April 27, 2026

DTAC V2 for NHS Suppliers: The 2026 Compliance Guide

NHS England replaced the DTAC form on 6 April 2026, and any supplier submitting on the old version will be rejected. For healthtech suppliers, DTAC is the first gate before a trust, ICB or GP federation will progress a procurement conversation. Most suppliers underestimate how much evidence it involves and how tightly it now couples to DSPT v8, DCB 0129, Cyber Essentials and ISO 27001.

This guide covers what DTAC is, what NHS England assesses in 2026, what changed in V2, the evidence buyers now expect across C1 to D1, and how suppliers without a full compliance team are getting DTAC-ready inside 90 days.

What is DTAC, and why it matters for NHS suppliers in 2026

The NHS DTAC, or Digital Technology Assessment Criteria, is the national assurance framework NHS England uses to assess digital health products before they are bought or deployed in care settings. It gives NHS buyers one consistent way of checking whether a product is clinically safe, data-compliant, technically secure, interoperable, and usable.

DTAC is not a statutory instrument. Burges Salmon describes it as a threshold requirement for many NHS procurements, which is the accurate framing. Trusts, integrated care boards and GP federations use DTAC as a pass-or-fail filter, and both the NHS Innovation Service and the AI and Digital Regulations Service reinforce that use.

For a healthtech supplier, that baseline is the difference between being on the shortlist and being excluded. Most NHS buyers will not progress a conversation without a completed DTAC on the current form. Suppliers can no longer submit an in-progress DTAC and promise to complete it later, and the annual review expectation from deploying organisations makes DTAC a living document.

DTAC is the access gate for NHS revenue. It pre-qualifies suppliers for national frameworks and catalogues, and the evidence it generates powers almost every subsequent procurement conversation.

The five DTAC criteria: what NHS England assesses

DTAC is structured around five assessment areas. Four are scored, one is reviewed comparatively.

C1 Clinical Safety

Owned by the Chief Clinical Information Officer in the assessing NHS organisation. It asks the supplier to demonstrate that clinical risk has been identified, assessed and managed through a formal clinical risk management system aligned with DCB 0129. The named Clinical Safety Officer, the Clinical Safety Case Report and the Hazard Log are the anchors.

C2 Data Protection

Owned by the Data Protection Officer and draws directly on the Data Security and Protection Toolkit. A supplier with a current DSPT v8 submission is carrying most of the evidence required here. UK GDPR and Data Protection Act 2018 compliance, a Data Protection Impact Assessment and a Record of Processing Activities sit inside this criterion.

C3 Technical Security

Owned by the Chief Information Security Officer. Cyber Essentials is the floor. A pen test within the last 12 months and evidence of remediated priority vulnerabilities are expected. Multi-factor authentication on privileged and supplier access is a specific line item.

C4 Interoperability

Owned by the Chief Information Officer. Suppliers document open APIs, align with recognised NHS interoperability standards where clinical data is in scope, and use a proper NHS Number validation method. Any out-of-scope claim must be justified against recognised NHS guidance.

D1 Usability and Accessibility

Changed most in V2: it is no longer individually scored but is reviewed comparatively across vendors, so strong evidence still influences buying decisions. WCAG 2.2 AA conformance and consideration of the Accessible Information Standard are the core asks.

The ownership map matters because it tells you who in the buying organisation reads each section. The language, detail and proof points should match the reader.

What changed in DTAC V2 and what it means in practice

NHS England published Form 2.0 in February 2026, and the previous version should not be used from 6 April 2026, according to the NHS Transformation Directorate. The headline changes were covered in our earlier DTAC V2 FAQ, so this section focuses on what V2 means operationally.

The form is around 25% shorter. NHS England deduplicated questions already covered in DSPT and the Pre-Acquisition Questionnaire, which sharpens the questions that remain. Vague answers that survived V1 will not survive V2.

The mandatory NHS Digital CSO training requirement was removed. The CSO still has to be a registered clinician with clinical risk management training.

A new decision tree helps suppliers determine whether their product is a medical device and which DCB standards apply. Scope aligns with NICE's definition of digital health technology: software only, including software used with hardware. Standalone hardware and embedded operational software are out of scope.

Interoperability language tightened. Out-of-scope claims need a justification tied to recognised NHS guidance, and NHS Number handling has to show a proper verification method. Accessibility moved to WCAG 2.2 AA, in line with the public sector standard, and the Accessible Information Standard now has to be actively considered.

V2 rewards evidence over text. Suppliers who copied old answers forward are finding reviewers asking for proof.

How DTAC sits alongside DSPT v8, DCB 0129, Cyber Essentials, and ISO 27001

DTAC is a wrapper assessment. It pulls evidence from four underlying frameworks, and a supplier who has those four in good order is most of the way through DTAC already.

DSPT v8 feeds DTAC C2

The deadline for v8 submission is 30 June 2026, according to the DSPT Toolkit. The material change in v8 affects DTAC submissions directly: Cyber Essentials Plus no longer provides equivalence to DSPT evidence item 4.5.3 covering multi-factor authentication. Suppliers who relied on CE+ as their MFA evidence need a separate control in place.

DCB 0129 applies to the manufacturer

The supplier carries this obligation. DTAC C1 requires DCB 0129 evidence: a named Clinical Safety Officer, a Clinical Safety Case Report, and a Hazard Log at a minimum. DCB 0160 is a separate standard that applies to the deploying NHS organisation, not to the supplier. Suppliers support deployers with their 0160 activities but do not own 0160 evidence. Conflating the two is one of the most common mistakes in supplier submissions.

Cyber Essentials feeds DTAC C3

A current certificate is expected, alongside a pen test within the last 12 months covering the OWASP Top 10 and evidence that high and critical vulnerabilities have been remediated.

ISO 27001 accelerates DTAC evidence

ISO 27001 is not required for DTAC, yet its controls map substantially across C2 and C3. Suppliers who already hold ISO 27001 can often reuse policies, risk assessments and control evidence to accelerate DTAC. The overlap is strongest around access management, incident response, supplier assurance, asset management and change control.

The practical consequence: the same evidence can count across multiple frameworks if it is collected, tagged and stored to allow clean mapping. Suppliers who maintain separate evidence folders per framework re-collect the same artefacts several times a year.

Evidence checklist: what NHS buyers expect to see

The DTAC form asks the questions. The buyer assesses the evidence. Here is what reviewers are looking for in 2026.

C1 Clinical Safety

  • A nominated Clinical Safety Officer who is a registered clinician with current clinical risk management training
  • DCB 0129 Clinical Risk Management System documentation, signed off
  • A Clinical Safety Case Report specific to the product and its intended clinical use
  • A Hazard Log that shows identified hazards, controls, residual risk and ongoing review
  • Medical device classification evidence where applicable, including UKCA and MHRA registration
  • NICE digital health technology category classification

Reviewers treat a single-page hazard log as a red flag. A realistic hazard log for a clinical product runs to multiple pages and is updated as the product evolves.

C2 Data Protection

  • A current DSPT v8 submission, with the 30 June 2026 deadline front of mind
  • A Data Protection Impact Assessment specific to the NHS deployment context
  • A Record of Processing Activities aligned with Article 30 of UK GDPR
  • A sub-processor list with international transfer safeguards where relevant
  • A UK GDPR and Data Protection Act 2018 compliance statement
  • Evidence that the Caldicott Principles have been considered

The common failure point is a DPIA that treats the NHS as a generic controller. NHS DPIAs need to consider the specific clinical context, the patient cohort, and the lawful basis under UK GDPR Article 9 for special category data.

C3 Technical Security

  • A current Cyber Essentials certificate
  • A penetration test report from the last 12 months covering the OWASP Top 10
  • Documentation showing priority vulnerabilities remediated and retested
  • Multi-factor authentication on privileged access and supplier access, evidenced directly against DSPT v8 item 4.5.3
  • A security incident management policy with defined roles, response times and escalation paths
  • Business continuity and disaster recovery evidence, including the last tested exercise

The MFA line has teeth in 2026. DSPT v8 changed the equivalence rules, so reviewers are asking for specific evidence of MFA on admin and supplier accounts rather than accepting a CE+ certificate as proxy.

C4 Interoperability

  • Open API documentation, typically REST or FHIR
  • Alignment with recognised NHS interoperability standards where NHS clinical data is handled
  • A documented NHS Number validation method using the published algorithm
  • Justified rationale for any interoperability requirement claimed as out of scope
  • A mapping of your data standards against recognised NHS guidance

The out-of-scope justification is where V2 tightened most. A blanket statement that interoperability does not apply is no longer acceptable. Reviewers want a reasoned position tied to product type and use case.
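The NHS Number validation item above refers to the published Modulus 11 check-digit algorithm: the first nine digits are weighted 10 down to 2, summed, and the remainder modulo 11 determines the tenth digit (a computed check of 11 becomes 0, and a computed check of 10 means no valid number exists for those nine digits). The following Python is an added example written for this guide, not code from Naq, NHS England or the DTAC form; the sample numbers are constructed for illustration and are only "valid" in the check-digit sense, not allocated identifiers.

```python
import re

# Weights applied to the first nine digits, left to right (published Modulus 11 scheme).
WEIGHTS = (10, 9, 8, 7, 6, 5, 4, 3, 2)


def normalise_nhs_number(value: str) -> str:
    """Strip the spaces used in the common 3-3-4 display format, e.g. '943 476 5919'."""
    return re.sub(r"\s+", "", value)


def nhs_check_digit(first_nine: str):
    """Return the Modulus 11 check digit for nine leading digits.

    Returns None when the computed check is 10, because no valid NHS Number
    can have those nine leading digits.
    """
    if len(first_nine) != 9 or not first_nine.isdigit():
        raise ValueError("expected exactly nine decimal digits")
    total = sum(int(d) * w for d, w in zip(first_nine, WEIGHTS))
    check = 11 - (total % 11)
    if check == 11:
        return 0
    if check == 10:
        return None
    return check


def is_valid_nhs_number(value: str) -> bool:
    """True if the value is ten digits (spaces allowed) and its check digit verifies."""
    digits = normalise_nhs_number(value)
    if len(digits) != 10 or not digits.isdigit():
        return False
    expected = nhs_check_digit(digits[:9])
    return expected is not None and expected == int(digits[9])


if __name__ == "__main__":
    # Constructed sample inputs: two structurally valid numbers, one corrupted
    # check digit, one nine-digit prefix for which no valid check digit exists.
    for sample in ("943 476 5919", "4010232137", "9434765918", "9434765960", "943476591"):
        print(f"{sample!r:16} -> {is_valid_nhs_number(sample)}")
```

The check digit is a structural test only: it catches transcription errors and malformed identifiers at the point of entry, which is what the C4 line item asks you to evidence. It does not establish that the number is allocated or that it belongs to the patient in front of the clinician; that level of verification comes from tracing against NHS demographics services rather than from local arithmetic, and a submission should be clear about which of the two it is claiming.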

D1 Usability and Accessibility

  • A WCAG 2.2 AA conformance statement backed by actual testing evidence
  • Evidence that the Accessible Information Standard has been considered in the product
  • An NHS Service Standard alignment statement
  • User research evidence, including users with access needs

WCAG claims without testing are the most common D1 weakness. Reviewers expect either a third-party accessibility audit or documented in-house testing with tools and results.

Why suppliers fail their first DTAC submission and how to avoid it

DTAC compliance failures repeat across submissions, and most are fixable before you press send.

  • Submitting an incomplete form. Sections deleted or marked not applicable without justification are flagged immediately. If genuinely out of scope, say why with reference to product type and NHS guidance.
  • A weak DPIA. Suppliers often assume the controller writes the DPIA. The supplier should carry their own, specific to the processing they perform as a processor or joint controller.
  • Pen test older than 12 months. Reviewers check dates. Book the refresh before the old one lapses.
  • Expired Cyber Essentials. Certificates run for 12 months. A lapse during assessment is a fail.
  • DCB 0129 gaps. A single-page hazard log, a missing CSR, or a CSO who is not a registered clinician are the three most common C1 issues.
  • Conflating DCB 0129 and DCB 0160. DCB 0129 is the supplier obligation. DCB 0160 is the deployer obligation. Submitting deployer evidence against C1 confuses reviewers and wastes assessment cycles.
  • MFA evidenced through CE+. In 2026, this no longer works for DSPT v8 item 4.5.3. Suppliers need direct evidence of MFA on privileged and supplier access.
  • WCAG claims without evidence. A statement of conformance without testing data is incomplete.
  • Treating DTAC as one-off. The annual review expectation means DTAC evidence has to be maintained. A submission that looks cobbled together ages badly.

The underlying pattern is that DTAC V2 is built for suppliers with a working compliance operation. Treating it as a pre-procurement sprint is where submissions fail.

Getting DTAC-ready without hiring a compliance team

DTAC compliance is a full evidence programme expressed as a form. A supplier that already holds current Cyber Essentials, a v8-compliant DSPT submission, DCB 0129 artefacts, and a pen test in the last 12 months is typically a few weeks from a strong DTAC submission. A supplier starting from cold is looking at three to six months of work across four or five frameworks, a Clinical Safety Officer, legal review, and a security testing cycle.

The Naq platform is built to automate DTAC V2, DSPT v8, DCB 0129, Cyber Essentials and ISO 27001 from a single dashboard. Evidence is pulled directly from the tools suppliers already run: cloud infrastructure, identity providers, endpoint management, HR systems and code repositories. Controls are mapped across frameworks, so one piece of evidence satisfies requirements in DTAC, DSPT and Cyber Essentials at the same time, rather than being collected three times. The DTAC V2 evidence pack is generated against the live form, ready to submit.

Where suppliers want named expert support, Naq's in-house Clinical Safety Officers and virtual DPOs sit alongside the platform on the C1 Clinical Safety case and the C2 Data Protection narrative.

To see how DTAC V2 evidence maps across your existing tooling and frameworks, book a 15-minute demo.

Written by
The Naq Team