Get DTAC-ready and sell to the NHS with confidence
Losing momentum on an NHS deal because their security review wants evidence you do not have yet? We are a Cyber Essentials certification body and a CREST-approved testing team, so your certificate, your penetration test, and a DTAC-compatible report come from one partner. Get your fixed quote in 24 hours.
TECHNICAL SECURITY SECTION
What DTAC’s technical security section asks for, in plain English
DTAC scores five areas. The one that needs an external partner is technical security. Here is what assessors look for, and how we cover it.
Cyber Essentials and Cyber Essentials Plus
DTAC expects a current Cyber Essentials certificate, and Cyber Essentials Plus for higher-risk or business-critical systems. As a certification body, we assess and certify you directly.
Independent penetration testing
DTAC expects evidence of penetration testing and how often it is carried out. Assessors want an external test against recognised standards, not an automated scan. Our CREST team tests your application, API and infrastructure by hand.
A DTAC-compatible report
An executive summary plus a technical report, each finding mapped to OWASP and scored with CVSS, with clear remediation advice. This is the artefact you hand to your NHS buyer.
Remediation and retest
DTAC is about demonstrating you fix what you find. We retest your Critical and High findings and confirm closure in writing, so your evidence pack stands up to scrutiny.
ONE ENGAGEMENT
One engagement, from scoping to a report you can submit
Both halves of DTAC’s technical security section, certification and an independent test, delivered and reported by one CREST team, in line with NCSC penetration testing guidance.
Scope in 24 hours
Tell us your stack (web app, API, mobile, cloud). We return a fixed quote and a clear scope within a day.
Certify
We assess your Cyber Essentials or Cyber Essentials Plus, so the certificate sits alongside your test evidence.
Test by hand
Senior CREST testers run a grey-box assessment against OWASP, focused on the risks DTAC and NHS buyers care about: authentication, access control, multi-tenant isolation and data exposure.
Report for DTAC
You receive an executive summary and a CVSS-scored technical report, written to drop straight into your DTAC submission and information governance due diligence.
Retest and confirm
We retest Critical and High findings and issue a remediation confirmation in writing.
NHS DTAC questions, answered
Is penetration testing mandatory for DTAC?
DTAC’s technical security section asks for evidence of penetration testing and how regularly it is performed. In practice, NHS buyers expect an independent test against recognised standards such as OWASP before they will progress procurement. We deliver a test and a report built for exactly this.
Do I need Cyber Essentials or Cyber Essentials Plus for the NHS?
DTAC expects a current Cyber Essentials certificate as a baseline, and Cyber Essentials Plus for higher-risk or business-critical systems that handle patient data. We are a certification body for both, so we can assess and certify you directly.
What is a DTAC-compatible penetration test report?
An executive summary plus a technical report, with each finding mapped to OWASP and scored using CVSS, clear remediation guidance, and confirmation that Critical and High findings have been retested. It is written to slot straight into your DTAC submission and your NHS buyer’s information governance due diligence.
What is the difference between DTAC and the DSPT?
Think of it like driving in the UK. DTAC is the MOT for a specific vehicle: it assures that one product is fit for purpose before an NHS buyer adopts it. The Data Security and Protection Toolkit (DSPT) is your driving licence: it assures that you, the organisation, are fit to handle NHS patient data, and you renew it every year. So DTAC applies if you are putting a specific digital product in front of an NHS buyer; the DSPT applies if your organisation handles NHS patient data; and both apply if you are doing the two together. They overlap on security evidence, and each expects an independent penetration test. We support suppliers with both. See our DSPT penetration testing page.
How long does a DTAC penetration test take?
For a typical single web application and its API, testing runs over several working days, with your report and retest following shortly after. We confirm exact timescales in your fixed quote within 24 hours.
Is DTAC a legal requirement?
DTAC is the NHS England assessment framework that buyers apply during procurement. It is required in practice to sell software into the NHS, and DTAC v2 became mandatory across NHS assessments on 6 April 2026. We help you meet its technical security expectations.
How often do I need to retest for DTAC?
NHS buyers typically expect a penetration test at least once a year, and again after any significant change to your application. DTAC asks how regularly you test, so an annual cadence with a retest of Critical and High findings is the safe baseline. We confirm the right cadence for your product during scoping.
What types of applications and systems can you test for DTAC?
We test the full range of digital health products: web applications, mobile apps for iOS and Android, APIs, cloud environments such as AWS, Azure and GCP, and the supporting infrastructure. Whatever your technology stack, we assess the areas DTAC and NHS buyers focus on most: authentication and session handling, access control, multi-tenant isolation, and the security of your APIs and third-party integrations. See our healthcare penetration testing service.
TRANSPARENT PRICING
Transparent, fixed pricing
Most providers hide pricing behind a sales call. We do not. Your price is your scope in days multiplied by a flat day rate of around £1,200, with every tester at senior or principal level. See the full UK pen test pricing guide.
3 to 5 tester-days
A single web app or API. Grey-box testing against OWASP, a CVSS-scored report and a retest of Critical and High findings.
5 to 9 tester-days
Web app, API and external infrastructure. The full DTAC technical-security evidence pack: Cyber Essentials or Cyber Essentials Plus, the pentest and a remediation retest.
9 to 14 tester-days
A multi-app platform with a cloud review and internal network. For larger digital health vendors with complex NHS deployments.
All figures are scope in days at a flat day rate of around £1,200. The price is fixed and agreed before we start, the quote is free with no obligation to proceed, and a CREST tester replies within 24 hours.
“Thorough, well-documented and actionable findings, methodical and aligned with industry best practices.”
– IT Director, International Property Group
Related Testing Services
20+ CREST-certified testing services in one place
Web, mobile, API, cloud, AI, infrastructure, red team. Pick the test that fits your environment.
Get DTAC-ready before your next NHS deadline
DTAC v2 is mandatory and your buyer’s due diligence will ask for security evidence. Lock in a fixed quote in 24 hours, with a CREST tester on the other end.