By EJN Labs · 14 Jun 2026 · 10 min read
For NHS DTAC technical security you typically need all three: a current Cyber Essentials certificate, Cyber Essentials Plus for business-critical systems, and an independent penetration test mapped to OWASP and scored with CVSS, plus an ongoing vulnerability management process. Cyber Essentials is required, CE Plus is expected for higher-risk products, and a pen test is the evidence assessors look for.
If you sell software to the NHS, the NHS DTAC technical security section is usually where procurement stalls. The Digital Technology Assessment Criteria (DTAC) is the baseline NHS buyers apply to a digital health product before they purchase it, and the technical security part asks for evidence you cannot produce overnight. This guide explains what that section actually asks for, which evidence a health-tech vendor needs, and how one engagement can cover most of it. For the full service view, see our NHS DTAC penetration testing page.
What NHS DTAC technical security asks for
DTAC scores five areas: clinical safety, data protection, technical security, interoperability, and usability and accessibility. Technical security is the one that needs an external partner, because it is where Cyber Essentials, CE Plus, penetration testing and vulnerability management all sit. DTAC v2, the refreshed form published on 24 February 2026, became mandatory across NHS assessments on 6 April 2026, so your buyer now assesses you against the current version.
A quick point on status. DTAC is the NHS England assessment framework buyers apply during procurement. It is required in practice rather than legally mandatory, but that distinction rarely helps you, because Trusts, Integrated Care Boards and GP practices treat a completed, evidenced DTAC as a threshold gate. A missing Cyber Essentials certificate or pen-test report blocks the deal just as effectively as a law would.
Cyber Essentials, CE Plus or a penetration test: which do you need?
The honest answer for most software vendors is that these are not alternatives. The technical security section expects each piece of evidence to do a different job, and assessors notice when one is missing. Here is how the four core requirements break down.
| DTAC technical security requirement | Status | Evidence a software vendor needs |
|---|---|---|
| Cyber Essentials | Required | A current, valid certificate, validated against the IASME database, covering the environment that processes NHS data. |
| Cyber Essentials Plus | Expected for business-critical or higher-risk systems | The independently audited CE tier, with a hands-on technical assessment, plus standalone multi-factor authentication evidence. |
| Penetration testing | Required as evidence, including how often it is done | An independent external test of the live product, mapped to OWASP, scored with CVSS, with remediation and retest. |
| Vulnerability management | Expected | An ongoing process to find, triage and fix vulnerabilities, linked to your CE controls and pen-test findings. |
Cyber Essentials is the baseline
Cyber Essentials is the government-backed scheme owned by the National Cyber Security Centre and delivered through IASME. DTAC expects a current, valid certificate from any supplier handling sensitive or personal information, validated against the IASME database. One trap worth flagging: for assessments from 28 April 2026, Cyber Essentials v3.3 makes multi-factor authentication mandatory for in-scope cloud services, with an automatic fail if it is missing. If your certificate predates that change, plan a re-certification with fresh MFA evidence before your next NHS assessment.
Cyber Essentials Plus is expected for business-critical systems
Where Cyber Essentials is self-assessed, Cyber Essentials Plus adds an independent, hands-on technical audit. Many NHS organisations expect CE Plus from suppliers of business-critical or higher-risk products, particularly anything that touches patient data at scale. Whether it is hard-mandatory depends on the buyer’s risk assessment, but for a clinical SaaS platform or a patient-facing app you should assume it will be asked for. Note that the Data Security and Protection Toolkit no longer treats CE Plus as an automatic substitute for separate MFA evidence, so keep your MFA pack ready as its own artefact.
Penetration testing is the evidence assessors want to see
DTAC asks for evidence that vulnerability and penetration testing has been carried out on your product, and how often. Assessors look for an annual external test that covers your whole solution architecture rather than a token sample, with findings mapped to the OWASP Top 10 and severities scored using CVSS. A raw automated scan does not satisfy this. They want a human-led test that confirms which weaknesses are genuinely exploitable, with clear remediation advice and evidence that high-severity issues were fixed and retested.
When we scope a DTAC-driven test, we focus on the risks NHS buyers care about most: authentication and session handling, access control between roles, multi-tenant isolation so one organisation cannot reach another’s data, and exposure of personal or clinical data through APIs. Multi-tenant isolation is where SaaS products most often surprise their own developers, because a logic flaw in how a tenant identifier is trusted can quietly expose another customer’s records without tripping any scanner. That is exactly the class of finding a manual test catches and an automated one misses. For what a buyer-ready report contains, see how to get a DTAC-compatible penetration test report.
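To make the tenant-identifier flaw concrete, here is an added example in Python (not code from this article or from EJN Labs): a record lookup that trusts the tenant id sent by the client, beside a hardened version that takes the tenant only from the server-side session, plus a regression check a vendor can keep in its own test suite. The in-memory store, tenant names and record ids are constructed for illustration.

```python
# Added example (not from the EJN Labs article): the multi-tenant isolation
# flaw described above, shown as a vulnerable lookup beside its hardened form.
# The in-memory store, tenant names and record ids are constructed for illustration.
from dataclasses import dataclass

# Constructed sample data: two tenants (NHS organisations) with one patient record each.
RECORDS = {
    101: {"tenant_id": "trust-a", "patient": "Patient A"},
    202: {"tenant_id": "trust-b", "patient": "Patient B"},
}


@dataclass(frozen=True)
class Session:
    """Server-side session created at login; tenant_id is set by the server, not the client."""
    user_id: str
    tenant_id: str


class Forbidden(Exception):
    pass


def fetch_record_insecure(request: dict, session: Session) -> dict:
    """Vulnerable: trusts the tenant_id the client put in the request.

    A trust-a user who submits tenant_id=trust-b reads trust-b's record. Every
    response is a well-formed 200, so an automated scanner sees nothing wrong.
    """
    record = RECORDS[request["record_id"]]
    if record["tenant_id"] != request["tenant_id"]:
        raise Forbidden("record belongs to another tenant")
    return record


def fetch_record_secure(request: dict, session: Session) -> dict:
    """Hardened: the tenant comes only from the authenticated session; any
    client-supplied tenant_id is ignored and the record is checked against it."""
    record = RECORDS.get(request["record_id"])
    if record is None or record["tenant_id"] != session.tenant_id:
        # Same response for missing and foreign records, so existence is not confirmed.
        raise Forbidden("record not found")
    return record


def cross_tenant_check(fetch) -> bool:
    """Regression check: can a trust-a session read trust-b's record by naming
    trust-b in the request? Returns True when isolation holds."""
    session = Session(user_id="alice", tenant_id="trust-a")
    hostile_request = {"record_id": 202, "tenant_id": "trust-b"}
    try:
        fetch(hostile_request, session)
    except Forbidden:
        return True
    return False
```

Running `cross_tenant_check` against both functions shows the insecure version handing over the other tenant's record while the hardened one refuses, which is the kind of assertion worth adding to a CI suite so the fix cannot silently regress.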
Vulnerability management is the ongoing process behind it
The pen test is a point in time. Vulnerability management is the process that runs all year: regular scanning, a way to triage what it finds, and a patching cadence that closes high-severity issues quickly. DTAC increasingly expects to see this process operating, not just a single annual report. It links directly to your Cyber Essentials controls, which require timely patching, so treating the two as one programme keeps your evidence consistent.
One engagement that produces the technical security evidence
Because we are both a Cyber Essentials and Cyber Essentials Plus certification body and a CREST member for penetration testing, the two halves of the technical security section can come from one team and one engagement, rather than two vendors who never speak to each other. A typical engagement runs like this.
- Scope and quote. You tell us your stack: web application, APIs, any mobile app and the cloud environment. We return a fixed scope and price, with every tester senior or principal.
- Certify. We assess your Cyber Essentials or Cyber Essentials Plus directly, so the certificate sits alongside your test evidence and your MFA pack meets current rules.
- Test by hand. Our CREST testers run a manual assessment against OWASP, focused on the authentication, access-control, isolation and data-exposure risks NHS buyers care about.
- Report for DTAC. You receive an executive summary and a CVSS-scored technical report, written to drop straight into your DTAC submission.
- Remediate and retest. We retest your Critical and High findings and confirm closure in writing.
That single thread covers Cyber Essentials, Cyber Essentials Plus, the penetration test and the start of a documented vulnerability management cycle, which is most of what the technical security section asks a software vendor to evidence. Clinical safety, data protection and interoperability remain separate disciplines. Clinical safety in particular, the DCB0129 and DCB0160 standards and the Clinical Safety Officer role, is not something we deliver; we leave the clinical side to its own specialists.
How DTAC technical security fits the wider NHS picture
DTAC does not exist in isolation. If you process identifiable NHS patient data you will also complete the Data Security and Protection Toolkit (DSPT), now aligned to the outcome-based NCSC Cyber Assessment Framework with a 30 June 2026 deadline. The DSPT shares much of its security evidence with DTAC and expects an independent penetration test too, so the work you do for one largely serves the other. The same evidence supports frameworks such as G-Cloud, where Cyber Essentials and, for some lots, CE Plus are mandatory. The takeaway is that one well-scoped technical security programme feeds DTAC, the DSPT and your framework bids at once. See our guide for DSPT CAF-aligned NHS suppliers and our healthcare penetration testing service.
Why EJN Labs for NHS DTAC technical security
NHS DTAC technical security is unusual because it asks one supplier to evidence two distinct things: a certification, Cyber Essentials and Cyber Essentials Plus, and a credible independent penetration test. Most firms do one or the other. EJN Labs does both. We are a Cyber Essentials and Cyber Essentials Plus certification body through our IASME relationship, so we certify you directly, and we are a CREST member for penetration testing, the accreditation NHS buyers and DTAC assessors recognise as a quality signal. That means the certificate and the test report come from one team, scoped together, with no gap between them for an assessor to query.
We also hold ISO 27001 and ISO 9001 ourselves, so we understand the assurance bar from the inside, not just as a tester. Every engagement is delivered by senior and principal testers based in the UK, never junior staff, and we write reports for a health-tech audience, mapping findings to OWASP and CVSS and framing them for the information governance due diligence your NHS buyer runs. We are fluent in the supplier side of NHS procurement: the DTAC v2 changes, the Cyber Essentials v3.3 MFA rules, and how the DSPT and frameworks reuse the same evidence. To be clear on scope, we do not hold NCSC CHECK and do not deliver CHECK or ITHC testing; our penetration testing is CREST-delivered.
Frequently Asked Questions
Do I need Cyber Essentials, CE Plus or a penetration test for NHS DTAC technical security?
For most software vendors you need all three working together, not one instead of another. DTAC’s technical security section requires a current Cyber Essentials certificate, expects Cyber Essentials Plus for business-critical systems, and asks for evidence of independent penetration testing and how often it is done, with vulnerability management as the ongoing process behind them. We produce all of this in one engagement.
Is penetration testing mandatory for NHS DTAC?
DTAC’s technical security section asks for evidence that penetration testing has been carried out on your product and how regularly. In practice NHS buyers expect an independent external test against recognised standards such as OWASP, scored with CVSS, before they progress procurement. So while DTAC is required in practice rather than by law, a pen test is effectively required to clear it for any product handling NHS data.
Is NHS DTAC a legal requirement?
No. DTAC is the NHS England assessment framework that buyers apply during procurement, not a statute. It is required in practice to sell software into the NHS, and DTAC v2 became mandatory across NHS assessments on 6 April 2026, so buyers now assess you against the current form. That means you should treat its technical security expectations as a hard threshold even though they are not written into law.
How much does the technical security evidence cost?
Penetration testing is priced by scope in tester days at a flat UK day rate, so a focused single web application and its API usually falls in a 4 to 6 day band, while a multi-app platform with cloud and infrastructure runs longer. Cyber Essentials and Cyber Essentials Plus are separate certification fees. We give you a fixed, scoped quote rather than a guessed figure, so you know the exact price before you commit.
What is the difference between DTAC and the DSPT?
DTAC is the product-level assessment an NHS buyer applies before adopting your software. The Data Security and Protection Toolkit is the organisation-level assurance your company completes annually, now aligned to the NCSC Cyber Assessment Framework with a 30 June 2026 deadline. They overlap heavily on security evidence, and both expect an independent penetration test, so the work you do for one largely serves the other.
Get DTAC-ready before your next NHS deadline
If your NHS buyer’s due diligence is asking for Cyber Essentials, Cyber Essentials Plus and a penetration test, EJN Labs can produce the full NHS DTAC technical security evidence pack in one engagement, delivered by senior, CREST-certified UK testers. To get a fixed scope and price, request a penetration testing quote, or read our NHS DTAC penetration testing service guide first.