Digital Technology Assessment Criteria (DTAC): guidance for buyers and suppliers

NHS England reviewed its Digital Technology Assessment Criteria (DTAC) in 2024, engaging with industry, and has revised its approach to assuring technology to make it simpler and less demanding for both industry and NHS bodies.

As of February 2026, NHS England has made the following changes stemming from the review and industry engagement:

A new DTAC form with a 25% reduction in questions, de-duplicated with processes such as the data security and protection toolkit and the preacquisition questionnaire
Clearer guidance explaining DTAC’s purpose, scope and how to complete assessments
Confirmed scope alignment with NICE, focusing DTAC on software based digital health technologies

These changes are explained further below.

Overview

The NHS Digital Technology Assessment Criteria (DTAC) is an assessment framework for care commissioners and providers to use when assuring digital health technology (DHT) products. It covers the core standards, policies and best practice required for use in the NHS and adult social care across 5 areas:

clinical safety
data protection
technical security
interoperability
usability and accessibility

DTAC brings together standards and policies that digital health products must meet to be used in the NHS. This helps buyers and manufacturers understand what is needed to use these products in England. It also means products are checked in the same way, so manufacturers face less uncertainty.

DTAC applies alongside, but does not replace, other required approvals. For example, products may still need medical device certification or to register with the Information Commissioner’s Office.

DTAC is also used alongside other checks like the Data Security and Protection Toolkit and the Pre-Acquisition Questionnaire for medical devices.

Further reviews are still ongoing to some of the standards within DTAC, such as the DCB0129 and DCB0160 standards, which help manage clinical risks in Health IT systems. There are also commitments to set standards for technology used in social care, updates to medical device rules and work to further simplify our approach to standards. We will update DTAC further to take account of changes when they happen.

Download and use the DTAC form

The DTAC form is available to download and print (ODT, 80KB).

Please download the form rather than opening in your browser. Ensure you download at the point of use, to make sure you’re using the most up to date version.

The previous version of the DTAC form should not be used from 6 April 2026 onwards.

How DTAC works

Care commissioners and providers must ensure any DHT products they use or recommend for use meet all national standards and requirements. When conducting assessment and assurance of products, care providers and commissioners should use a completed DTAC form provided by the manufacturer. Guidance on conducting assessment is covered in the next section.

DHT manufacturers must show their product meets DTAC’s minimum standards by keeping an up‑to‑date DTAC form and required supporting documents for each product version. Manufacturers should provide the DTAC form on request. If a different organisation (such as a reseller) supplies the product to the care provider, it must share completed DTAC documents, with manufacturer input if needed.

Manufacturers should provide the completed form and refrain from submitting incomplete forms or deleting sections and/or questions from the form. When a supplier’s service uses DHT products, they must ensure each product’s manufacturer provides a completed DTAC form for assessment.

Care providers and commissioners should request the DTAC form when acquiring a DHT. The form is used for due‑diligence assessment and risk management, covered in the next section.

Scope of DTAC

Digital health technology (DHT) products are defined by the NICE definition outlined in the Evidence Standards Framework.

Commissioners or providers of health and social care services should apply DTAC to any DHT products they are considering to use. This applies to technologies they plan to use themselves or make available to those receiving care.

DHT products are software products (including software-as-a-service and web/mobile apps) that are designed to be used by care recipients, clinicians, or staff. They are designed to improve either health outcomes or the provision/management of health and care services.

They may be offered as a standalone product or for use alongside hardware products, but do not include electronic hardware devices or software embedded in hardware devices (for example, firmware).

Some examples of products that DTAC may apply to are:

medical devices classed as software or AI as a medical device (for example, AI-driven clinical decision support tools, cognitive behavioural therapy web or mobile apps)
software, apps or wearables designed to help people manage their own health and wellbeing (for example, health tracking, remote monitoring)
software designed for use in or to help the health and care system run more efficiently or help staff manage their time, staffing or resources (for example, population health management tools, software for visualising and analysing imaging output)

DTAC is not intended to be used to assess:

software that is sold for a general purpose that happens to be used in healthcare settings (for example, generic HR system, finance systems)
onboard software (for example, firmware) or software embedded in hardware devices (for example, imaging diagnostics such as CT scanners)

Combined hardware and software packages

If a DHT product is to be used alongside hardware provided by the manufacturer as a whole system (such as an imaging device with analysis and viewing software sold as a package) then DCB0129 documentation in DTAC section C1 must cover the combined hardware–software system.

While some of the requirements covered by DTAC may also apply to products that are not DHT products, DTAC is designed specifically for DHT products. There may also be other standards and requirements that apply to specific categories of DHT products not covered in DTAC (for example, DHTs used as part of NHS Talking Therapies, or Ambient Voice Technologies). Providers and care commissioners should ensure that their governance approaches account for this and apply appropriate assurance where needed.

Using the NHS England DTAC form

Care providers should accept the standard DTAC form published by NHS England and should not create their own amended versions covering the same requirements, as this creates additional barriers and delays to procurement activities.

Where care providers and commissioners have additional requirements beyond what is covered within DTAC, these should be included as supplemental requests to manufacturers but should not duplicate anything covered in DTAC documentation.

As of 24 February 2026, NHS England have introduced an updated DTAC form. Manufacturers and buying organisations should retire the previous version of the DTAC form and transition to using the updated form before 6 April 2026.

As part of the DTAC form, suppliers may be asked to complete and attach further documentation, such as a Data Protection Impact Assessment (DPIA) or Pre-Acquisition Questionnaire (PAQ) form. As with the DTAC form itself, buying organisations should use the centrally produced standardised templates and avoid creating their own versions of these forms.

As part of reform work, NHS England is exploring the use of a centralised repository for hosting and maintaining DTAC documentation for individual products to further reduce overheads and drive standardisation.

Conducting a DTAC assessment

Care providers or commissioners should use the DTAC form when conducting an assessment as part of the assurance and due diligence checks before purchasing and deploying DHT products.

If the product is being offered on a trial basis or outside normal procurement activities, a DTAC assessment should still be conducted. The product, version number and result of assessments should be recorded for reference and audit purposes.

Care commissioners and providers should also put in place processes to re-assess elements that have an expiry date or change due to upgrades.

Roles and responsibilities in conducting an assessment

DTAC is intended to be used as part of care commissioners and providers overarching governance approach for managing risk and regulatory compliance of its technology.

While each provider organisation will have its own approach, it is important that DTAC assessment is conducted with appropriate professional oversight from subject matter experts for each part of DTAC.

The table below sets out examples of the expected accountable officer and subject matter expert (SME) roles.

DTAC section	Function and appropriate roles
C1 - Clinical safety	Accountable officer: Chief clinical information officer, chief nursing information officer, executive nurse or clinician SME role: Clinical safety officer or engineer
C2 - Data protection	Accountable officer: Data protection officer SME role: Information governance officer or manager
C3 - Technical security	Accountable officer: Chief information security officer, chief technology officer SME role: Technical architect, cyber security manager
C4 - Interoperability	Accountable officer: Chief information officer, chief technology officer, chief clinical or nursing information officer, chief nursing information officer SME role: Technical architect, business analyst, clinical/nursing informatician
D1 - Usability and accessibility	Accountable officer: Chief technology officer, chief information officer SME role: Technical architect, business analyst

Note: The previous version of the DTAC form required the clinical safety officer named in the Clinical safety section to undertake training provided by NHS Digital. This requirement no longer stands. The criteria for a clinical safety officer is outlined above.

'In-house' digital health technology products

Any DHT products built by in-house teams of healthcare organisations – or by third parties acting on their behalf – must be built to meet the standards and requirements in DTAC.

Where internal governance processes check and assure for these during the design and build stage, there is no need to conduct an additional assessment against the DTAC framework on completion.

Where a care organisation that has developed a DHT product in-house offers it to other health and care providers (whether it is charged for or not), it is now acting as a manufacturer and should maintain and provide corresponding DTAC documentation on request.

Purchasing on behalf of other organisations

If a 'lead' organisation is acquiring DHT products on behalf of one or more other provider organisation, the lead organisation has a responsibility to assess the product against DTAC to ensure that it meets requirements for use.

However, the organisations receiving and deploying the DHT retain their duty to ensure the products meet relevant requirements.

This can be achieved by ensuring that the corporate risk owners in the receiving bodies have appropriate oversight, input and participation in the assurance and assessment process of the lead organisation. Alternatively, the lead organisation can provide appropriate DTAC documentation to partner organisations for them to assess.

Third party certification for DTAC

The standards included in DTAC are underpinned by laws, regulations and policies that place a duty on care providers and commissioners to ensure compliance. There are third parties that offer assistance to both DHT manufacturers in completing documentation, and to NHS organisations in conducting DTAC assessments.

Although both manufacturers, care commissioners and providers may find these valuable, NHS England does not currently endorse any third-party certification schemes for DTAC.

Care providers or commissioners considering a third-party certification or outsourcing assurance should ensure that they have confidence in the third party’s assessment methods and appropriate guarantees.

NHS England is exploring a certification scheme for DHTs to further reduce the need for care commissioners and providers to conduct assurance activities. We will provide updates on this in future.

DTAC in relation to other regulatory and assurance processes

DTAC and medical device regulations

DTAC is not intended to replace or be an alternative to medical device regulations (MDR). DTAC should be used alongside it, as there are elements of DTAC that are not covered in MDR (for example, NHS specific standards such as the use of the Data Security and Protection Toolkit for assessing cyber security).

We have identified and removed elements in DTAC where there is overlap with MDR (for example, in clinical safety sections), and as part of future work are looking to extend this further for medical devices class IIa or higher.

In addition, NHS England provides the Pre-Acquisition Questionnaire (PAQ) for manufacturers of medical devices to complete ahead of procurement to facilitate clinical safety review in NHS organisations. Not all DHT products fall under MDR, however, where a product is both a DHT and a medical device, both forms may need to be completed.

DTAC and the Data Security and Protection Toolkit (DSPT)

For products that have access to NHS systems or patient data, suppliers must also complete and return the Data Security and Protection Toolkit. Care providers and suppliers to the NHS are responsible for understanding when DSPT is necessary. However, DTAC includes questions to help identify when this is required and removed questions that are covered in DSPT.

DTAC and DCB0129 Clinical Safety Standards

For products that meet the definition of a Health IT system:

manufacturers must comply with DCB0129
providers of services must comply with DCB0160
Find guidance on DCB0129 and DCB0160

Unlike DHT products, Health IT systems may be hardware products, or combinations of hardware and software. This means that DCB0129 may apply to some DHT products.

The DTAC form supports correct DCB0129 compliance for DHTs. If a DHT is being provided along with hardware as part of a Health IT system, DCB0129 must cover both the hardware and the software.

There are some Health IT systems that do not meet the definition of a DHT product. Health and care commissioners and providers are responsible for ensuring that their governance and assurance processes comply with DCB0129 and DCB0160 for these products.

NHS England is conducting a strategic review of DCB0129 and DCB0160, and any changes to these standards will be reflected in future updates to DTAC.

DTAC and cross public sector standards and assurance

DTAC covers the standards that generally apply to all or most DHT products. Public sector bodies must also follow any other standards that may also apply to the product and its use, such as the Government Service Standard and NHS Service Standard.

These often include duties, principles and criteria that public sector bodies must consider or meet when deciding what products to buy, and how they should be deployed to deliver public services.

DTAC is intended to complement, not replace these. Products that meet DTAC may be safe and appropriate to use within the health and care system generally, but care providers and commissioners must still apply appropriate standards when considering whether the purchase is good value for money or the right fit for the specific context.

DTAC and care technology standards for social care

DTAC provides a set of criteria for assessing DHTs for use across both health and social care. However, because of the variation across the social care sector and lack of digital infrastructure, some organisations are not equipped to provide the specialist assurance DTAC requires. Where local authorities or integrated care boards are purchasing technology for use in social care, DTAC should be still be applied.

The Department for Health and Social Care are currently exploring how assurance can be delivered for care technologies that are purchased by care providers or the general public, and we are working to ensure this is compatible and interoperable with DTAC in the future.

Download the DTAC form

Download the updated version of the DTAC form.

Please download the form rather than opening in your browser. The previous version of the DTAC form should not be used from 6 April 2026 onwards.

Contact us

If you have any questions about DTAC, please contact the DTAC team.