New NHS Digital Technology Assessment Criteria: What Health Tech Suppliers Need to Know

The NHS’s Digital Technology Assessment Criteria ("DTAC") has been refreshed, with the updated form replacing the previous version from 6 April 2026. For suppliers of digital health technologies to the NHS, this is a notable development. DTAC is widely used as a baseline assurance in NHS procurements, and the changes reshape both the compliance burden and the commercial expectations that go with it. 

What is DTAC?

DTAC is NHS England's assessment framework for software-based digital health technologies, including apps, websites, platforms and other digital tools that handle health and care data. It consolidates core standards into a single, nationally recognised framework, replacing the previously fragmented approach where individual NHS organisations conducted their own evaluations with varying expectations.

DTAC applies alongside but does not replace other required approvals. For example, products may still need medical device certification or registration with the Information Commissioner's Office. DTAC is intended to be used in conjunction with other checks such as the Data Security and Protection Toolkit ("DSPT"), which assesses how organisations protect data, and the Pre-Acquisition Questionnaire ("PAQ"), which is a separate checklist specifically for medical devices.

February 2026 Revisions 

Following a review conducted in 2024 and subsequent engagement with the industry, NHS England has introduced three key changes aimed at making DTAC simpler and less burdensome.

• First, NHS England states that the form has been shortened by 25%, with questions that duplicated the DSPT, PAQ and other processes removed.
• Second, NHS England has published clearer guidance explaining DTAC's purpose, scope and governance, including practical instructions on when and how DTAC should be completed for pilots and multi-organisation procurements, and the roles responsible for each assessment area.
• Third, DTAC's scope now aligns with the definition of Digital Health Technologies as set out by the National Institute for Health and Care Excellence. It covers standalone software and software used with hardware. It won’t include hardware devices and embedded operational software, such as firmware. Where a system includes both, DTAC applies to the software element, and the relevant clinical risk management documentation must cover the whole system.

The new DTAC form can be accessed and downloaded here. The previous DTAC form should not be used from 6 April 2026 onwards. 

Changes to the Five Key Assessment Areas 

The five assessment areas remain the same, however, the requirements within each have been modernised.

1. C1 Clinical safety: A new step by step decision tree helps suppliers work out whether their product is classified as a medical device and which clinical safety standards (i.e., DCB0129 or DCB0160) they need to follow. Software that does qualify as a medical device now automatically triggers the PAQ, and the previous requirement for NHS specific Clinical Safety Officer training has been removed.

Why does it matter? The medical device boundary has long caused confusion and incorrect self-assessments. The new decision tree should reduce the risk of non-compliance surfacing late in a procurement and mean fewer delays from NHS buyers querying incomplete documentation.

2. C2 Data protection: Questions that overlapped with the DSPT and data protection officer checks have been removed, and a new filter allows lower risk products to skip further questions. Data Protection Impact Assessment expectations now match NHS England's standard template, suppliers must provide transparency materials (such as privacy notices) and their terms and conditions, and the rules around transferring personal data internationally have been expanded to reflect the UK's latest requirements (the International Data Transfer Agreement and Transfer Risk Assessment).

Why does it matter? Whilst there is less duplication, there are higher expectations. Suppliers must demonstrate clear, compliant and sufficient data governance. Those storing or processing data overseas should also pay particular attention to the expanded international transfer rules: getting these wrong exposes NHS buyers to regulatory risk.

3. C3 Technical security: Suppliers must now confirm they meet the government's Software Security Code of Practice (published by the Department for Science, Innovation and Technology and the National Cyber Security Centre). Those who have signed the Cyber Security Supply Chain Charter can skip some checks. Multi-factor authentication requirements (requiring more than just a password to log in) have been expanded to cover administrator and remote access accounts.

Why does it matter? Cybersecurity expectations are higher, but more predictable. However, suppliers should expect scrutiny well beyond DTAC itself; the June 2024 Synnovis ransomware attack, which disrupted over 10,000 hospital appointments and was linked to a patient's death, has intensified regulatory focus across the sector.

4. C4 Interoperability: Suppliers must now explain why their chosen technical interfaces (APIs) and data standards are appropriate, using recognised NHS guidance. NHS Number validation now requires a proper verification method, NHS Login sits within a broader identity-checking framework, and outdated device-specific rules (e.g. for wearables) have been removed.

Why does it matter? Suppliers must now justify their technical choices. This will require more than just listing those choices. This will need to be an area of focus as, in competitive tenders, a weak interoperability narrative will become an easy basis on which an NHS buyer could mark down a submission.

5. D1 Usability and accessibility: This section is no longer scored and is only reviewed comparatively. It has been updated to the latest web accessibility standard (WCAG 2.2 AA) and now requires suppliers to show they have considered the Accessible Information Standard, which ensures that information is provided in formats people can understand. Irrelevant NHS Service Standard questions have been removed.

Why does it matter? The removal of scoring should not be mistaken for reduced importance. The explicit inclusion of the Accessible Information Standard highlights that NHS buyers will expect evidence that accessibility has been designed in, not merely considered or asserted.

Operational Implications for Suppliers

For many NHS procurements, DTAC compliance is a threshold requirement. With many NHS Trusts maintaining a low tolerance for digital risk, suppliers must ensure that each version of their product is supported by an up‑to‑date DTAC form and accompanying evidence. NHS Trusts will expect reassessment where evidence expires or product updates trigger revalidation. Suppliers should therefore embed DTAC into product development and release processes from the outset, rather than treating it as a final administrative step before sale. Any mismatch between a product's functionality and its DTAC documentation undermines buyer confidence and could amount to a misrepresentation of the product's compliance position.

Further reform – Innovation Passport

The DTAC update comes as part of DHSC’s “innovation passport” scheme, which is designed to prevent the need for suppliers to demonstrate the same compliance multiple times each time they sell to different NHS entities. NHS England is exploring whether they can introduce an online DTAC repository as part of the innovation passport scheme, so suppliers could point different NHS buyers to a single DTAC form, rather than needing to complete it multiple times. 

How We Can Help

The intersection of health technology, data protection, clinical safety, cybersecurity and procurement law is complex, and getting it right from the start can save considerable time, cost and reputational risk further down the line. 

If you would like advice on how DTAC and the broader regulatory landscape may affect your product or procurement decisions, please contact Patrick Parkin, Rory Trust, Lucy Pegler or Madelin Sinclair McAusland.

This article was written by Ben Randall, Madelin Sinclair McAusland and Rory Trust.