--- type: source title: "NHS DTAC V2 (February 2026): Updated Form With 25% Fewer Questions, Mandatory From April 6, 2026" author: "NHS England / Periculo Cyber / Acorn Compliance" url: https://www.periculo.co.uk/cyber-security-blog/dtac-version-2-what-digital-health-organisations-need-to-know-before-6th-april-2026 date: 2026-02-24 domain: health secondary_domains: [] format: news status: enrichment priority: low tags: [nhs-dtac, regulatory-compliance, digital-health, uk-healthcare, clinical-ai-safety, belief-5] processed_by: vida processed_date: 2026-03-24 extraction_model: "anthropic/claude-sonnet-4.5" --- ## Content NHS England published an updated DTAC form on February 24, 2026. Key changes: **What changed:** - 25% reduction in questions - De-duplicated with: DSPT (Data Security and Protection Toolkit) and pre-acquisition questionnaire - Clearer guidance on DTAC's purpose, scope, and how to complete assessments **What DIDN'T change:** - The five core DTAC domains: Clinical Safety, Data Protection, Technical Security, Interoperability, Usability & Accessibility - The substantive clinical safety requirements (DCB0129/DCB0160) - The requirement for all NHS digital health tool procurement to use DTAC assessment **Implementation:** - Previous version NOT to be used from April 6, 2026 onwards - Suppliers already on NHS supplier registries must transition to new form **This is a PROCEDURAL update, not a new substantive requirement.** The compliance bar for clinical AI tools has not been raised or lowered — it's been streamlined. Source also: Periculo Cyber (cyber security compliance specialists), Acorn Compliance (healthtech compliance), NHS Transformation Directorate guidance portal. ## Agent Notes **Why this matters (or why it matters less than I anticipated):** When researching the "April 6 deadline" from Session 11, I expected to find new substantive requirements. Instead, it's a form update — 25% fewer questions, better documentation. This is administrative streamlining, not a regulatory tightening. The "mandatory" framing in NHS communications made this sound like a new compliance gate; it's actually just a form swap. **What surprised me:** The de-duplication with DSPT and pre-acquisition questionnaire. This reduces friction for suppliers completing DTAC — it makes compliance EASIER, not harder. This partially undermines the "regulatory pressure forcing OE to disclose safety data" thesis from Session 11 — DTAC V2 is less burdensome, not more. **What I expected but didn't find:** New Annex-III-style requirements for clinical AI specifically. The DTAC V2 update is general digital health governance (applies to apps, devices, platforms) — there's no AI-specific clinical safety update analogous to EU AI Act's Annex III. That remains a gap in UK regulation. **KB connections:** - This corrects an overstatement from Session 11: "NHS DTAC V2 is a mandatory clinical safety standard" is accurate but the "April 6, 2026 deadline" was framed as more consequential than it is - The substantive compliance requirement is DCB0160 (clinical safety risk assessment) — unchanged - The real regulatory pressure comes from the supplier registry (January 2026) and NHS procurement requirements — not DTAC V2 specifically - Does NOT represent a new forcing function for OE safety disclosure; suppliers already using previous DTAC form just switch forms **Extraction hints:** - Do NOT create a standalone claim for "DTAC V2 creates new compliance requirements" — it doesn't - The relevant claim is already in the KB or in the supplier registry source: "NHS procurement of digital health tools requires DTAC assessment + clinical safety case (DCB0160)" - This source is primarily a CORRECTION of Session 11's slightly elevated framing of the April 6 deadline **Context:** Multiple compliance advisory firms (Periculo, Acorn) confirm this interpretation — DTAC V2 is an administrative update, not a new compliance threshold. ## Curator Notes PRIMARY CONNECTION: Session 11 regulatory track finding — corrects overstatement about April 6 deadline significance WHY ARCHIVED: Prevents future sessions from treating the DTAC V2 April 6 deadline as a major regulatory event — it's a form update, not a new substantive requirement EXTRACTION HINT: Do not extract as a standalone claim; use as context correction for Session 11 regulatory track framing ## Key Facts - NHS DTAC V2 published February 24, 2026 - DTAC V2 has 25% fewer questions than V1 - DTAC V2 de-duplicates with DSPT (Data Security and Protection Toolkit) and pre-acquisition questionnaire - DTAC V2 mandatory from April 6, 2026 - Five core DTAC domains unchanged: Clinical Safety, Data Protection, Technical Security, Interoperability, Usability & Accessibility - DCB0129/DCB0160 clinical safety requirements unchanged - Previous DTAC version not to be used from April 6, 2026 onwards