Blog
Compliance
DCB 0129
NHS DTAC v2
NHS DSPT v8
June 21, 2026
Approx 7 min read

What is DCB 0129 clinical risk management?

A health IT supplier closes a deal with an NHS Trust, then hits a wall before go-live. The Trust's clinical safety team asks for the DCB 0129 clinical risk management evidence: the Hazard Log, the Clinical Safety Case Report, the name of the Clinical Safety Officer who signed it off. Without that pack, the software does not get deployed. The contract is signed, but the product cannot ship.

This is the part of selling clinical software into the NHS that catches new entrants out. The technology can be excellent and the buyer keen, but English health and care procurement runs through a clinical-safety gate that sits outside the commercial conversation. NHS guidance puts it plainly: if your digital technology cannot meet DCB 0129, you will not be able to place it on the market, and adopters will not be able to use it in the NHS.

That makes the standard the entry ticket to the NHS market. The work you do to meet it also becomes evidence that shortens every Trust review that follows.

What is DCB 0129 clinical risk management?

DCB 0129 is an NHS information standard titled "Clinical Risk Management: its Application in the Manufacture of Health IT Systems." It sets the requirements for manufacturers building health IT so they can evidence the clinical safety of their products. It is published by NHS England and is mandatory under the Health and Social Care Act 2012.

The current published version is Amd 24/2018, in force since June 2018. Mandatory status matters here. DCB 0129 is law for health IT manufacturers operating in England, not optional good practice you can defer until a buyer insists.

Who needs DCB 0129, and how it differs from DCB 0160

DCB 0129 applies to manufacturers of health IT used in NHS care settings in England. That includes electronic patient record systems, triage and referral tools, clinical decision-support software, AI diagnostic products and patient-facing apps that handle clinical information.

Scope is wider than many founders expect. DCB 0129 applies whether or not your software is classified as a medical device. If it is also a medical device, MHRA regulation applies in parallel. One does not replace the other, and meeting MHRA requirements does not satisfy DCB 0129.

The most-confused point in health IT compliance is the split between the two clinical-safety standards. DCB 0129 and DCB 0160 are two halves of the same safety chain, one for the maker and one for the deployer.

DCB 0129DCB 0160Full titleClinical Risk Management in the Manufacture of Health IT SystemsClinical Risk Management in the Deployment and Use of Health IT SystemsWho it applies toThe manufacturer building the softwareThe deploying organisation (NHS Trust, ICB, GP practice)Current versionAmd 24/2018Amd 25/2018What it producesManufacturer's safety case for the productDeployer's safety case for using the product in its setting

You, the supplier, do DCB 0129. The organisation deploying your software does DCB 0160. The two safety cases connect, which is where the commercial value sits.

How DCB 0129 helps you grow

The growth case rests on four mechanisms, all of them about getting to revenue faster and keeping it.

It unblocks the deal. Without a DCB 0129 position, a Trust cannot procure or deploy your product. Meeting the standard is what turns a signed contract into a live deployment. The standard is the difference between a sale on paper and software in clinical use.

It opens a gated market. "Cannot place it on the market" is literal. DCB 0129 is the condition of entry to NHS and wider English health and care procurement. Clearing it once gives you standing to sell across that market rather than fighting the same objection at every door.

It speeds up clinical-safety review. Your DCB 0129 artefacts feed directly into the Trust's own DCB 0160 work. The deploying organisation's clinical safety team reuses your Hazard Log and Clinical Safety Case Report as input to its own assessment. A current, well-evidenced safety case shortens the back-and-forth between supplier sign-off and clinical go-live. The pack you build to meet the standard becomes a sales asset that moves the next deal along faster.

It builds buyer trust that compounds. DCB 0129 is the clinical-safety pillar of the Digital Technology Assessment Criteria, the assessment NHS commissioners and providers use to assure digital health products. DTAC asks manufacturers to confirm DCB 0129 compliance, name their Clinical Safety Officer and supply the Clinical Risk Management Plan, the Clinical Safety Case Report and the Hazard Log. A defensible safety case strengthens the whole DTAC submission and signals a serious supplier, which makes each subsequent Trust conversation easier than the last.

What getting there involves

Meeting DCB 0129 means standing up a clinical risk management system and maintaining it across the product lifecycle. At a high level, that involves:

  1. A named Clinical Safety Officer: a clinician with current professional registration, trained in clinical risk management, accountable for the clinical safety of your product.
  2. A Clinical Risk Management Plan setting out how you identify, assess and control clinical risk.
  3. A living Hazard Log that records hazards, their severity and the controls that reduce them.
  4. A Clinical Safety Case Report, defined by NHS England as a structured argument that a system is safe to release.
  5. Ongoing safety activity, so the case stays current as the product changes rather than going stale after launch.

The Clinical Safety Officer role can be outsourced, and most early-stage digital-health companies take that route because they rarely employ a registered clinician in-house. The practical question is whether your CSO support, your safety documentation and your wider compliance evidence sit together or scatter across separate suppliers and spreadsheets.

This is where keeping clinical safety connected to the rest of your compliance pays off. Naq runs DCB 0129 alongside the standards NHS buyers also ask for, including NHS DSPT, NHS DTAC, ISO 27001, Cyber Essentials and GDPR, in one connected system with in-house Clinical Safety Officers included. The same evidence feeds your DTAC submission and the wider stack, so you build the safety case once and reuse it across every standard it maps to. You can read the framework guide to see how the standards fit together.

Frequently asked questions

What is DCB 0129 and is it mandatory?

DCB 0129 is an NHS information standard for manufacturers of health IT, requiring them to evidence the clinical safety of their products. It is mandatory under the Health and Social Care Act 2012. Without it, you cannot place a health IT product on the NHS market in England.

What is the difference between DCB 0129 and DCB 0160?

DCB 0129 is the manufacturer's obligation, covering clinical risk management in building health IT. DCB 0160 is the deploying organisation's obligation, covering clinical risk management in using that software in a care setting. The two standards work together and their safety cases connect.

Do I need a Clinical Safety Officer for DCB 0129?

Yes. DCB 0129 requires a named Clinical Safety Officer: a clinician with current professional registration, trained in clinical risk management, who is accountable for the clinical safety of the product and signs off the safety case. The role can be outsourced to a third party.

Does DCB 0129 apply if my software is not a medical device?

Yes. DCB 0129 applies to health IT used in NHS care settings whether or not the software is classified as a medical device. MHRA medical-device regulation is a separate, parallel regime. Meeting one does not satisfy the other.

Written by
The Naq Team
Share
Share
Compliance
NHS DTAC v2
What You Need to Know About DTAC Version 2
March 4, 2026
Compliance
DCB 0129
NHS DTAC v2
NHS DSPT v8
Clinical Safety Officer Requirements Under DCB 0129
April 12, 2026
Compliance
NHS DSPT v8
NHS DTAC v2
DCB 0129
Our Compliance Therapy Webinar Series
July 26, 2024
Compliance
Navigating DART for SMEs: Tips to become a successful MoD supplier
February 25, 2024
Newsletter

The latest in compliance and cybersecurity direct to your inbox

Sign up now
Connect with us

Streamline compliance & accelerate your growth

Book a demo
arrow_forward
See the framework set
Product
Platform OverviewAutomated ComplianceRisk ManagementClinical Risk ManagementTrainingMulti-framework ManagementComprehensive SupportFrameworks
Solutions
BuildGrowScaleHealthDefenceFinanceBusiness to EnterpriseBusiness to Government
Resources
All ResourcesBlogCase StudiesGuidesNaq in the News
Company
ContactAboutVacanciesPartnershipsMedia
Taking complexity out of compliance.
Connect with us
© Copyright 2024 - Naq Cyber UK Ltd.   © Copyright 2024 - Naq Cyber B.V.
Responsible Disclosure
Cookie Policy
Terms of Service
Privacy Policy