
Published: March 16, 2026 - 5 minutes read
Why Automated Compliance Alone Isn't Enough
Automation is fast; expert assurance makes it bulletproof.


If you're a digital health company preparing for your first NHS pilot or scaling into new markets, you've almost certainly used, or considered using, a compliance platform to accelerate or streamline the process.
And you should. Automation has made compliance faster, more accessible, and far less painful than the old world of manual policy writing, spreadsheet wrangling and searching through multiple folders to find your most recent information security policy.
As someone who's been in this industry for over 25 years, I saw the benefit of digitising this process, and built a compliance platform too. Given how complex the market has become, and the types of products now in our care pathways, it's time the industry systematised and streamlined the management of these requirements.
Before I get myself in trouble though, I should clarify: there are absolutely cases where a manual approach is still necessary, such as very high-risk devices, complex medical equipment and novel interventions. But for most digital health innovators, centralising compliance in a platform saves significant time and money.
But there's a question most compliance platforms leave unanswered, and it's the one that matters most, especially for those going through compliance for the first time:
Producing Evidence Is Not the Same as Being Accountable for It
When you use a compliance platform to generate your DTAC submission, the platform helps you create the outputs. That's its job, and most do it well.
But producing evidence and being accountable for that evidence are two fundamentally different things.
A compliance platform can generate a clinical risk assessment. It can populate a hazard log. It can map your controls against DTAC, DCB0129, ISO 27001, or any number of frameworks. What it cannot do is guarantee that those outputs will hold up when they're scrutinised.
When you use a platform to produce your evidence, the responsibility for the accuracy and completeness of that evidence sits with you. The platform is a tool, but ultimately, if your evidence is called into question, you are the one who is accountable for it.
For some teams, that distinction may never become a problem. But if it does, it's a painful and time-consuming process.
When the Platform Isn't in the Room
Picture this: your DTAC submission lands on the desk of a CIO, CISO or procurement officer. They want to understand the clinical safety rationale behind a particular design decision. They push back on a control mapping. They ask how you've evidenced data minimisation.
In that moment, the platform isn't in the room. You are.
Or consider the scenario every company founder dreads: a data breach or a security incident. The regulator won't ask which tool you used to produce your documentation. They'll ask whether the information security processes you’ve described are genuinely in place, and whether you can defend the decisions you've made.
The risk sits with you, not with the tool that helped you produce the outputs.
This isn't a criticism of automation, but a recognition of its limits. Compliance platforms are excellent at making the process faster and more structured. But getting compliant faster, without the assurance that your evidence is correct, is just running toward potential risk a little faster.
The Missing Layer: Assurance & Trust
The stand-off, as we know, is no longer between manual and automated compliance. It's between simply producing outputs and ensuring those outputs are accurate and defensible.
And in healthcare, this distinction matters more than in any other sector. The healthcare industry is human-centred, so automated compliance needs human expert oversight.
The products we're putting into care pathways aren't just business tools. They're handling sensitive patient data, influencing clinical decisions, and sitting in critical healthcare workflows.
You're building a product that will inevitably operate in a high-stakes environment. That means you need to trust that whoever you've picked to help you with one of the most critical pieces is doing it properly.
This is why automation alone isn't enough. What's needed is a model where automation handles the repetitive, structured work it's good at, and specialist review provides the assurance layer that automation can't.
A review built into the workflow itself, where every completed task is checked by someone who understands the framework and knows the common failure points.
Not "automated or assured" but automated and assured.
What This Means in Practice
For early-stage innovators preparing for a first NHS pilot, this hybrid model means you're not just getting through DTAC or DCB 0129 faster. You're getting through it with outputs that have been reviewed by specialists who understand these frameworks, and you're getting the peace of mind of knowing your compliance has been done right the first time.
For scale-ups managing multiple frameworks across markets, it means your ISO 27001, ISO 13485, and MDR evidence isn't just mapped and generated, it's checked for the kind of gaps that only surface during an audit, by specialists in medical device regulation and cyber security.
If your organisation is at this stage and growing fast, you need the speed and efficiency of a robust compliance process, but also the confirmation that someone who understands your product is doing it properly.
For AI innovators and SaMD companies, ISO 42001, MDR Class I/II, and clinical safety evidence sit in a regulatory landscape that's still evolving and full of noise. Generic templates alone don't account for AI-specific risk. You need specialist review from people who understand how AI model behaviour creates distinct compliance challenges, not just generic policy generation.
Accountability, Not Just Assurance
Even with specialist review, there's a question most providers leave unanswered: what happens if the evidence is challenged?
In most cases, you're left defending work that someone else helped you produce, with no recourse if it falls short.
This is why, in addition to assurance, I believe there should be accountability from your compliance provider. If the evidence is challenged, the provider stands behind it, because ultimately they've already verified it meets the standard.
This moves compliance from something you hope is right to something you can be confident is defensible. Choosing a compliance provider is a huge risk. A warranty is a commercial commitment from that provider and proof that your compliance partner is confident enough in their process to put their money where their mouth is.
Choosing the Right Model
If you're evaluating compliance solutions, the question isn't whether to automate. If you can, you should. The cost and time gains from cutting hours of paperwork and centralising everything in one system are undeniable. We're in a sector that's diving headfirst into innovation, and the tools that enable compliance should be innovative too.
But the real question is whether automation alone gives you the level of confidence you need.
When you submit a DTAC application, apply for MDR certification, or go through NHS procurement, you need to know the evidence will hold up if questioned.
So before you choose a compliance partner, I'd recommend asking three questions of any provider, including us:
First: What happens after the platform generates an output?
Who is reviewing that work, and what is their background in the relevant regulatory framework? What have they actually reviewed before?
Second: If that output is challenged at procurement or audit, who is accountable?
Are you fixing it yourself, or is the provider standing behind the work? There's a meaningful difference between "we'll help you" and "we'll fix it."
Third: Are they willing to put a warranty behind the work?
Squirrel™ is the only compliance platform where completed outputs carry a warranty. Every task reviewed by our specialists is backed by a commercial commitment: if your evidence is challenged and it relates to work we've assured, we fix it at no cost.
We built it this way because we believe compliance partners should be accountable for the work they stand behind, not just the tools they provide.
To see how the Automated + Assured model works in practice, book a call with our team.






