NHS England is in the process of transitioning from its long-standing Smartcard-based identity system to CIS2 — the Care Identity Service 2. The Smartcard system has been the backbone of NHS staff identity verification and role-based access to Spine-connected clinical systems since the early 2000s. CIS2 introduces modern authentication approaches while preserving the role-based access control model that NHS organisations depend on. For IG teams, the transition has significant implications for access policies, DPIA requirements, and your DSPT evidence.
What is CIS2?
The Care Identity Service 2 (CIS2) is NHS England's new national identity and authentication platform. It is designed to support modern authentication methods — including biometrics, authenticator apps, and device-bound credentials — as alternatives to the physical Smartcard and card reader combination that has been required for Spine access since the NHS National Programme for IT era.
CIS2 uses open standards (OpenID Connect and OAuth 2.0) and is integrated with the NHS Identity platform. It is designed to support: mobile and remote working without the need for physical card readers, high-assurance authentication using multi-factor approaches, and federation with other identity providers where appropriate.
What Stays the Same
The CIS2 transition does not replace the underlying role-based access control (RBAC) model that governs what NHS staff can access and do in Spine-connected systems. The Jobs and Role-Based Access Control framework — which maps staff roles, professional registrations, and job descriptions to permitted access rights — remains in place. What changes is the authentication mechanism: how staff prove who they are before the RBAC permissions are applied.
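The two-step split described above (prove identity via an OpenID Connect ID token, then apply the unchanged RBAC model) as an added Python example; this is not code from the original page or from NHS England. The issuer, client id, assurance-level claim name, RBAC table and the HS256 demo key are all assumptions constructed so it runs offline; a production relying party validates the provider's asymmetrically signed tokens against its published key set.

```python
import base64, hashlib, hmac, json, time

# Constructed demo key and relying-party settings (HS256 only so the example runs offline).
DEMO_KEY = b"constructed-demo-secret"
ISSUER = "https://idp.example/cis2"              # placeholder issuer
CLIENT_ID = "demo-rp"                            # placeholder client_id
ACR_CLAIM = "authentication_assurance_level"     # hypothetical claim name
MIN_ACR = 3                                      # hypothetical MFA assurance level

# Constructed RBAC table (sub -> role) and revocation set, kept by the RA/leaver process.
ROLES = {"staff-001": "clinician", "staff-002": "admin-clerk"}
REVOKED = {"staff-002"}

def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64u(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_demo_token(claims: dict) -> str:
    """Mint a constructed HS256 ID token (stands in for the identity provider)."""
    head = _b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64u(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64u(sig)}"

def authenticate(token: str, nonce: str, now=None) -> dict:
    """Step 1: prove who the caller is. Raises ValueError on any failed check."""
    head, body, sig = token.split(".")
    if json.loads(_unb64u(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # refuse alg confusion
    expected = hmac.new(DEMO_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64u(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64u(body))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now or claims.get("nonce") != nonce:
        raise ValueError("expired token or nonce mismatch")
    if claims.get(ACR_CLAIM, 0) < MIN_ACR:
        raise ValueError("authentication assurance too low for clinical access")
    return claims

def authorise(claims: dict) -> str:
    """Step 2: apply the unchanged RBAC model; revoked subjects get no role."""
    sub = claims["sub"]
    if sub in REVOKED or sub not in ROLES:
        raise PermissionError(f"{sub} has no active role")
    return ROLES[sub]
```

The point to take from the split is that the leaver process only needs to update the role table and revocation set; the authentication step is the identity provider's concern.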
What Changes for IG Teams
Identity Assurance Policies
Your organisation's identity assurance policy — covering how staff identities are verified, how Smartcards or CIS2 credentials are issued, and how they are suspended or revoked when staff leave — will need to be updated to reflect CIS2 authentication methods. The policy should cover: how multi-factor authentication is enrolled and managed, what happens to credentials when a member of staff is suspended, and how credential compromise is detected and reported.
DSPT Implications
The Data Security and Protection Toolkit (DSPT) requires organisations to demonstrate appropriate access controls for systems containing patient data. As CIS2 rolls out, DSPT submissions should reflect the authentication method in use (Smartcard, CIS2, or both during a transition period) and evidence that access rights are regularly reviewed and revoked for leavers.
DPIA Considerations
If your organisation is adopting CIS2-authenticated systems that process special category health data at scale, you may need to conduct or update a Data Protection Impact Assessment. Key risk areas to assess include: the security of CIS2 credential management, the implications of mobile and remote access to clinical systems, and your ability to detect and respond to unauthorised access.
Practical Steps for IG Teams
- Engage with your IT and Spine Registration Authority (RA) team to understand the CIS2 rollout timeline for your organisation
- Review and update your identity assurance and access control policy to reference CIS2
- Ensure your leaver process captures CIS2 credential revocation as well as Smartcard revocation
- Update your ROPA to reflect any new CIS2-connected systems introduced as part of the transition
- Review your DSPT submission to ensure access control evidence reflects the current authentication method
Folelse's NHS IG module includes access policy templates, DPIA guidance, and DSPT evidence tracking tools to support your CIS2 transition documentation.