Blog
Compliance
NHS DTAC v2
NHS DSPT v8
DCB 0129
June 21, 2026
Approx 7 min read

What is NHS DTAC and How It Opens NHS Deals

A digital health product is close to its first NHS contract. The trust likes it, the clinicians want it, the budget is there. Then the buyer asks for the completed DTAC, and the deal stops moving. Procurement cannot progress a digital tool through onboarding until the supplier produces the assurance the NHS recognises. No DTAC, no signature.

That single request decides whether the contract lands this quarter or drifts into the next one. Understanding what is NHS DTAC and how it opens NHS deals is the difference between a sale that stalls at the assurance gate and one that clears it in a document handover. This guide explains the framework plainly, then shows why a current DTAC is what gets a digital health product into the NHS market at all.

What is NHS DTAC

DTAC, the Digital Technology Assessment Criteria, is NHS England's assessment framework for digital health technology. NHS commissioners and providers use it to assure software-based products before they buy or deploy them, covering clinical safety, data protection, technical security, interoperability, and usability and accessibility in a single form the NHS already recognises.

It is the consolidation point. Instead of each trust running its own assurance questionnaire, DTAC brings the standards and policies a digital health product must meet into one place. The supplier completes it. The buyer reads it as the evidence that the product is safe, secure and well governed.

NHS England updated the criteria to version 2, known as DTAC v2, which it published in February 2026 and required from 6 April 2026 in place of the earlier version. The refresh trimmed and tidied the form and removed items that duplicated other assurance routes such as the Data Security and Protection Toolkit. The shape of the assessment, and what it gates, did not change.

Who needs a DTAC, and what it gates

Any supplier selling software-based health technology to the NHS will meet DTAC at some point. That covers apps, web platforms, clinical tools and other products that handle health and care data. The buyers using it are the trusts, integrated care boards and other NHS organisations doing their due diligence before a purchase.

DTAC sits alongside other approvals rather than replacing them. A supplier may still need to complete the Data Security and Protection Toolkit for data security, register with the Information Commissioner's Office, hold the relevant clinical risk management evidence, and, where the product is a medical device, meet the requirements regulated by the MHRA. DTAC pulls the assurance picture together; the underlying obligations still stand.

On many NHS procurements, a completed DTAC is the assurance gate the deal has to clear. It is not a universal legal mandate in the way a statute is, but in practice a product without one struggles to progress through NHS onboarding. The market treats it as the threshold for entry.

How DTAC opens NHS deals

The commercial value of DTAC is access to a market that stays closed without it. Four mechanisms do the work.

Market access - A current DTAC is, in practice, the credential that gets a product considered by NHS buyers at all. Without one, there is no realistic route through onboarding.

Faster assurance - A completed form answers the buyer's clinical safety, data protection, security, interoperability and usability questions in the format the NHS recognises, turning a multi-week back-and-forth into a document handover.

Compounding trust - Clearing DTAC for one trust signals that the product is safe and well governed, which makes the next trust's assurance easier and supports multi-organisation procurements.

Evidence reuse - Because DTAC draws on work done for data security and clinical safety standards, the evidence assembled for those feeds the form instead of being produced a second time.

The faster-assurance point is where deals are won or lost on timing. On the buyer's side the procurement lead has a product they want, a board that wants proof it is safe, and a queue of other approvals to clear. A complete, current DTAC lets them move the assurance step in days rather than weeks, because the answers are already in the form they trust. The supplier who hands a complete form over keeps the deal moving; the one still drafting it loses the timing advantage.

Trust then compounds. A current DTAC removes the duplication a buyer would otherwise have to chase, making the pathway quicker to clear. One cleared DTAC then becomes a reference point for the next buyer. Over time it supports the larger framework and multi-trust contracts where the cost of assurance, if repeated from scratch each time, would be prohibitive.

What getting to DTAC involves

DTAC is an assembly job more than a single test. The five areas each draw on standing work a supplier should already be doing.

  • Clinical safety rests on the clinical risk management standards DCB 0129 for the manufacturer and DCB 0160 for the deploying organisation, including a named Clinical Safety Officer to author and sign the clinical safety case.
  • Data protection draws on UK GDPR and the Data Protection Act 2018, ICO registration, and the data security assurance evidenced through the Data Security and Protection Toolkit.
  • Technical security covers the controls a buyer expects, where an ISO 27001 information security management system or Cyber Essentials certification provides much of the evidence.
  • Interoperability and usability and accessibility cover how the product exchanges data and how safely people can use it.

The work that makes DTAC quick is the work done once for those underlying standards, then reused. A supplier who already holds the DSPT and the clinical safety case is most of the way through the form. The efficiency comes from not answering the same question three times across three frameworks.

This is the part a compliance platform handles well. Naq runs DTAC alongside the standards NHS buyers ask for together, the DSPT and DCB 0129 in particular, with in-house Clinical Safety Officers and virtual DPOs on hand, so evidence proven once for those standards carries across into the DTAC instead of being assembled again. You can read the framework guide for the detail, no form required.

Frequently asked questions

What is NHS DTAC?

DTAC, the Digital Technology Assessment Criteria, is NHS England's assessment framework that buyers use to assure digital health technology across clinical safety, data protection, technical security, interoperability, and usability and accessibility. Suppliers selling software-based products to the NHS complete it; commissioners and providers read it as part of procurement.

Is DTAC mandatory for selling to the NHS?

It is the assurance gate on many NHS procurements. Without a completed DTAC, a product struggles to progress through NHS onboarding, even where it is not a universal legal requirement. In practice the market treats a current DTAC as the threshold for being considered at all.

What are the five areas DTAC assesses?

DTAC assesses clinical safety, data protection, technical security, interoperability, and usability and accessibility. Each area draws on established standards and obligations, so the form consolidates work a supplier is doing elsewhere into a single assessment the NHS recognises.

How does DTAC relate to NHS DSPT and DCB 0129?

DTAC pulls in data security evidence from the Data Security and Protection Toolkit and clinical safety evidence from DCB 0129 and DCB 0160. The work done for those standards feeds the DTAC rather than being repeated, which is why holding them first makes the form far quicker to complete.

Related reading:- Compliance as a way to grow, not a cost (hub overview)- NHS DSPT: the data security assurance that feeds your DTAC- DCB 0129: building the clinical safety case the NHS expects- ISO 27001 for SMEs: evidence that carries across the NHS stack

Written by
The Naq Team
Share
Share
Compliance
NHS DSPT v8
What is the NHS Data Security & Protection Toolkit, and how to comply?
February 25, 2024
Compliance
DCB 0129
DCB 0129: Navigating your solution's clinical safety requirements
March 6, 2024
Compliance
Cyber Essentials
NHS DSPT v8
The Role of Cyber Essentials in Achieving NHS DSPT Compliance
February 25, 2024
Compliance
NHS DSPT v8
NHS DTAC v2
What NHS readiness actually looks like
February 16, 2026
Newsletter

The latest in compliance and cybersecurity direct to your inbox

Sign up now
Connect with us

Streamline compliance & accelerate your growth

Book a demo
arrow_forward
See the framework set
Product
Platform OverviewAutomated ComplianceRisk ManagementClinical Risk ManagementTrainingMulti-framework ManagementComprehensive SupportFrameworks
Solutions
BuildGrowScaleHealthDefenceFinanceBusiness to EnterpriseBusiness to Government
Resources
All ResourcesBlogCase StudiesGuidesNaq in the News
Company
ContactAboutVacanciesPartnershipsMedia
Taking complexity out of compliance.
Connect with us
© Copyright 2024 - Naq Cyber UK Ltd.   © Copyright 2024 - Naq Cyber B.V.
Responsible Disclosure
Cookie Policy
Terms of Service
Privacy Policy