Assuric

What Is DTAC? A Guide to the NHS Digital Technology Assessment Criteria

Digital health has become a core part of how the NHS delivers care. From remote monitoring apps that allow clinicians to track patients at home, to AI-powered diagnostic tools that help detect complex diseases earlier, tech is now reshaping healthcare delivery across the UK.

But with this rapid growth comes a critical challenge: ensuring that all digital products used in the NHS are safe, secure, usable and fit for purpose.

That’s where DTAC comes in.

What is NHS DTAC?

DTAC (Digital Technology Assessment Criteria) is the assurance framework used by the NHS to evaluate digital health technologies.

It acts as a “quality check” to ensure that any digital product used in health or social care meets requirements across five core areas. It's worth noting that NHS DTAC is due an update later this year; read more below for details on what these changes might include.

Note that the current version of DTAC is undergoing review, so watch this space. We'll be sure to let you know of the updates as soon as they're announced!

Who is NHS DTAC for?

According to NHS England...

"DTAC is designed to be used by healthcare organisations to assess suppliers [...] as part of a due diligence process, to make sure digital technologies meet our minimum baseline standards"

This means that if you are an innovator trying to sell a tech product that the NHS will use, you have to comply with DTAC. It's worth noting that DTAC is normally required before pilots or deployment to any NHS systems.

Even tools that might be considered “low-risk” often need DTAC because NHS buyers use it as the minimum due-diligence standard.

How Long does DTAC Compliance Take?

It depends! If you already have some of the required documentation or work completed, the process can move much faster.

We have seen companies take anywhere from a few months to at least six. However, it doesn't have to be like that: it typically only takes anywhere from a few weeks to a couple of months using the Assuric platform with our support.

What are the Core Requirements of DTAC?

DTAC is structured around five assessment categories, in which the requirements must be adequately met.

The image below shows a quick overview of what each component involves:

The Components of NHS DTAC

Clinical Safety, Data Protection and Cyber Security tend to be the most complicated, with clear legislation, standards, and certifications you need to adhere to. Here's a full breakdown of what you need for each of the components ⤵

DTAC Part 1: Clinical Safety

The clinical safety component of DTAC (also known as DCB 0129) can often be the most complicated. To meet DCB 0129 requirements, you must produce and maintain the following core documents:

  1. Clinical Risk Management Plan
  2. Hazard Log
  3. Clinical Safety Case Report

These documents must be approved and overseen by a named Clinical Safety Officer (CSO) who is suitably qualified and has completed the clinical safety training required under the DCB 0129 standard. The CSO can be in-house or an external fractional CSO, which is a popular choice for health tech companies just starting their compliance journey.

DTAC Part 2: Data Protection

A key part of DTAC is data protection, ensuring that any data that the tech is using is appropriate and...

Under DTAC innovators must do the following..

Read more about data protection for Health Tech innovators here ⤵

DTAC Part 3: Cyber Security

The NHS and healthcare data are often targets for cyber attacks, so evidence of technical security is an absolute requirement when processing NHS data. This section is where your engineering and security are assessed. For this section you will have to provide:

  • An in-date Cyber Essentials or Cyber Essentials Plus certificate
  • Results of an external manual Penetration Test and an action plan
  • Secure development lifecycle processes
  • MFA and strong authentication controls
  • Vulnerability management and patching procedures
  • Evidence of secure hosting and architecture

DTAC Part 4: Interoperability

This section looks into how your product interacts with other systems, such as EHRs, devices, or data platforms.

You’ll need to demonstrate:

  • Use of recognised data standards (e.g., FHIR), where applicable
  • Clear API and data-model documentation
  • Data-flow diagrams showing movement and dependencies
  • Safe handling of failed integrations or data-exchange errors
  • Justification if you don’t integrate with any other systems

DTAC Part 5: Usability & Accessibility

This section focuses on how NHS digital tools should ideally meet usability and accessibility best practice, making sure everyone who needs to use the product can. This is the only scored section, and it is acceptable to be working towards a number of the areas.

To score highly in this section, you should provide:

  • Accessibility support that meets WCAG 2.1
  • A clear and thoughtful user journey map
  • Some evidence of user testing (with real people)
  • Documentation explaining how design choices help reduce potential clinical risks

Although this section can be glossed over, it can both greatly help the deployment of your tool into the NHS and generally improve the user experience, so it is worth paying attention to when developing your product!

How DTAC Works (The Practical Process)

There is no central DTAC certification body, meaning there is no formalised assessment or certification process. Instead, the process looks like this:

  1. Once you have finished each of the requirements (listed above ↑), you complete a DTAC questionnaire form
  2. Evidence packs are assembled for all five categories within this form
  3. The form and documentation are then submitted directly to the NHS buyer (trust, ICS, ICB, etc.)
  4. The buyer reviews the DTAC compliance
  5. Any gaps must be fixed before procurement can continue

Every time you update your product in a way that changes risk, architecture, or data flow, you must update your DTAC documents.

The DTAC form along with accompanying evidence is effortlessly created and compiled in your Assuric workspace.

What Happens if You Don’t Have DTAC?

Without DTAC, NHS buyers will typically pause or block procurement or deployment. This can lead to:

  • Delayed deployments
  • Blocked pilots
  • Lost trust from clinical or commercial champions
  • Potential concerns from investors

In short, it's better to start DTAC compliance early, and be fully aware of the requirements!

What Changes are Happening to NHS DTAC?

While we don't currently know the exact changes that will happen to DTAC, here's what we know so far:

In June 2025, NHS England announced the review of DTAC. They're in the process of consulting with suppliers and NHS trusts to improve the consistency and efficiency of how digital health compliance is assessed. Issues previously highlighted include repeated work that DTAC causes, and inconsistent interpretation across organisations.

Watch this space. We will publish details on the updates as soon as they are announced, and we'll ensure the Assuric DTAC framework is completely up to date!

How Assuric Makes DTAC Easy

DTAC doesn't have to be just a complicated compliance task! It can be a blueprint for building safer, more scalable tech, and at Assuric we think mastering DTAC early can help...

  • Strengthen your product
  • Speed up NHS sales cycles
  • Reduce regulatory and clinical-safety risks
  • Build trust with clinicians and healthcare orgs
  • Position you in a great place for scaling 🚀

We provide an automated and streamlined DTAC process to make the compliance journey both easier and faster. Get in touch if you'd like to hear more about how Assuric can help with your DTAC compliance!

