July 3rd, 2026 at 11:44 am
If your product is going into the NHS, DTAC compliance is a buyer requirement, not a nice-to-have. Version 2 was published on 24 February 2026; the older form should not be used after 6 April 2026, and the updated process is shorter but still demanding across the same five domains.
DTAC is the NHS’s digital assurance framework for healthtech vendors, and Version 2 became the new standard from 6 April 2026. It still covers clinical safety, data protection, technical security, interoperability, and usability/accessibility, but the question set was trimmed by about 25% and the guidance was refreshed to remove duplication. If your product is patient-facing, clinician-facing, or deployed by an NHS organisation, you should treat DTAC as part of your launch plan, not something to fix later.
What DTAC means
DTAC stands for the Digital Technology Assessment Criteria. It is the NHS buyer’s framework for checking whether a digital health product is safe, secure, usable, and appropriate for deployment in a care setting. It is not a central “approved app” badge; the deploying NHS organisation still has to review the evidence and make the local decision.
That matters because many founders assume NHS England signs off the product once and for all. In reality, the evidence pack needs to be strong enough for procurement, clinical review, and local assurance by the buying organisation.
What changed in Version 2
The updated DTAC form is version 2.0 and was last updated on 24 February 2026. NHS England says manufacturers must provide this version from 6 April 2026 when health and care organisations request DTAC evidence. The form was simplified, with around 25% fewer questions and less duplication with other assurance routes such as the DSPT and pre-acquisition questionnaires.
The important strategic point is that the process got shorter, but the underlying expectations did not disappear. The update is about clarity and consistency, not a lower bar.
DTAC Version 2 simplifies the assessment process while maintaining the same five core compliance domains.
The five domains
DTAC still centers on five domains: clinical safety, data protection, technical security, interoperability, and usability/accessibility.
Clinical safety
Clinical safety asks whether the product could create harm in real-world use. If your product affects care decisions, patient journeys, or clinician workflows, this domain is essential from day one.
Data protection
Data protection evidence should show how the product handles UK GDPR and DPA 2018 obligations, including data flows, privacy risks, and DPIAs where needed. NHS reviewers will want to understand how personal and special category health data moves through the system.
Technical security
Security evidence needs to demonstrate more than good intentions. A practical baseline often includes Cyber Essentials Plus, and stronger organisations may also show ISO 27001-aligned controls or other security governance.
Interoperability
If your product connects to NHS systems, you should be ready to show evidence for the standards you claim to support. That usually means things like HL7 FHIR UK Core, NHS Number, SNOMED CT, or NHS Login where relevant.
Usability and accessibility
DTAC still expects the product to work for real users in real contexts. Version 2 streamlines this area, but accessibility and usability still need evidence, not just a design statement.
DCB0129 and DCB0160
DCB0129 is the clinical risk management standard for manufacturers of health IT systems. It is the manufacturer-side safety standard, so if you build the software, this is your responsibility.
DCB0160 applies to the NHS organisation deploying or using the system. The deploying organisation must satisfy itself that the manufacturer has done the right clinical safety work before rollout.
A common failure point is leaving clinical safety until the end of the project. In practice, the Clinical Safety Officer, hazard log, and Clinical Safety Case Report should be set up early and maintained throughout development.
When MHRA also matters
DTAC is not the same as medical device regulation. If your software qualifies as Software as a Medical Device or AI as a Medical Device, MHRA requirements may apply alongside DTAC.
That means a product can be DTAC-ready but still not be ready for NHS sale if the MHRA side has not been addressed. For some products, the correct path is DTAC plus the pre-acquisition questionnaire plus any required medical device compliance work.
DTAC Version 2 simplifies the assessment process while maintaining the same five core compliance domains.
Cost and timeline
A realistic DTAC readiness effort usually takes 3 to 6 months if you are starting from scratch. The cost depends on the maturity of your product, but teams often need to budget for clinical safety work, security review, accessibility testing, documentation, and legal support.
Cyber Essentials Plus is often used as a security baseline, and 2026 UK pricing guides place it in the low-thousands-per-year range, with remediation and internal preparation adding more if the company is not already secure by design. The key point is that DTAC readiness should be part of product planning, not a last-minute procurement scramble.
Common failure points
Most DTAC delays come from a familiar set of mistakes.
- The Clinical Safety Officer is appointed too late.
- Security evidence is out of date or incomplete.
- The DPIA is missing or not fit for purpose.
- Interoperability claims are made without proof.
- Accessibility claims are made without testing evidence.
- The team confuses manufacturer duties with deploying-organization duties.
- Change-control evidence is weak or missing.
Pre-submission checklist
Use this as a readiness checklist before sending your product into NHS review.
- Confirm whether DTAC applies to the product scope.
- Check whether MHRA review may also apply.
- Use the current DTAC v2 form.
- Name the Clinical Safety Officer and prepare DCB0129 evidence.
- Complete or refresh the DPIA and data-flow documentation.
- Gather security evidence, including Cyber Essentials Plus where relevant.
- Collect interoperability evidence for every NHS integration claim.
- Run or update accessibility testing evidence.
- Document your change-control process.
- Map third-party suppliers and dependencies.
- Keep all supporting documentation in one review pack.
- Make sure the deploying NHS buyer knows what evidence already exists.
What buyers look for
NHS buyers want three things: safety, security, and deployability. They are not only checking whether the demo works; they want evidence that the product can operate safely in a live care environment.
That is why a complete evidence pack matters so much. The better your documentation, the faster the review usually moves.
FAQ
Is NHS DTAC mandatory?
Yes, for digital health technology being deployed in the NHS, DTAC is generally expected as part of the buyer assurance process.
What changed in DTAC Version 2?
Version 2 was updated on 24 February 2026, removed around 25% of the questions, and becomes mandatory from 6 April 2026.
What is the difference between DTAC and UKCA?
DTAC is the NHS buyer’s assurance framework. UKCA is a regulatory marking issue that applies when the software qualifies as a medical device.
Do I need DCB0129 for an MVP?
If the MVP touches clinical workflow or patient care, clinical safety evidence should be considered early, not left until later.
How long does DTAC compliance take?
A realistic estimate is 3 to 6 months if you are starting from scratch.
Can a non-clinician be the Clinical Safety Officer?
The role should be filled by someone with the right clinical competence and safety training for the NHS process.
What is the difference between DCB0129 and DCB0160?
DCB0129 applies to the manufacturer. DCB0160 applies to the deploying NHS organisation.
Is DTAC needed if my app is only patient-facing?
Often yes, if the NHS is commissioning or deploying it in a healthcare context.
Healthcare Founders Decision
DTAC Version 2 is simpler to navigate than the old form, but it still expects strong evidence across safety, security, interoperability, data protection, and accessibility. Healthtech founders who build the evidence pack while building the product will move faster through NHS procurement than teams that leave compliance until the end.
Book a free 30-minute DTAC readiness review with a Nordstone clinical compliance lead.