The assessment every NHS buyer now puts in front of your product, decoded: the five things it checks, how it ties to DCB 0129, and how to pass it first time.
By Dr Chiho Song · NHS clinician and contracted Clinical Safety Officer · 15 June 2026 · 6 min read
If DCB 0129 is the clinical safety gate, DTAC is the gate that contains it. The first time you try to sell a digital product into an NHS organisation, someone in procurement or the digital team sends you a spreadsheet called the DTAC and asks you to fill it in. Teams that have never seen it before lose weeks. Here is what it is and how to get through it cleanly.
DTAC stands for the Digital Technology Assessment Criteria. NHS England introduced it in 2021 as a single national baseline for digital health technologies entering the NHS. Before DTAC, every trust asked for slightly different evidence. DTAC consolidates the core requirements into one assessment so suppliers are not reinventing the wheel for each buyer.
Two things to understand up front. First, it is a self-assessment: you complete it and attach evidence, and the deploying NHS organisation reviews and scores it. Second, it is not a one-time national certificate you earn once and wave forever. Each NHS organisation can ask you to complete it, but the evidence pack you build is reusable, so the second and third time are far faster than the first.
DTAC is organised around five core areas. Think of them as five separate evidence folders.
The clinical safety, data protection and security sections are pass-or-fail in spirit: weak evidence there stops the conversation. Usability is scored rather than purely binary, but a poor score still hurts you in procurement.
The pattern is almost always the same. A team has built a good product and even has decent security, but the clinical safety folder is empty, because nobody told them DCB 0129 existed until the DTAC landed. That single gap stalls the whole assessment, because the clinical safety section cannot be completed without a safety case and a named CSO, and those take a few weeks to produce properly.
The fix is to treat DTAC as a checklist you start building against from early, not a form you discover at procurement. If you know the five folders, you can fill them in parallel while you build, instead of scrambling when a trust is ready to buy.
People conflate the two, so to be precise: DCB 0129 is the clinical safety standard, and DTAC is the broader assessment that asks for your DCB 0129 evidence as one of its five sections. You do DCB 0129 to produce a clinical safety case; you complete DTAC to package that safety case alongside your data protection, security, interoperability and usability evidence for a specific NHS buyer. No DCB 0129, no clinical safety section, no DTAC pass.
Before you start a DTAC, aim to have: a signed DCB 0129 clinical safety case and named CSO; a completed DPIA and a current DSPT; Cyber Essentials (ideally Plus) and a recent penetration test report; a short statement of which interoperability standards you support; and an accessibility statement plus evidence you followed the NHS service standard. With those in hand, the DTAC itself is mostly transcription, not new work.
Is DTAC mandatory? It is not one national certificate, but in practice most NHS organisations require a completed DTAC to buy, so treat it as required.
Can I reuse a DTAC across trusts? Yes. The underlying evidence pack is reusable; each buyer reviews it against their own deployment, but you are not starting from scratch each time.
Who fills it in? You, the supplier. The NHS organisation reviews and scores it.
What is the single most common blocker? The clinical safety section, because teams arrive without DCB 0129 in place.
That is the part I handle. As a practising NHS doctor and contracted Clinical Safety Officer, I produce the DCB 0129 evidence DTAC asks for, fixed scope and fixed fee, in four weeks.