DTAC Version 2: What Digital Health Organisations Need to Know Before 6th April 2026

If you supply digital health technology to the NHS, there's a significant update you need to be aware of. NHS England published Version 2 of the Digital Technology Assessment Criteria (DTAC) on 24th February 2026, and the deadline for compliance is fast approaching.

What is DTAC?

DTAC is the national baseline framework for assessing digital health technologies used within the NHS and social care. Introduced in 2021, it brings together requirements across five core domains: Clinical Safety, Data Protection, Technical Security, Interoperability, and Usability & Accessibility. Any software-based digital health technology being procured by an NHS organisation needs a completed and up-to-date DTAC form.

What's Changed in Version 2?

NHS England reviewed its DTAC in 2024, engaging with industry, and revised its approach to make it simpler and less demanding for both suppliers and NHS bodies. As of February 2026, the key changes are: a new DTAC form with a 25% reduction in questions, de-duplicated with processes such as the Data Security and Protection Toolkit and the Pre-Acquisition Questionnaire; clearer guidance explaining DTAC's purpose, scope and how to complete assessments; and confirmed scope alignment with NICE, focusing DTAC on software-based digital health technologies.

On the clinical safety side, the previous requirement for the named Clinical Safety Officer to undertake training provided by NHS Digital no longer stands. NHS England has also identified and removed elements in DTAC where there is overlap with Medical Device Regulations, specifically within the clinical safety sections, with further removal planned for Class IIa medical devices and above as part of future work.

In short, Version 2 removes much of the duplication and ambiguity that had made V1 burdensome for suppliers and NHS organisations alike.

What Are the Key Deadlines?

As of 24th February 2026, NHS England introduced the updated DTAC form. Manufacturers and buying organisations should retire the previous version and transition to the updated form before 6th April 2026, after which the old form must not be used.

As part of the updated submission, suppliers may be asked to complete and attach further documentation, such as a Data Protection Impact Assessment (DPIA) or a Pre-Acquisition Questionnaire (PAQ). Where a product is both a digital health technology and a medical device, both the DTAC form and the PAQ may need to be completed.

What Does This Mean for You?

If you currently hold a completed DTAC submission under V1, you will need to update it. The new form is leaner, but it still needs to be accurate, current, and accompanied by the right supporting evidence.

It's also worth noting that DTAC applies alongside, but does not replace, other required approvals. Products may still need medical device certification or registration with the Information Commissioner's Office. For products that have access to NHS systems or patient data, suppliers must also complete and return the Data Security and Protection Toolkit (DSPT).

As part of ongoing reform work, NHS England is exploring the use of a centralised repository for hosting and maintaining DTAC documentation for individual products, to further reduce overheads and drive standardisation.

Looking Further Ahead

Further reviews are still ongoing for some of the standards within DTAC, such as DCB0129 and DCB0160, which help manage clinical risks in Health IT systems. There are also commitments to set standards for technology used in social care, updates to medical device rules, and work to further simplify the approach to standards, with DTAC to be updated as those changes happen.

The direction of travel is clearly toward a more streamlined, portable compliance model, with the government announcing plans to introduce an Innovator Passport over the next two years, allowing technology assessed by one NHS organisation to be rolled out to others without repeated compliance checks.

How Periculo Can Help

At Periculo, we support digital health suppliers in navigating the NHS compliance landscape, including DTAC submissions, Data Security and Protection Toolkit (DSPT) audits, and Cyber Essentials certification, which remains a mandatory requirement within the DTAC technical security section. If you need to update your DTAC submission ahead of the 6th April deadline, or you're starting your compliance journey for the first time, get in touch with our team today.