On 24 February 2026, NHS England released an updated Digital Technology Assessment Criteria (DTAC) form, the first significant overhaul since the framework launched in 2021. If you're a digital health innovator preparing for NHS procurement, or an organisation who has met the previous criteria, here's what's changed and what you need to do before the 6 April 2026 transition deadline.

Why the NHS DTAC has been updated

To understand why this update is significant, you need to understand the frustration that's been building across the sector.

Since DTAC launched in 2021, the digital health community has been vocal about the friction it creates due to the duplication, inconsistency, and administrative overhead baked into how the framework was applied.

Suppliers were answering overlapping questions across DTAC, the DSPT, and trust-specific procurement questionnaires. Every time a framework changed, whether DSPT's migration towards the Cyber Assessment Framework, evolving clinical safety guidance, or even revisions to Cyber Essentials requirements, teams were forced to pause development, reinterpret requirements, and redo documentation they'd only recently finished. 

The medical device community had its own frustrations. DTAC asked manufacturers to evidence things already covered under MDR and the Pre-Acquisition Questionnaire, creating confusion about where one framework ended and another began. Companies building Software as a Medical Device were often unsure which DTAC questions applied to them and which were already addressed through their MHRA classification and technical file. 

Then, in mid-2025, things started moving. NHS England formally launched evaluation surveys for both suppliers and NHS organisations, asking directly whether DTAC was "fit for purpose" and whether it was consistently applied across trusts. The message from the market was unambiguous: simplify, de-duplicate, and standardise.

This update is NHS England's answer to that feedback, and it's arrived at a moment when the stakes couldn't be higher. A landmark study published in the Journal of Medical Internet Research in late 2025, based on Freedom of Information requests to 239 NHS organisations, found that the median compliance rate with DCB0129 and DCB0160 clinical safety standards was just 25.6%. If the NHS is serious about its 10-Year Health Plan goal of transitioning from analogue to digital care, the regulatory framework needs to support that ambition, not work against it.

The headline: 25% fewer questions

NHS England has cut roughly a quarter of the questions from the DTAC form. The stated goal is to make the framework simpler and less demanding for both industry and NHS buyers, something the sector has been asking for since DTAC became the de facto procurement gateway.

This reduction comes from a combination of three moves:

1. De-duplication with existing NHS processes.
2. Tighter scope alignment with NICE guidelines.
3. Removal of confusing questions that did not contribute to meaningful assurance.

For instance, the Technical Security section no longer includes questions regarding code-level security checks and load testing. Similarly, the Usability and Accessibility section (Section D) has been significantly streamlined. This section previously included many questions linked to the NHS Digital Service Manual, which often confused innovators about the assessment's purpose and criteria.

What has changed:

1. De-duplication with DSPT and the Pre-Acquisition Questionnaire

Previously, suppliers were answering overlapping questions across DTAC, the Data Security and Protection Toolkit (DSPT), and the Pre-Acquisition Questionnaire (PAQ) for medical devices. The updated form removes questions that are already covered by these separate processes.

In practice, this means several data protection and technical security questions that felt like double-handling (particularly around DSPT compliance and penetration testing) are either gone or cross-referenced rather than duplicated.

2. CSO training requirement removed

Under the old DTAC, the Clinical Safety Officer named in your submission was required to have completed training provided by NHS Digital. That requirement no longer stands.

However, your CSO still needs to be a registered clinician with appropriate competence in clinical risk management, that hasn't changed. But the specific NHS Digital training mandate has been dropped.

3. Scope aligned with NICE - focused on software-based DHTs

NHS England has confirmed that DTAC's scope now aligns with the NICE Evidence Standards Framework definition of digital health technologies. The practical effect is a clearer focus on software-based digital health technologies.

This matters if your product sits at the boundary between software and hardware, particularly wearables or connected devices. Questions specific to device standards (such as ISO/IEEE 11073 for personal health data) may no longer apply to purely software-based products.

4. Medical device overlap reduced

Several clinical safety questions that duplicated requirements already covered under medical device regulations (MDR) have been removed. If your product is a regulated medical device, you'll still need MDR certification, but generally, DTAC will no longer ask you to prove the same things twice,although there are some exceptions.

NHS England has signalled further work to extend this simplification for medical devices classified as Class IIa or higher.

5. Centralised repository in the works

NHS England is exploring a centralised repository for hosting and maintaining DTAC documentation for individual products. If delivered, this would be a significant step towards reducing overheads and enabling something closer to "assessment portability", a long-standing request from the sector.

What hasn't changed:

The five core assessment areas remain the same: clinical safety, data protection, technical security, interoperability, and usability and accessibility. DTAC is still the national baseline for digital health technologies entering the NHS. And it still sits alongside, not as a replacement for, medical device regulations, DSPT, and other required approvals.

What is still unfinished:

This update is a meaningful step, but anyone who works in this space knows it's not the end of the story. Several significant pieces of the puzzle remain in play.

DCB0129 and DCB0160 are still under review.

‍ NHS England's own DTAC guidance explicitly states that reviews of the clinical safety standards are ongoing. Focus groups on DCB0129 ran in early 2025, with DCB0160 sessions following in mid-year. The insights from those sessions are expected to shape proposed revisions, which will then go through public consultation. Until version 2 of these standards lands, the clinical safety requirements sitting underneath DTAC remain unchanged.

This matters particularly for AI. The current standards were written before AI-driven medical software became widespread, and they lack the rigour to effectively evaluate safety cases for machine learning systems. 

NHS England has pointed to AMLAS (Assurance of Machine Learning for use in Autonomous Systems) as a reference framework, and ISO 42001 for AI management systems is gaining traction, but neither is yet formally embedded in DCB0129 or DTAC.

Cyber security accountability should go further.

The DSPT's transition towards the Cyber Assessment Framework is a welcome move, raising the bar on how NHS organisations and their suppliers approach cyber resilience. 

The updated DTAC does now include a link to the Cyber Security Charter, which is a step in the right direction, but the update itself doesn't fundamentally change the cyber security expectations for suppliers. Those requirements still sit primarily with Cyber Essentials certification, DSPT compliance, and penetration testing. 

As the threat landscape evolves (healthcare organisations remain a prime target for ransomware and data breaches), there's a case for DTAC to set a higher and more specific bar for technical security evidence, rather than deferring entirely to other frameworks.

Trust-level inconsistency isn't fully solved.

The updated guidance now explicitly tells NHS organisations not to create their own amended versions of the DTAC form. But guidance and behaviour are different things. 

It will take time to see whether procurement teams actually standardise their approach, or whether local variations persist. The proposed centralised DTAC repository would be a game-changer here, but it's still described as "under exploration" rather than confirmed.

Social care is still catching up.

The Department of Health and Social Care is working on how assurance can be delivered for technologies purchased by care providers or the general public.

How Acorn can help

At Acorn, we've already mapped the changes across our Squirrel™ platform. Whether you're working through DTAC for the first time or updating an existing submission to the new form, Squirrel's  guided workflows and specialist-assured outputs mean you can meet compliance faster, with the peace of mind that all of your evidence has been assured, and warrantied, against the latest and developing requirements.

If you'd like a walkthrough of what's changed and how it affects your specific product, book a call with our team.