FAQs
Compliance Provider supports digital health innovators by simplifying compliance with key frameworks such as DSPT, DTAC, DCB0129, ISO 13485, and GDPR. The platform reduces the complexity of healthcare compliance by organising requirements in one place, saving organisations hundreds of hours each year and lowering overall compliance costs, so teams can focus on product development while remaining compliant.
The NHS offers a range of online resources, toolkits, and official guidance to help organisations meet DTAC requirements. In addition, industry bodies and professional networks provide advice, while health innovation networks and accelerators, including the NHS Innovation Accelerator, assist innovators with compliance to help them reach market faster.
Not meeting DTAC standards does not permanently prevent you from supplying to the NHS. You can resolve the issues identified by the procurement team and resubmit. However, multiple resubmissions can cause delays and added expense. Working with experienced compliance specialists can help reduce these risks and improve first-time success.
The most effective approach is to embed DTAC requirements early in your product lifecycle. If you intend to sell to the NHS or similar bodies, it is best to consider DTAC, DSPT, and Cyber Essentials from the start. Building security and data protection controls into your product from day one supports ongoing compliance with GDPR and DSPT and avoids costly redesigns later.
DTAC costs depend on whether the work is done internally or outsourced. Managing it in-house can take around 200 hours. Penetration testing typically costs between £800 and £2,500 per day, while Cyber Essentials pricing varies by organisation size. Using a consultancy can cost approximately £10,000–£30,000.
The time and effort required depend on your product complexity and current compliance maturity. The process usually includes gap analysis, evidence collection, and assessment across all five DTAC pillars. In most cases, organisations can achieve compliance within three to six months.
- Clinical Safety: Based on DCB0129, ensuring digital health solutions are clinically safe and do not introduce new risks.
- Data Protection: Compliance with GDPR and NHS DSPT to ensure personal and patient data is handled securely.
- Technical Security: Demonstrates protection against cyber threats through evidence such as recent penetration test results, Cyber Essentials certification, and documented security controls.
- Interoperability: Confirms the technology can exchange data effectively across NHS systems to support patient care.
- Usability and Accessibility: Ensures products meet NHS standards for accessibility and ease of use, supporting inclusive design.
DTAC applies to digital health technologies used in the NHS, including software, applications, and platforms that process patient data, support clinical decision-making, or deliver digital health services.
Begin with clinical risk management. Establishing these processes early in your product lifecycle is essential. After this, develop strong information security and privacy policies and integrate technical security controls from the outset.
DTAC is not a one-time exercise. It is reviewed during NHS procurement and should be embedded throughout the product lifecycle. A new assessment is required whenever there are major updates or changes to the technology, ensuring continued compliance and patient safety.
DTAC helps identify risks and weaknesses in digital health technologies, protecting patients from unsafe or ineffective solutions and supporting consistent, high-quality care. It also requires organisations to appoint a Clinical Safety Officer who understands clinical risk and can assess potential hazards that may affect patients.
DTAC improves patient safety and healthcare outcomes. If a product falls short in any of the five DTAC areas, there is a higher risk of issues such as cyber incidents, data breaches, clinical harm, or accessibility barriers. DTAC provides a standardised framework to ensure all NHS digital technologies meet strict quality and safety expectations.
DTAC stands for Digital Technology Assessment Criteria. It is an NHS framework used to assess digital health technologies across five areas: Clinical Safety, Data Protection, Technical Security, Interoperability, and Usability & Accessibility. It ensures NHS-procured technology is safe, secure, robust, and accessible.
The DSPT has three compliance levels:
- Approaching Standards – some requirements are met, but full compliance is still in progress.
- Standards Met – all required controls are in place.
- Standards Exceeded – higher maturity, often supported by certifications such as ISO 27001 or Cyber Essentials Plus.
Your status is recorded in the public DSPT database each year, whether you fall short, meet, or exceed the standard.
Two common challenges are:
- Supplier Management: Organisations must confirm that their suppliers meet security and data protection standards, often through due diligence questionnaires and reviews.
- DPIAs (Data Protection Impact Assessments): Required under GDPR, DPIAs involve detailed risk assessments and regular updates, which can be complex for teams new to the process.
In a cloud-first environment, cybersecurity underpins all other compliance activities. Any organisation handling NHS data, including suppliers and care providers, must comply with DSPT. Meeting DSPT standards ensures data is managed securely, legal obligations are met, and trust in NHS digital services is maintained.
Yes. UK GDPR Article 25 requires data protection by design and by default. By embedding privacy and security controls into systems from the start—such as encryption and routine security testing—organisations can reduce effort later and simplify ongoing compliance.
Submitting the DSPT is free, but meeting the requirements may involve investment in tools, training, and specialist support. Penetration testing typically costs £800–£2,500 per day, Cyber Essentials costs around £300–£500, and consultancy support can range from several thousand to tens of thousands of pounds.
This depends on organisational size and security maturity. Starting from scratch may require around 200 hours, with more time needed for complex systems. DSPT requires continuous updates to policies, controls, and evidence throughout the year, not just at submission time.
Start by reviewing the DSPT criteria available on the NHS website. Carry out a gap analysis of your current controls, identify where external support may be required, and create a realistic plan to close the gaps. Progress should be reviewed regularly as requirements evolve.
DSPT must be submitted every year by 30 June. Because the toolkit changes annually to reflect new risks, organisations must keep their controls and evidence up to date throughout the year.
DSPT supports patient safety in two key ways:
- It ensures organisations handling health and care data have strong security controls, reducing the risk of cyberattacks and data breaches.
- It reinforces data protection obligations, ensuring patients’ rights are respected through transparency and secure, proportionate data use.
Penetration tests (ethical hacking) are used to validate that security controls work as intended. The NHS typically expects evidence of three types:
- Infrastructure Testing – assesses networks, servers, and internal systems for exploitable weaknesses.
- Application or Product Testing – assesses websites, apps, and digital services.
- API Security Testing – checks that integrations between systems cannot be exploited.
GDPR is a legal requirement, and DSPT incorporates its principles into NHS compliance. This includes data minimisation, strong access controls, and protection of data subject rights. Digital health organisations must also meet additional GDPR obligations when handling special category health data.
The National Cyber Security Centre (NCSC) has introduced its Cyber Assessment Framework (CAF), which is outcome-based and less prescriptive than Cyber Essentials and the current DSPT. From September 2024, DSPT splits into two versions: one for suppliers and smaller organisations, and another for large NHS bodies such as Trusts, ICBs, and CSUs. Smaller organisations remain on the existing model, while larger organisations align with the CAF, which gives them flexibility in how they meet each outcome, similar to the approach taken by ISO 27001.
No. DTAC evaluates individual digital health products used within the NHS, whereas DSPT focuses on your organisation’s overall data security and privacy posture. DSPT covers areas such as data protection, technical security, incident response, staff training, and information governance.
If you supply any service or product to the NHS that processes data of any kind—including basic details like names, usernames, or email addresses—you must comply with DSPT. You can confirm this requirement through official NHS guidance and resources.
DSPT is essential for protecting patient data and maintaining public trust. With cyber incidents in healthcare increasing significantly since 2019, strong security controls are more critical than ever. DSPT helps both NHS organisations and their suppliers maintain robust cybersecurity and data protection practices.
These are mandatory standards for all health and social care organisations and their suppliers. They are grouped into three main areas: people, processes, and technology. The standards address core security controls, including staff training, access management, monitoring, business continuity, and continuous improvement.
DSPT stands for the Data Security and Protection Toolkit. Formerly known as the Information Governance (IG) Toolkit, it is an online self-assessment used to measure compliance with the National Data Guardian’s 10 data security standards. It ensures organisations meet legal and regulatory requirements around data protection, confidentiality, technical security, staff training, and incident management.
- GDPR
- Cyber Essentials
- Cyber Essentials Plus
- ISO 27001
- NHS DSPT
- DTAC
- DCB0129 / DCB0160
- ISO 9001
- ISO 13485
- NEN 7510
- ISO 82304-2
- SOC 2
- HIPAA
- MOD Secure By Design…and more.
Compliance Provider is suitable for startups, SMEs, large enterprises, and government organisations that need to meet strict compliance requirements without high cost or complexity. It supports organisations at any stage, from those starting their compliance journey to large teams managing multiple frameworks in one place.
The platform automates the creation of policies, procedures, and training materials needed for compliance and centralises evidence management. It acts as a single compliance hub where you can run risk assessments, generate DPIAs, train staff, and manage audit findings to strengthen and maintain your quality management system (QMS).
Compliance Provider is an automated compliance management platform designed to make achieving and maintaining compliance simpler. It supports standards ranging from data protection and cybersecurity (such as GDPR and Cyber Essentials) to quality and clinical frameworks like DTAC and ISO standards. The platform enables organisations to manage security, privacy, quality, risk, and clinical safety requirements within one integrated system.
Simplify Compliance. Scale with Confidence.
Book a 15-minute demo to see how Naq removes complexity from compliance and supports your business growth.