Why This Article Exists
NHS England published an updated DTAC form on 24 February 2026. The previous version must not be used after 6 April 2026.
If your practice uses digital health technology — and every practice does — this matters to you. Not because you need to fill in the DTAC form yourself, but because DTAC and DCB0160 overlap in ways that are easy to misunderstand.
This article explains the relationship between DTAC and DCB0160, what the 2026 refresh actually changes, and what your practice should do about it.
What is DTAC?
The Digital Technology Assessment Criteria (DTAC) is an NHS England framework that sets baseline standards for digital health technologies used in NHS care. It was introduced in 2021 and applies to software-based digital health products — from patient-facing apps to clinical decision support tools.
DTAC covers five areas:
- Clinical safety — including compliance with DCB0129 and DCB0160
- Data protection — adherence to Caldicott Principles and Data Security Standards
- Technical security — protection against cyberattacks, penetration testing, Cyber Essentials
- Interoperability — data exchange with NHS systems
- Usability and accessibility — design for all users, including those with disabilities
The clinical safety pillar is where DTAC and DCB0160 intersect. But they are not the same thing, and understanding the difference matters.
How DTAC and DCB0160 Relate
DTAC is an assessment framework for products. It asks: "Does this digital health technology meet NHS baseline standards?"
DCB0160 is a clinical safety standard for deploying organisations. It asks: "Have you assessed whether this technology is safe in your specific environment?"
Here is how they connect:
DTAC is primarily a supplier obligation
When an NHS organisation considers adopting a digital health product, the buying organisation asks the supplier to complete the DTAC form. The supplier provides evidence that their product meets the five DTAC criteria, including clinical safety.
For the clinical safety section, the supplier must demonstrate DCB0129 compliance — that they have assessed risks in their product, appointed a Clinical Safety Officer, and produced a safety case.
DCB0160 is your obligation as the deploying organisation
DTAC does not replace DCB0160. Even if a product passes DTAC with flying colours, your practice must still conduct its own clinical safety assessment under DCB0160.
Why? Because DTAC assesses the product in general. DCB0160 assesses the product in your practice, with your workflows, your staff, and your patients. A product that is safe as designed can be unsafe as deployed if your configuration, training, or processes introduce risks the supplier did not anticipate.
The common misconception
"Our supplier has DTAC approval, so we are covered for clinical safety."
This is wrong in exactly the same way as saying "our supplier has DCB0129 compliance, so we are covered." DTAC approval means the product meets baseline standards. It does not mean the product is safe in your specific deployment. That is your responsibility under DCB0160.
For a detailed explanation of this distinction, see Why DCB0129 is Not a Substitute for DCB0160.
What the 2026 DTAC Refresh Changes
The updated DTAC form (version 2.0), published on 24 February 2026, makes several changes:
Fewer questions, less duplication
The new form has approximately 25% fewer questions than the previous version. NHS England has removed questions that duplicated requirements already covered by the Data Security and Protection Toolkit (DSPT) and the pre-acquisition questionnaire. If a supplier already demonstrates compliance through another recognised process, DTAC no longer asks them to prove it again.
Clearer guidance
The updated form includes clearer explanations of DTAC's purpose, scope, and how to complete assessments. This should make it easier for suppliers to understand what is being asked and for buying organisations to evaluate the responses.
Scope aligned with NICE
DTAC now explicitly focuses on software-based digital health technologies, aligning its scope with NICE's Evidence Standards Framework. This clarifies which products need DTAC assessment and which do not.
CSO training requirement relaxed
Under the previous DTAC, the named Clinical Safety Officer was required to have undertaken training provided by NHS Digital. That specific requirement has been removed. CSOs must still be suitably qualified and experienced — the change is that DTAC no longer mandates a particular training provider.
Medical device overlap removed
NHS England has identified and removed elements where DTAC overlapped with Medical Device Regulations. Products already regulated as medical devices no longer need to duplicate that evidence within DTAC.
What Has Not Changed
The 2026 refresh streamlines the DTAC form. It does not change the underlying clinical safety standards.
Specifically:
- DCB0160 still applies. Your obligation to assess clinical risk when deploying digital health technology is unchanged.
- DCB0129 still applies. Suppliers must still provide clinical safety documentation.
- You still need a Clinical Safety Officer. The CSO role, responsibilities, and authority are unchanged.
- You still need a clinical safety management system. The requirement for hazard identification, risk assessment, control implementation, and ongoing monitoring remains.
The DTAC refresh makes it easier for suppliers to demonstrate compliance. It does not reduce your responsibilities as a deploying organisation.
What This Means for GP Practices
If you are procuring a new digital health product
Ask the supplier for their completed DTAC form (version 2.0). Check that the clinical safety section demonstrates DCB0129 compliance — a named CSO, a clinical safety case, and a hazard log.
Then conduct your own DCB0160 assessment for how you will deploy the product in your practice.
If you have existing digital health products
The DTAC transition affects your suppliers, not you directly. But it is a good prompt to ask two questions:
- Has your supplier updated their DTAC submission? If they completed DTAC under the previous version, they should be transitioning to version 2.0 before 6 April 2026. Ask them for their updated documentation.
- Have you conducted DCB0160 assessments for your existing systems? Most practices have deployed digital tools — electronic prescribing, online consultations, patient messaging, clinical decision support — without formal clinical safety assessments. The DTAC refresh does not change this obligation, but it is a timely reminder.
If your ICB is coordinating DTAC assessments
In many areas, ICBs coordinate DTAC assessments on behalf of GP practices. This is sensible — it avoids every practice independently assessing the same product. But even where an ICB leads the DTAC process, individual practices retain their DCB0160 obligations.
The ICB's DTAC assessment confirms the product meets baseline standards. Your DCB0160 assessment confirms the product is safe in your specific setting.
The Overlap Between DTAC and DCB0160 Evidence
There is good news: much of the evidence you gather for DCB0160 can support your DTAC-related obligations, and vice versa. The work is not entirely separate.
| Evidence | Used for DTAC? | Used for DCB0160? |
|---|---|---|
| Supplier's clinical safety case (DCB0129) | Yes — clinical safety section | Yes — starting point for your own assessment |
| Your clinical safety case | No — DTAC is a product assessment | Yes — your deployment-specific assessment |
| Hazard log (supplier's) | Yes — clinical safety section | Yes — informs your hazard identification |
| Hazard log (yours) | No — DTAC is a product assessment | Yes — your deployment-specific hazards |
| CSO appointment evidence | Indirectly (supplier's CSO) | Yes — your organisation's CSO |
| Staff training records | No | Yes — a key control measure |
| Incident monitoring data | No | Yes — ongoing DCB0160 requirement |
The supplier's DCB0129 documentation feeds into both DTAC (for the product assessment) and your DCB0160 assessment (as your starting point for identifying deployment-specific risks). Request it early.
Action Checklist
Use this checklist to ensure you are covered for both DTAC and DCB0160:
- Understand the distinction. DTAC assesses the product. DCB0160 assesses your deployment. You need both.
- Ask suppliers for updated DTAC documentation. The previous version must not be used after 6 April 2026. Request version 2.0 submissions.
- Request DCB0129 documentation from suppliers. Their clinical safety case and hazard log are your starting point for DCB0160 assessments.
- Appoint a Clinical Safety Officer. If you do not have one, see how to set up the role without extra headcount.
- Conduct DCB0160 assessments for your digital systems. Start with your highest-risk deployments. See how to conduct a DCB0160 assessment.
- Build a clinical safety management system. This gives you the framework to manage assessments, track hazards, and monitor incidents across all your systems.
Where Protect Clinical Fits
Managing DCB0160 compliance across multiple digital systems is the kind of work that starts manageable and quickly becomes difficult to maintain. Each system needs its own hazard log, safety case, and review schedule. Staff training records and incident monitoring need to be tracked. Documentation needs to be version-controlled and audit-ready.
Protect Clinical provides a structured platform for managing this work — from hazard logs and safety case documentation to CSO oversight and ongoing monitoring. If your practice is building clinical safety governance for the first time, or if you have been managing it through spreadsheets and shared drives and want something more sustainable, talk to us about how we can help.
Resources to Bookmark
- A Simple Guide to DCB0160 — Understand the deploying organisation standard
- Why DCB0129 is Not a Substitute for DCB0160 — The distinction between supplier and practice responsibilities
- How to Conduct a DCB0160 Assessment — Step-by-step assessment guide
- What is a Clinical Safety Officer? — The role responsible for clinical safety
- DTAC Guidance for Buyers and Suppliers (NHS Transformation Directorate) — Official DTAC guidance
- Updated DTAC Form and Guidance (NHS Innovation Service) — The February 2026 update announcement
- DCB0160 Standard (NHS England) — The clinical safety standard
Key Takeaways
DTAC and DCB0160 are related but distinct. DTAC is a product assessment framework — it confirms that a digital health technology meets NHS baseline standards across five areas, including clinical safety. DCB0160 is a deployment standard — it requires you to assess whether a product is safe in your specific practice.
The 2026 DTAC refresh streamlines the form with fewer questions and clearer guidance, but it does not change your DCB0160 obligations. Supplier DTAC approval does not replace your responsibility to conduct your own clinical safety assessments.
The transition deadline is 6 April 2026. Use it as a prompt to check that your suppliers have updated their DTAC submissions and — more importantly — that your practice has the clinical safety governance in place to meet your own obligations under DCB0160.