← All modules
Module 9

NHS DTAC — the procurement gate, not a regulatory approval

Intermediate45 to 60 min

What the Digital Technology Assessment Criteria actually are, the five domains, what an NHS reviewer is looking for in the C1 clinical safety pack, common failure modes, and how DTAC sits alongside (not instead of) UKCA classification.

Common issues: Suppliers and advisors routinely treat DTAC as a certification or as a substitute for MHRA clearance. It is neither. It is a locally-administered procurement gate, and the clinical safety domain is where most DMHT packs fail.

Progress: 0 of 9 sections complete0%

Educational content only — verify the current DTAC version before any submission

This module is educational and does not constitute formal regulatory or procurement advice. uk/services/digital-technology-assessment-criteria.

PDF guidance circulating in the sector is frequently outdated — always check the current version date before quoting it to a client or a deploying NHS organisation.

What DTAC actually is

DTAC (Digital Technology Assessment Criteria) is NHS England's procurement-facing assurance framework. Before an NHS organisation can formally adopt a digital health product, that product must demonstrate it meets a minimum threshold across five domains.

  • It is not a regulatory approval. It is not MHRA clearance. It is not a kite mark.
  • It is a procurement gate. The deploying NHS organisation is the gatekeeper — not a central regulator.
  • There is no independent DTAC certification body. NHS England publishes the criteria and toolkit; the local trust or ICS applies them.
  • Local variation in rigour is significant. The same evidence pack can pass one trust and fail another.
Self-assessment
Is a successful DTAC assessment a regulatory approval?

What DTAC is not

Confusion about what DTAC delivers is the single most common source of misaligned regulatory plans in early-stage DMHT.

  • Not ISO 13485 certification.
  • Not a substitute for MHRA registration where the product meets the definition of a medical device.
  • A product can pass DTAC and still need to be registered with the MHRA as a medical device.
  • Conversely, a product can hold MHRA registration and still fail a local DTAC review if the clinical safety documentation is thin.
  • For AI-enabled DMHT, DTAC alone is increasingly insufficient. The MHRA AI Airlock and evolving DSP Toolkit AI amendments are beginning to fill the gap, but there is no unified pathway today.

The five domains

The DTAC submission is organised under five domains. NHS England names them Clinical Safety, Data Protection, Technical Security, Interoperability, and Usability and Accessibility; the short codes used below (C1, D1, T1, I1, U1) are this module's shorthand for readability, not official DTAC labels.

Each domain has its own evidence expectations.

C1 — Clinical Safety
  • Evidence of compliance with DCB0129 (manufacturer's clinical risk management standard).
  • DCB0160 (the deployer's standard) where the NHS body is configuring the product for local deployment.
  • Clinical Safety Case Report (CSCR) signed by a certified Clinical Safety Officer.
  • Hazard Log with mechanism-level specificity.
  • Evidence that clinical risk has been managed to an acceptable level, with a justified residual risk statement.
  • Hardest domain for most DMHT suppliers: it requires a named, registered clinician holding CSO certification to sign. It cannot be outsourced to a layperson or a generic risk consultant.
D1 — Data Protection
  • Data Security and Protection Toolkit (DSPT) submission, or equivalent evidence.
  • Data Protection Impact Assessment (DPIA).
  • Confirmation of NHS-grade data handling. This is GDPR compliance expressed in NHS-specific language.
T1 — Technical Security
  • Penetration testing evidence — Cyber Essentials Plus as a typical minimum.
  • CHECK-certified penetration test for higher-risk products.
  • Infrastructure security, availability and resilience.
  • Requirements scale with the risk profile of the product.
I1 — Interoperability
  • Evidence the product can connect to NHS systems using NHS-standard formats: HL7 FHIR, SNOMED CT, NHS Number handling.
  • In practice this domain is softer for early-stage standalone DMHT — waivers and partial evidence are common.
  • Treat it as an aspiration that will harden over time, not a forgivable gap forever.
U1 — Usability and Accessibility
  • Evidence of user research with representative end users.
  • WCAG 2.2 AA as the accessibility standard (UK public-sector accessibility moved from WCAG 2.1 to 2.2 in late 2024; confirm the version cited in the current DTAC).
  • The most variably interpreted domain — quality of evidence matters more than volume.
Self-assessment
Who can validly sign the Clinical Safety Case Report submitted for C1?

The submission pack

The supplier assembles evidence for each domain and submits it to the deploying NHS organisation. uk/services/digital-technology-assessment-criteria.

The pack is reviewed by the organisation's digital, information governance and clinical safety teams. They can accept, request more evidence, or reject.

What the C1 pack must contain at minimum
  • Clinical Safety Case Report (CSCR), signed by a certified Clinical Safety Officer with a valid clinical registration.
  • Full Hazard Log with mechanism-level entries (not generic copy-paste).
  • Clinical Risk Management Plan (or equivalent live document).
  • Evidence of DCB0129 compliance traceable to the design and verification record.
Self-assessment
Can a product pass DTAC at one trust and still need MHRA registration?

Common C1 failure modes

These are the three patterns that most often cause a C1 pack to be returned by a rigorous NHS reviewer — and the ones that would certainly fail if the product subsequently came under MHRA scrutiny.

Failure modeWhy it fails
CSCR signed by someone without a valid clinical registrationDCB0129 sign-off authority is tied to the certified Clinical Safety Officer role, which requires a registered clinician. A signature from a software lead or a lapsed clinician is not a valid sign-off.
Hazard log copy-pasted from a generic templateHazards must be specific to the product's mechanism, intended purpose and user population. Generic entries reveal that no real hazard identification work has been done.
Residual risk statement that asserts acceptability without justificationAcceptability of residual risk must be argued against the benefit-risk balance, the affected population, and the counterfactual. An assertion of 'acceptable' with no supporting reasoning is not a clinical argument.

Responsibility split across the five domains

C1 is the only domain that requires a clinician with a specific certification. The other four are typically owned by IG consultants, DevSecOps teams and UX researchers inside the developer organisation.

DomainDeveloperF&G Strategy (DCB0129 Certified CSO)NHS Deploying Organisation
C1 Clinical SafetyProduces engineering inputs, mitigations, verification evidenceOwns the CSCR, Hazard Log and CRMP; signs off as Clinical Safety LeadApplies DCB0160 to local deployment; nominates its own CSO for the deployment-side risk file
D1 Data ProtectionOwns DSPT submission, DPIA, processor agreementsAdvisory — alignment with clinical risk arguments where relevantReviews DPIA against local data flows and IG policy
T1 Technical SecurityOwns penetration testing, infra security, resilience evidenceNot in scopeMay require additional assurance based on local risk appetite
I1 InteroperabilityOwns FHIR/SNOMED/NHS Number conformance and integration testingNot in scopeConfirms compatibility with local systems
U1 Usability and AccessibilityOwns user research, WCAG conformance, representative-user testingAdvisory — alignment with intended-purpose populationReviews against local accessibility duties

DTAC and AI-enabled DMHT

For AI-enabled and adaptive products, DTAC alone is increasingly insufficient. The framework was designed before contemporary AI/ML supply chains and does not yet handle drift, PCCP-style change control, or subgroup performance monitoring as first-class concerns.

  • The MHRA AI Airlock and the evolving DSP Toolkit AI amendments are beginning to fill this gap.
  • There is no unified pathway today. Treat DTAC as the procurement layer; treat the AI lifecycle controls covered in Module 8 (AAMI TIR34971) as the safety layer.
  • Verify the current published DTAC version before any submission. The PDF guidance documents circulating in the sector are frequently outdated.

How DTAC fits with the rest of this academy

DTAC sits downstream of UKCA classification, not in place of it. The classification and risk-file work done elsewhere in the academy is what makes a credible C1 pack possible in the first place.

  • Modules 1–3 (medical purpose, functionality, classification rules) determine whether MHRA registration is required at all.
  • Module 7 (ISO 14971) is the risk-management spine that feeds DCB0129 and therefore the C1 pack.
  • Module 8 (AAMI TIR34971) is the AI/ML overlay that an honest C1 pack for an adaptive product must reflect.
  • DTAC is the procurement-facing translation of that work into the format NHS reviewers expect.

Exercises

Form your own view first. Reveal the reference answer to compare reasoning.

Exercise 1 — The CSCR signature audit

A DMHT supplier is finalising its DTAC C1 pack. Three candidates are proposed as the signatory for the Clinical Safety Case Report. Which one can validly sign?

Valid CSCR signatory
Pick an option for each question to compare against the reference answer.

Exercise 2 — Hazard log triage

You are reviewing three sample hazard log entries from a draft C1 pack. Which entry would survive a rigorous NHS reviewer?

Which entry is acceptable?
Pick an option for each question to compare against the reference answer.

Exercise 3 — Which domain is the structural bottleneck?

A Class IIa adaptive AI DMHT is preparing its first DTAC submission. The developer team has a strong DevSecOps function, an experienced IG consultant, and a UX research lead. Which DTAC domain is the structural bottleneck — and why?

Bottleneck domain
Pick an option for each question to compare against the reference answer.

Educational resource. Not formal regulatory or legal advice.