Contact Us Today 01642 716680

DTAC (Digital Technology Assessment Criteria): Technical Security

In this blog post, we discuss the technical requirements for DTAC, aiming to assist health-related tech developers pass with flying colours. If your company needs a technical assessment for DTAC. We can help.


As we move into a digital age, keeping track of your health has become a lot easier with the rise of new apps and websites. These products aim to be accessible and useful to the general public, and the NHS relies on certain companies to assist patients with their medication, symptoms, etc. As you can imagine, these new products aren’t just created overnight. They must undergo rigorous testing to ensure the product is safe and secure. They test this with the DTAC, a set of criteria created by the NHS for organisations looking to create their own digital health products. 

As a cyber security company specialising in penetration testing, we assist clients with testing their digital products’ security to ensure they are DTAC compliant. If you are a company interested in making a new health-related application or website, we’ve got all the information you need here in this blog!

What is DTAC?

Firstly, let’s talk about what it means. DTAC, or Digital Technology Assessment Criteria for health and social care, is a standard that organisations have to abide by when creating digital products relating to health care. Digital advancements have always been present within the NHS but are especially more prevalent in recent times. With the rise of more apps and websites aimed to help the regular person stay on top of their health, it became a necessity that these new technologies had to be reliable. That is why the DTAC was created!

By merging pre-existing certifications and standards already in place by the NHS, tech developers aiming to make their own health-related products can now utilise the criteria to make sure their product is safe for public use. Assessments using the DTAC must be undertaken with any new product too, no matter if it’s ready for launch or merely a trial/pilot version of the tech. This is because maintaining good confidentiality practices and prioritising patient and staff safety is an important objective for the NHS. Using DTAC to prove that you, as a supplier, guarantee that your products also aim to uphold these principles will go a long way in making your clients and the NHS Foundation Trust confident that your product will be reliable and safe to use.

The 5 core areas of the Digital Technology Assessment Criteria

For your product to pass the DTAC, you must assess five main areas: clinical safety, data protection, technical security, interoperability, usability, and accessibility. 

In this section, I will briefly expand upon each of the DTAC’s core segments, focusing on why and how they are tested.  

Clinical Safety  

The clinical safety section focuses on removing the clinical risk to patients. To complete this section of the DTAC, you must identify any hazards that may be present with your product and put in place proper mitigations against these risks. 

For tech developers assessing their tech with DTAC, to pass, you must match the requirements of the DCB0129. The DCB0129 will require you to take a formal risk assessment on the digital product you are developing and, from it, have three documents detailing the outcome of that assessment: the Clinical Risk Management Plan, Hazard Log, and Clinical Safety Case Report. 

If you wish for your product to be procured by the NHS, you must guarantee that it meets these clinical risk management standards. To make sure you are meeting these standards, you have appointed a Clinical Safety Officer (CSO) who will be responsible for your company meeting the requirements set in place by the DCB0129.

For more information on fulfilling the clinical safety section of the DTAC, visit the NHS website.

Data protection

As you may have determined from the name of this section, the data protection criteria focus on how the app is designed to protect the data and privacy of the people using the product. It also wants to see if client/staff/patient rights are protected. Since the products tested with DTAC are concerned with health care, you can see how data protection is of the utmost importance. 

To complete this part of the DTAC, you must fulfill the Data Protection Impact Assessment (DPIA). You must complete one as, if you are successful on the DPIA, you will also meet the requirements of the DTAC. This is because the two share the same criteria. A DPIA’s main purpose is to detect any risks that may be present within the data processing and will help identify any measures you can take to reduce these risks.

Technical security

This section can also be known as technical assurance, but the premise is always the same. To comply with DTAC, your apps must be assessed to ensure they are both secure and stable. Unlike the previous two areas that use pre-existing processes that also meet the requirements of DTAC, the technical security section uses its own process. This is called the DTAC technical elements V1 2023, a document you can use to see if your product/company has met the level of security the NHS wants. This is the section we’ll focus on later in this blog, as this is the section we can directly help with.  

Do you need help with DTAC’s technical security requirements? Use the contact form below to get in touch.


Interoperability refers to when different computer systems or software exchange data with each other and then use the data received. Therefore, regarding the DTAC, you must test your product to see if your data is being communicated accurately and quickly. It also makes sure that, whilst being exchanged, the data is both safe and secure. Since this is also a section focusing on technology, it can sometimes come under the technical security section, and its criteria can also be found in the DTAC technical elements V1 2023 document.

Usability and accessibility

This part of the criteria aims to check that you have taken user requirements into account and designed your product accordingly. It also looks at how you plan to get user feedback and emphasises utilising that feedback to improve your app for them in the future. 

In this section of the DTAC, your product will receive a compliance rating. This rating will allow you to see if there are any areas of non-compliance which you will need to improve upon. Your compliance score will be based on the NHS service standards and conformity against NHS best practices. 

Technical security requirements

Now, let’s break down the requirements in the technical security section of the criteria. While some aspects can be done by your own company, there are others you may need help with. And that’s where we come in!

In the following section of the blog, we will detail each of the key steps involved with technical security, using our knowledge of cyber security to give you all the information you need to prepare for the DTAC.

Cyber Essentials Certification

Companies must have a Cyber Essentials certificate to pass the technical security criteria. This certificate must be current and validated against the IASME database. Ideally, if you are a supplier to the NHS, you should aim for a Cyber Essentials Plus certificate to guarantee that there will be no risk to the supply chain. 

The Cyber Essentials certificate will show that your organisation has taken precautions against more common cyber threats. It is a requirement as Cyber Essentials is now necessary to obtain for any and all NHS organisations. This is because it shows that the chances of the supply chain getting compromised by a cyber attack are low, as your company has proof that it has measures to avoid such threats.

For more information on the Cyber Essentials certification and how to obtain it, you can visit the NCSC website here.

Penetration testing

A key step to becoming DTAC compliant is ensuring your product has been penetration tested. Penetration testing involves a group of security experts who operate similarly to an actual cyber attacker to evaluate your company’s infrastructure and systems. The penetration test will uncover any critical vulnerabilities within your app or website, allowing you to enforce stronger measures to protect yourself from cyber threats. To comply with the DTAC, the penetration test must include the OWASP’s top 10 vulnerabilities.

After the penetration testing, you will receive a summary report of any findings. To move on to the rest of the criteria, no vulnerabilities must be found that score 7.0 or higher on the Common Vulnerability Scoring System (CVSS). If there are, you must rectify any issues and re-test your product. 

You must prove that a penetration test has occurred to pass this part of the criteria. You may use the report you obtained after the test as evidence. Don’t worry; the NHS Trust will sign an NDA to ensure that no sensitive information is shared with a third party. 

If you need a penetration test for DTAC, Sencode has you covered! Find out more here

Custom Code Review

A code review helps programmers ensure high code quality. The goal of a code review is to find any bugs or errors within the code and assist developers in developing and improving their skills. 

Whilst you may do an internal code review conducted by your peers within the same company as you, the DTAC would prefer an external code review. These are done by specialists outside of your organisation. They prefer this as it means the review will not be biased, and the specialist may find more issues that others within the company may overlook or miss.  

Multi-Factor Authentication (MFA)

Multi-factor authentication, or MFA, is an account login process that aims to enhance security by requiring users to provide two or more verification factors, such as a code sent to their email address or scanning their fingerprint. This ensures that the user is truly who they say they are and reduces the risk of compromised passwords. 

To meet the DTAC, all privileged accounts must have MFA implemented. Alongside that, the company should be able to employ MFA on all user accounts that also access the system.

Logging and Reporting 

Logging refers to keeping logs of an event in a computer system. These logs can be used to record errors or monitor account activities. By logging and reporting, you can identify activity patterns on your network. This means that if there were a compromise, it would be easier to detect the source of the issue and how bad the damage was.

To pass, the developer must have a defined strategy across multiple device types and document the current logging and reporting systems already in place. 


Designing a digital product that is DTAC compliant may seem daunting, but by protecting yourself and your systems, you can reduce the risk of cyber-attacks and guarantee to your users that their information is safe. Consistent penetration testing and implementing extra security layers such as MFAs and logging strategies will make passing the technical security criteria a little easier.

Once again, if you are a tech developer needing help penetration testing your app or website, look no further than Sencode!