What is the NHS DTAC?

In short: The NHS Digital Technology Assessment Criteria (DTAC) is the baseline assessment that health and care organisations use to evaluate digital health products before buying or onboarding them. It covers five areas: clinical safety, data protection, technical security, interoperability, and usability and accessibility.

The five DTAC assessment areas

1. Clinical safetyEvidence of clinical risk management — typically a DCB0129 clinical safety case and hazard log.
2. Data protectionUK GDPR compliance, a DPIA where required, and clear lawful bases.
3. Technical securitySecurity testing, secure development and, where relevant, DSP Toolkit alignment.
4. InteroperabilityHow the product exchanges data — standards such as FHIR and HL7, and EPR integration.
5. Usability and accessibilityMeeting accessibility standards (WCAG 2.2 AA) and a usable design.

Why DTAC matters commercially

For suppliers, DTAC is not a box-ticking afterthought — it is often the gate to selling into the NHS. A strong, well-evidenced DTAC response shortens procurement and builds buyer confidence. For NHS organisations, it is a consistent way to compare products and reduce risk.

How to prepare a strong DTAC response

Map your evidence to each of the five areas, identify gaps early, and present it clearly. The most common weak spots are an incomplete clinical safety case, a missing or thin DPIA, and vague interoperability claims. Preparing these in parallel — rather than at tender time — is what separates fast approvals from stalled ones.

A practical sequence: define your product's intended use precisely (this anchors clinical safety and regulatory scope); produce or commission the clinical safety case under DCB0129; complete a DPIA and confirm your lawful basis; assemble security evidence and your DSP Toolkit status; document interoperability against FHIR/HL7 and EPR targets; and test accessibility to WCAG 2.2 AA. Keep each artefact current — buyers notice stale documents.

How DTAC relates to other standards

DTAC is not a standalone certificate; it is an assessment that references other standards. Clinical safety draws on DCB0129 (manufacturer) and DCB0160 (deployment); data protection draws on UK GDPR and your DPIA; security draws on recognised testing and the DSP Toolkit; interoperability draws on HL7 standards. Thinking of DTAC as the "index" to your assurance evidence — rather than a separate task — makes preparation far more efficient.

Common mistakes that stall a DTAC review

• Over-claiming clinical capability — implying the product diagnoses or triages when it informs or supports a decision raises the regulatory and safety bar unnecessarily.
• Leaving the DPIA to the buyer — suppliers who hand over clear information speed up the deploying organisation's own assessment.
• Vague interoperability — "FHIR-ready" without specifics invites questions; name the resources, profiles and EPRs.
• Stale documents — a safety case or DPIA that no longer matches the current product undermines confidence.

What happens after DTAC

A completed DTAC supports onboarding, but the deploying NHS organisation still conducts its own local clinical risk management under DCB0160 and may run a pilot before wider rollout. Treating your DTAC evidence as reusable — kept current and ready for each buyer — turns it from a one-off hurdle into a commercial asset.