAF + data protection, confidentiality, staff training, NDG standards | Clinical safety, data protection, technical security, interoperability, usability |
| Doesn’t Cover | Clinical safety, interoperability, usability | Product-level assessment | Organisational cyber maturity, incident response, network architecture |
| Mandatory For | Operators of essential services | All orgs handling NHS data | Digital health tech entering NHS |
| Independent Audit | Required | Required for Cat 1 & 2 orgs (from 2025/26) | No |
| Origin | NCSC | NHS England (built on CAF + NDG) | NHS England |
API Crazy 