
A dental practice uses an AI-powered appointment system that triages patients by urgency. A pharmacy runs automated messaging to remind patients about repeat prescriptions. A GP surgery has a chatbot on its website that handles initial patient queries before routing to a clinician. A practice uses voice transcription software during consultations.
Every one of these tools is a digital health technology. And every one of them may fall within the scope of clinical safety standards that most practice managers have never heard of. DCB 0129 and DCB 0160 are not new frameworks. They have been mandatory under the Health and Social Care Act 2012 for years. But their relevance to high-street healthcare practices is new, because the adoption of AI tools in primary care has accelerated far faster than awareness of the compliance obligations that come with them.
In 2025, researchers sent freedom of information requests to 239 NHS organisations in England, asking how many digital health technologies they were using and whether those technologies were assured against DCB 0129 and DCB 0160. The results, published in the Journal of Medical Internet Research, raised serious concerns. Although NHS organisations are legally required not to procure a digital health technology without DCB 0129 assurance and not to deploy one without DCB 0160 assurance, no public data existed on how many technologies were in use or how many were properly assured.
The study's findings pointed to significant gaps. Many organisations could not confirm the assurance status of the technologies they were actively using. The researchers concluded that these findings represent a real risk to patients and to one of the core ambitions of the NHS 10-Year Health Plan: safely transitioning from analogue to digital care models.
If NHS trusts with dedicated governance teams are struggling to track and assure their digital health technologies, the picture for smaller healthcare practices is likely to be considerably worse.
DCB 0129, formally titled Clinical Risk Management: its Application in the Manufacture of Health IT Systems, requires manufacturers and developers of health IT systems to implement a structured clinical risk management process throughout the product lifecycle. This means identifying hazards, assessing their potential clinical impact, documenting mitigations and controls, and maintaining a Clinical Safety Case Report.
The standard applies to any organisation responsible for developing or maintaining health IT systems used within UK healthcare. That includes patient-facing apps, clinical decision tools, appointment management systems with triage functionality, and any software that processes patient data or could influence clinical outcomes.
DCB 0160 is the companion standard for organisations deploying and using these systems. This is the one that applies directly to healthcare practices. If your practice deploys a digital health technology, you have an obligation to assure its clinical safety in your specific deployment context. That requires your own clinical safety assessment, separate from whatever the vendor has done. You cannot simply rely on the manufacturer's DCB 0129 compliance to cover your deployment obligations.
Both standards require the appointment of a Clinical Safety Officer (CSO): a senior clinician with current registration with an appropriate professional body and sufficient training in clinical safety and clinical risk management. For a small dental practice or pharmacy, this is an entirely unfamiliar requirement. Most have never appointed a CSO and have no internal capacity to conduct a formal hazard analysis.
The Digital Technology Assessment Criteria (DTAC) is NHS England's baseline standard for any digital health technology entering the NHS ecosystem. It covers five domains: clinical safety, data protection, technical security, interoperability and usability. DCB 0129 compliance sits within the DTAC framework as part of the clinical safety domain.
DTAC is primarily aimed at vendors and developers, but practices need to understand it for a practical reason. If a practice is using a digital health tool that has not completed a DTAC assessment, there is no assurance that the tool meets the minimum standards the NHS considers acceptable. That creates both a compliance exposure for the practice and a patient safety concern that could surface during a CQC or GPhC inspection.
NHS England has also started a review of DCB 0129 and DCB 0160 to bring them up to date with current healthcare technology, including AI and machine learning applications. Version 2 of the standards is on the horizon. Practices that establish compliance processes now will be in a stronger position when the revised requirements come into effect.
Before continuing to use any AI or digital health tool in your practice, there are specific questions you should be putting to your suppliers. Has the product completed a DTAC assessment? Is there a current DCB 0129 Clinical Safety Case Report? Who is the designated Clinical Safety Officer for the product? What patient data does the tool process, and where is it stored? What happens to the data if you stop using the service? Can the vendor provide evidence of their clinical risk management process?
If your vendor cannot answer these questions clearly, that should prompt further investigation. If they are unfamiliar with the frameworks entirely, that is a serious concern and a strong indicator that the tool may not meet NHS standards.
AI compliance does not exist in a vacuum. It sits on top of Data Security and Protection Toolkit (DSPT), GDPR and Cyber Essentials requirements. The data processed by AI tools is still personal data under the UK GDPR. The systems those tools run on still need to meet DSPT evidence requirements. The infrastructure still needs to pass Cyber Essentials controls. The layers are cumulative, not alternative.
This is where the Naq and VoIP Shop partnership delivers particular value for healthcare SMBs. Naq's platform includes Clinical Safety Officer services for DCB 0129 and DCB 0160, DTAC readiness support, and integration with the full compliance stack across DSPT, GDPR and Cyber Essentials. Through VoIP Shop, practices can access these services as part of a managed compliance package. In many cases, VoIP Shop supplied the communications technology the practice is already using, so the conversation about AI compliance starts from a position of understanding your existing setup rather than starting from scratch.
The AI tools are already in your practice. The regulatory requirements are already in force. The gap between the two is the risk. Speak to VoIP Shop about adding AI compliance coverage to your Naq package, and get a clear assessment of which digital health obligations apply to you.