Building for the NHS: What HealthTech Startups Need Before They Apply to NHS Digital

In this guide, you’ll learn:
- DCB0129 compliance is mandatory; you must appoint a Clinical Safety Officer (CSO).
- Digital Technology Assessment Criteria (DTAC) is the 'passport' to NHS procurement.
- Data security must be validated via the annual DSPT (Data Security and Protection Toolkit).
- NHS Login integration is standard for patient-facing digital health apps.
The Gold Standard of Digital Health: The NHS
Entering the NHS (UK National Health Service) market is often considered the peak of clinical validation globally. However, the path to procurement is blocked by rigorous technical and safety barriers. In 2026, the baseline for entry has become even more sophisticated.
Success in the UK market isn't just about build quality; it is about Assurance. The NHS doesn't just buy "features"; they buy evidence of clinical safety and data protection.
The Essential Trio: DTAC, DSPT, and DCB
1. DTAC (Digital Technology Assessment Criteria)
The DTAC is now the primary metric for assessing newly launched digital health technologies. If you don't pass the DTAC, you cannot be procured by a Trust. It covers five key areas:
- Clinical Safety: Evidence of DCB0129 compliance.
- Data Protection: Alignment with GDPR and ICO (Information Commissioner's Office) guidelines.
- Technical Security: Cyber Essentials Plus certification is practically mandatory.
- Interoperability: Proof that you use open standards (FHIR) to speak to other NHS systems.
- Usability: Adherence to WCAG 2.1 accessibility standards and the NHS digital service manual.
2. DSPT (Data Security and Protection Toolkit)
To handle and share patient data within the NHS, your organization must complete an annual self-assessment of its policies and technical controls.
- The Challenge: Completing the DSPT is not a "quick form." It requires proof of system-wide encryption, staff training records, and data breach incident response plans that are actually tested.
3. DCB0129: Clinical Safety Risk Management
This is where most software startups struggle. DCB0129 requires your company to manage clinical risk.
- Requirement: You must appoint a Clinical Safety Officer (CSO)—a healthcare professional—to work with your engineers.
- The Output: A Clinical Safety Case Report and a Hazard Log that identify every possible way your software could harm a patient and how you have mitigated that risk.
Pro Tip: Clinical Safety is Engineering
Clinical safety (DCB0129) is not a 'clinical job.' It is an engineering requirement. Your developers must be able to explain how the data validation logic that prevents a double prescription is a safety control, and point to the hazard it mitigates.
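As an added illustration (not code from the article or from SanoWorks), here is what such a control looks like when it is written to be cited in a Hazard Log: the duplicate-prescription check refuses an overlapping prescription for the same patient and medication and reports the hazard reference it mitigates, so the safety case can trace control to hazard. The hazard ID, medication codes and patient IDs are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Placeholder hazard-log reference (constructed): a real DCB0129 hazard log
# would carry its own ID for the "duplicate prescription" hazard.
HAZARD_DUPLICATE_PRESCRIPTION = "HAZ-PLACEHOLDER-001"


@dataclass(frozen=True)
class Prescription:
    patient_id: str
    med_code: str   # medication identifier; sample values below are constructed
    start: date
    end: date       # inclusive last day on which the prescription is active


@dataclass(frozen=True)
class SafetyCheckResult:
    allowed: bool
    hazard_ref: Optional[str]   # hazard this control mitigated, for the safety case
    reason: Optional[str]


def _overlaps(a: Prescription, b: Prescription) -> bool:
    # Two inclusive date ranges overlap unless one ends before the other starts.
    return a.start <= b.end and b.start <= a.end


def check_duplicate_prescription(new: Prescription, active: List[Prescription]) -> SafetyCheckResult:
    """Safety control: reject a prescription that duplicates one already active
    for the same patient and medication over an overlapping period."""
    for existing in active:
        if existing.patient_id != new.patient_id:
            continue  # another patient's record can never be a duplicate here
        if existing.med_code == new.med_code and _overlaps(existing, new):
            return SafetyCheckResult(
                allowed=False,
                hazard_ref=HAZARD_DUPLICATE_PRESCRIPTION,
                reason=f"{new.med_code} already active {existing.start} to {existing.end}",
            )
    return SafetyCheckResult(allowed=True, hazard_ref=None, reason=None)


# Constructed sample data so the check can be run stand-alone.
ACTIVE = [Prescription("P001", "MED-A", date(2026, 1, 1), date(2026, 1, 28))]
NEW_DUPLICATE = Prescription("P001", "MED-A", date(2026, 1, 20), date(2026, 2, 16))
NEW_AFTER_END = Prescription("P001", "MED-A", date(2026, 2, 1), date(2026, 2, 28))
NEW_OTHER_PATIENT = Prescription("P002", "MED-A", date(2026, 1, 20), date(2026, 2, 16))
```

A unit test that exercises the overlapping, non-overlapping and other-patient cases is the kind of evidence the Clinical Safety Case Report can cite for this control.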
Engineering Checklist for UK Launch
- HSCN Connectivity: Does your cloud infrastructure (AWS London or Azure UK South) need a connection to the Health and Social Care Network?
- NHS Login: Have you implemented OpenID Connect (OIDC) integration for patient authentication via NHS Login?
- UK Data Residency: Have you verified that all UK patient data (including backups and logs) stays strictly within UK sovereign borders?
- FHIR UK Core: Is your API compatible with the 'FHIR UK Core' profiles specifically used by the NHS for patient demographics?
4. Interoperability & The Spine
The NHS is moving toward a "plug-and-play" architecture. To succeed, your platform should be designed to push data to the NHS Spine via the National Integration Adaptor. This ensures that a GP can see a summary of what happened on your platform in their own system (like EMIS or TPP).
Frequently Asked Questions
Partnering for NHS Delivery
At SanoWorks, we’ve helped numerous startups from the US and GCC navigate the specialized hurdles of the UK market. We don't just "build apps"; we build compliant technical foundations that pass the DTAC on the first submission. Our leads have decades of experience in UK digital health standards.