UK Software Testing — Regulated System Guide (2025)

🧪 Testing💷 GBP⚖️ NHS DTAC🔒 FCA PS21/3🆓 Free Review
September 202512 min readJames Whitmore, CTO

Direct Answer

UK regulated software testing requires six test types: unit tests (CI/CD gate), integration tests (API contracts and third-party services), E2E tests (Playwright — user journeys), performance tests (k6 — FCA PS21/3 load and NHS/GDS performance standards), security tests (OWASP ZAP — PCI-DSS and Cyber Essentials), and accessibility tests (axe-core + NVDA — DTAC Domain 5, GDS, PSBAR). ClickMasters implements all six as standard on every UK regulated project.

Testing Pyramid — UK Regulated Software

Test TypeCoverage TargetFrameworkUK Regulatory ValueRun Frequency
Unit tests80%+ line coverageVitest / JestDTAC Domain 3 evidence — code qualityEvery PR (< 30 seconds)
Integration testsAll API contractsVitest + supertestFCA: API behaviour verifiableEvery PR (1–3 minutes)
Contract testsAll third-party APIsPactNHS FHIR R4 contract complianceDaily against sandbox
E2E testsAll critical user journeysPlaywrightNHS DTAC Domain 5 — user journey evidenceEvery PR (5–15 minutes)
Performance testsp95 < SLA targetk6FCA PS21/3 Impact Tolerance, GDS 3s standardWeekly + pre-release
Security testsOWASP Top 10OWASP ZAP + SemgrepPCI-DSS Req 6, Cyber Essentials patchingEvery release + quarterly DAST
Accessibility testsWCAG 2.1 AA — zero criticalaxe-core + NVDA manualDTAC Domain 5, GDS, PSBAREvery PR (axe automated) + quarterly manual

Performance Testing Standards — UK Regulations

StandardLoad TargetResponse Time TargetClickMasters Test Profile
GDS Service Standard1,000 concurrent usersp95 < 3 seconds on 3Gk6 ramp-up 0→1K in 60s, steady 30 min
FCA PS21/3 Impact Tolerance3× peak production loadIBS continues within tolerancek6 3× peak simulation + AZ failure injection
NHS DTAC Domain 3Normal production load99.9% availability targetk6 production load + 30-day availability monitoring
PCI-DSS (payment flows)Peak transaction volume< 3 seconds p99k6 payment journey with Stripe test cards
eCommerce (Black Friday)10× normal peakLCP < 2.5 seconds (Core Web Vitals)k6 10× spike + Lighthouse CI LCP monitoring

Security Testing — UK Compliance Requirements

OWASP ZAP Dynamic Application Security Testing (DAST): automated scan in CI/CD on every release — OWASP Top 10. ClickMasters: ZAP configured to scan all authenticated pages (ZAP with API key context). Critical findings block deployment.

Semgrep SAST (Static Application Security Testing): scans code for hardcoded secrets, SQL injection patterns, and insecure dependencies in CI/CD. Runs on every pull request.

Dependabot: automated dependency CVE monitoring — critical vulnerabilities create PRs automatically. Cyber Essentials: critical CVEs patched within 14 days.

CREST penetration test: annual external pen test by CREST-certified assessor. Required for: PCI-DSS, NHS DSP Toolkit, FCA operational resilience, ISO 27001. Cost: £3,000–£15,000 depending on scope.

Trivy container image scanning: scan Docker images for CVEs in OS packages and application dependencies. Runs in CI/CD on every Docker build. Blocks deployment if critical CVEs present.

Security testing for UK regulated software must be structured around specific compliance requirements:

Frequently Asked Questions

Common questions about uk software testing — regulated system guide (2025).

DTAC Domain 3 does not mandate a specific test coverage percentage. However: DTAC assessors expect evidence of a quality assurance process including automated testing. ClickMasters target: 80% line coverage for NHS applications (above the healthcare industry benchmark of 70%). Coverage evidence: Istanbul coverage report archived as CI/CD artefact — shows coverage percentage per file and the coverage trend over time. DTAC assessors are satisfied with 70%+ coverage and a CI/CD pipeline that blocks merges below the threshold.

ClickMasters testing investment as a percentage of total project cost: 15–25% for regulated UK software (NHS DTAC, FCA, GDS). Breakdown: automated test suite build (Vitest + Playwright + axe-core + k6 + ZAP configuration) — £5,000–£15,000 for a new project. Annual CREST pen test — £3,000–£15,000. Ongoing test maintenance — approximately 20% of new feature development cost. Total for a £100,000 NHS DTAC project: testing costs £15,000–£25,000 (15–25% of project). This is non-negotiable for regulated UK software — the alternative is a failed DTAC assessment.

About the Author

James Whitmore, CTO UK software quality and testing specialist ClickMasters implements a six-layer testing strategy on all regulated UK projects as standard.

Free Testing Architecture Review ClickMasters will...

Free Testing Architecture Review ClickMasters will review your testing strategy and confirm NHS/FCA/GDS compliance coverage. → clickmasterssoftwaredevelopmentcompany.co.uk/contact/

Book a Free Consultation