
Clinical safety officer requirements are a market access gate for every digital health company selling into the NHS. If you build software used in NHS care settings, you must comply with DCB 0129. If you deploy health IT, DCB 0160 applies. Both standards require a Clinical Safety Officer, and the distinction between these two obligations is the most frequently confused area in health IT compliance.
NHS England's position is unambiguous: "If your digital technology cannot meet standard DCB0129, you will not be able to place it on the market".
This guide covers what each standard requires, who needs a CSO, what qualifications that person must hold, and the practical options for companies that cannot hire one.
DCB 0129's full title is "Clinical Risk Management: its Application in the Manufacture of Health IT Systems." The current version is Amd 24/2018, published on 7 June 2018. It is mandated under the Health and Social Care Act 2012, Section 250.
The standard requires manufacturers of health IT systems to:
The key deliverables are a Clinical Risk Management Plan, a Hazard Log, and a Clinical Safety Case Report. The Hazard Log is a living document maintained throughout the product lifecycle. The Clinical Safety Case Report is described by NHS England as "a structured argument which is supported by a body of relevant evidence that provides a compelling, comprehensible, and valid case that a system is safe for release."
Adopting organisations will verify your DCB 0129 compliance before deploying your product. Without it, you are effectively locked out of the NHS market.
DCB 0160's full title is "Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems." The current version is Amd 25/2018, also published on 7 June 2018.
This standard applies to organisations responsible for deploying, using, maintaining, or decommissioning health IT systems within health and care settings. In practice, this means NHS Trusts, Integrated Care Boards, GP practices, and any health or care organisation that adopts health IT.
The deploying organisation must conduct its own clinical risk assessment of how the product will be used in its local context, maintain its own Hazard Log, and appoint its own Clinical Safety Officer.
A manufacturer does DCB 0129. A deployer does DCB 0160. These are parallel obligations, not alternatives.
The logic is straightforward. A manufacturer cannot fully anticipate how their system will be used in every clinical setting. Local workflows, integration with other systems, training levels, and clinical context all introduce risks that only the deploying organisation can assess.
A manufacturer does not "do DCB 0160." However, the DTAC assessment asks manufacturers whether they support deploying organisations with DCB 0160, meaning whether you provide documentation that helps deployers complete their own clinical risk assessment. This is expected, not optional.
Both standards are needed because clinical safety depends on the full chain: how the product was built and how it is used in practice.
A CSO is defined by NHS England as "a clinician with a current professional registration who has been trained in clinical risk management and is accountable for clinical safety."
The qualifications are specific and non-negotiable.
Professional registration. The CSO must hold current registration with an appropriate professional body: the GMC (doctors), NMC (nurses and midwives), GPhC (pharmacists), or HCPC (allied health professionals). This is a senior clinical role.
Training. CSOs must have completed NHS England's clinical safety training pathway. The Practitioner-level course is the key qualification: a six-hour workshop costing 475 pounds for NHS staff or 625 pounds for commercial organisations. Prerequisites include the Essentials course (free for NHS, 35 pounds plus VAT for non-NHS) and the Intermediate course (free for NHS, 50 pounds plus VAT for non-NHS).
Responsibilities. The CSO oversees clinical risk management activities including conducting or supervising hazard workshops, evaluating evidence of risk mitigation, documenting risk processes, and reviewing the Clinical Safety Case Report, Hazard Log, and Clinical Risk Management Plan.
DTAC Section C1.2 specifically requires manufacturers to provide details of their nominated CSO, including evidence of current professional body registration and training in clinical risk management.
The scope of DCB 0129 covers all health IT systems used in health and care settings in England. This is not limited to software classified as a medical device. A product that is not a medical device may still require DCB 0129 compliance if it is used in healthcare.
The legal basis is the Health and Social Care Act 2012, Section 250, which enables the Secretary of State or NHS England to set information standards for health services or adult social care in England.
The scope is broader than many companies realise. If your software is used in a clinical setting, even indirectly, you should assess whether DCB 0129 applies. NHS England provides applicability guidance to help organisations determine whether the standards apply to their specific product.
MHRA regulation of Software as a Medical Device operates separately from the DCB clinical safety standards. These are complementary regimes.
MHRA regulation determines whether your software qualifies as a medical device based on its intended purpose. If it does, it must be registered with MHRA and comply with medical device regulations including UKCA marking.
DCB 0129 applies to all health IT systems used in care settings, whether or not they are classified as medical devices.
DTAC Section C1.3 asks manufacturers whether their product is classified as a medical device and requires supporting rationale. If it is, manufacturers should also consider ISO 14971:2019 for medical device risk management.
The critical point: DCB 0129 compliance is required even if your software is not a medical device. The MHRA route and the DCB route are parallel obligations.
The Digital Technology Assessment Criteria (DTAC) is the assessment framework NHS commissioners and providers use when assuring digital health technology products. It covers five areas: clinical safety, data protection, technical security, interoperability, and usability and accessibility.
Clinical safety is Section C of DTAC. It requires manufacturers to confirm DCB 0129 compliance, provide CSO details, clarify MHRA medical device classification, and upload their Clinical Risk Management Plan, Clinical Safety Case Report, and Hazard Log.
DTAC v2.0 was released in February 2026 with a 25 per cent reduction in questions, de-duplication with DSPT and the pre-acquisition questionnaire, and clearer scope guidance. The previous version should not be used from 6 April 2026 onwards. NHS England has confirmed that further reviews of the DCB 0129 and DCB 0160 standards within DTAC are still ongoing.
NHS England is conducting a formal review of both DCB 0129 and DCB 0160. The review is driven by the NHS's expanding Electronic Patient Record rollout and the emergence of AI-based health IT, which introduces new categories of clinical risk that the current standards were not designed to address. Changing clinical workflows as digital tools become embedded in practice are also a factor. Focus groups for DCB 0129 have been completed. Focus groups for DCB 0160 were scheduled for mid-2025. Insights will inform proposed revisions followed by a public consultation. No revised standards have been published yet.
The Data (Use and Access) Act 2025, which received Royal Assent on 19 June 2025, creates mandatory Information Technology standards for providers of IT and IT services in health and social care. This extends enforcement powers beyond NHS providers to IT suppliers directly. Private providers may face enforcement action for non-compliance. Commencement regulations are being phased in through 2026.
This is a significant expansion. Previously, the primary enforcement mechanism for IT suppliers was contractual and reputational. The new legislation introduces direct regulatory enforcement against suppliers.
Small digital health companies rarely employ clinicians. The CSO must be a registered senior clinician with specific clinical safety training. The pool of trained CSOs is limited, the training pipeline has constrained throughput, and even outsourced CSOs command significant fees because demand outstrips supply and the role carries personal professional accountability.
DTAC explicitly acknowledges this by confirming the CSO role "may be outsourced to a third party." For most small and medium-sized digital health companies, outsourcing is the primary route.
The training costs alone are approximately 625 to 725 pounds per person for commercial organisations across the prerequisite and practitioner courses. But the training is only available to registered clinicians. If you do not have a clinician on staff, you cannot train someone internally.
DCB 0129 does not exist in isolation. A digital health company selling into the NHS typically needs to satisfy:
Each framework overlaps with the others. DTAC covers clinical safety (DCB 0129), data protection (GDPR), and security (linking to DSPT and Cyber Essentials). DSPT v8 has de-duplicated questions with DTAC. ISO 27001 with appropriate scope can auto-complete applicable DSPT evidence items.
Managing each framework independently wastes time and money through duplicated processes and fragmented evidence collection. Treating them as one connected programme is significantly more efficient.
Naq automates compliance across DCB 0129, DSPT v8, DTAC, Cyber Essentials, ISO 27001, and 15 other frameworks from a single platform. Evidence gathered for one framework maps automatically to overlapping standards. Over 300 integrations handle evidence collection. Where automation is not enough, Naq's in-house Clinical Safety Officers, CREST-accredited pen testers, and compliance experts provide the specialist support digital health companies need.