With CAF, DSPT and NIS2 shaping 2026 requirements, running a tabletop exercise is one of the fastest ways to surface gaps and build maturity within the NHS.
NHS organisations are under increasing pressure to strengthen Cyber Security, Incident Response and Governance ahead of the new Cyber Assessment Framework (CAF) aligned Data Security and Protection Toolkit (DSPT) and NIS2 requirements for 2026. Yet one of the most effective tools for improving NHS cyber readiness remains underused: the Tabletop Exercise (TTX).
A TTX gives NHS teams a safe, structured way to rehearse a realistic cyber incident and uncover gaps in their processes without any technical risk or system disruption.
For NHS organisations aiming to demonstrate stronger cyber assurance, TTX sessions are one of the quickest, most strategic steps you can take.
Why TTX Matters for NHS Cyber Security
A well-designed NHS TTX brings together Cyber, IG, Digital, Operations and Communications teams to walk through a simulated incident. In less than an hour, it provides clarity that formal policies alone cannot deliver.
Most NHS organisations discover at least one of the following during a TTX:
• Unclear roles and responsibilities
• Communication delays or confusion
• Missing escalation paths
• Unrealistic or untested assumptions
• Limited or inconsistent evidence
• Gaps between policy and real-world response
These weaknesses directly impact CAF outcomes, DSPT submissions, NIS2 readiness, and Board-level assurance.
How TTX Supports CAF, DSPT and NIS2 Compliance
A single NHS TTX meaningfully improves:
CAF: Strengthens governance, operational cyber understanding, risk ownership and incident response capability.
DSPT: Supports incident planning, leadership accountability, staff readiness and evidence generation.
NIS2: Demonstrates proactive preparation, structured decision-making and clear response capability ahead of 2026 enforcement.
For organisations needing fast, tangible improvements, TTX sessions deliver measurable value.
When NHS Organisations Should Run a TTX
The optimal time for NHS teams to run a TTX is January to March, immediately after the Christmas change freeze and before key governance and reporting cycles begin.
This timing provides:
• Early-year clarity
• Improved DSPT evidence
• CAF alignment
• NIS2 preparation
• Stronger SIRO and Board reporting
It sets a confident baseline for the entire year.
Preparing for 2026
With new legislation emerging, including the UK Cyber Security and Resilience Bill, and rising expectations across NHS organisations, 2026 will require stronger, more demonstrable Cyber Security maturity.
Now is the ideal time to review:
• Your alignment with the DSPT, CAF and NIS2
• Your organisation’s ability to evidence assurance
• Governance maturity and overall cyber readiness
Acting early reduces risk and builds sustainable confidence.
What a High-quality NHS TTX Looks Like
A strong NHS TTX should be:
• Attended by Trust executives and frontline staff
• Realistic and scenario-based
• Aligned with NHS cyber security standards and regulatory requirements
• Collaborative and supportive
• Structured around decision-making, escalation and communication
• Tailored to the organisation, not generic
• Followed by a practical, actionable improvement plan
A good TTX strengthens confidence - not just documentation.
Why NHS Organisations Choose M8 Solutions
M8 Solutions delivers NHS-specific TTX grounded in real incidents, regulatory expectations and governance requirements.
Our approach is:
• NHS-first
• Governance-led
• Evidence-focused
• Aligned with CAF, DSPT and NIS2
• Integrated with wider CISOaaS and Managed Cyber Service support
We ensure every session leaves your organisation with clearer roles, stronger evidence and improved cyber readiness for 2026.
A View From the NHS
Here's what Neil Godfrey, Deputy Director of Digital at East of England Ambulance Service NHS Trust, said after working with us:

Final Thoughts: NHS TTX Build Real Cyber Assurance
TTX give NHS teams something that policies alone can’t: a clear view of how their organisation responds under pressure. They highlight gaps quickly, build confidence, and create practical actions that strengthen CAF, DSPT and NIS2 readiness ahead of 2026.
If your NHS organisation would like to run a tailored TTX in the new year, or learn more about how we structure sessions, get in touch. We’d be happy to help.