Blog
Compliance
NHS DTAC v2
NHS DSPT v8
DCB 0129
June 28, 2026
Approx 8 min read

NHS compliance for healthtech suppliers

The contract is agreed in principle. The trust wants your product, the clinical team is keen, and then procurement sends the email: send us your completed DTAC and confirm your DSPT before we can sign. The deal that felt done is now sitting behind an assurance gate, and nobody on your side has the evidence ready. This is the point where NHS compliance for healthtech suppliers decides whether revenue lands this quarter or slips to the next.

It is a familiar pattern. An ICB tender lists a Digital Technology Assessment Criteria submission as a condition of award. A trust buyer asks for proof of clinical safety sign-off before onboarding. A security questionnaire arrives mid-procurement and stalls a contract that was otherwise ready to close. On a first NHS deal, the evidence that proves the product is safe to buy is usually what holds things up.

What compliance do you need to sell to the NHS?

Selling software to the NHS usually requires a completed DTAC, a current DSPT submission, clinical safety evidence under DCB 0129, and security assurance through Cyber Essentials or ISO 27001, all underpinned by UK GDPR. These requirements interlock, so evidence assembled once supports several of them at the same time.

That interlock is the part most suppliers miss on a first NHS deal. Each requirement looks like a separate project with a different form, owner and deadline. Handled as separate projects, the first contract takes months to clear and every contract after it repeats the same effort. Handled as one connected body of evidence, the first deal is slower but every deal after it gets faster.

What NHS compliance for healthtech suppliers actually involves

A trust or ICB does not assess one standard. It assesses a stack, and each layer answers a different buyer question: is it clinically safe, is patient data protected, is the system secure, and is the supplier handling NHS data to a known standard. Here is how the pieces map.

StandardWhat it proves to the buyerWho it applies toWhere it appears in the dealNHS DTACA single assessment across clinical safety, data protection, technical security, interoperability, and usability and accessibilityThe supplier of the digital health technologyThe assurance gate most trusts and ICBs ask you to clear before sign-offNHS DSPT v8The supplier handles NHS patient data and systems to a recognised standardAny organisation with access to NHS patient data, including suppliers and data processorsBuyer must verify it; feeds the DTAC data protection answersDCB 0129The clinical risk of the software has been assessed and signed off by a named Clinical Safety OfficerThe manufacturer of the health IT systemThe clinical safety domain of DTAC, and a gate on deploymentISO 27001 + Cyber EssentialsThe security controls behind the product are managed and certifiedThe supplier organisationThe technical security domain of DTACUK GDPRPersonal and confidential data is processed lawfullyThe supplier as controller or processorThe data protection domain, sitting under DSPT and DTAC

The current DTAC is version 2.0, published by NHS England in February 2026. The previous form must not be used from 6 April 2026 onwards. The refresh cut roughly a quarter of the questions and removed items that duplicated other routes, which is why a current DSPT now answers much of the DTAC data protection section before you start.

DCB 0129 sits closest to an absolute gate. It is the manufacturer obligation under clinical risk management, and it requires a nominated Clinical Safety Officer, a suitably qualified clinician with current registration, to produce and sign the clinical safety case report. Without that report, clinical software cannot be deployed in the NHS even after a contract is signed. The 2026 update removed the mandatory NHS-provided training course, but the supplier still has to demonstrate the officer's competence.

DSPT v8 is the annual submission, version 8 of the toolkit, due by 30 June 2026. Most smaller healthtech suppliers complete it as a Category 3 organisation, and version 8 adds a requirement for Category 3 organisations to maintain a digital asset register. The toolkit aligns to the NCSC Cyber Assessment Framework version 3.4, which is the basis it is measured against.

On security, the DTAC technical security domain expects Cyber Essentials where the product handles sensitive or personal data, plus vulnerability and penetration testing evidence. An ISO 27001 information security management system strengthens those answers and evidences most of the controls behind them. It does not replace Cyber Essentials for NHS procurement; the two sit together rather than one standing in for the other.

One thing this stack does not cover. If your product is a medical device, you will also need UKCA or CE marking under the UK medical devices regulations, assessed through the MHRA route. DTAC asks medical-device software to show that marking and its risk-management system, but the marking itself is governed by the MHRA, not by DTAC. That device-conformity route runs in parallel to the data, security, information-governance and clinical-safety evidence described here. It sits outside that stack and outside what Naq handles.

Map NHS compliance for healthtech suppliers once, reuse it on every deal

The reason the stack interlocks is that the underlying evidence overlaps. An access-control policy is an ISO 27001 control, a Cyber Essentials answer, a DSPT line, and a DTAC technical security response at the same time. A data-flow map supports your UK GDPR records, your DSPT submission, and the DTAC data protection domain. The clinical safety case authored for DCB 0129 is the same evidence the DTAC clinical safety domain asks for.

Assembled once and kept in one place, each piece of evidence pays out across every framework it touches. The first NHS deal carries the cost of building the evidence base. Every deal after it reuses that work, so clearing the gate is mostly a matter of refreshing and exporting what already exists. The compounding effect is the commercial argument for treating NHS compliance as one programme rather than a queue of separate forms.

That only works if the evidence stays current. A DSPT lapses annually. Cyber Essentials renews. Policies drift. If the evidence base is a folder of documents that ages quietly between deals, the reuse advantage erodes and the next buyer's questionnaire surfaces gaps you thought were closed.

What getting there involves

The path is the same for most suppliers: appoint a Clinical Safety Officer and produce the clinical safety case, stand up an information security management system and certify it, complete the DSPT, and assemble the DTAC submission from evidence the other three already generate. The difficulty is rarely any single item. It is keeping all of them connected and current while you also build and sell the product.

This is the gap Naq is built for. It runs the NHS deal stack as one connected system, so a control completed once counts across every framework it maps to, with real-time progress per framework and exportable evidence to clear a security review quickly. The expert support is included rather than invoiced separately: in-house Clinical Safety Officers to author and sign the clinical safety case, and virtual Data Protection Officers for the information governance work. Cyber Essentials certification sits under one roof because Naq is an IASME Certifying Body, with Cyber Essentials Plus assessment and penetration testing through an accredited external partner network. The built-in AI assistant is read-only by design, so it summarises evidence and flags gaps without ever editing the formal record.

The result is the position you want to be in when procurement sends that email: the evidence is current and ready to export, and the gate becomes a formality instead of a delay.

If an NHS deal is sitting behind a DTAC or DSPT request right now, start with a free DTAC assessment. We map your product against the current criteria, show you exactly which evidence you already have and which is missing, and use that as the basis for a discovery session on the fastest route to clearing the gate, across both the platform and the expert support to get you there. Get in touch and tell us which NHS deal is in play.

Frequently asked questions

What compliance do you need to sell to the NHS?

Selling software to the NHS usually requires a completed DTAC, a current DSPT submission, clinical safety evidence under DCB 0129, and security assurance through Cyber Essentials or ISO 27001, all underpinned by UK GDPR. These interlock, so evidence assembled once supports several at the same time.

What is the current version of NHS DTAC?

The current version is DTAC 2.0, published by NHS England in February 2026. The previous form must not be used from 6 April 2026. It assesses five domains: clinical safety, data protection, technical security, interoperability, and usability and accessibility, and references DCB 0129, DCB 0160 and the DSPT.

When is the NHS DSPT v8 deadline?

The Data Security and Protection Toolkit 2025-26, version 8, must be submitted by 30 June 2026. Every organisation with access to NHS patient data or systems must complete it, including suppliers and data processors. Most smaller healthtech suppliers complete it as a Category 3 organisation.

Does a medtech supplier need MDR as well as DTAC?

If your product is a medical device you will also need UKCA or CE marking under the UK medical devices regulations, assessed via the MHRA. That device-conformity route runs in parallel to the DTAC, DSPT, clinical-safety and security evidence and is separate from it.

Written by
The Naq Team