Skip to content
8foldgovernance master
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • Services
    • AI Governance
    • Medical Devices
      • Regulatory Roadmap
      • ISO 13485 Design & Build your QMS
      • Quality Management as a Service
      • Technical File Creation & Registration
      • UK Responsible Person
      • Post Market Surveillance
    • International Standards
      • ISO 13485 Certification
      • ISO 42001 Certification
      • ISO 9001 Certification
      • ISO 27001 Certification
    • DTAC
      • DTAC Management
    • Information Governance
      • Data Security & Protection (DSPT)
      • DSPT Audit
      • HIPAA Compliance
    • Clinical Safety and Risk Management
      • DCB0129
      • DCB0160
      • Clinical Safety Officers (CSO)
    • CQC Services
      • CQC Compliance Assessment
      • CQC Registration Support
      • CQC-as-a-Service
      • CQC Regulatory Review & Strategy
    • Cyber Security
    • Governance, Risk & Compliance Advisory
    • 8foldTraining
  • About
    • Meet the Team
    • Partnerships
    • Join Us
  • Blog
  • Case Studies
  • Contact
  • +44 (0)1273 569172
Book a Call

← From our blog

The Experts Guide to the NHS DTAC (Digital Technology Assessment Criteria)

  • Published: September 22, 2025
  • Category: DTAC

Share this post

Headshot of a man with reddish-blonde hair and a beard, wearing a checkered shirt
Ryan Palmer

Share this post

Table of Contents

Frequently Asked Questions

Developed as the national baseline for compliance in the NHS, the Digital Technology Assessment Criteria or DTAC provides a comprehensive list of requirements for early or late-stage innovators to build technology that is NHS-ready. It is made up of several critical compliance pillars for all digital technology suppliers to the NHS. 

With national priorities looking to technology to stem the flow of patients to primary care, urgent and emergency care and care for those with long-term conditions, the need to robustly assess technologies is crucial with many procurements now underpinned by DTAC compliance. 

In this guide, curated by our Commercial Director but contributed to by the wealth of knowledge and experience within the 8foldGovernance team, we break down the DTAC to help businesses make sense of the requirements. 

If you’re not familiar with the specification, you can download the full specification from the NHS England website here.

Book a Free Discovery Call

What is the NHS DTAC?

First deployed in 2021 by NHSX, the DTAC is the national baseline criteria for Health IT Systems which will be used to support the UK’s health and social care system. Encompassing many statutory, regulatory and policy requirements which apply to the UK’s health and social care system, its main focus is on safety and security. It is broken down into 5 key domains; Clinical Safety, Data Protection, Technical Security, Interoperability and Usability & Accessibility.

Some elements of the DTAC apply to the specific product (Health IT System) being assessed whilst others apply to the organisation (developer) which is responsible for the product’s development and maintenance. All requirements need to be maintained over time, particularly as organisations grow and develop and new versions or features are developed and released. It is therefore important to understand which of the compliance activities required by DTAC need to be completed for each product (and each version of a product) and which need to be completed at an organisational level in a way that applies to all products which are being developed, maintained and sold.

Guide to the NHS DTAC The Experts Guide to the NHS DTAC (Digital Technology Assessment Criteria) Guide to the NHS DTAC,nhs dtac process,nhs dtac assessment
Guide to the NHS DTAC The Experts Guide to the NHS DTAC (Digital Technology Assessment Criteria) Guide to the NHS DTAC,nhs dtac process,nhs dtac assessment

Why was the NHS DTAC developed?

The DTAC’s development was prompted by an influx of digital technology during the COVID-19 pandemic, and limited knowledge by both suppliers and NHS providers of the numerous mandated requirements essential to work with the NHS. 

Whilst it was developed as a national baseline for compliance, its intent was not only to standardise expectations but to develop a framework which early-stage companies could utilise to navigate the various regulations and compliance requirements to work with health and social care providers.

Who needs to comply with the
Digital Technology Assessment Criteria?

For its scope, the DTAC has adopted the definition of a ‘Health IT System’ as defined in DCB0129 and DCB0160 standards. The definition of a Health IT System is a:

“Product used to provide electronic information for health or social care purposes. The product may be hardware, software or a combination.”

For its scope, the DTAC has adopted the definition of a ‘Health IT System’ as defined in DCB0129 and DCB0160 standards. The definition of a Health IT System is a:

In practical terms, any technology which will be used to support publicly funded health or social care services is likely to fall within the scope of DTAC.  Any organisation seeking to sell technology to health or social care organisations in the UK should seek to comply with the DTAC and ensure their compliance can be evidenced.

What is included in the Digital Technology Assessment Criteria?

Under each of the 5 domains in DTAC there are several requirements:

Clinical Safety Officer

Clinical Safety

Ensuring healthcare technology is safe is a priority for both innovators and the healthcare system utilising them as part of care pathways. The Clinical Safety requirements set out in the DTAC relate to several key mandated requirements, namely:

  • Medical Device Registration (where required)
  • Registration with the Care Quality Commission (where required)
  • Compliance with DCB0129 
  • The Appointment of a Clinical Safety Officer (CSO)
  • Implementation of a Clinical Risk Management System
  • Risk Analysis of the Health IT System
  • Production of a Hazard Log
  • Production of a Clinical Safety Case Report
Post Market Surveillance for UK MDR post-market surveillance (PMS) rules for medical devices in the UK

Medical Device Registration

A Medical Device is any tool, machine, or material – from a simple bandage to a complex pacemaker – designed by the manufacturer for a medical purpose. These purposes can range from diagnosing and treating illnesses, preventing diseases and monitoring health, to aiding recovery. Many digital technologies sold to the NHS fall into the category of Medical Devices, including stand-alone Software as a Medical Device (SaMD). 

If your product is a medical device with a digital or software component, then you will be expected to comply with the NHS DTAC. However, if you have a medical device quality management system and technical file, these should already cover many DTAC requirements; it is simply a case of translating existing documents into an NHS-friendly format. For example, medical device manufacturers that already comply with ISO 14971 can use their Risk Management Plan to inform DCB0129 compliance (the NHS Clinical Safety Standard). You can learn more about the crossover between ISO 14971 and DCB0129 in our blog here. 

If you’re an International Business looking to sell in the UK, you will need to ensure you have a UK or EC Declaration of Conformity and if you do not have a company branch in the UK, you will need to appoint a UK Responsible Person.

Your UK Responsible Person will act as a bridge between your organisation and the UK medical device regulator – the MHRA – for registering your device in the UK, reporting safety incidents and handling MHRA enquiries or enforcement. Your UK Responsible Person will retain an up-to-date copy of your Technical File and may be named on product documentation and labels for products being distributed or sold in the UK market

CQC Registration

Registration with the Care Quality Commission (CQC)

If you provide health or social care services to citizens in England, you may need to be registered with the Care Quality Commission (CQC). Our blog, When does health IT cross into “regulated activities”, describes when this might be the case. 

Schedule 1 of the Health and Social Care Act 2008 (regulated activity) Regulations 2014 dictates the full range of health and social care activities in England that must be registered with the Care Quality Commission. As part of the DTAC submission, if you are a CQC registered provider, you must provide details about your registration, including the date of your last inspection (if you have had one) and a copy of the report, within the submission

DCB0129 DCB 0129

DCB0129 Compliance

DCB0129 is a clinical risk management standard issued by NHS Digital and the UK Department of Health & Social Care. It requires all Health IT system manufacturers to assess and manage clinical risks throughout the lifecycle of their product(s). It mandates the implementation of a Clinical Risk Management System, including thorough documentation and evidence of risk management activities through a Clinical Safety Case Report (CSCR) and an up-to-date Hazard Log. This mandate also includes the appointment of a Clinical Safety Officer or CSO to approve the documentation alongside Top Management. 

Crucially, many products which may not be classed as a medical device (and so are not subject to medical device regulations) but will be used by health and social care providers are likely to fall within the scope of DCB0129.  Complying with DCB0129 is also an excellent way for Health IT System manufacturers to demonstrate their commitment and robust approach to patient safety, particularly where they are not required to comply with medical device regulations.   

DCB0129 remains an important tenet of DTAC due to the parallel standard, DCB0160, which is designed for healthcare providers to compete in alignment with DCB0129. By combining both the manufacturer’s and the implementing organisations’ appraisal of risk and measures for mitigation, it presents a complete risk management framework for healthcare technology being used in a clinical setting.

Clinical Safety Officer

Clinical Safety Officer (CSO)

As part of the requirements for both DCB0129 and DCB0160, a Clinical Safety Officer or CSO must be appointed to sign off the Clinical Safety Case Report. The CSO must be an active and registered healthcare professional with experience and training in clinical risk management in order to sign off the documentation. 

By appointing a CSO, organisations can take a sector-specific view toward risk management, enabling the organisation to think about the possible ‘clinical risks’ inherent in the manufacture of their product. Whilst there may be crossover with a Quality or Regulatory Affairs function, the input of an experienced clinician, with an awareness of the NHS’s risk aversion, will aid all stakeholders to think critically about their risk management plans and appetite toward clinical risk in their product.

dspt toolkit icon, data security and protection icon

Data Protection

As a core component of any healthcare IT or technology-based solution, priority must be given to the protection and safe management of personal data (whether this relates to patients, staff or other individuals). This not only requires compliance with legislation at a national level (e.g. the UK GDPR and Data Protection Act) but also specific evidence expected by the health and social care organisations. 

As part of the Data Protection criteria within the DTAC, there are several legal and market-specific requirements which must be evidenced:

  • Registration with the Information Commissioner’s Office (ICO)
  • Appointment of a Data Protection Officer (DPO) 
  • Appointment of a UK Representative (UK GDPR)
  • Completion of NHS Data Security Protection Toolkit (DSPT) 
  • Development of a template Data Protection Impact Assessment (DPIA)

Registration with the Information Commissioner's Office (ICO)

The Information Commissioner’s Office (ICO) is the UK’s data protection watchdog. It ensures that organisations comply with UK data protection law, provides guidance, investigates complaints, and can issue fines for breaches. All businesses operating in the UK that handle personal data must be registered with the ICO. 

ICO registration is an important but often forgotten element of the DTAC submission as it is required to progress your submission of the NHS Data Security Protection Toolkit (DSPT), another of the mandatory requirements which we will discuss below.

Appointment of a Data Protection Officer (DPO)

As part of your obligations as an ICO-registered organisation, you must also appoint a Data Protection Officer or DPO. A DPO is a designated individual tasked with ensuring an organisation’s compliance with data protection laws. Their role involves advising on data protection matters, implementing policies, conducting assessments, cooperating with authorities, and acting as a contact point for data subjects. Whilst it is advisable to appoint an external DPO who can act impartially, it is permissible to appoint an individual internally. 

If you’re an international business based outside of the UK and are looking to work in the UK, alongside registration with the ICO and the appointment of a DPO, you will need to ensure you have a legal presence in the UK.  If you do not have offices, branches or other establishments in the UK then you will need to appoint a UK Representative for data protection purposes. A UK Representative is a designated individual or entity based in the UK that acts as a point of contact for data subjects and supervisory authorities. This can be the same person as your DPO if you choose to outsource this function, but their details will need to be shared in your DTAC submission, alongside those of your DPO.

NHS Data Security Protection Toolkit (DSPT)

The NHS Data Security Protection Toolkit (DSPT) is a self-assessment framework required for all suppliers that handle identifiable data as part of their engagements with health or social care. It is mandatory for Integrated Care Boards (ICB’s), NHS Trusts, innovative technology companies and CQC registered service providers working with the NHS. 

Its intention is to illustrate compliance and alignment with the National Data Guardian’s 10 Data Security Standards as well as UK GDPR. Businesses must therefore be registered with the ICO and have an appointed Data Protection Officer to complete the submission as these are both requirements under the UK GDPR. 

Submissions must be made annually with the submission deadline currently set for 30th June each year. Until Version 6 of the DSPT (2022-23), the majority of external companies working with the NHS were designated as ‘Category 3’ organisations and needed to comply with the minimum number of requirements. As of 2023-24, this has now changed and some larger IT suppliers are now classed as ‘Category 1’ organisations.  This places them on the same footing as large NHS Trusts and Commissioners and requires them to evidence compliance against a larger and more stringent set of criteria.   

For the most part, innovative technology companies will continue to make their submission under the ‘Other’ sector definition of the DSPT and will be required to comply with the Category 3 criteria as before. Technology or IT suppliers that employ over 50 staff and have at least £10 million of revenue must however now complete a Category 2 submission instead. This is a much more detailed and comprehensive set of requirements, focusing on both the expectations of the National Data Guardian and enhancing the technical and procedural controls in place. It includes a requirement for an independent audit of the DSPT submission and external penetration testing of business-critical infrastructure. This is covered in more detail as part of the Technical Security section below. 

NHS England has confirmed that in future versions of the DSPT, there will be greater alignment with the National Cyber Security Centre’s Cyber Assessment Framework (CAF).  This is being rolled out to different organisation types from 2024-25, starting with NHS Trusts and Commissioners, extending to large IT suppliers in 2025-26 and then finally to all organisations by 2026-27. This move to the CAF will be a significant change that organisations will need to be prepared for, particularly if they have been used to submitting against the current standards in previous years.

Data Protection Impact Assessment (DPIA)

A Data Protection Impact Assessment (DPIA) is a process designed to identify and minimise the risks to individuals’ privacy and personal data associated with a new project or initiative. It’s designed as a proactive step to ensure compliance with data protection laws like the General Data Protection Regulation (GDPR) and Common Law Duty of Confidentiality and is required for the implementation of any new digital technology within the NHS. 

As part of the DTAC, there is an expectation for the manufacturer to complete a DPIA as part of their submission. Whilst this may seem counterintuitive as it is usually the data controller that is required to complete a DPIA, the supplier will often have a greater understanding of data sharing and processing arrangements associated with their IT system.  Templating a high-quality DPIA for your product can therefore often expedite contracting discussions and customer compliance activities. 

As a publicly funded healthcare system, the preservation of individuals’ privacy and the safety of personal data is a priority for the NHS to maintain, meaning scrutiny of data sharing and processing arrangements will be significant. Failing to address any of the requirements, could result in a loss of confidence in your solution and ultimately prevent your DTAC from being signed off.

DSPT Services dspt toolkit , data security and protection, DSPT, ,nhs data security and protection toolkit

Technical Security

As a public organisation, the NHS takes guidance from the National Cyber Security Centre (NCSC) on activities manufacturers should undertake to assure their technology for use in clinical settings. The DTAC draws on several suggested actions from the NCSC to form the Technical Security component of the submission. This section requires manufacturers to:

  • Achieve a Cyber Essentials Certification. 
  • Undergo an External Penetration Test.
  • Implement Factor Authentication on all Account Types.

Cyber Essentials Certification

  • Establishing Firewalls – to help prevent malicious traffic from accessing your organisation’s network.
  • Configuring Devices – to ensure strong security settings are applied to all user devices including anti-virus software.
  • Patch Management – ensuring that updates to common systems and software are updated to stay up to date with the latest patches that may be released by developers e.g Google or Microsoft.
  • User Access Control – by establishing a hierarchy for access to business-critical systems, the business can assure themselves that only suitable individuals have access to privileged accounts.

As part of the DTAC, organisations must comply with the basic Cyber Essentials requirements which involves:

Cyber Essentials is a UK government-backed scheme designed to help organisations of all sizes protect themselves against common cyber threats. It provides a baseline of assurance for organisations working with the public sector that a set of basic technical controls have been implemented to safeguard IT systems critical for the business to operate. 

Once evidence of this is supplied, an organisation can receive a Cyber Essentials Certification. It’s important to note however that some NHS organisations will have an expectation for business-critical system providers to adhere to Cyber Essentials + which is an independently audited version of Cyber Essentials. This requires businesses to prove to a Cyber Essentials Assessor that they are following the principles set out in the policies and procedures aligned with the Cyber Essentials specification.

External Penetration Testing

The DTAC expects suppliers to conduct an annual, external penetration test on their product(s) against the Open Worldwide Application Security Project (OWASP) Top 10 vulnerabilities. For some larger organisations, as per the new requirements of the NHS Data Security Protection Toolkit (DSPT) there is also the expectation that businesses conduct business infrastructure penetration testing to validate the security of their firewalls and network. It is important that as part of this requirement, the manufacturer is clear on whether it is addressing a business requirement or a product requirement (or both). 

Product penetration testing can be achieved through a combination of White Box testing (undertaken from the perspective of the developer with access to knowledge about the design and architecture of the software), Black Box testing (undertaken without special knowledge of the software from the perspective of the end-user) or Grey Box testing (a combination of White Box and Blackbox testing) methodologies.  This will usually be dependent on the type of product, but it is recommended that suppliers pursue Black or Grey Box testing with an external partner for DTAC and conduct White box testing internally if they have the resources to do so. By showcasing the products’ defences against an external threat, with no prior knowledge of the system, manufacturers can assure the NHS of their safety and security. 

Based on the guidance issued by the National Cyber Security Centre (NCSC), it is recommended that the penetration testing is undertaken by a CHECK, CREST or Tiger Scheme accredited penetration testing provider. This will provide suitable assurance that the processes followed are ethical and in line with industry best practice. It is not permissible to only provide evidence of internal penetration testing for the purposes of DTAC: it must be completed by an external partner.

Key Changes in the DTAC V2

As part of the streamlining of requirements, organisations are now able to use evidence of acceptance and compliance with the NHS Cyber Security Charter to mitigate the need to respond to additional questions in the Technical Security section. More information about the Cyber Security Charter can be found Here.

Guide to the NHS DTAC The Experts Guide to the NHS DTAC (Digital Technology Assessment Criteria) Guide to the NHS DTAC,nhs dtac process,nhs dtac assessment

Interoperability

Interoperability, the ability of different systems to communicate and exchange data seamlessly, is a crucial concept in the healthcare sector. One of the key requirements of DTAC is for suppliers to evidence how well their system integrates with other systems. Digital health technologies must be able to exchange data seamlessly, integrate with existing systems, and utilise common methods for identification and retrieval of data which have been standardised across the NHS. 

The most important principle of interoperability for the NHS is the availability of two-way Open API’s, whether they are in REST or FHIR format. This is important because the NHS expects to be able to build a digital ecosystem within their estate, utilising existing systems or data exchanges, such as the NHS SPINE, to help locate and populate patient data whilst curating a full picture of a patient’s health and care outcomes. Whilst a complex topic to unpack fully in this blog, it’s critical for manufacturers to understand that data sharing is a basic principle of working with the NHS. 

Depending on your product and its intended use, this will dictate whether the Interoperability section of DTAC is in scope or not, but if it is considered to be out of scope there should be a carefully defined and well-reasoned justification for why this is the case for your technology. 

For wearable device manufacturers, there is also the requirement to evidence compliance with the ISO 11073 Personal Health Data Standards as part of this section.

Icon: connected network representing stakeholder collaboration

Usability & Accessibility

The final component of DTAC is Section D: Usability and Accessibility. It allows manufacturers to demonstrate their maturity in adopting accessibility standards and pursuing user-centred design approaches without the risk of being considered ‘compliant’ or not. 

This section is mainly centred around the NHS Service Standards which is an addendum to the GOV.UK Service standards for digital technology. The standards are a set of guidelines designed to ensure that NHS services are user-centred, efficient, and effective and are based on the principles of the NHS Constitution with the aim to improve health outcomes, people’s experience of care, and the overall efficiency of the health service.  

There is also a reference to International Accessibility Guidelines WCAG 2.1 AA for websites, setting a precedent for web-based solutions to meet the needs of a diverse array of service users.

How to address the NHS DTAC

As the detail above illustrates, DTAC is not a simple framework to address but is the culmination of several standards and certifications covering a vast array of subject matter. We often see businesses considering the DTAC as a single requirement and not accounting for the many dependencies of each domain. 

Based on working with hundreds of companies to become DTAC compliant, we would recommend the following:

Step 1

Treat DTAC as an Enabler for your Business and Product

DTAC has been designed to ensure developers and their products are safe and effective and draws on key legislative and regulatory requirements which support these outcomes.  Treating DTAC as a set of criteria your organisation wants to adopt and adhere to to build and cement value, rather than simply a ‘box ticking’ exercise to satisfy the UK’s Health and Social Care sector, will ensure the process brings maximum value to your business.

Step 2

Perform an Internal or External Gap Analysis

understanding where there are gaps in your compliance portfolio will help quickly identify the areas requiring the most focus for you to address the DTAC requirements.

Step 3

Address the Mandatory first

as we have set out above, there are a number of mandatory requirements set out in UK law which will need to be in place to do business with the NHS. By ensuring these are priority requirements, manufacturers can provide at a minimum, assurance to prospective customers that they fulfil their statutory obligations.

Step 4

Be proactive

rushing through a DTAC is a stressful process given its impacts and therefore requires resources from many different areas of a business. By taking proactive steps to identify gaps in your submission and plan activities to meet the requirements, businesses can prevent a hasty submission which is more likely to solicit questions from NHS stakeholders and delay commercial activity.

Step 5

Invest in Expertise

working with a trusted partner, invest in their expertise to expedite the process of DTAC compliance. This may save you valuable time and resources to be NHS-ready.

Guide to the NHS DTAC The Experts Guide to the NHS DTAC (Digital Technology Assessment Criteria) Guide to the NHS DTAC,nhs dtac process,nhs dtac assessment

Plan for continuity

DTAC is an ongoing process that requires maintenance throughout the product lifecycle. Ensuring there is a schedule aligned to review and internally audit your DTAC, will establish you’re in a ‘market ready’ position when the request is made from potential customers. Developing a compliance timeline or roadmap to meet the annual expectations can be a simple but highly effective means of ensuring all stakeholders know when investments need to be made in re-certification or resources to complete the necessary activities.

Frequently Asked Questions.

How do I know if my business needs to be DTAC compliant?

There has been some confusion in the supplier community about how DTAC compliance applies to certain products or industries with the criteria only initially being applied to digital health apps. As per the Transformation Directorates website, however:

“All new digital technology should be assessed using the DTAC, even if you are piloting or trialling it. If a developer has multiple products, each one would need to be assessed against the DTAC. Examples of products include: staff facing and patient facing digital health tech, health apps, medtech and devices with an associated app, systems, web based portals and more.” 

NHS Transformation Directorate, ‘Products that should be assessed using DTAC’. 

The application of the DTAC framework varies across the UK NHS with some organisations looking for evidence of compliance with the whole specification or just some key mandated parts.

In our experience, we would advise any digital health or digital solution provider at the very least to comply and/or complete:

  • NHS Data Security Protection Toolkit – there is the expectation that any business that processes NHS data follows the principles of the toolkit. Additionally, it is written into the NHS Standard Terms and Conditions Contract that compliance with the latest version of this framework is adhered to.
  • Cyber Essentials – this certification is nationally recognised by the UK public sector with all suppliers expected to evidence compliance with the basic requirements and achieve certification to comply with the DTAC. It is recommended that organisations consider completing the more robust Cyber Essentials + certification, involving a formal audit by an IASME-certified auditor, however, there is no mandatory expectation within the DTAC for compliance against the enhanced standard. 
  • DCB0129 with a Clinical Safety Officer – if your product meets the definition of a ‘Health IT System’ then it is considered to be inherently clinical in nature, and potentially capable of harming patients. Compliance with DCB0129 is therefore paramount. In addition, there must be a Clinical Safety Officer (CSO) taking responsibility for the ongoing management and due diligence of the Clinical Safety Case Report. If you’re not providing a solution which meets the definition of a ‘Health IT System’ or you can demonstrate that it cannot impact patient care, DCB0129 should not be a requirement. 
  • External Penetration Test – evidencing external due diligence on technical security, will bolster credibility and assurance. With the NHS and its suppliers increasingly being targeted and becoming victims of cyber attacks such as ransomware and DDOS attacks, it’s important businesses look to take best-practice approaches to ensure their infrastructure is secure. 

If you’re unsure about the applicability of the assessment criteria to your technology or business, we can help. Get in touch and speak with a member of the team who can help decode the requirements and NHS expectations.

How is the DTAC assessed?

The DTAC is independently assessed by each health or social care organisation wishing to procure the technology. Whilst there is no passport-ability of DTAC compliance between different organisations, this should not prevent a smooth sign-off process assuming documentation is well written and provides relevant assurance to subject matter experts. 

The DTAC assessment usually takes place at the point of procurement by an array of subject matter experts including but not limited to an Information Governance Professional, Clinical Safety Officer and IT Project Manager or CyberSecurity Lead.

Guide to the NHS DTAC The Experts Guide to the NHS DTAC (Digital Technology Assessment Criteria) Guide to the NHS DTAC,nhs dtac process,nhs dtac assessment

These experts will independently review each component and offer questions and or feedback ahead of final approval.

Do Medical Devices need DTAC?

Medical Devices are subject to significant scrutiny due to the potential risk of harm they can cause to patients compared to non-Medical Devices. Whilst they may have to comply with the Medical Device Regulations, enforced and managed by the Medicines and Healthcare Products Regulatory Agency (MHRA), there are still some business and UK-specific requirements they also must comply with. Therefore, DTAC compliance should be viewed as a necessary framework to adhere to for UK market entry. That being said, if you understand and meet the requirements of a medical device manufacturer you have a significant advantage.  

As standard practice, Medical Device companies should review their controls relating to the Data Protection, Technical Security, Interoperability and Usability & Accessibility requirements of the DTAC framework. Whilst some of the requirements may already be reflected in the Design and Development process, or elsewhere in the Quality Management System, there is the need to articulate the business’s approach in a way that is understandable to procurement and SMEs in health and social care settings. 

In addition, compliance with international standards acts as a competitive advantage for medical device manufacturers as we recently wrote about in another blog here: https://8foldgovernance.com/how-iso-standards-align-with-the-nhs-dtac/  

Furthermore, there is a broad alignment between the Clinical Safety Standards DCB0129 and Medical Device Regulations in terms of the Risk Management approach set out in ISO 14971 – the Medical Device Risk Management Standard. You can learn more about the crossover between these two standards in another blog here: https://8foldgovernance.com/how-iso-14971-helps-to-meet-dcb0129/ 

Do CQC-registered businesses need DTAC?

Depending on the activities provided by the organisation, this will determine whether DTAC becomes a requirement for them to comply with or a requirement for them to assess against. 

For Example: A remote, CQC registered tele-radiology provider utilising a bespoke software solution to send and receive DICOM scans, provide reporting and on-demand consultation if required. They are commissioned by the NHS to deliver NHS services. 

This organisation will need to complete a DTAC for the software solution utilised to send and receive DICOM scans as it forms part of their services offering and should be assured against the NHS requirements. As a standard expectation of CQC registration activities, the organisation should already have completed the NHS Data Security Protection Toolkit (DSPT) and be registered with the Information Commissioner’s Office (ICO).

We’re the experts that have your back.

8foldGovernance has been at the forefront of supporting businesses with compliance against the NHS Digital Technology Assessment Criteria (DTAC) for over 5 years. With a team of experts drawn from industry and the public sector, our experience enables us to support innovative businesses with more than a ‘tick-box’ approach enabling the double benefit of smoother procurement and a reduction in the time to reach patients.

Book a Call with our Expert Team

Other Articles​

Loading...
Blog post: NHS DTAC V2 - what has changed, and how will this affect you

DTAC V2: What has changed, and how will this affect you

Read More →

March 30, 2026
DTAC for enterprise

The NHS DTAC – Compliance for Enterprise Health-tech Companies Made Simple

Read More →

November 17, 2025
NHS DTAC Version 2 (DTAC V2): Navigating the Next Version of Digital Technology Assessment Criteria

NHS DTAC Version 2 (DTAC V2): Navigating the Next Version of Digital Technology Assessment Criteria

Read More →

September 4, 2025
8foldgovernance master

+44 (0) 1273 569172

info@8foldgovernance.com

SERVICES

  • AI Governance
  • Medical Device Registration
  • ISO Compliance
  • Full DTAC Support
  • Information Governance
  • Clinical Safety
  • Data Security & Protection
  • CQC Services
  • Cyber Security
  • 8foldTraining

LINKS

  • Contact
  • About
  • Meet The Team
  • Blog
  • Join Us
  • Case Studies
  • Charity Work
  • Partnerships
  • FAQs
DSPT Data Security And protection Toolkit 8Fold
Information Governance Badge 8 Fold
NPSORE
ABHI Member

 © 2026 8fold | Privacy Policy | Cookie Policy | Terms & Conditions

X We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept”, you consent to the use of ALL the cookies. However you may visit Cookie Settings to provide a controlled consent.
Read More ACCEPT Cookie settings
Manage consent

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.
CookieDurationDescription
cookielawinfo-checkbox-analytics11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional11 monthsThe cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance11 monthsThis cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy11 monthsThe cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
Functional
Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.
Performance
Performance cookies are used to understand and analyze the key performance indexes of the website which helps in delivering a better user experience for the visitors.
Analytics
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.
Advertisement
Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.
Others
Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.
Save & Accept