    Frequently Asked Questions: NHS Medical Device Compliance

    Navigating NHS and UK healthcare compliance as a medical device manufacturer or digital health supplier can be complex. To help, we’ve compiled a detailed FAQ covering all the essential frameworks: UKCA marking, MHRA registration, DTAC, DSPT, ISO 13485, Cyber Essentials, and ORCHA Accreditation.


    UKCA Marking & MHRA Registration

    What is UKCA marking?
    UKCA (UK Conformity Assessed) is the UK’s replacement for CE marking after Brexit. It confirms that a medical device meets the applicable UK regulatory requirements.

    Do I still need CE marking for the UK?
    CE marking is accepted in Great Britain until 30 June 2030, but all devices must also be registered with the MHRA. UKCA will become mandatory for all devices placed on the market in Great Britain after that date.

    Who needs to register with the MHRA?
    Any organisation placing medical devices on the UK market—including manufacturers, authorised representatives, and importers—must register with the MHRA.

    What is a UK Responsible Person (UKRP)?
    If you’re based outside the UK (including the EU), you must appoint a UK Responsible Person to handle your MHRA registration and regulatory compliance obligations.

    📎 Read our full article on UKCA and MHRA

    Digital Technology Assessment Criteria (DTAC)

    Is DTAC mandatory?
    DTAC is not currently mandatory by law, but NHS procurement teams widely require it for digital health technologies, and it is becoming a de facto standard.

    What products require DTAC compliance?
    Any app, software, or connected device used by NHS staff or patients, especially those processing personal or health data.

    What are the five DTAC domains?

    • Clinical safety
    • Data protection
    • Technical security
    • Interoperability
    • Usability and accessibility

    Do I need Cyber Essentials for DTAC?
    Yes, a valid Cyber Essentials certificate is a baseline requirement for DTAC technical security compliance.

    📎 Explore DTAC support services

    Data Security and Protection Toolkit (DSPT)

    What is DSPT?
    The Data Security and Protection Toolkit is an annual self-assessment required for any organisation accessing NHS patient data or systems.

    Who needs to complete DSPT?
    All healthcare suppliers, technology vendors, and partners handling NHS data must complete and submit DSPT annually by 30 June.

    What are the key DSPT requirements?

    • Staff training
    • Incident response planning
    • Data protection policies
    • Cybersecurity controls
    • Use of supported software and antivirus

    How do I register for DSPT?
    You can register via the NHS DSPT Portal using your Organisation Data Service (ODS) code.

    📎 Read our full DSPT guide

    ISO 13485 – Quality Management Systems for Medical Devices

    What is ISO 13485?
    It’s an international standard for quality management systems specific to the medical device industry, supporting consistent compliance and product safety.

    Is ISO 13485 mandatory in the UK?
    Not by law, but it is strongly recommended for manufacturers, especially when seeking UKCA marking and engaging with NHS procurement.

    Who needs ISO 13485?

    • Device manufacturers
    • OEMs and contract developers
    • Software providers for medical devices
    • Distributors and component suppliers

    How long does certification take?
    Typically 3–6 months, depending on your organisation’s readiness and the complexity of your products and processes.

    📎 ISO 13485 consultancy at JVR

    Cyber Essentials & Cyber Essentials Plus

    What is Cyber Essentials?
    A UK government-backed scheme that defines basic cyber security controls to protect organisations from common threats. It’s a requirement for DTAC and supports DSPT compliance.

    What is the difference between Cyber Essentials and Cyber Essentials Plus?

    • Cyber Essentials: Self-assessment verified by a certifying body
    • Cyber Essentials Plus: Includes independent technical testing

    Do I need to renew it annually?
    Yes, both certifications are valid for 12 months and must be renewed annually.

    📎 Cyber Essentials certification help

    ORCHA Accreditation

    What is ORCHA?
    The Organisation for the Review of Care and Health Applications (ORCHA) reviews digital health apps for clinical safety, data protection, and usability. ORCHA is used by NHS Trusts and clinicians to find trusted apps.

    Is ORCHA Accreditation mandatory?
    No, but it’s a valuable trust mark that can increase NHS adoption and visibility in NHS App Libraries.

    What does ORCHA assess?

    • Clinical assurance
    • Data privacy
    • Usability and accessibility
    • Compliance with UK GDPR and DCB0129 (if applicable)

    How long does the process take?
    Typically 4–6 weeks depending on the quality and readiness of your documentation and product.

    📎 Read more about ORCHA Accreditation

    Still Have Questions?

    At JVR Consultancy, we help suppliers, developers, and manufacturers across the UK, EU, and internationally to understand, implement, and comply with these vital frameworks.

    📞 Contact us today
    Let us simplify the complex and get you NHS-ready, fast.

    Matt Whiteman