As of February 24, 2026, NHS England has officially released the updated Digital Technology Assessment Criteria (DTAC). This “DTAC 2.0” (or the 2026 Refresh) isn’t just a minor tweak; it’s a strategic pivot toward a “simpler, more trusted pathway” for digital health innovation.
For digital transformation in healthcare, this shift represents a move away from “box-ticking” and toward a more focused, risk-based approach.
The Evolution: DTAC 1.0 vs. The 2026 Refresh
The original DTAC, launched in 2021, was a comprehensive baseline. However, it often faced criticism for being repetitive, particularly where requirements overlapped with the Data Security and Protection Toolkit (DSPT) or Medical Device Regulations (MDR).
Key Differences at a Glance
| Feature | Original DTAC (2021) | DTAC 2.0 (2026) |
| Volume | High volume of questions. | 25% reduction in the total question set. |
| Overlap | Frequent duplication with DSPT and MDR. | Streamlined; removed questions covered by other frameworks. |
| Scope | Broad application across many tech types. | Sharper focus on software-based digital health technologies. |
| Alignment | Independent assessment criteria. | Closer alignment with NICE evaluation standards. |
| Deadline | Retired | Full transition required by April 6, 2026. |
Identifying the Gaps: What’s Changed?
The “gaps” in DTAC 2.0 are actually intentional removals designed to increase efficiency. Here is where the new criteria differ most:
1. Integration, Not Duplication
In the original version, software vendors often had to re-verify security protocols already submitted via the DSPT. In the 2026 version, if you’ve already cleared certain standards through the DSPT or hold a UKCA mark (for medical devices), the DTAC now largely defers to those, focusing instead on the clinical safety of the software application itself.
2. The NICE Nexus
DTAC 2.0 bridges the gap between “technical safety” and “clinical/economic effectiveness.” By aligning with NICE, the new criteria force suppliers to consider the value and outcome of the technology earlier in the procurement cycle, rather than just its security architecture.
3. Specialised Exclusions
The scope is now tighter. DTAC 2.0 is specifically not intended for:
- General-purpose software (e.g., generic HR or finance systems).
- Embedded software/firmware in hardware devices (e.g., CT scanner firmware).
Action Plan: How Clinical Software Vendors Can Stay Compliant
The grace period is short. With the April 6, 2026 deadline looming, here is what your team needs to do:
- Audit Your Current Evidence Pack: The original form should be retired immediately. Map your existing evidence to the new 2026 question set. You will likely find you have “excess” information that is no longer required, but you may need more specific documentation on software-specific clinical safety.
- Update Your Clinical Safety Case (DCB0129): While the questions have decreased, the rigor has not. Ensure your Clinical Safety Officer (CSO) has reviewed the latest guidance on DCB0129, as clinical safety remains a “Pass/Fail” gateway.
- Review NICE Alignment: If your product falls under the NICE Evidence Standards Framework (ESF), ensure your DTAC submission reflects that evidence. Adopters (Trusts and ICBs) are now trained to look for this synergy.
- Focus on Interoperability: Ensure your data-flow diagrams and API documentation are updated. The 2026 refresh emphasizes “connectivity and portability” as the NHS moves toward more integrated care records.
NHS Clinical Safety Officer
For the Clinical Safety Officer (CSO), the DTAC 2.0 refresh is a double-edged sword. While the overall administrative burden of the DTAC form has decreased, the accountability on the CSO has become more concentrated and technically demanding.
In the 2026 landscape, the CSO role is moving from “form-signer” to “safety strategist.” Here is what this shift means for them:
1. Removal of “Mandatory” NHS Digital Training
One of the most significant changes in DTAC 2.0 is the removal of the rigid requirement for the named CSO to undertake specific training provided only by NHS Digital.
- The Interpretation: This is not a lowering of standards. Instead, it acknowledges a more mature market of accredited training providers.
- The CSO Impact: CSOs now have more flexibility in how they maintain their competency, but the burden of proof is on them to demonstrate “equivalent and appropriate” clinical risk management training during audits.
2. From “Checklist” to “Clinical Risk Management System” (CRMS)
The original DTAC often treated clinical safety as a static document (the Safety Case). DTAC 2.0 emphasises the System over the Document.
- The Gap: Many vendors have a Safety Case but lack a functioning CRMS that governs how updates are handled.
- The CSO Action: CSOs must now evidence how clinical safety is integrated into the entire Agile development lifecycle. You can no longer just sign a report at the end of a sprint; you must prove there is a “living” hazard log that evolves with every software iteration.
3. The “Medical Device” Intersection
DTAC 2.0 has stripped away questions that overlap with Medical Device Regulations (MDR).
- The Impact: This clarifies the CSO’s focus. If the product is a medical device, the CSO must ensure the DCB0129 (clinical safety) and ISO 14971 (risk management for medical devices) are harmonised, not handled in silos.
- The Responsibility: The CSO is now the primary bridge between the regulatory affairs team (handling UKCA/CE marks) and the product team (handling clinical workflow).
4. DCB0129 vs. DCB0160 Alignment
With the 2026 update, there is a stronger emphasis on how the vendor’s safety information (DCB0129) supports the healthcare provider’s safety assessment (DCB0160).
- The Requirement: CSOs are increasingly expected to provide “ready-to-use” hazard logs that a Trust’s CSO can easily ingest.
- The Strategy: A successful CSO will now treat the Safety Case as a “customer-facing product,” making it as transparent and navigable as possible to speed up the Trust’s onboarding process.
Summary Checklist for CSOs in 2026
| Area | Action Required |
| Training | Ensure your certification is current and recognised, even if not through the old NHS Digital route. |
| Agile Integration | Verify that hazard identification happens during sprint planning, not post-release. |
| NICE ESF | Align your clinical safety findings with the evidence tiers required by the NICE Evidence Standards Framework. |
| Interoperability | Assess the clinical risk of “data failure” at the point of API integration, a high-priority focus in DTAC 2.0. |
Clinical Risk Management System (CRMS)
Choosing a Clinical Risk Management System (CRMS) in the new DTAC 2.0 era requires a shift from “document storage” to “integrated risk intelligence.”
For a CSO, the goal is to find a system that doesn’t just hold a PDF of your Hazard Log, but actually manages the live relationship between your software development (DCB0129) and the provider’s implementation (DCB0160).
Comparison of Top Clinical Risk Management Approaches (2026)
| System Type | Examples | Best For | Pros | Cons |
| Specialist Compliance Platforms | Squirrel 2.0, Acorn, 8fold | High-growth MedTech & AI Vendors | Built-in NHS-specific templates (DTAC, DCB); AI-assisted hazard mapping. | Higher cost; niche focus on UK health standards only. |
| Enterprise GRC Software | ServiceNow GRC, Centraleyes, AuditBoard | Large Scale/Global Health Tech | Deep integration with IT workflows; robust audit trails for ISO 27001 & DTAC. | Steep learning curve; requires heavy customization for DCB standards. |
| Modular EHS Systems | Evalu-8, SafetyCulture | SME Vendors & Small Trusts | Mobile-friendly; great for “in-the-field” incident reporting and spot checks. | Less focus on the technical “Software as a Medical Device” (SaMD) nuances. |
| Manual/Legacy Systems | Excel, SharePoint, Jira | Early-stage Startups | Zero additional cost; total control over formatting. | High risk of version-control failure; difficult to map to DTAC 2.0 interoperability. |
3 Critical Features to Look for in 2026
1. The “Interoperability Hazard” Library
DTAC 2.0 places heavy emphasis on data flows and APIs. Your CRMS should have pre-set hazard templates for common integration failures (e.g., API timeout causing missing allergy data). If you have to write these from scratch every time, you are wasting clinical time.
2. “Live” Hazard Logs (The Jira/Azure Integration)
In 2026, a static Excel sheet is a red flag for auditors. The best systems link directly to your engineering tickets. When a developer marks a “Safety Critical” bug as fixed, your CRMS should automatically prompt the CSO to review and update the Residual Risk score in the Hazard Log.
3. The DCB0160 “Export” Portal
To speed up procurement, your system should be able to generate a “Customer Safety Pack.” This is a filtered version of your internal DCB0129 data that gives the Trust’s CSO exactly what they need for their DCB0160 assessment without revealing your proprietary technical IP.
Recommendation
- If you are an AI/ML Vendor: Go with a specialist platform like Squirrel 2.0 or Acorn. They are currently leading the way in mapping “Data Drift” and “Algorithmic Bias” as clinical hazards, which is a key gap in the new DTAC.
- If you are an established Health Enterprise: Leverage ServiceNow GRC. Its ability to tie clinical risk to your overall cybersecurity posture (DSPT/ISO 27001) is unmatched for large-scale operations.
The Bottom Line
The 2026 DTAC refresh is a win for the industry. It reduces the administrative burden on suppliers while tightening the focus on what matters most: software safety and patient outcomes.
If you are a vendor currently in a procurement cycle or heading toward a contract renewal, now is the time to pivot to the new form to avoid delays in the “due diligence” phase.