By EJN Labs · 14 Jun 2026 · 13 min read
Selling software to the NHS in 2026 means clearing one assurance stack: pass NHS DTAC’s technical security section, hold a current Cyber Essentials (and usually Cyber Essentials Plus) certificate, complete an annual CAF-aligned DSPT if you process patient data, evidence clinical safety under DCB0129/DCB0160, and produce a recent CREST penetration test mapped to OWASP and scored with CVSS. This checklist sets out the order, the deadlines and the evidence.
Selling software to the NHS in 2026 is harder than it was eighteen months ago, and that is not an accident. A stack of UK mandates landed across 2024 to 2026 that all ask a health-tech vendor for the same thing: documented proof that your product is secure, that your organisation is run securely, and that an independent party has tested it. This guide is the complete security-assurance checklist for a software vendor selling into the NHS: what each framework asks for, the order to tackle them in, and the dates that make them real.
What does selling software to the NHS actually require in 2026?
If you build software-based digital health technology and want an NHS Trust, Integrated Care Board or GP practice to buy it, you are not selling into a single gate. You are assembling an assurance pack that a procurement team assesses before they sign. The framework that pulls the pack together is NHS DTAC, the Digital Technology Assessment Criteria, the baseline NHS England buyers apply before they procure, deploy or recommend a product. It bundles five disciplines into one assessment: clinical safety, data protection, technical security, interoperability, and usability and accessibility.
One nuance: DTAC is required in practice to sell to the NHS, but it is not legally mandatory. It is advisory at national level and a de facto procurement threshold, so you will struggle to win NHS business without it even though no statute names it. The current form is DTAC version 2, published on 24 February 2026 and mandatory from 6 April 2026, after which the old form is retired. Two of its five sections, technical security and data protection, hold almost all the cyber evidence and are the focus of this checklist. For the full breakdown, see our guide to DTAC technical security: do you need Cyber Essentials, CE Plus or a pen test.
The 2024 to 2026 mandate timeline that changed the rules
The reason vendors feel the pressure is that the requirements stacked. No single law forces a penetration test on you, but a sequence of overlapping changes means that whichever NHS route you take, you arrive at the same evidence. These are the dated events worth tracking, because procurement teams cite them directly.
| When | Change | Why it matters to a software vendor |
|---|---|---|
| 24 Feb 2025 | PPN 014 effective | Cyber Essentials is required before contract award for central-government and NHS contracts, with Cyber Essentials Plus expected for higher-risk work. Renewed every 12 months. |
| 18 Sep 2025 | DSPT v8 published, CAF-aligned | The Data Security and Protection Toolkit moved from a tick-box exercise to outcome-based assessment against the NCSC Cyber Assessment Framework. Submission deadline is 30 June 2026. |
| 12 Nov 2025 | Cyber Security and Resilience Bill introduced to Parliament | Pulls NHS suppliers and managed service providers towards statutory scope. Still a Bill, with Royal Assent expected in 2026 to 2027, not yet law. |
| 5 Dec 2025 | G-Cloud 15: Cyber Essentials mandatory across all lots | Cyber Essentials Plus required for Lots 1a and 1b; subcontractors processing personal or OFFICIAL data also need certification. Anticipated award 17 September 2026. |
| 24 Feb 2026 | DTAC v2 published | Around 25% fewer questions, scope aligned to NICE for software-based digital health technologies. The form your NHS buyer now assesses you against. |
| 6 Apr 2026 | DTAC v2 becomes mandatory | The old form is retired. From this date every NHS DTAC assessment uses v2, so your evidence must be v2-aligned. |
| From 28 Apr 2026 | Cyber Essentials v3.3 assessments begin | Multi-factor authentication becomes mandatory for in-scope cloud services, with an auto-fail if it is missing. Your certificate must evidence MFA. |
| 30 Jun 2026 | CAF-aligned DSPT v8 submission deadline | If you process NHS patient data you submit annually. Category 2 IT suppliers face an independent assessment, conducted January to June 2026. |
Read across the table and one pattern stands out. Cyber Essentials appears under DTAC, PPN 014, G-Cloud 15 and as supporting evidence for DSPT. An annual penetration test appears under DTAC’s technical security section and under the CAF outcomes DSPT now expects. You are not buying eight different things. You are buying two recurring evidence artefacts, certification and testing, and presenting them to several frameworks.
The NHS software security-assurance checklist
Here is the practical order. Tackle these top to bottom: the early items are prerequisites the later ones reference, and front-loading them stops you discovering a gap on the day a buyer asks.
- ☐ Map your product against DTAC’s five sections. Confirm you are selling a software-based digital health technology in scope of the v2 form, then identify which evidence you hold and which you need to build.
- ☐ Achieve Cyber Essentials. A current, valid, IASME-validated certificate is required in DTAC’s technical security section and under PPN 014. From assessments on 28 April 2026 you must evidence MFA on in-scope cloud services or the assessment auto-fails.
- ☐ Decide whether you need Cyber Essentials Plus. The independently audited tier is expected for business-critical NHS systems, and required for some government routes such as G-Cloud 15 Lots 1a and 1b.
- ☐ Commission a penetration test on the live product. DTAC asks for evidence of penetration and vulnerability testing and its frequency. The norm is an annual external test, full architecture, OWASP Top 10, CVSS-scored, with remediation and a retest.
- ☐ Complete the DSPT if you process patient data. Now CAF-aligned and outcome-based. Category 2 IT suppliers face an independent assessment, submission due 30 June 2026.
- ☐ Evidence clinical safety under DCB0129 and DCB0160. Appoint a Clinical Safety Officer and produce the clinical risk management system, hazard log and safety case. A separate discipline, but requested in the same gate.
- ☐ Complete your Data Protection Impact Assessment. A finished DPIA satisfies most of DTAC’s data-protection section and underpins UK GDPR compliance.
- ☐ Scope ISO 27001 to your NHS data environment. If you cite it as supporting evidence, the certificate scope must cover the systems that process NHS data, not just a head-office function.
- ☐ Document the cadence. DTAC and the CAF both ask how often you test and recertify, so record your annual schedule and keep the latest report within twelve months.
The rest of this guide walks through the four cyber-heavy items: the ones a security partner delivers, and the ones most vendors underestimate.
DTAC technical security: Cyber Essentials, CE Plus and the pen test
DTAC’s technical security section is the commercial heart of the assessment for a software vendor. It asks for a defined set of evidence: a valid Cyber Essentials certificate, Cyber Essentials Plus where the system is business-critical, evidence of penetration and vulnerability testing with its frequency, multi-factor authentication, secure development practices, and vulnerability management. ISO 27001 is accepted as supporting evidence, provided its scope genuinely covers the NHS data-processing environment. The version 2 form shortens these questions by around a quarter, but the substance is unchanged: an assessor wants to see that an independent, credible party has tested your product and that you fixed what they found. CREST is the quality signal NHS assessors trust, so a DTAC-compatible report comes from a CREST member company. We cover what that report must contain in our guide to how to get a DTAC-compatible penetration test report.
Do you need Cyber Essentials or Cyber Essentials Plus?
Cyber Essentials is the baseline of five technical controls, self-assessed then verified. Cyber Essentials Plus keeps the same controls but adds a hands-on technical audit of a sample of your real devices and cloud services. For NHS work, base Cyber Essentials is the floor and CE Plus is expected once your product is business-critical or handles significant volumes of patient data. The same split appears in government procurement, which we explain in our guide to Cyber Essentials vs Cyber Essentials Plus for government contracts. One trap from 2026: holding CE Plus no longer automatically satisfies the DSPT multi-factor authentication item, so MFA must now be evidenced separately.
What a DTAC-grade penetration test looks like
A penetration test that satisfies DTAC and the wider NHS assurance stack is not a quick automated scan. In practice it covers the full solution architecture, the web application, the APIs, the supporting infrastructure and the mobile client where one exists, rather than a token sample. Findings are mapped to the OWASP Top 10 and scored with CVSS so severity is comparable, and the report sets out clear remediation followed by a retest that evidences the fixes. The cadence is documented as at least annual, because both DTAC and the CAF ask how often you test. That combination is what people mean by a DTAC-compatible report.
DSPT, the CAF and clinical safety: the rest of the pack
If your software processes identifiable patient or care data, you also complete the Data Security and Protection Toolkit each year. The key change is that DSPT is now aligned to the NCSC Cyber Assessment Framework, moving from a tick-box self-declaration to outcome-based assurance, where you prove your controls work rather than simply asserting them. Category 2 IT suppliers carry the heavier obligation of an independent assessment, conducted January to June 2026, with submission due by 30 June 2026. The CAF outcomes for testing expect an independent test, which is why the same annual penetration test you produce for DTAC does double duty. We cover the supplier obligations in our guide “DSPT is now CAF-aligned: what suppliers must do before 30 June 2026”.
Clinical safety sits alongside the cyber evidence rather than inside it. DCB0129 is the clinical risk management standard for manufacturers building health IT, and DCB0160 the equivalent for the organisation deploying it, with each side appointing a Clinical Safety Officer to own the hazard log and clinical safety case. A penetration testing firm does not deliver this, but buyers frequently request the clinical safety pack and the security pack together. Our explainer on DCB0129 and DCB0160 for digital health suppliers sets out who owns what. If your NHS route also runs through a government cloud framework, the G-Cloud 15 Cyber Essentials requirements for every lot determine whether you need base CE or CE Plus and whether your subcontractors need certifying.
First-hand: how we scope an NHS supplier engagement
The pattern we see most often is a digital-health SaaS vendor, typically a multi-tenant web application with an API layer and a managed cloud back end, asked by an NHS buyer for a pen test report “suitable for DTAC”. We start from the architecture, not a price list, mapping the in-scope components, then agree a grey-box approach so testers work with authenticated access. That choice is the genuinely consequential one: it surfaces the access-control and tenant-isolation issues that matter most in a multi-tenant health product, the failures a black-box scan never reaches. The deliverable is an executive summary plus a technical report with CVSS ratings and OWASP mapping, written so an NHS procurement reviewer can read it as DTAC evidence, with a retest once you have remediated. Cost follows scope, and the exact figure comes through the quote form below.
Why EJN Labs for NHS supplier security
EJN Labs fits this checklist because we deliver both recurring evidence artefacts in a single relationship: as a CREST member and an IASME-backed Cyber Essentials and Cyber Essentials Plus certification body, one engagement covers the whole technical-security half of DTAC rather than handing you off to a third party, with every test run by senior and principal practitioners. One honest boundary so you scope correctly: clinical safety under DCB0129 and DCB0160 is a separate clinical discipline we reference as context rather than deliver.
The service pages behind this work are our healthcare penetration testing page for the overall offer, our NHS DTAC penetration testing page for the technical security section, and our DSPT penetration testing page for the CAF-aligned test.
Frequently Asked Questions
What do I need to sell software to the NHS in 2026?
To sell software to the NHS you assemble an assurance pack that a buyer assesses through NHS DTAC. The core security evidence is a current Cyber Essentials certificate (Cyber Essentials Plus for business-critical systems), an annual penetration test mapped to OWASP and scored with CVSS, a CAF-aligned DSPT if you process patient data, and clinical safety evidence under DCB0129 and DCB0160. DTAC v2 became mandatory on 6 April 2026.
Is NHS DTAC legally mandatory?
No. DTAC is advisory at national level rather than statutorily mandatory, but it is required in practice to sell to the NHS. NHS buyers such as Trusts, Integrated Care Boards and GP practices apply it as a baseline assurance threshold before they procure or deploy a product, so it is near-impossible to win NHS business without demonstrating DTAC compliance. The current form, DTAC v2, became mandatory on 6 April 2026.
Do I need Cyber Essentials, Cyber Essentials Plus or both for the NHS?
A current, valid Cyber Essentials certificate is required in DTAC’s technical security section. Cyber Essentials Plus, the independently audited tier, is expected for business-critical or higher-risk NHS systems and is required for some government routes such as G-Cloud 15 Lots 1a and 1b. From assessments on 28 April 2026 you must also evidence multi-factor authentication on in-scope cloud services, and CE Plus alone no longer auto-satisfies the DSPT MFA item.
Does DTAC require a penetration test?
DTAC’s technical security section asks for evidence that vulnerability and penetration testing has been conducted on your product and at what frequency, so a test is required as evidence in practice. The established market norm is an annual external test covering the full solution architecture, mapped to the OWASP Top 10, scored with CVSS, with clear remediation and a retest. A report delivered by a CREST member company is the quality signal NHS assessors recognise.
How much does a DTAC-ready penetration test cost?
UK penetration testing is priced on a flat day rate of around £1,200 to £1,300, so the total depends on scope complexity, meaning the number of tester days, rather than on seniority, because all our testing is delivered by senior and principal practitioners. A focused web application and API test runs to a small number of days, while a full multi-application architecture runs longer. We provide an exact, scoped figure through the quote form rather than a fixed headline number.
What is the difference between DTAC and DSPT?
DTAC is a per-product assessment that an NHS buyer applies before procuring or deploying your software, covering clinical safety, data protection, technical security, interoperability and usability. DSPT is an annual organisation-level data-security self-assessment, now aligned to the NCSC Cyber Assessment Framework, that any organisation handling identifiable NHS data completes. They overlap on security evidence, and the same annual penetration test typically supports both.
Get a DTAC-ready penetration test quote
Tell us your product architecture, your web application, APIs, cloud footprint and any mobile client, and we will return a fixed-price quote for a CREST-delivered penetration test written as DTAC evidence, with OWASP mapping, CVSS scoring and a retest. We can also scope your Cyber Essentials or Cyber Essentials Plus certification in the same conversation, so the technical-security half of your NHS assurance pack is covered in one engagement. No obligation, just a clear figure.