NHS DTAC Explained, What Digital Health and MedTech Companies Need to Know

For digital health companies entering the NHS market, meeting the NHS Digital Technology Assessment Criteria, commonly known as DTAC, has become a critical requirement. DTAC is not simply an administrative checklist. It is a structured framework designed to ensure that digital healthcare technologies are safe, secure, interoperable and appropriate for use within NHS and social care environments.

For software as a medical device (SaMD) developers, digital therapeutics companies and health technology startups, understanding DTAC early can significantly reduce procurement delays and strengthen NHS adoption pathways. As NHS procurement increasingly depends on DTAC compliance, organisations must treat it as a core part of market access strategy rather than a late-stage compliance exercise.

What DTAC Actually Is

DTAC stands for the Digital Technology Assessment Criteria. It is a framework used by the NHS to assess digital healthcare technologies before procurement and deployment. The framework applies primarily to digital products used within health and social care settings, including software as a medical device, healthcare applications, digital platforms and wearable technologies. The purpose of DTAC is to ensure that technologies entering NHS systems meet minimum standards in areas such as clinical safety, cybersecurity, interoperability and accessibility. The ultimate aim is to ensure that products are safe, secure and effective for both patients and healthcare professionals.

Why DTAC Matters for NHS Procurement

DTAC has become a mandatory component of many NHS procurement processes. Without evidence of DTAC compliance, digital health technologies may struggle to progress through NHS onboarding and procurement pathways. This is particularly important because NHS organisations operate within highly interconnected digital environments. Technologies that fail to meet standards for security, interoperability or accessibility can create operational risks and patient safety concerns. DTAC therefore acts as both a quality filter and a risk management framework for NHS buyers. Companies that understand DTAC requirements early are often better positioned to secure NHS engagement and commercial adoption.

The Core DTAC Domains

Although DTAC is commonly described as having four main domains, many organisations break it into five areas because technical assurance and interoperability are often managed separately in practice. The core areas are clinical safety, data protection, technical security, interoperability, and usability and accessibility. Together, these domains assess whether a digital health product can operate safely and effectively within NHS environments while protecting patient data and supporting user needs.

Clinical Safety and DCB0129

Clinical safety is one of the most important DTAC domains. This area focuses on identifying and managing clinical risks associated with digital technologies. DTAC clinical safety requirements are closely linked to DCB0129, the NHS clinical risk management standard for manufacturers of health IT systems. Organisations are expected to use outputs from DCB0129 activities as supporting evidence within DTAC submissions. This includes documentation of hazard identification, risk assessment and mitigation strategies. Clinical safety management should demonstrate that risks to patients and users have been systematically considered throughout the product lifecycle. For software as a medical device, this area overlaps significantly with broader risk management and regulatory requirements under UK medical device regulations.

Data Protection and DSPT Alignment

The DTAC framework also includes data protection requirements designed to ensure that patient and organisational data are handled appropriately. This area aligns closely with the NHS Data Security and Protection Toolkit, commonly known as DSPT. Organisations must demonstrate that they have appropriate governance structures, policies and controls for managing sensitive information. Data protection within DTAC overlaps heavily with standards such as ISO 27001 and ISO 27002, particularly in relation to confidentiality, integrity and access control. For digital health companies, this means that strong information security governance not only supports regulatory compliance but also strengthens NHS procurement readiness.

Technical Security and Cybersecurity Requirements

Cybersecurity forms a major component of DTAC. NHS systems require assurance that digital technologies will not introduce unacceptable cyber risks into healthcare environments. DTAC cybersecurity requirements often include penetration testing, Cyber Essentials certification and broader technical assurance activities. Organisations may need external specialists to conduct security testing and validate system resilience. The cybersecurity domain overlaps substantially with ISO 27001 aligned information security management systems and broader software security frameworks. Manufacturers must demonstrate that appropriate security controls are in place to protect systems, users and patient data from unauthorised access or disruption.

Interoperability and NHS Integration

Interoperability refers to a product’s ability to work effectively within NHS systems and care pathways. Digital health technologies rarely operate in isolation. They often need to exchange information with electronic health records, hospital systems or other healthcare platforms. DTAC therefore requires organisations to demonstrate how their product integrates into existing healthcare workflows and supports continuity of care. This includes both technical integration and operational compatibility with NHS processes and infrastructure.

Usability and Accessibility Requirements

One area that is frequently misunderstood is usability and accessibility. DTAC usability requirements are not the same as usability engineering under IEC 62366-1. Within DTAC, usability focuses more broadly on how technologies fit into healthcare systems and care pathways and whether they are accessible to intended users. Organisations must provide evidence of usability validation activities involving intended users. This may include workflow testing, accessibility reviews and validation studies demonstrating that the product can be used safely and effectively within NHS environments. Companies can often reuse information generated through IEC 62366 activities and other validation testing to support DTAC submissions, but additional accessibility considerations may also apply.

Products That Fall Outside DTAC Scope

Not all products fall within the scope of DTAC. The framework is primarily intended for digital healthcare technologies. Certain categories, such as onboard embedded software within hardware devices, may fall outside direct DTAC assessment depending on context. Systems used solely for operational or administrative purposes, such as payroll software, are also generally outside scope. Understanding whether a product requires DTAC assessment is an important early step in NHS market planning.

The Relationship Between DTAC and Other Standards

One of the most important aspects of DTAC is that it does not exist in isolation. Many DTAC requirements overlap with existing standards and regulatory frameworks. Clinical safety aligns with DCB0129. Data protection and cybersecurity overlap with ISO 27001, ISO 27002 and DSPT requirements. Usability activities may align partially with IEC 62366-1. This means organisations should avoid treating DTAC as a completely separate process. Instead, evidence generated through broader regulatory and quality activities should be leveraged wherever possible. An integrated approach reduces duplication and creates a more efficient compliance framework.

Upcoming Changes to DTAC

The DTAC framework continues to evolve. NHS guidance indicates that a new DTAC website and updated framework arrangements are being introduced from April 2026. This highlights the importance of maintaining awareness of evolving NHS digital health expectations. Organisations should monitor updates and ensure that compliance activities remain aligned with the latest NHS guidance.

Strategic Implications for Digital Health Companies

For digital health companies, DTAC is now a core market access consideration rather than an optional procurement exercise. Organisations that integrate DTAC thinking early into product development, cybersecurity planning and clinical safety management are likely to achieve smoother NHS onboarding and stronger commercial positioning. Those that delay DTAC preparation often encounter avoidable procurement barriers and duplicated compliance work later in development.

LFH supports digital health and MedTech companies in preparing for DTAC compliance, integrating clinical safety, cybersecurity and interoperability requirements into practical NHS market access strategies. Our team helps organisations align DTAC with broader regulatory frameworks, reducing duplication and supporting successful NHS adoption.

FAQs – DTAC

What does DTAC stand for?

DTAC stands for Digital Technology Assessment Criteria.

Is DTAC mandatory for NHS procurement?

In many NHS procurement pathways, yes, DTAC compliance is expected or required.

Does DTAC apply to software as a medical device?

Yes, DTAC commonly applies to digital health technologies including SaMD products.

Is DTAC usability the same as IEC 62366 usability engineering?

No, DTAC usability focuses more broadly on accessibility and integration into care pathways.

Does DTAC overlap with ISO 27001?

Yes, there is significant overlap in cybersecurity and information security requirements.

What is the relationship between DTAC and DCB0129?

DCB0129 clinical safety activities often provide supporting evidence for DTAC submissions.

Contact Us

If you’d like more information, please feel free to contact us by email at info@LFHregulatory.co.uk or phone on +44 (0)1484662575.