February 27, 2026

NHS Compliance Requirements for International Suppliers

International digital health companies entering the UK market face the same compliance obligations as domestic suppliers. The NHS does not operate a tiered system based on where your company is registered. If you are contracting with NHS Trusts, ICBs, or ICSs, you must meet the same baseline standards regardless of your location.

NHS compliance requirements exist to protect patient data and clinical safety. Understanding what is required before you enter active tenders will determine whether your market entry takes two months or twelve.

The Core Requirements

Data Security and Protection Toolkit (DSPT)

All organisations that contract with NHS entities and handle NHS patient data must complete the Data Security and Protection Toolkit. This includes IT suppliers registered outside the UK.

The DSPT is an annual self-assessment against the National Data Guardian's 10 data security standards. For IT suppliers, this assessment is based on Category 3 evidence items. Organisations must achieve either "Standards Met" or "Standards Exceeded" to maintain their NHS contracts.

According to NHS England Digital, IT suppliers are defined as organisations external to the NHS contracting with NHS or care organisations to provide IT systems or services. The toolkit covers data handling, staff training, incident management, and technical security controls.

An independent audit is mandatory for IT suppliers to achieve "Standards Met" status. If you hold ISO 27001 or Cyber Essentials Plus certification, this will reduce your audit scope to cover only evidence items not already addressed by those certifications. However, you cannot substitute the DSPT with these standards alone.

Digital Technology Assessment Criteria (DTAC)

The DTAC sets national baseline standards for digital health technologies entering or already used in the NHS. NHS England states that DTAC is designed to give staff, patients, and citizens confidence that digital tools meet minimum standards on clinical safety, data protection, technical security, interoperability, usability, and accessibility.

During procurement, NHS organisations will request that you complete the DTAC by responding to the question set and providing evidence. This is not optional. The DTAC brings together legislation and recognised good practice covering five core areas:

  • Clinical Safety: Compliance with DCB0129, including appointment of a Clinical Safety Officer and production of a clinical safety case
  • Data Protection: ICO registration, UK GDPR compliance, and data processing agreements
  • Technical Security: Cyber Essentials certification, vulnerability testing, and secure configuration
  • Interoperability: API adherence to GDS standards, HL7/FHIR compliance where relevant
  • Usability and Accessibility: Alignment with NHS service standards

The DTAC is not a replacement for other compliance requirements. It is one component of procurement that should be supplemented with additional specifications including policy and regulatory requirements.

Clinical Safety Standards: DCB0129 and DCB0160

Compliance with DCB0129 and DCB0160 is mandatory under the Health and Social Care Act 2012. These standards apply to manufacturers and deployers of health IT systems respectively.

DCB0129 requires manufacturers to establish a clinical risk management system and produce a clinical safety case. This standard applies to all health IT systems used within the NHS and adult social care services in England. If your technology cannot meet DCB0129, you will not be able to place it on the market. NHS organisations will not be able to deploy it.

You must appoint a Clinical Safety Officer. This individual must be a senior clinician with current registration with a professional body such as the General Medical Council or Nursing and Midwifery Council. They must also have sufficient training in clinical safety and clinical risk management. The CSO can be an outsourced third party, provided they meet these requirements.

DCB0160 applies to organisations deploying and using health IT systems. Whilst this is primarily the responsibility of the NHS organisation buying your product, you will need to support them in their DCB0160 obligations by providing your DCB0129 documentation and working with their appointed CSO.

NHS England is currently reviewing both standards to ensure they remain practical and aligned with healthcare technology advancements. However, compliance remains mandatory whilst this review is underway.

Cyber Essentials Plus

Cyber Essentials Plus is required for suppliers handling personal information or providing IT or digital products and services to the NHS. This requirement is set out in Procurement Policy Note 014, which applies to all central government departments, executive agencies, non-departmental public bodies, and NHS bodies.

For international suppliers, the requirement is identical. According to NHS Supply Chain guidance published in August 2025, suppliers based overseas must demonstrate Cyber Essentials Plus compliance. ISO 27001 certification cannot be offered as an alternative to Cyber Essentials Plus. This is because Cyber Essentials is based on baseline security controls being in place, whilst ISO 27001 takes a more risk-based approach.

Cyber Essentials Plus includes external vulnerability testing to verify that the technical controls you have implemented actually defend against basic hacking and phishing attacks. The certification must be renewed annually.

If you cannot obtain Cyber Essentials Plus certification, you may be asked to complete an Information Security Third Party Questionnaire to demonstrate equivalent cyber security controls are in place. This is assessed on a risk-based basis depending on the products and services you provide.

Medical Device Registration

If your product is classified as a medical device by the MHRA, additional requirements apply.

Manufacturers based outside the UK must appoint a UK Responsible Person to register devices with the MHRA. The MHRA only accepts registrations submitted directly by manufacturers that are based in the UK. If you are not UK-based, your UK Responsible Person assumes certain responsibilities on your behalf, including registering the device and acting as the point of contact for regulatory matters.

The UK Responsible Person must provide written evidence that they have your authority to act in this capacity. A statutory fee of £240 applies per application when registering or making changes to existing registrations.

Devices must comply with the Medical Devices Regulations 2002 (UK MDR 2002) as they apply in Great Britain. Currently, CE marked devices can still be placed on the Great Britain market under transitional arrangements. However, the government is working towards requiring UKCA marking for medical devices. MHRA has stated that acceptance of CE marked devices in Great Britain will be extended beyond 30 June 2023, with specific timelines set out in implementation updates on the strengthened medical devices regime.

International suppliers should note that MHRA is testing an international reliance framework that would allow recognition of approvals from comparable regulators in Australia, Canada, the EU, and USA. This framework is not yet formally in force.

Information Commissioner's Office Registration

All organisations processing personal data in the UK must register with the Information Commissioner's Office unless they are exempt. ICO registration is a legal requirement under UK GDPR and is specifically requested as part of DTAC completion.

The ICO registration fee is based on your organisation size and turnover. Annual renewal is required. Your ICO registration number will be requested during NHS procurement processes.

International Data Transfer Agreements

If your organisation is based outside the UK and you will be processing NHS patient data, you must have appropriate data transfer mechanisms in place.

For organisations in countries without adequacy regulations (known as "third countries"), the ICO recommends using the International Data Transfer Agreement template. Where standard contractual clauses are already in place, you should complete the IDTA Addendum. These documents can be referenced within other agreements such as NHS standard contracts.

NHS organisations are required to conduct due diligence on suppliers to ensure compliance with data protection laws. This includes checking DSPT status and, for digital health technology suppliers, reviewing completed DTAC assessments. Contracts with suppliers must include appropriate clauses to cover UK GDPR requirements.

Common Misconceptions

"We have ISO 27001 certification, so we are covered."

ISO 27001 is recognised as good practice and will reduce the scope of your DSPT audit. However, it is not a substitute for completing the DSPT itself, nor can it replace Cyber Essentials Plus as set out in PPN 014. You will still need to achieve these certifications separately.

"EU MDR compliance is sufficient for the UK market."

The UK has its own regulatory framework under UK MDR 2002. Whilst transitional arrangements currently allow CE marked devices on the Great Britain market, you must still register with MHRA through a UK Responsible Person if you are a non-UK manufacturer. The timelines for transitioning to UKCA marking are subject to government announcements.

"The clinical safety standards only apply to medical devices."

DCB0129 applies to all health IT systems, not just those classified as medical devices. The applicability tool published by NHS England Digital can help you determine whether your product falls within scope. Many digital health technologies that are not medical devices still require DCB0129 compliance.

Timeline Considerations

Achieving NHS compliance readiness is not a process you can complete in a few weeks. Each requirement has its own timeline:

DSPT submission deadlines are typically 30 June each year. Completing the toolkit for the first time requires assembling evidence across all 10 data security standards, implementing any gaps, and arranging an independent audit. This process typically takes two to four months for organisations with existing information security maturity.

Cyber Essentials Plus certification, including the external assessment, can take four to eight weeks from application to certificate issuance, depending on assessor availability and any remediation required following the initial assessment.

DCB0129 clinical safety work must begin during product development, not as an afterthought before procurement. Creating a clinical safety case involves hazard identification, clinical risk assessment, and documentation of all hazards, impacts, mitigations, and controls. The time required depends on product complexity, but allocating two to three months for organisations new to the process is prudent.

MHRA medical device registration with a UK Responsible Person can be completed within a few weeks once you have appointed a suitable representative and gathered the necessary documentation. However, identifying and contracting with a UK Responsible Person may take additional time.

Companies with existing compliance maturity, such as ISO 27001 certification or EU MDR documentation, can leverage this work to accelerate NHS compliance timelines. However, they should not assume automatic equivalence. Each NHS requirement has specific evidence items and standards that must be met.

Practical Steps for Market Entry

Organisations entering the NHS market should assess their current compliance position against all requirements simultaneously rather than sequentially. Gaps in clinical safety should not be left unaddressed whilst you wait for DSPT audit results. These workstreams must run in parallel.

If you are participating in active NHS tenders, compliance requirements will be assessed during procurement. NHS organisations are required to request DSPT status, DTAC completion, and evidence of relevant certifications. Failure to provide these will eliminate you from consideration regardless of your product capabilities.

For companies with limited internal compliance resource, engaging specialist support can accelerate timelines. However, this support must be from providers who understand NHS-specific requirements, not generic compliance consultancies. The NHS compliance environment has unique standards that do not exist in other healthcare markets.

Compliance Is Not Optional

International digital health suppliers sometimes approach NHS compliance as a series of checkboxes to complete before winning contracts. This is the wrong framing.

These requirements exist because NHS organisations are legally obligated to protect patient data and ensure clinical safety. Your compliance readiness will be verified during procurement. If you cannot demonstrate that you meet the required standards, NHS organisations cannot contract with you.

The commercial impact of compliance readiness is straightforward. Suppliers who understand NHS requirements before entering tenders can provide accurate timelines and meet procurement obligations. Suppliers who discover these requirements mid-tender will either withdraw or provide commitments they cannot deliver.

For international companies with strong existing compliance frameworks, NHS market entry is achievable within realistic timelines. The requirements are clear, the standards are published, and the assessment processes are defined. Success depends on understanding what is required before you need it.

Sources cited:

NHS England Digital. (2024). Data Security and Protection Toolkit. Retrieved from https://www.dsptoolkit.nhs.uk/

NHS England Digital. (2024). Data Security and Protection Toolkit Assessment Guides. Retrieved from https://digital.nhs.uk/cyber-and-data-security/guidance-and-assurance/data-security-and-protection-toolkit-assessment-guides

NHS Transformation Directorate. (2025). Digital Technology Assessment Criteria (DTAC). Retrieved from https://transform.england.nhs.uk/key-tools-and-info/digital-technology-assessment-criteria-dtac/

NHS England. (2025). Digital Clinical Safety Assurance. Retrieved from https://www.england.nhs.uk/long-read/digital-clinical-safety-assurance/

NHS England Digital. (2025). DCB0129: Clinical Risk Management: its Application in the Manufacture of Health IT Systems. Retrieved from https://digital.nhs.uk/data-and-information/information-standards/information-standards-and-data-collections-including-extractions/publications-and-notifications/standards-and-collections/dcb0129-clinical-risk-management-its-application-in-the-manufacture-of-health-it-systems

NHS England Digital. (2025). DCB0160: Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems. Retrieved from https://digital.nhs.uk/data-and-information/information-standards/information-standards-and-data-collections-including-extractions/publications-and-notifications/standards-and-collections/dcb0160-clinical-risk-management-its-application-in-the-deployment-and-use-of-health-it-systems

NHS England Digital. (2025). Clinical Risk Management Standards. Retrieved from https://digital.nhs.uk/services/clinical-safety/clinical-risk-management-standards

UK Government. (2025). PPN 014: Cyber Essentials Scheme. Retrieved from https://www.gov.uk/government/publications/ppn-014-cyber-essentials-scheme/ppn-014-cyber-essentials-scheme-html

NHS Supply Chain. (2025). Cyber Security: Expectations of Suppliers. Retrieved from https://www.supplychain.nhs.uk/news-article/cyber-security-expectations-of-suppliers/

UK Government. (2025). Regulating Medical Devices in the UK. Retrieved from https://www.gov.uk/guidance/regulating-medical-devices-in-the-uk

UK Government. (2020). Register Medical Devices to Place on the Market. Retrieved from https://www.gov.uk/guidance/register-medical-devices-to-place-on-the-market

NHS England Digital. (2025). Cyber Security and Resilience for Health or Care Services. Retrieved from https://www.digitalregulations.innovation.nhs.uk/regulations-and-guidance-for-adopters/all-adopters-guidance/cyber-security-and-resilience-for-health-or-care-services/

Information Commissioner's Office. International Data Transfer Agreement. Retrieved from https://ico.org.uk/

NHS England Digital. (2025). Your Suppliers and Contracts. Retrieved from https://digital.nhs.uk/cyber-and-data-security/guidance-and-assurance/data-security-and-protection-toolkit-assessment-guides/guide-10---accountable-suppliers/your-suppliers-and-contracts/

Written by
The Naq Team