Guide · Advanced

DSPT and clinical safety standards for healthcare tender bids

Data Security and Protection Toolkit, DCB0129, DCB0160. What NHS buyers expect and when.

The National Health Service runs on data. Every patient record, test result, and appointment booking flows through digital systems. When NHS buyers evaluate tenders for healthcare IT, they are not just buying software. They are buying assurance. They need absolute certainty that your system will not leak patient data and will not cause clinical harm. If your bid response cannot prove this, you will not win the contract.

This guide explains the three critical compliance frameworks that govern NHS digital health procurement: the Data Security and Protection Toolkit (DSPT), DCB0129, and DCB0160. It details what NHS buyers look for in your tender response, when these standards apply, and how to structure your evidence. By understanding the relationship between supplier obligations and buyer responsibilities, you can write bids that make it easy for the NHS to choose you.

What this guide covers

  • The Data Security and Protection Toolkit (DSPT) and the June submission deadline.
  • The difference between DCB0129 (for manufacturers) and DCB0160 (for deployers).
  • The role of the Clinical Safety Officer (CSO) and the required safety documents.
  • How the Digital Technology Assessment Criteria (DTAC) unifies these standards.
  • A worked example of a clinical safety method statement.
  • Common mistakes suppliers make in healthcare IT tenders.

The Data Security and Protection Toolkit (DSPT)

The Data Security and Protection Toolkit (DSPT) is an annual online self-assessment. It allows organisations to measure their performance against the National Data Guardian’s ten data security standards. If your organisation processes NHS patient data or provides IT systems to the NHS, completing the DSPT is a mandatory contractual requirement under the NHS Standard Contract.

NHS buyers check your DSPT status during the procurement process. Your organisation must achieve a "Standards Met" status. If your status is "Not Published" or "Standards Not Met", NHS organisations cannot lawfully continue using your services, and you will be blocked from winning new contracts.

Categories and the Cyber Assessment Framework

The DSPT classifies organisations into different categories, which determines the specific assessment they must complete. For the 2025-2026 cycle, large IT suppliers (Category 2) and Operators of Essential Services must complete the DSPT using the National Cyber Security Centre’s Cyber Assessment Framework (CAF).

Category 2 IT suppliers are defined as external organisations that supply digital goods and services to the NHS with 50 or more staff and a turnover exceeding £10 million. For these suppliers, the CAF DSPT requires a mandatory independent audit covering specific evidence items. They must also submit a baseline assessment by 31 December 2025, ahead of the final deadline.

Smaller digital health companies and software providers (Category 3) complete the non-CAF DSPT. This involves responding to 35 assertions and providing 42 mandatory evidence items. Despite the lighter assessment, they are still required to complete an independent audit.

The 30 June deadline

The annual deadline for DSPT submission is 30 June. Treating the DSPT as a last-minute tick-box exercise in June is a critical error. The assessment requires input from IT, HR, operations, and procurement departments. You must provide evidence of penetration testing, staff training, business continuity plans, and supplier due diligence. Gathering this evidence takes months, not days.

In your tender responses, state clearly that you maintain a "Standards Met" DSPT status and provide your ODS (Organisation Data Service) code so buyers can verify it on the public DSPT tracker.

The table below summarises the key DSPT obligations by supplier category for the 2025-2026 cycle.

| Category | Who it covers | Assessment framework | Independent audit | Deadline |
|---|---|---|---|---|
| Category 1 | NHS Trusts, ICBs, Arm's Length Bodies (ALBs) | CAF DSPT | Mandatory | 30 June 2026 |
| Category 2 (CAF) | Operators of Essential Services (OES), Independent Providers | CAF DSPT | Mandatory | 30 June 2026 |
| Category 2 (non-CAF) | IT Suppliers (50+ staff or £10M+ turnover) | National Data Guardian standards | Mandatory | 30 June 2026 |
| Category 3 | Smaller digital health companies, software providers | National Data Guardian standards | Mandatory | 30 June 2026 |
| Category 4 | General Practitioners | National Data Guardian standards | Not mandatory | 30 June 2026 |

Clinical Safety Standards: DCB0129 and DCB0160

While the DSPT covers data security, DCB0129 and DCB0160 cover patient safety. Issued by NHS England under Section 250 of the Health and Social Care Act 2012, these two clinical risk management standards are legally mandated for health IT systems.

They are designed to ensure that software used in healthcare does not cause patient harm. The standards are distinct but interdependent: DCB0129 applies to the manufacturer, while DCB0160 applies to the deploying organisation. NHS England is currently conducting a strategic review of both standards to ensure they remain current and practical, but they remain fully in force during this review period.

The table below summarises the key differences between the two standards.

| | DCB0129 | DCB0160 |
|---|---|---|
| Who it applies to | The manufacturer or developer of the health IT system | The healthcare organisation deploying and using the system |
| Core obligation | Conduct clinical risk assessment of the product | Conduct clinical risk assessment of the local deployment |
| Key documents | Clinical Risk Management Plan, Hazard Log, Clinical Safety Case Report | Clinical Risk Management Plan, Hazard Log, Clinical Safety Case Report |
| CSO requirement | Mandatory — must be a registered clinician | Mandatory — must be a registered clinician |
| Relationship | Baseline documentation for the deployer | Built on top of the manufacturer's DCB0129 documentation |

DCB0129: The manufacturer's obligation

DCB0129 (Clinical Risk Management: its Application in the Manufacture of Health IT Systems) requires suppliers to conduct a clinical risk assessment of their product. You must identify potential hazards, evaluate the clinical risk, and implement controls to mitigate those risks to an acceptable level.

To comply with DCB0129, you must produce and maintain three core documents:

  1. Clinical Risk Management Plan (CRMP): This document details your organisation's governance framework for clinical safety. It explains how you will manage clinical risk throughout the product lifecycle, from design and development to deployment and decommissioning.
  2. Hazard Log: This is a dynamic register of all identified clinical hazards associated with your product. For each hazard, the log records the potential clinical impact, the initial risk score, the mitigations implemented, and the residual risk score.
  3. Clinical Safety Case Report (CSCR): This is a structured argument, supported by evidence, demonstrating that your product is safe for deployment. It summarises the findings of the hazard log and justifies the residual risks.

The Clinical Safety Officer (CSO)

DCB0129 requires you to appoint a Clinical Safety Officer (CSO). The CSO oversees the clinical risk management process, leads hazard workshops, and signs off on the CRMP, Hazard Log, and CSCR.

The CSO must be a senior clinician with current registration with a professional body, such as the General Medical Council (GMC) or the Nursing and Midwifery Council (NMC). They must also have sufficient training and experience in clinical risk management. A software developer with a background in healthcare cannot act as the CSO unless they hold a current clinical registration. If you do not have a suitable clinician in-house, you can contract an independent CSO.

DCB0160: The deployer's obligation

DCB0160 (Clinical Risk Management: its Application in the Deployment and Use of Health IT Systems) applies to the NHS organisation buying and deploying your software.

The buyer must conduct their own clinical risk assessment based on how they intend to configure, integrate, and use your product within their specific clinical environment. They must produce their own CRMP, Hazard Log, and CSCR, signed off by their own CSO.

This is where many suppliers fail in their tenders. The buyer cannot complete their DCB0160 assessment without your DCB0129 documentation. Your DCB0129 Hazard Log and CSCR form the baseline for their risk assessment. If your documentation is generic, incomplete, or missing, the buyer assumes the clinical risk. NHS buyers have a very low tolerance for digital risk. If you make it difficult for them to comply with DCB0160, they will reject your bid.

Digital Technology Assessment Criteria (DTAC)

The Digital Technology Assessment Criteria (DTAC) is the national baseline assessment for digital health technologies entering the NHS. It consolidates various standards and policies into a single framework, giving buyers a consistent way to evaluate suppliers.

In most NHS IT procurements, a valid DTAC evidence file is a threshold requirement. The DTAC assesses products across five core areas:

  1. Clinical safety: This section verifies your compliance with DCB0129. You must provide your CRMP, Hazard Log, and CSCR, and confirm the details of your CSO.
  2. Data protection: This section verifies your DSPT status and checks your Data Protection Impact Assessment (DPIA), privacy notices, and data processing agreements.
  3. Technical security: This section requires proof of Cyber Essentials Plus certification, penetration testing, and compliance with the Software Security Code of Practice.
  4. Interoperability: This section evaluates how your product integrates with other NHS systems, requiring justification for your chosen APIs and data standards.
  5. Usability and accessibility: This section checks your compliance with the Web Content Accessibility Guidelines (WCAG 2.2 AA) and the Accessible Information Standard.

The 2026 DTAC update

NHS England refreshed the DTAC form in early 2026. The updated version reduces duplication with the DSPT and the Pre-Acquisition Questionnaire (PAQ) for medical devices. It introduces a decision tree to help suppliers determine if their product is a medical device and clarifies the boundaries between DTAC and UK Medical Device Regulations.

The update also removes the requirement for the CSO to have completed specific NHS Digital training, relying instead on their professional registration and clinical experience. However, the expectations for technical security and data protection have increased, reflecting the growing threat of ransomware attacks on the NHS supply chain.

The NHS Cyber Security Supply Chain Charter

In addition to the DSPT and DTAC, NHS England introduced the Cyber Security Supply Chain Charter. This sets out eight mandatory expectations for suppliers, including:

  • Maintaining DSPT "Standards Met" status without lapse.
  • Enforcing Multi-Factor Authentication (MFA) across all systems, with no exceptions for remote access.
  • Applying critical security patches within 14 days.
  • Maintaining immutable, offline backups.
  • Implementing 24/7 cyber threat monitoring.

Procurement teams evaluate compliance with these charter expectations during the tender process. Failing to demonstrate these foundational controls will result in your bid being disqualified.

How NHS buyers score clinical safety questions

Understanding what NHS evaluators are looking for is as important as understanding the standards themselves. In a typical healthcare IT tender, clinical safety questions appear in the technical quality envelope and are scored on a weighted basis. The weighting varies by buyer, but clinical safety questions in high-risk clinical systems commonly carry 15 to 25 percent of the total quality score.

NHS evaluators are trained to look for evidence, not assertions. A response that states "We comply with all relevant clinical safety standards" without supporting documentation will typically score in the bottom band. A response that names the CSO, references specific hazards, and explains the handover process for DCB0160 will score in the top band.

The table below shows a typical scoring rubric for a clinical safety method statement question, based on the standard quality scoring bands used across NHS procurement.

| Score | Descriptor | What evaluators typically see |
|---|---|---|
| 0 | Unacceptable | No evidence of DCB0129 compliance; CSO not named; no hazard log referenced |
| 1 | Poor | Generic compliance statement; CSO named but credentials not confirmed; no DCB0160 support offered |
| 2 | Acceptable | DCB0129 documents referenced; CSO credentials confirmed; basic DCB0160 support mentioned |
| 3 | Good | Version-specific hazard log provided; CSO credentials confirmed; structured DCB0160 handover plan described |
| 4 | Excellent | All of the above, plus evidence of continuous improvement, post-deployment safety monitoring, and proactive engagement with the buyer's clinical governance team |

The distinction between a score of 2 and a score of 4 is almost always the specificity of the evidence and the degree to which the supplier has thought about the buyer's workload. A buyer reading your response should be able to see exactly how they will achieve DCB0160 sign-off before go-live, without having to ask follow-up questions.

Worked example

When an NHS tender asks how you ensure clinical safety, a one-line answer stating "We are DCB0129 compliant" will score poorly. You must demonstrate your methodology, reference your CSO, and show how your DCB0129 documentation supports the buyer's DCB0160 obligations.

Here is an illustrative example of a strong response to a clinical safety method statement question:

Question: Detail your approach to clinical risk management and how you will support the Trust in meeting its DCB0160 obligations during the deployment of the proposed solution.

Response Extract:

Our clinical risk management system is governed by our DCB0129 Clinical Risk Management Plan (CRMP), which dictates safety activities across the product lifecycle. This process is led by our appointed Clinical Safety Officer, Dr. Sarah Jenkins (GMC 7654321), who brings 12 years of acute clinical experience and holds formal certification in health IT risk management.

For the proposed deployment, we have conducted a comprehensive risk assessment specific to Version 3.2 of our platform. Dr. Jenkins facilitated three hazard workshops involving our lead developers, UX designers, and external clinical advisors. We identified 14 potential clinical hazards, including the risk of delayed alert transmission due to network latency.

All identified hazards are documented in the attached DCB0129 Hazard Log (Appendix A). We have implemented technical and process mitigations for each hazard, reducing all residual risk scores to an acceptable level (score of 3 or below). The justification for these mitigations is detailed in our Clinical Safety Case Report (CSCR) (Appendix B).

We recognise that the Trust must complete its own DCB0160 assessment. Upon contract award, Dr. Jenkins will schedule a handover workshop with the Trust's CSO. We will provide our native Hazard Log files and assist the Trust in mapping our baseline hazards to your specific local configuration and clinical workflows, ensuring a seamless and compliant DCB0160 sign-off prior to go-live.

Common mistakes

NHS buyers review hundreds of tenders. They quickly identify suppliers who treat clinical safety and data security as an afterthought. Avoid these common mistakes to improve your win rate:

  • Failing to appoint a qualified CSO.

A common error is naming a project manager or a developer as the Clinical Safety Officer. The CSO must hold a current clinical registration (e.g., GMC, NMC) and have relevant clinical experience. If your CSO does not meet these criteria, your DCB0129 documentation is invalid. If you lack internal clinical staff, engage an independent CSO early in the development cycle.

  • Submitting generic safety documents.

Providing a boilerplate Hazard Log that does not reflect the specific features, integrations, or version of the software being procured is a red flag. Your DCB0129 documentation must be specific to the product version you are pitching. Buyers need to see that you have assessed the actual risks of the current deployment.

  • Ignoring the buyer's DCB0160 burden.

Suppliers often focus entirely on their own DCB0129 compliance and ignore the buyer's DCB0160 responsibilities. A winning bid explicitly acknowledges the buyer's workload and offers practical support—such as joint hazard workshops and native file formats—to help the Trust's CSO complete their assessment.

  • Treating the DSPT as a June tick-box exercise.

Rushing the DSPT submission in the weeks before the 30 June deadline leads to inaccurate assertions and missing evidence. NHS buyers check the DSPT tracker. If your status shows a history of late submissions or lapsed compliance, buyers will doubt your operational maturity. Embed DSPT evidence gathering into your monthly governance processes.

  • Confusing DCB0129 with Medical Device Regulations.

Some suppliers assume that if their software is not classified as a Medical Device under UK regulations, DCB0129 does not apply. This is incorrect. DCB0129 applies to health IT systems that influence clinical care, regardless of their medical device status. Use the NHS England decision tree to confirm applicability, but default to compliance if your system touches patient pathways.

  • Lacking Cyber Essentials Plus.

Suppliers often submit bids with basic Cyber Essentials or offer ISO 27001 as an alternative. NHS Supply Chain mandates Cyber Essentials Plus, which requires independent technical verification. ISO 27001 is excellent for governance, but it does not replace the specific technical controls verified by Cyber Essentials Plus. Secure the Plus certification before you bid.

Frequently asked questions

Do we need Cyber Essentials Plus if we have ISO 27001?

Yes. NHS procurement policies mandate Cyber Essentials Plus for suppliers handling patient data or providing IT systems. While ISO 27001 demonstrates a strong information security management system, it does not replace the independent technical vulnerability scanning required by Cyber Essentials Plus. You should hold both.

What happens if we miss the DSPT submission deadline?

If you miss the 30 June deadline, your organisation's status on the public DSPT tracker will change to "Not Published" or "Standards Not Met." This constitutes a breach of the NHS Standard Contract. Existing customers may suspend your services, and you will be blocked from winning new NHS tenders until compliance is restored.

Can we use an external Clinical Safety Officer?

Yes. Many digital health SMEs contract independent Clinical Safety Officers. This is a practical solution if you do not employ senior clinicians. The external CSO will review your product, lead hazard workshops, and sign off your DCB0129 documentation, providing the necessary clinical governance.

Does the DTAC replace DCB0129 and the DSPT?

No. The Digital Technology Assessment Criteria (DTAC) is an umbrella framework. To pass the clinical safety section of the DTAC, you must provide your DCB0129 documentation. To pass the data protection section, you must provide your DSPT status. The DTAC brings these requirements together; it does not replace them.

Does DCB0129 apply to administrative software?

It depends on the software's function. If the administrative software influences real-time or near-real-time direct patient care (e.g., an appointment booking system that prioritises urgent cases), DCB0129 applies. If it is purely for back-office functions like payroll or population-level statistical reporting, it may fall out of scope. However, NHS England strongly recommends adopting the standard as best practice regardless.
