February 25, 2024
Approx 8 min read

A Guide to the NHS Digital Technology Assessment Criteria (DTAC)

Written by
Lorena Stuart

Digital health solutions now play an increasingly crucial role in the delivery of healthcare services. Mental health platforms, virtual GPs, wellness apps and even fitness wearables are now commonly used to provide care across the NHS, creating a rapidly growing market for those looking to build new digital healthcare solutions.

While the use of digital technologies in the NHS is not new, in recent years, the NHS and other health and social care organisations have made significant efforts to establish a baseline of safety, security, usability and accessibility standards for developers seeking to supply their digital health technologies to the healthcare market.

To ensure new digital health technologies are safe, the NHS has established the Digital Technology Assessment Criteria (DTAC). This comprehensive framework lays out the safety, security, interoperability, usability and accessibility standards which digital health technologies must meet before their adoption in the NHS. In this guide, we will explore the key aspects of the NHS DTAC, what the framework entails and what developers need to provide to meet compliance. 

Understanding the NHS DTAC

Introduced in 2021, the NHS DTAC serves as the national baseline criteria for new and existing digital health technologies used within the NHS. It brings together legislation and best practices in five core areas: clinical safety, data protection, technical security, interoperability, and usability and accessibility. By adhering to these standards, both the NHS and patients can have confidence that the digital health tools they use are safe and secure.

Understandably, as the framework seeks to evaluate the safety of a solution that could be used by patients and, in some instances, hold their health information, the scope of the framework is expansive and requires meeting compliance with additional standards such as DCB 0129, NHS DSPT, Cyber Essentials and UK-GDPR.

It's important to note that the DTAC is not the only framework for standardising the evaluation of digital health technologies. The National Institute for Health and Care Excellence (NICE) has also established the Evidence Standards Framework for Digital Health Technologies, which aims to ensure that health technology developers follow best practices in developing solutions for use across the health and social care sector. Additionally, if your solution is considered a medical device, it must also comply with any relevant Medical Device Regulations.

Evidently, healthcare compliance is a broad field that can quickly become complex. This blog will focus on DTAC; however, if you have any questions about other healthcare compliance frameworks, click here to contact one of our experts.

The key components of the Digital Technology Assessment Criteria:

Developers looking to supply their solution to the NHS will be assessed against the five core categories of the NHS DTAC standard:

Clinical Safety

Proving the clinical safety of a product is, unsurprisingly, crucial when introducing new digital health technologies into the market. Digital solutions are now used in various aspects of healthcare, from managing the delivery of medications to assisting medical professionals in diagnosing patients. As digital health solutions become an essential part of our healthcare pathway, it is essential to minimise potential harms or risks to patient safety. Developers of new digital health solutions must meet and demonstrate their compliance with the NHS standards for clinical safety.

The NHS has two standards for clinical safety: DCB 0129 and DCB 0160. These two standards have almost identical requirements; however, DCB 0129 applies to the developer of the health solution, while DCB 0160 applies to the organisation buying or implementing the healthcare technology, such as the NHS trust. 

To meet the DCB 0129 standard, suppliers must complete a set of thorough clinical risk management exercises and provide evidence that they have implemented an effective Clinical Risk Management System. The risk assessments help developers identify, record, and outline any potential risks to patient safety while their Risk Management System details how they will manage and mitigate the identified risks. To meet DCB 0129 compliance, a Clinical Safety Officer (CSO) trained in identifying and managing clinical risks must oversee these risk management activities and sign off on any relevant documentation.

If you need a Clinical Safety Officer or for additional guidance on how to meet the DCB 0129 standard, get in touch with us here.

Data Protection

Ensuring the safety and confidentiality of patient information is a crucial aspect of any digital health technology. To meet the DTAC framework, suppliers and developers must adhere to NHS data protection standards, such as The Caldicott Principles and the 10 Data Security Standards, as well as local data privacy regulations, particularly the UK-GDPR. 

Developers must prove their solutions and their organisation's internal data processing methods are UK-GDPR compliant. Additionally, developers must conduct a Data Protection Impact Assessment (DPIA) to identify potential risks to individuals' rights and freedoms when using their digital health solutions. Solutions that process health information must register with the ICO and appoint a Data Protection Officer, which must be named within the DTAC documentation.

To meet the DTAC standard, developers must also comply with the Data Security and Protection Toolkit, an NHS framework applicable to all suppliers regardless of whether they provide digital health solutions. For more information on the NHS DSPT, click here.

Technical Security

To protect sensitive healthcare data, digital health technologies must be stable, secure, and continuously developing in line with best practices and new cybersecurity requirements. To ensure this, the DTAC evaluates the technical assurance of products, assessing their security measures and ability to mitigate potential vulnerabilities.

The technical security section of the Digital Technology Assessment Criteria requires businesses to provide proof of Cyber Essentials Certification. The Cyber Essential scheme was developed by the UK government to ensure businesses have the necessary basic security measures to protect the UK supply chain from emerging cyber threats. In addition to this, the DTAC also requires digital health solutions to have strong security measures, such as Multi-Factor Authentication, custom code security reviews, and proof of an annual penetration test.

Naq delivers everything digital health developers need to meet the NHS DTAC standard, including regular penetration tests. Our automated platform, combined with unlimited expert support, helps NHS suppliers achieve DTAC compliance faster and at 80% cheaper than using consultants for the same work.

Click here to learn why hundreds of customers choose Naq to take the complexity out of their healthcare compliance.


Effective communication and data exchange between healthcare systems is crucial for seamless and coordinated care delivery. The DTAC assesses the interoperability of products, ensuring that data can be communicated accurately, quickly, and securely to NHS systems while adhering to the security standards mentioned above.

Usability and Accessibility

Digital health technologies should be user-friendly and accessible to all individuals. The DTAC provides a conformity rating for usability and accessibility, benchmarking products against good practice and the NHS Service Standard. This ensures that products are designed with users' needs in mind, including those with disabilities.

An essential component of achieving compliance with this section of the DTAC framework involves conducting a User Journey Map. This map outlines how your health solution integrates into a patient's healthcare journey, detailing their path through your solution. By systematically mapping out the user's journey in this manner, you can demonstrate that your solution not only does what it intends to do but also has been built with its users in mind, taking into account their technological proficiency, ease of use and any accessibility issues. For an in depth guide on how to complete a User Journey Map, take a look at our blog here.

The NHS DTAC Process

Unlike frameworks such as the NHS Data Security and Protection Toolkit, no formalised DTAC assessment or certification process is currently available. Instead, developers must complete the DTAC questionnaire and submit all relevant evidence directly to the buyer for assessment. Because there is no centralised DTAC function for all applications, developers must first clarify who will conduct the review. This may be the specific buyer, such as an individual trust or an integrated care system.

It is crucial to note that every time a new feature is added to the digital health solution, a new DTAC must be submitted to ensure continuous compliance with the standards. This also includes updating any DCB 0129 documentation to ensure that new features have undergone a clinical risk assessment.

Once evidence is submitted, the responsibility of assessing and determining whether a digital health solution meets the DTAC standard lies on the buyer. There is no specific deadline for the review process, although developers should expect it to take between one and three months, depending on whether they already comply with some of the frameworks included within the DTAC. As the DTAC is not a static framework, developers must be prepared to regularly update their solutions to incorporate new legislative changes and developments in cyber security, data protection, and clinical safety.

Simplifying DTAC Compliance with Naq

Naq doesn't just tell you how to meet DTAC compliance; it actively helps you achieve it. Our platform automates 80% of the evidence required by the DTAC framework, removing the guesswork from what you need to meet compliance. 

Our NHS compliance experts and Clinical Safety Officers then guide you through the rest, ensuring you can prove your solution meets the rigorous standards needed to work with the NHS and other health and social care organisations. All this for one fixed monthly price. Click here to learn more.