
Published: December 17, 2025 · 5 min read

Unseen and Unassured: The Cost of Quick-Fix Compliance in Digital Health

Why surface-level NHS compliance is slowing digital health

The NHS is in the midst of a profound digital transformation. Wearable devices, AI-powered triage tools, app-based therapy platforms, digital referral systems; the scope of healthtech innovation continues to expand at pace, often with extraordinary promise for patient outcomes and operational efficiency.

This momentum reflects national ambition. The NHS Long Term Plan envisions a future where care is "digitally enabled at every level," and adoption is accelerating across Integrated Care Systems and NHS trusts. Yet while innovation races forward, the processes to ensure these solutions are safe and secure are struggling to keep pace.

A recent review published in BMJ Health & Care Informatics highlights the scale of the issue:

Of the 14,747 DHT deployments across the NHS, only 17% have full documented clinical safety assurance across both DCB 0129 and DCB 0160.

Many of these tools directly inform clinical decision-making. Others manage sensitive patient data or integrate with systems supporting care delivery. In every case, risk is present (clinical, security, data protection, operational) yet for the vast majority, there's no formal record that these risks have been properly assessed.

Years of "light-touch" compliance have created a legacy: templated documentation, superficial risk assessments, checkbox exercises, overreliance on vendor assurances, and fast-tracked solutions that bypass critical detail. These shortcuts may accelerate market entry in the short term but they leave fundamental questions about safety, security, and accountability unanswered.

Too often, these shortcuts surface precisely when it matters most: during NHS procurement, at the point of integration, or in the aftermath of a security breach or safety incident.

The Illusion of Safety: Templates, Tick-Boxes, and Misinterpretation

One of the most persistent issues in digital health compliance today is that the appearance of compliance is often mistaken for the real thing.

It's not hard to find a digital health tool described as "NHS ready." A templated DCB0129 file can look complete at a glance. A supplier's website proudly declares "We're compliant", even when the underlying evidence tells a different story.

When these documents are reviewed, whether by a Clinical Safety Officer, a procurement team, or an ICS governance lead, issues often emerge quickly. Risks haven't been properly analysed. Roles aren't clearly defined. Data flows don't match what's actually happening in the product.

In short: a product might look compliant, but it's not ready, not for real-world deployment, and certainly not for integration into a clinical pathway.

Healthcare Isn't Just Another Vertical

Part of the problem lies in how compliance has been packaged and sold. In many industries, compliance tooling is designed for speed: automated checklists, self-serve templates, and "click-to-certify" platforms that promise readiness in days.

That mindset has crept into digital health.

We're seeing tools built for generic governance workflows repurposed for healthcare, with the promise of helping innovators "tick the right boxes" or "get across the line" more quickly. For overwhelmed teams, this is understandably appealing. But the nuance of clinical risk, safety evidence, and NHS-specific expectations simply isn't built in.

As a result, many teams produce evidence that feels internally complete—but doesn't align with what NHS reviewers, CSOs, or regulators actually need. The consequences often show up later.

What makes this so costly is the delayed discovery. Teams invest significant effort completing templates and gathering evidence, only to find, usually at procurement stage, that their submission doesn't meet the requirements. Or that the evidence doesn't map cleanly to DTAC or DSPT expectations. Or that the safety case doesn't reflect real product use.

By that point, the pressure is on. A deadline is looming. And what was meant to save time adds weeks or months of rework.

In some cases, suppliers are asked to restart their safety documentation from scratch. Others have procurement paused while risk assessments are redone. For buyers, this creates significant friction and uncertainty.

When Compliance Becomes Cosmetic

The deeper issue is that compliance, when treated as a formality, stops serving its original purpose. These frameworks—from DCB0129 to DTAC to DSPT—weren't created as paperwork exercises. They exist to ensure digital tools are safe, secure, and suitable for the environments they operate in.

But when approached with a mindset of minimum viable compliance, or just enough to “pass”, they become fragile. They don't reflect real clinical workflows. And they don't build trust with the people who rely on them.

Healthcare is different. Its systems are complex, its risks are real, and its standards exist for a reason.

If we want to build a stronger digital foundation, we need to stop mistaking filled-in templates for assurance and start treating compliance as a reflection of how things actually work.

The Path Forward: No More Compliance Theatre

No one sets out to treat compliance as a formality. Most suppliers and innovators are acting in good faith, trying to navigate complex requirements with limited support. Many NHS organisations are attempting to apply those requirements fairly, while juggling legacy systems, procurement pressure, and a flood of new digital tools.

But somewhere along the way, we've normalised a surface-level approach to assurance. It's not always deliberate. But we see it often enough from teams who believed they had the right evidence, only to find at procurement that their assurance doesn't hold up.

Internally we've started calling this compliance theatre: implementing minimum requirements to meet standards on paper, without the continuous assurance that makes them meaningful or keeps solutions safe.

As the NHS shifts to digital-first care, we need to move beyond last-minute, disconnected compliance and build the infrastructure to make real assurance achievable.

What Needs to Change

1. Create a unified view of digital health assurance

Right now, there's no central record of which digital health tools have been assessed across DCB0129, DTAC, and DSPT—or whether those assessments are still current.

This means suppliers duplicate effort across separate frameworks, NHS organisations can't verify comprehensive assurance, and there's no visibility when products are updated.

Platforms like ORCHA Verify are starting to bridge this gap. But we need this model expanded into a national assurance registry that brings together clinical safety, effectiveness evidence, and security attestations in one place.

2. Strengthen the CSO role and governance structures

Clinical Safety Officers are critical to ensuring products are reviewed with real-world clinical context. But in many trusts and ICSs, CSOs are spread across dozens of tools, often with no formal allocation of time, no governance structure, and little connection to DTAC or DSPT review processes.

We need to:

  • Define minimum expectations for CSO oversight across the product lifecycle
  • Create formal pathways for CSO involvement in DTAC assessments and procurement decisions
  • Ensure time is protected for meaningful safety review, not just sign-off
  • Build support networks so CSOs aren't working in isolation

Treat the role as essential, not honorary. Without this, safety cases will remain patchy, and confidence in clinical oversight will continue to erode, regardless of how good the documentation looks.

3. Share learnings and build a knowledge base

Each ICS, trust, and supplier is building their own approach to assurance, often tackling the same problems in isolation.

A national library of example safety cases, DTAC submissions, and integrated assurance models would make a huge difference. This would:

  • Help newer teams understand what "good" actually looks like
  • Reduce duplicated effort and accelerate assurance timelines
  • Surface patterns in risk that aren't visible when every assessment happens in isolation
  • Create consistency in how frameworks are interpreted and applied

This doesn't need to be prescriptive; variation is sometimes necessary. But right now, teams are reinventing the wheel because there's nowhere to look for guidance beyond the standards themselves.

A Way Forward

Digital health is already shaping how care is delivered across the NHS. But the tools we're adopting, and the frameworks we rely on to assure them, are only as good as the thinking behind them.

When compliance is treated as a formality, the consequences don't show up immediately. They show up later: at procurement, at integration, when systems don't interoperate as expected, or worst of all, when something goes wrong.

The stakes are higher now. We're no longer talking about peripheral tools. We're talking about technologies that are embedded in clinical pathways, that influence treatment decisions, that manage sensitive patient data at scale. If the assurance underneath them is shallow, the impact when something goes wrong won't be.

Real assurance:

  • Reduces rework and accelerates procurement
  • Builds trust between buyers and suppliers
  • Protects clinicians and patients from preventable harm
  • Makes digital transformation sustainable, not just fast

And right now, with the DCB 0129 consultation underway, the DTAC review imminent, and national attention turning to governing AI in healthcare, we have a real opportunity to get this right.

Why We Built Acorn

These aren't abstract problems for me. I spent 25 years in healthtech before joining NHSX during the pandemic, where I assessed new digital health tools against the NHS DAQ, the forerunner to DTAC.

In my years in the NHS ecosystem, I've witnessed extraordinary innovations with the potential to genuinely transform healthcare delivery. Too many make it to market slower than they should because the path to assurance is unclear or resource intensive.

That's why we built Acorn. The question we wanted to answer was simple: can compliance be both rigorous and accessible?

Squirrel™ 2.0 was designed around that challenge. Teams get a smart, centralised compliance management platform backed by clinicians and former NHS reviewers who understand what "good" looks like across DCB0129, DTAC, SaMD, ISO 27001, and beyond.

The goal isn't to make compliance faster by cutting corners, but to make it faster by doing it right the first time.

And because we believe compliance should reflect reality (not just satisfy documentation requirements) we stand behind our work with the industry's only compliance warranty. If the evidence doesn't hold up under NHS review, we'll fix it.

If you'd like to discuss what smart, continuous, sustainable compliance looks like for your organisation, reach out to me here.
