What is NHS DTAC? Digital Technology Assessment Criteria — A Complete Guide
Digital health technology is transforming how care is delivered across the NHS. From AI-powered diagnostics to remote patient monitoring platforms, the pace of innovation in healthtech has never been faster. But with that pace comes an important question: how does the NHS know which technologies are safe, secure, and genuinely fit for purpose?
That is what DTAC is designed to answer. If you are selling or deploying a digital health product within the NHS, DTAC is almost certainly in your future — and the sooner you understand it, the better prepared you will be.
What is NHS DTAC?
DTAC stands for Digital Technology Assessment Criteria. It is the NHS's assurance framework for evaluating digital health technologies before they are adopted or deployed across health and social care settings.
Think of DTAC as the NHS's minimum quality standard for digital products. It assesses whether a technology meets baseline requirements across five key areas: clinical safety, data protection, cyber security, interoperability, and usability and accessibility.
DTAC was developed by NHS England and NHS Improvement to create consistency in how NHS organisations evaluate digital products during procurement. Rather than every trust running its own ad hoc assessment, DTAC provides a shared standard that any NHS buyer can use to evaluate any supplier.
Who is DTAC For?
DTAC applies to innovators and suppliers offering digital health technologies that the NHS will use. NHS England describes DTAC as:
"Designed to be used by healthcare organisations to assess suppliers as part of a due diligence process, to make sure digital technologies meet our minimum baseline standards."
In practice, if you are building a product — whether software, an app, an AI tool, or a connected device — that an NHS organisation will use in any care setting, you will likely need to demonstrate DTAC compliance before you can deploy or go live. Importantly, DTAC is required before pilots as well as before full procurement. Even seemingly low-risk tools often fall within scope, because NHS buyers use DTAC as their standard due diligence benchmark.
DTAC 2.0: What Changed in 2026?
In February 2026, NHS England released an updated version of DTAC — widely referred to as DTAC 2.0. The update introduced important changes to the DTAC form and revised the scope of the framework. Key changes include:
- A revised and clarified DTAC questionnaire form, designed to reduce ambiguity and improve consistency in how suppliers evidence compliance
- Updated scope definitions, with clearer guidance on which technologies and organisations are in scope
- Ongoing NHS England consultation with suppliers and NHS trusts to improve consistency and reduce duplicated effort across assessments
If you completed DTAC prior to 2026, it is worth reviewing your documentation against the updated DTAC 2.0 requirements. Some sections may need to be updated or re-evidenced.
The Five Components of DTAC
DTAC is structured around five assessment areas. Each must be addressed in your compliance submission. Here is what each component involves:
1. Clinical Safety (DCB0129): Demonstrates that your product has been developed with clinical safety at its core, following the NHS clinical risk management standard DCB0129.
Component 1: Clinical Safety — DCB0129
Clinical safety is the most complex component of DTAC and is governed by NHS information standard DCB0129. This standard requires any manufacturer of a health IT system to systematically identify, assess, and mitigate clinical risks that might arise from using the software.
To meet DCB0129, you must produce and maintain three core documents:
1. Clinical Risk Management Plan (CRMP) — A document setting out how your organisation will manage clinical safety throughout the product's lifecycle, including roles, responsibilities, and governance.
2. Hazard Log — A structured record of all identified clinical risks, their potential causes and consequences, the likelihood and severity of each, and the controls put in place to mitigate them.
3. Clinical Safety Case Report — A formal argument, reviewed and signed off by a qualified Clinical Safety Officer (CSO), that your product is sufficiently safe for its intended clinical use.
All three documents must be approved by a named Clinical Safety Officer (CSO) — a registered clinician who has completed NHS-recognised clinical safety training. Many early-stage healthtech companies use an external or fractional CSO to fulfil this requirement cost-effectively.
2. Data Protection: Demonstrates lawful, GDPR-compliant handling of personal and health data, and compliance with the NHS Data Security and Protection Toolkit (DSPT).
Component 2: Data Protection
Data protection is a core pillar of DTAC, reflecting the sensitivity of health and care data and the legal obligations that come with processing it. To meet this component, you need to:
- Understand and document how data flows through your product — a Record of Processing Activities (ROPA)
- Conduct a Data Protection Impact Assessment (DPIA) for any high-risk processing activities
- Demonstrate compliance with UK GDPR, including appointing a Data Protection Officer or Data Protection Lead where required
- Complete and maintain a valid submission to the NHS Data Security and Protection Toolkit (DSPT) with a "Standards Met" status
- Have a published, clear Privacy Notice explaining how data is used
DSPT and DTAC are closely linked: DSPT is embedded within DTAC as a data protection requirement. You cannot achieve DTAC compliance without also completing DSPT.
3. Cyber Security: Demonstrates technical security controls sufficient to protect NHS data, including Cyber Essentials certification and penetration testing.
Component 3: Cyber Security
Healthcare data is among the most heavily targeted by cybercriminals, making cyber security a non-negotiable element of DTAC. The cyber security component assesses whether your technology and organisation have the technical controls needed to protect NHS data from attack. Requirements include:
- A current Cyber Essentials or Cyber Essentials Plus certificate
- Results of an external, manual penetration test and a documented action plan for any findings
- Evidence of a secure development lifecycle (SDL) with security built in from the start
- Multi-factor authentication (MFA) and strong authentication controls across your systems
- Vulnerability management and patching procedures — evidence that your systems are kept up to date
- Secure hosting and cloud architecture, with evidence of relevant security configurations
4. Interoperability: Demonstrates how your product interacts with other NHS systems and data platforms, using recognised standards where applicable.
Component 4: Interoperability
Interoperability assesses how well your product integrates with the broader NHS digital ecosystem. The NHS has a strong interest in avoiding siloed tools that cannot share data with other clinical systems. This component requires you to demonstrate:
- Use of recognised health data standards such as HL7 FHIR where applicable
- Clear API and data model documentation
- Data flow diagrams showing how data moves between your system and others
- Safe handling of integration failures or data exchange errors
- A clear justification if your product does not integrate with any other systems
For products that are genuinely standalone and do not integrate with other clinical systems, the justification for this approach must be clearly evidenced.
5. Usability & Accessibility: The only scored component — demonstrates that your product is accessible and usable for all intended users, including those with disabilities.
Component 5: Usability and Accessibility
Usability and Accessibility is unique within DTAC: it is the only scored section, and it is acceptable to be "working towards" compliance in some areas rather than fully meeting all requirements from day one.
This component recognises that digital health tools must be genuinely usable by all clinicians, patients, and carers who need them — including those with disabilities or lower digital literacy. To score well, you should demonstrate:
- Accessibility support that meets WCAG 2.1 AA standards as a minimum
- A clear and thoughtful user journey map for all key user types
- Evidence of user testing conducted with real users — not just internal testing
- Documentation explaining how design decisions support safe and effective clinical use
Do not overlook this section. Strong usability and accessibility is not just a compliance requirement — it directly supports safer and more effective clinical use of your product.
The DTAC Compliance Process
Unlike ISO 27001 or Cyber Essentials, there is no central DTAC certification body and no formal accreditation. DTAC compliance is demonstrated directly to the NHS buyer, typically a trust, Integrated Care Board (ICB), or commissioning organisation.
Here is how the process typically works:
1. Complete the DTAC requirements. Work through all five components, producing the required documentation and evidence for each.
2. Complete the DTAC questionnaire. The DTAC 2.0 form guides you through each component and requires you to provide evidence against each requirement.
3. Assemble your evidence pack. Compile supporting documentation, policies, certificates, test results, clinical safety documents, and so on, alongside your completed form.
4. Submit to the NHS buyer. Your DTAC form and evidence are submitted directly to the NHS organisation you are working with, not to a central body.
5. Respond to queries. The NHS buyer reviews your submission and may raise questions or ask for additional evidence.
6. Keep it current. Any changes to your product that affect clinical risk, data flows, or security architecture require you to update your DTAC documents.
How Long Does DTAC Take?
The honest answer is: it depends. Companies with little existing compliance documentation can take three to six months or more for a first DTAC submission. Those with existing policies, Cyber Essentials certification, and some clinical safety groundwork can move considerably faster — often within six to eight weeks with focused support.
Starting DTAC early, before an NHS buyer asks for it, puts you in a far stronger position during procurement conversations.
What Happens If You Do Not Have DTAC?
Without DTAC, most NHS procurement teams will pause or decline to proceed. In practice, missing DTAC can mean:
- Blocked or delayed pilots
- Stalled procurement processes
- Loss of trust with clinical or commercial champions inside NHS organisations
- Reputational risk with investors and partners who understand the NHS market
The message from the NHS market is consistent: DTAC is the entry ticket, not an optional extra. Companies that treat it as optional lose deals to competitors who are already prepared.
DTAC and DSPT: Understanding the Relationship
One of the most common points of confusion for digital health companies is the relationship between DTAC and DSPT. Here is a simple way to think about it:
DTAC is the overarching NHS assurance framework for digital health products. DSPT is one of the specific requirements within DTAC's data protection component. You cannot be DTAC compliant without having a valid DSPT submission. But DSPT alone does not make you DTAC compliant.
Achieving both DSPT and DTAC compliance together, ideally alongside Cyber Essentials and DCB0129, represents a strong, comprehensive compliance position for any digital health company selling to the NHS.
Common DTAC Mistakes
From our experience supporting digital health companies through DTAC, these are the pitfalls that cause the most delays:
- Not starting early enough. DTAC takes time, especially the clinical safety component. Start at least three months before you need it.
- Treating DTAC as a form-filling exercise. Evidence quality matters. A superficial submission that does not reflect genuine practice will struggle under scrutiny.
- Overlooking interoperability. Companies focused on clinical safety and cyber security sometimes underestimate the documentation required for interoperability.
- Using an unqualified CSO. Your Clinical Safety Officer must be a registered clinician who has completed the required NHS training. This is non-negotiable.
- Not updating documents after product changes. DTAC is not a one-time submission. Significant changes to your product, especially changes affecting clinical risk or data flows, require document updates.
- Confusing DTAC with a certification. DTAC is not a certificate you receive. It is evidence-based assurance you provide to NHS buyers. There is no badge or logo, just a well-evidenced submission.
How Periculo Helps with DTAC
Our team combines clinical safety expertise, data protection knowledge, and cyber security experience to help you build a DTAC submission that genuinely reflects your product's safety and security posture.
- DTAC gap analysis and readiness assessment
- DCB0129 clinical safety documentation, with access to qualified fractional CSO partners
- DSPT submission support (embedded within DTAC)
- Cyber Essentials certification guidance
- DTAC questionnaire completion and evidence pack assembly
- Ongoing DTAC maintenance as your product evolves