Content and expertise verified in partnership with Holly Ward at Oxtavia
NHS DTAC, ISO 27001, SOC 2: the digital health compliance roadmap that doesn’t cost £200k
If you’re building a digital health product for the NHS and you’ve asked a consultancy what ISO 27001 certification costs, you’ve probably been quoted somewhere in the £120k–200k range. That number is real — but it’s not what compliance has to cost.
Step 1: ICO registration and GDPR fundamentals — your legal obligation, done in days
ICO registration is a legal obligation if you’re processing personal data — do it first; it takes minutes. Then get your GDPR basics in place: a privacy policy, a documented lawful basis for processing, and data processing agreements with any third parties. This takes 2–3 weeks of focused work and doesn’t require a consultant.
Step 2: Cyber Essentials — cheap, fast, and required for most public sector work
Cyber Essentials costs £300–£500 and takes about a fortnight. It signals basic security hygiene to every funder and NHS partner you’ll meet.
Step 3: DTAC — build toward it before a trust asks for it
The Digital Technology Assessment Criteria (DTAC) is increasingly non-negotiable for NHS adoption. If you’ve already done Cyber Essentials and your GDPR basics, you’ve covered a significant portion of it. The beauty of DTAC is that it’s self-asserted and only needs updating when things in the business change or certificates are renewed. A strong operational lead can complete it in half a week.
Step 4: ISO 27001 — a serious commitment, but it doesn’t have to be a £200k one
The standard can be self-implemented by a founder or operational lead who’s willing to learn the framework, build the documentation, and run the internal audits. With someone working on it around 80% of their week, expect about 12 weeks to get certification-ready. The certification audit itself costs £5k–15k — and can be cheaper still if you use accredited auditors outside the UK. The expensive part has always been the consultants, not the certification.
Step 5: SOC 2 — once you’ve done ISO, you’re about 80% there
The overlap between the two frameworks is substantial. If you’re targeting US markets, SOC 2 Type II becomes important — but if you’ve already built your information security management system for ISO 27001, you’re most of the way there.
MHRA: Medical device classification — know what class you are early
This is one of the most consequential decisions in healthtech, and getting it wrong — or discovering late that you need a classification you didn’t plan for — is one of the most expensive retroactive fixes. Companies either need an MHRA classification and don’t know the correct class, or believe they need to be a medical device when they actually don’t. Either mistake costs time, money, and ongoing monitoring overhead. For MHRA Class 1, expect around 20 weeks of work with a consultant guiding you through it while you do the actual implementation.
The honest question: can a founder really do this themselves?
The answer is yes — but the real constraint isn’t capability, it’s time. A founder’s job is fundraising and pipeline. Your first 100 sales should come from you, not from someone else while you’re writing information security documentation. Most founders who’ve done this successfully had someone else driving compliance — whether that’s a strong early hire, a co-founder with operational instincts, or an advisor who knows the frameworks. The key qualities: organised, comfortable working across multiple domains, and capable of tracking renewal dates so nothing falls through the cracks.
The principle: do the cheap things now (ICO, GDPR, Cyber Essentials), plan the serious things around your commercial timeline (DTAC, ISO, MHRA), and know that the six-figure consultancy quote is one option — not the only option.