A Guide to the NHS Digital Technology Assessment Criteria (DTAC)

As digital health solutions become integral to healthcare, compliance with DTAC's safety, security, usability, and accessibility standards is essential. Discover the ins and outs of the NHS Digital Technology Assessment Criteria in our comprehensive guide.

A Guide to the NHS Digital Technology Assessment Criteria (DTAC)

Digital health solutions now play an increasingly crucial role in the delivery of healthcare services. Mental health platforms, virtual GPs, wellness apps and even fitness wearables are now commonly used to provide care across the NHS, creating a rapidly growing market for those looking to build new digital healthcare solutions.

While the use of digital technologies in the NHS is not new, in recent years, the NHS and other health and social care organisations have made significant efforts to establish a baseline of safety, security, useability and accessibility standards for developers seeking to supply their digital health technologies to the NHS.

To ensure new digital health technologies are safe, the NHS has established the Digital Technology Assessment Criteria (DTAC). This comprehensive framework assesses the safety, security, usability and accessibility of digital health technologies. In this guide, we will explore the key aspects of the NHS DTAC, what the framework entails and what developers need to provide to meet compliance. 

Understanding the NHS DTAC

Introduced in 2021, the NHS DTAC serves as the national baseline criteria for new and existing digital health technologies used within the NHS. It brings together legislation and best practices in five core areas: clinical safety, data protection, technical security, interoperability, and usability and accessibility. By adhering to these standards, both the NHS and patients can have confidence that the digital health tools they use are safe and secure.

Understandably, as the framework seeks to evaluate the safety of a solution that could be used by patients and, in some instances, hold their health information, the scope of the framework is expansive and requires meeting compliance with additional standards such as DCB0129, NHS DSPT, Cyber Essentials and UK-GDPR.

It's important to know that the DTAC is not the only framework for standardising the evaluation of digital health technologies. The National Institute for Health and Care Excellence (NICE) has also established the Evidence Standards Framework for Digital Health Technologies, which aims to ensure that health technology developers follow the best practices in developing solutions for use across the health and social care sector. Additionally, if your solution is considered a medical device, it must also comply with an additional framework called the Medical Device Regulation. 

Evidently, healthcare compliance is a broad field that can quickly become complex. This blog will focus on DTAC; however, if you have any questions about other healthcare compliance frameworks, click here to contact one of our experts.

The key components of the Digital Technology Assessment Criteria:

Developers looking to supply their solution to the NHS will be assessed against the five core categories of the NHS DTAC standard:

Clinical Safety

Proving the clinical safety of a product is crucial when introducing new digital health technologies into the market. Nowadays, digital solutions are utilised in various aspects of healthcare, from managing the delivery of medications to assisting medical professionals in diagnosing patients. Therefore, it is essential to minimise potential hazards or risks to patient safety. Developers of new digital health solutions must meet and demonstrate their compliance with the NHS standards for clinical safety.

The NHS has two standards for clinical safety: DCB0129 and DCB0160. These two standards have almost identical requirements; however, DCB0129 applies to the developer of the health solution, while DCB0160 applies to the organisation buying or implementing the healthcare technology, such as the NHS trust. 

To meet the DCB0129 standard, suppliers must complete a clinical risk management exercise. This exercise helps them identify, record, and outline how they will mitigate any potential clinical safety hazards. To meet DCB0129 compliance, a Clinical Safety Officer trained in identifying and managing clinical risks must carry out this exercise and complete the relevant documentation required by the standard. For guidance on how to meet the DCB0129 standard, get in touch with us here.

Data Protection

Ensuring the safety and confidentiality of patient information is a crucial aspect of any digital health technology. To meet the DTAC framework, suppliers and developers must adhere to NHS data protection standards, such as The Caldicott Principles and the 10 Data Security Standards, as well as local data privacy regulations, particularly the UK-GDPR. 

Developers must prove their solutions, and their organisation's internal data processing methods are UK-GDPR compliant. Additionally, developers must conduct a Data Protection Impact Assessment (DPIA) to identify potential risks to individuals' rights and freedoms when using digital health technology. Solutions that process health information must register with the ICO and appoint a Data Protection Officer, which must be named within the DTAC documentation.

To meet the DTAC standard, developers must also comply with the Data Security and Protection Toolkit, an NHS framework applicable to all suppliers regardless of whether they provide digital health solutions. For more information on the NHS DSPT, click here.

Technical Security

To protect sensitive healthcare data, digital health technologies must be stable, secure, and continuously developing in line with best practices and new cybersecurity requirements. To ensure this, the DTAC evaluates the technical assurance of products, assessing their security measures and ability to mitigate potential vulnerabilities.

The technical security section of the Digital Technology Assessment Criteria requires businesses to provide proof of Cyber Essentials Certification. The Cyber Essential scheme was developed by the UK government to ensure businesses have the necessary basic security measures to protect the UK supply chain from emerging cyber threats. In addition to this, the DTAC also requires digital health solutions to have strong security measures, such as Multi-Factor Authentication, custom code security review, and proof of an annual penetration test.

Naq delivers everything digital health developers need to meet the NHS DTAC standard, including regular penetration tests. Our automated platform, combined with unlimited expert support, helps NHS suppliers achieve DTAC compliance faster and at 80% cheaper than using consultants for the same work.

Click here to learn why hundreds of customers choose Naq to take the complexity out of their healthcare compliance.


Effective communication and data exchange between healthcare systems is crucial for seamless and coordinated care delivery. The DTAC assesses the interoperability of products, ensuring that data can be communicated accurately, quickly, and securely to NHS systems while adhering to the security standards mentioned above.

Usability and Accessibility

Digital health technologies should be user-friendly and accessible to all individuals. The DTAC provides a conformity rating for usability and accessibility, benchmarking products against good practice and the NHS Service Standard. This ensures that products are designed with users' needs in mind, including those with disabilities.

The NHS DTAC Process

Unlike frameworks like the NHS Data Security and Protection Toolkit, no formalised DTAC assessment or certification process is currently available. Instead, developers must complete the DTAC questionnaire and submit all relevant evidence directly to the buyer for assessment. Because there is no centralised DTAC function for all applications, developers must first clarify who will conduct the review. This may be the specific buyer, such as an individual trust or an integrated care system.

It is crucial to note that every time a new feature is added to the digital health solution, a new DTAC must be submitted to ensure continuous compliance with the standards. This also includes updating any DCB0129 documentation to ensure that new features have undergone a clinical risk assessment.

Once evidence is submitted, the responsibility of assessing and determining whether a digital health solution meets the DTAC standard lies on the buyer. There is no specific deadline for the review process, although developers should expect it to take between one and three months, depending on whether they already comply with some of the frameworks included within the DTAC. As the DTAC is not a static framework, developers must be prepared to regularly update their solutions to incorporate new legislative changes and developments in cybersecurity, data protection, and clinical safety.

If the evidence provided is insufficient, unclear or outdated, developers may have to provide further clarification or evidence before their submission is approved. 

Developers can seek assistance from third-party organisations such as Naq to ensure that their DTAC evidence is presented in a manner that makes it easier for the NHS to evaluate their solution. Click here to learn how Naq can help get your solution "nhs-ready".

Simplifying DTAC Compliance with Naq

Naq doesn't just tell you how to meet DTAC compliance; it actively helps you achieve it. Our platform automates 80% of the evidence required by the DTAC framework, removing the guesswork from what you need to meet compliance. 

Our NHS compliance experts then guide you through the rest, ensuring you can prove your solution meets the rigorous standards needed to work with the NHS and other health and social care organisations. All this for one fixed monthly price. Click here to learn more.