The arrival of the long-awaited Version 2 (V2) of the Digital Technology Assessment Criteria (DTAC), updated by NHS England, marks the first major review since the framework’s 2021 launch. However, it’s a far cry from the complete overhaul into an innovation passport system (although this is still being worked on) or a removal of swathes of NHS requirements.
So what does this really mean? What has actually changed and how will this impact organisations working with the NHS or looking to in the future?
25% reduction in the number of questions.
DCB0129 has not been dropped in favour of ISO 14971 as some medical device manufacturers had hoped.
Clearer guidance on DTAC’s purpose, scope and how to complete the assessment
More alignment with NICE for software-based digital health technologies.
Updates per section
Clinical Safety
What has changed?
Section C1 now includes some alignment with NICE terminology, some clarification around hardware products versus “whole systems”, and the scope of the DCB0129 documentation for whole systems. There is also a new “in and out of scope” list for different system types.
The framework now places a greater emphasis on demonstrating both risk identification and mitigation. It is no longer enough to simply acknowledge risks exist; you must demonstrate an active, systematic approach to how they are being managed and mitigated throughout the product lifecycle.
What this means
This clarification of what is in and out of scope is a massive win; the guidance aims to curb the historical issue of developers trying to force-fit DTAC onto hardware. However, the terminology is not yet aligned with DCB0129 itself, so don’t be surprised if you see some lingering terminology mismatches while the standards catch up.
The whole system update effectively extends the requirements of DCB0129 to cover physical hardware safety. This move blurs the boundaries between traditional health IT information risk and medical device hardware risk, meaning your clinical safety case should now reflect the safety of the hardware-software interaction, not just the code.
Data Protection
What has changed?
Section C2 has removed references to your Data Protection Officer or DPO as this is found in your Data Security Protection Toolkit (DSPT) submission as well as some questions on data transfers. DSPT compliance is now mandatory for new products before release. ICO registration is now a firm requirement, removing the self-assessment option, aligning with DSPT.
Suppliers must also now provide ‘product transparency information’, detailing how patient data is used. Health tech companies will also be required to provide a copy of the product’s data usage terms and end-user licenses.
Finally, products must indicate if they process deceased individuals’ data.
What this means
The new transparency requirement means suppliers will need to think about the best way to clearly explain how patient data moves through their systems; however, companies already completing DPIAs comprehensively – and making them available to their customers – should already be meeting this requirement.
New to market products likely won’t have processed patient data yet, but will still be required to complete the DSPT, which may appear to be a catch-22; considering the DSPT as a readiness audit is likely to be the best way to understand how to answer questions when no processing has happened yet.
By removing the wiggle room around DSPT, ICO registration and historical data gaps, we think the NHS is signalling that compliance is no longer a destination you reach after winning a contract — it is the prerequisite for the conversation even starting.
Technical Security
What has changed?
The Cyber Security Charter is the main addition to this section, which is otherwise largely unchanged. Organisations that have Cyber Essentials and sign up to the Charter are no longer required to complete the remaining questions in this section, supporting the de-duplication goals of DTAC V2.
The addition of the Software Security Code of Practice (also found in the Cyber Security Charter) is significant, requiring suppliers to ensure an effective secure software development lifecycle.
What this means
Overall, the changes within the technical security component of DTAC are a positive development. They reduce duplication and facilitate the alignment of best practices and industry standards. This streamlines the process for organisations and demonstrates a commitment to a unified security approach.
Section D: Interoperability, Usability and Accessibility
What has changed?
This section has been streamlined, reducing the number of questions and offering better recognition for the diverse range of products completing the DTAC. The revised guidance provides better support for products that did not ‘fit the mould’ previously, allowing them to use ‘Not Applicable’ (NA) where appropriate and move through the subsequent sections with clearer direction.
Crucially, the scored component of this section has been removed. There is now a greater emphasis on APIs and interoperability, rather than accessibility.
These changes make the process fairer for companies that previously had numerous ‘NA’ scores in the assessment and ensure greater inclusivity for the different technologies emerging since the development of DTAC V1.
What this means
Overall, the adjustments in this section demonstrate a strategic push for increased interoperability across the healthcare system, which is expected to lead to better and more efficient patient care.
Why has it been updated?
The DTAC framework has been updated in response to significant feedback received. It was originally released to ensure the safe adoption of digital technology in what was a largely unregulated “Wild West” environment. The intention was to ensure that the technology would enable better, more efficient patient care.
However, concerns arose regarding inconsistent deployment, overlapping requirements, and administrative burdens on suppliers and deploying organisations. In 2025, NHS England’s formal surveys confirmed the market’s demand for simplification, de-duplication, and standardisation. This need is supported by a late 2025 study which revealed a median compliance rate of only 25.6% with key clinical safety standards (DCB0129 and DCB0160) among 239 NHS organisations.
If the NHS is serious about its 10-Year Health Plan goal of transitioning from analogue to digital care, the regulatory framework needs to support that ambition, not work against it.
How can we help?
DTAC V2 introduces moderate adjustments that require updates to your existing documentation and processes. To ensure compliance and meet the April 6th deadline, it is essential to promptly review, implement, and integrate these changes.
If you are unsure about the necessary actions or how to approach implementation, contact our team today. We offer step-by-step guidance to ensure you confidently meet all new DTAC requirements, including the Cyber Security Charter and Software Security Code of Practice by the deadline.
Don't wait to be asked for an updated DTAC submission - get ahead now!
Schedule a call with our team to review your compliance approach and get actionable insights on preparing for NHS DTAC Version 2.