Logo

Assuric

Sign inBook a demo

DTAC 2.0: Key Changes and What Healthtech Teams Need to Know

Key changes to the updated DTAC in February 2026, including the changes to the DTAC form and updated Scope

Cordi Mahony

Cordi Mahony

DTAC 2.0: Key Changes and What Healthtech Teams Need to Know

On February 24th 2026, NHS England updated the Digital Technology Assessment Criteria (DTAC).

The changes are intended to simplify the framework and reduce duplication across compliance frameworks, while keeping the core safety and governance requirements in place.

If you supply or plan to deploy digital health technologies (the NHS refers to these as 'DHTs') in the NHS, here is a break-down of what has changed, and what hasn't..!

What Has Changed in the 2026 NHS DTAC Form?

Possibly the biggest change in this new update, the NHS have released an updated the DTAC form, with the new form containing (around) 25% fewer questions.

Questions that duplicated information already covered in other processes have been removed, particularly where evidence was being collected through:

  • The Data Security and Protection Toolkit (DSPT)
  • The Pre-Acquisition Questionnaire (PAQ)

So, what are the actual changes to the DTAC form itself..?

Clearer Medical Device Triggers

You must now explicitly confirm whether your product qualifies as Software or AI as a Medical Device. If yes, completion of the PAQ is triggered, classification can no longer be implied.

Secure Development Explicitly Referenced

Suppliers must confirm adherence to the DSIT/NCSC Software Security Code of Practice. Secure design, build, deployment and maintenance are now formally declared within DTAC.

Stronger Multi-factor Authentication Expectations

The updated DTAC form includes stronger multi-factor authentication (MFA) requirements. You must confirm a plan for MFA across account types.
Additionally, privileged supplier access must have MFA enabled or equivalent controls in place.

New Identity Standard in Interoperability

Products used in public health or adult social care must consider compliance with DAPB3051. Identity verification and unified digital authentication are now explicitly referenced.

Usability is No Longer Scored - But Still Required

Usability, Section D, is no longer numerically scored in the DTAC assessment.
However, suppliers must confirm consideration of the NHS Accessible Information Standard alongside WCAG.

What does the changed form mean for healthtech innovators?

In practice, for innovators this should mean less repeated evidence when submitting DTAC, less overlapping information across DSPT and the PAQ, and a shorter form and time to completion.

While the updated form was only published in February 2026, importantly the previous DTAC form must not be used after 6 April 2026.

Innovators should ensure:

  • They are using the latest version of the form
  • Older versions are withdrawn from circulation
  • Internal compliance teams are aware of the change

A Clear Definition of Who DTAC Applies To

DTAC is now explicitly aligned with the NICE definition of digital health technologies. This is a key change, aimed to clarify exactly who DTAC covers.

It applies to software products designed to improve health outcomes or support the delivery of health and care services, including SaaS platforms, web and mobile apps, AI as a medical device and clinical decision support tools.

DTAC does not apply to:

  • Generic corporate systems (e.g. HR or finance software)
  • Firmware or software embedded in hardware devices

If your product is software intended for clinical or care use, DTAC almost certainly applies.

DTAC 2.0: What are the Smaller Changes?

While innovators may notice these changes less than the updates to the DTAC form itself, the new guidance outlines several other key points, including:

  1. Clear Roles and Responsibilities, including removal of mandatory NHS Digital CSO training
  2. Standardisation of DTAC nationally, ensuring the removal of 'local variations'
  3. Where DTAC sits alongside other frameworks

Mandatory NHS Digital CSO training has been removed

The previous version of DTAC required the named Clinical Safety Officer (CSO) to have completed specific training provided by NHS Digital. The updated guidance states that this requirement no longer stands.

However, this does not remove the requirement to have a suitably qualified and competent Clinical Safety Officer. It simply removes the mandatory link to a specific NHS-provided course.

Innovators must still comply with clinical safety standards, including DCB0129 where applicable.

Standardisation of DTAC, ensuring the removal of local variations

In this version of DTAC, the NHS now makes it clear that care providers and commissioners should both accept the standard national DTAC form, and avoid creating amended or local variants covering the same requirements

While additional requirements can be requested from innovators, healthcare organisations must not duplicate what is already covered by DTAC.

For innovators, this should reduce the number of slightly different “DTAC-like” forms requested by different organisations.

Does DTAC2.0 Replace Other Frameworks?

No, the 2026 DTAC does not replace any other regulations or frameworks needed for procurement! The updated guidance reinforces that DTAC:

  • Sits alongside medical device regulation, and does not replace the Medical Device Regulations (MDR), the PAQ ensures compliance with medical device requirements
  • Does not replace the DSPT or any other data protection requirements
  • Does not replace DCB0129 or DCB0160 where applicable

If your company is required to do both DTAC and is a regulated medical device, you will still need to complete both MDR processes and DTAC documentation!

DTAC Compliance: What You Need to Do

For innovators, the changes mean:

  • A shorter form
  • Less duplication with other compliance processes
  • Clearer boundaries about when DTAC applies
  • Removal of the NHS specific training requirement
  • Stronger national standardisation

What has not changed:

  • The overall structure and requirements, although the DTAC form is shorter, the requirements themselves are not! There are still 5 clear sections you must meet.
  • You must still meet clinical safety standards, including DCB0129, and the data protection and cyber security requirements
  • You must still comply with medical device law if applicable

Read more here to learn about exactly what DTAC is and how it's structured!

WHAT IS DTAC? A Complete Guide to the NHS Digital Technology Assessment Criteria

What Is DTAC? A Guide to the NHS Digital Technology Assessment Criteria

A practical overview of NHS DTAC, breaking down the requirements, compliance process, and what digital health innovators need to know before selling into the NHS.

How Assuric Helps with DTAC2.0

At Assuric we've helped 70+ NHS suppliers complete their compliance, and ensure our templates and frameworks are up-to-date with the latest regulatory changes.

Autofill your DTAC 2.0 form

With the Assuric platform you can...

-> Automatically complete the updated 2026 DTAC form directly within Assuric's automated and mapped form flow

-> Automatically structure responses against the latest NHS England DTAC template

-> Reuse evidence across DTAC, DSPT, PAQ and DCB0129 - avoiding duplicated work

-> Use smart automated templates for required supporting documentation

-> Readily share up-to-date DTAC documentation securely with NHS stakeholders via your Trust Centre and notify key stakeholders of updates

-> Maintain a single, structured source of assurance documentation

Book a demo to learn how we could support you, and get started today ⤵

Get in touch

See all posts

Make your life easier
and talk to us to simplify compliance

Goodbye manual processes, hello automation. Let Assuric manage compliance and security, so you can focus on growth.

Talk to us
CTA Image