Skip to content
8foldgovernance master
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • +44 (0)1273 569172
Book a Call

← From our blog

DTAC V2: What has changed, and how will this affect you

  • Published: March 30, 2026
  • Category: DTAC

Share this post

Avatar photo
Annie Marsh

Share this post

The arrival of the long-awaited Version 2 (V2) of the Digital Technology Assessment Criteria (DTAC), updated by NHS England, marks the first major review since the framework’s 2021 launch. However, it’s a far cry from the complete overhaul into an innovation passport system (although this is still being worked on) or a removal of swathes of NHS requirements.

So what does this really mean? What has actually changed and how will this impact organisations working with the NHS or looking to in the future? 

Learn More
NHS DTAC V2

Headline Updates

DTAC V2: What has changed, and how will this affect you

25% reduction in the number of questions.

DTAC V2: What has changed, and how will this affect you

Removal of duplicate questions, e.g. who is the DPO from DSPT, medical device questions from the PAQ.

DTAC V2: What has changed, and how will this affect you

DCB0129 has not been dropped in favour of ISO 14971 as some medical device manufacturers had hoped.

DTAC V2: What has changed, and how will this affect you

Clearer guidance on DTAC’s purpose, scope and how to complete the assessment

DTAC V2: What has changed, and how will this affect you

More alignment with NICE for software-based digital health technologies.

Updates per section

Clinical Safety Officer

Clinical Safety

What has changed?

Section C1 now includes some alignment with NICE terminology, some clarification around hardware products versus “whole systems”, and the scope of the DCB0129 documentation for whole systems. There is also a new “in and out of scope” list for different system types.

The framework now places a greater emphasis on demonstrating both risk identification and mitigation. It is no longer enough to simply acknowledge risks exist; you must demonstrate an active, systematic approach to how they are being managed and mitigated throughout the product lifecycle.

What this means 

This clarification of what is in and out of scope is a massive win; the guidance aims to curb the historical issue of developers trying to force-fit DTAC onto hardware. However, the terminology is not yet aligned with DCB0129 itself, so don’t be surprised if you see some lingering terminology mismatches while the standards catch up.

The whole system update effectively extends the requirements of DCB0129 to cover physical hardware safety. This move blurs the boundaries between traditional health IT information risk and medical device hardware risk, meaning your clinical safety case should now reflect the safety of the hardware-software interaction, not just the code.

dspt toolkit icon, data security and protection icon

Data Protection

What has changed?

Section C2 has removed references to your Data Protection Officer or DPO as this is found in your Data Security Protection Toolkit (DSPT) submission as well as some questions on data transfers. DSPT compliance is now mandatory for new products before release. ICO registration is now a firm requirement, removing the self-assessment option, aligning with DSPT.

Suppliers must also now provide ‘product transparency information’, detailing how patient data is used. Health tech companies will also be required to provide a copy of the product’s data usage terms and end-user licenses. 

Finally, products must indicate if they process deceased individuals’ data.

What this means

The new transparency requirement means suppliers will need to think about the best way to clearly explain how patient data moves through their systems; however, companies already completing DPIAs comprehensively – and making them available to their customers – should already be meeting this requirement.

New to market products likely won’t have processed patient data yet, but will still be required to complete the DSPT, which may appear to be a catch-22; considering the DSPT as a readiness audit is likely to be the best way to understand how to answer questions when no processing has happened yet.

By removing the wiggle room around DSPT, ICO registration and historical data gaps, we think the NHS is signalling that compliance is no longer a destination you reach after winning a contract — it is the prerequisite for the conversation even starting. 

DTAC V2: What has changed, and how will this affect you

Technical Security

What has changed?

The Cyber Security Charter is the main addition to this section, which is otherwise largely unchanged. Organisations that have Cyber Essentials and sign up to the Charter are no longer required to complete the remaining questions in this section, supporting the de-duplication goals of DTAC V2. 

The addition of the Software Security Code of Practice (also found in the Cyber Security Charter) is significant, requiring suppliers to ensure an effective secure software development lifecycle. 

What this means

Overall, the changes within the technical security component of DTAC are a positive development. They reduce duplication and facilitate the alignment of best practices and industry standards. This streamlines the process for organisations and demonstrates a commitment to a unified security approach.

DTAC V2: What has changed, and how will this affect you

Section D: Interoperability, Usability and Accessibility

What has changed?

This section has been streamlined, reducing the number of questions and offering better recognition for the diverse range of products completing the DTAC. The revised guidance provides better support for products that did not ‘fit the mould’ previously, allowing them to use ‘Not Applicable’ (NA) where appropriate and move through the subsequent sections with clearer direction.

Crucially, the scored component of this section has been removed. There is now a greater emphasis on APIs and interoperability, rather than accessibility.

These changes make the process fairer for companies that previously had numerous ‘NA’ scores in the assessment and ensure greater inclusivity for the different technologies emerging since the development of DTAC V1.

What this means

Overall, the adjustments in this section demonstrate a strategic push for increased interoperability across the healthcare system, which is expected to lead to better and more efficient patient care.

Why has it been updated?

The DTAC framework has been updated in response to significant feedback received. It was originally released to ensure the safe adoption of digital technology in what was a largely unregulated “Wild West” environment. The intention was to ensure that the technology would enable better, more efficient patient care.

However, concerns arose regarding inconsistent deployment, overlapping requirements, and administrative burdens on suppliers and deploying organisations. In 2025, NHS England’s formal surveys confirmed the market’s demand for simplification, de-duplication, and standardisation. This need is supported by a late 2025 study which revealed a median compliance rate of only 25.6% with key clinical safety standards (DCB0129 and DCB0160) among 239 NHS organisations. 

If the NHS is serious about its 10-Year Health Plan goal of transitioning from analogue to digital care, the regulatory framework needs to support that ambition, not work against it.

How can we help?

DTAC V2 introduces moderate adjustments that require updates to your existing documentation and processes. To ensure compliance and meet the April 6th deadline, it is essential to promptly review, implement, and integrate these changes.

If you are unsure about the necessary actions or how to approach implementation, contact our team today. We offer step-by-step guidance to ensure you confidently meet all new DTAC requirements, including the Cyber Security Charter and Software Security Code of Practice by the deadline.

Don't wait to be asked for an updated DTAC submission - get ahead now!

Schedule a call with our team to review your compliance approach and get actionable insights on preparing for NHS DTAC Version 2.

Speak to an Expert

Other Articles​

Loading...
DTAC for enterprise

The NHS DTAC – Compliance for Enterprise Health-tech Companies Made Simple

Read More →

November 17, 2025
Guide to the NHS DTAC

The Experts Guide to the NHS DTAC (Digital Technology Assessment Criteria)

Read More →

September 22, 2025
NHS DTAC Version 2 (DTAC V2): Navigating the Next Version of Digital Technology Assessment Criteria

NHS DTAC Version 2 (DTAC V2): Navigating the Next Version of Digital Technology Assessment Criteria

Read More →

September 4, 2025
8foldgovernance master

+44 (0) 1273 569172

info@8foldgovernance.com

SERVICES

  • AI Governance
  • Medical Device Registration
  • ISO Compliance
  • Full DTAC Support
  • Information Governance
  • Clinical Safety
  • Data Security & Protection
  • CQC Services
  • Cyber Security
  • 8foldTraining

LINKS

  • Contact
  • About
  • Meet The Team
  • Blog
  • Join Us
  • Case Studies
  • Charity Work
  • Partnerships
  • FAQs
DSPT Data Security And protection Toolkit 8Fold
Information Governance Badge 8 Fold
NPSORE
ABHI Member

 © 2026 8fold | Privacy Policy | Cookie Policy | Terms & Conditions

X We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. However you may visit Cookie Settings to provide a controlled consent.
Read More ACCEPT Cookie settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
Save & Accept