The Target Architecture

What NHS Wales' digital infrastructure should look like in the destination state. A federated, standards-led, open-API architecture modelled on Estonia's X-Road, Denmark's MedCom, Finland's Kanta, and NHS England's national platforms — translated for Welsh constraints. Six layers, ten components, open standards, building blocks not platforms.

The blueprint describes the structural reform required. This page describes the technical destination it produces: a federated, standards-led, API-driven architecture with a thin national standards body, an open-source interoperability backbone, health-board-procured clinical applications, and a citizen-controlled patient record. Every component has an international precedent that has shipped at scale.

The diagnosis explains why NHS Wales’ digital infrastructure failed. The interventions explain what to change about the conditions that produced the failure. This page describes what the resulting technical estate looks like once those interventions have run.

It is the destination state, not the migration path. The migration path is on the 36-month timeline. The destination is what the timeline aims at.

Every component on this page is in operational use somewhere in northern Europe today. None of them is a Welsh invention. The novelty of the Welsh target architecture is the combination — and the discipline of refusing to build anything the international evidence does not already endorse.

Five Design Principles

The architecture is not a wish-list of features. It is the application of five design principles, each of which the international evidence has validated and the current Welsh arrangement has violated.

  1. Standards are separated from delivery. A small national body sets and certifies interoperability standards. It does not build clinical applications. Health boards procure clinical applications within those standards. Denmark, Estonia and Finland operate this separation; the DHCW monopoly model collapses it. Separation breaks L11: Captured Governance at the technical layer — the standards-setter is no longer judge-of-its-own-delivery.

  2. Federation, not centralisation. Patient data lives in the system that generated it: the GP record sits with the GP system, the hospital record sits with the EPR, the prescription record sits with the dispensing system. A national interoperability backbone makes the federation queryable — the patient record looks unified, but no monolithic database exists. Estonia has operated this pattern since 2001. The architectural consequence is that no single supplier outage can take the estate offline — the failure mode the PSBA March 2026 outage demonstrated.

  3. Open standards by default. HL7 FHIR R4, SNOMED CT International, dm+d, ICD-10/11, OpenID Connect, OAuth 2.1, IHE profiles, X-Road or equivalent. Where a Welsh standard is required (bilingualism, devolved policy), it is an extension of an international standard, not a replacement. Procurement specifications cite international standards by name; non-compliant tenders are non-compliant on technical grounds, not on policy preference.

  4. Open source as the default for shared infrastructure. The interoperability backbone, the terminology services, the audit ledger, the national identity broker, the patient-facing app — these are open source by default. Source code is published under permissive licence. Procurement of proprietary software at the application layer remains a health-board choice, but the layers that hold the federation together are sovereign, inspectable, and forkable. Estonia and Finland share X-Road through the Nordic Institute for Interoperability Solutions on exactly this basis; the same pattern is available to Wales as a member or a fast-follower.

  5. Building blocks, not platforms. Every national component does one thing — identity, messaging, terminology, audit, indexing — and exposes a typed API. There is no “national platform” that does everything. The international failure cases (Care.data, NPfIT) were platforms; the international successes (X-Road, sundhed.dk, NHS Login, FHIR-based health information exchanges) are building blocks. A platform is unkillable because everything depends on the platform-as-a-whole; a building block remains replaceable because every consumer talks to a contract, not an implementation.

These five principles are upstream of every architectural decision on this page. Where a decision below seems arbitrary, it is almost always an application of one of these five.

The Six-Layer Stack

The target architecture has six layers. Each layer is independently procurable, independently testable, and independently replaceable. Each layer talks to the layers above and below it through typed, published APIs. No layer “owns” the layers above or below.

Six-layer target architecture for NHS Wales: from sovereign infrastructure at the bottom through identity, interoperability backbone, national shared services, health-board clinical applications, to patient and clinician experience at the top. Each layer is independently procurable and exposes typed APIs. The standards body owns layers 2-4; health boards own layer 5; citizens own the consent and access surface at layer 6.
Figure 1. The six-layer target architecture. Standards body owns layers 2–4 (the thin tissue). Health boards own layer 5 (where clinicians work). Citizens own consent and access at layer 6. Sovereign infrastructure at layer 1 is procured under existing public-sector frameworks.

Layer 1 — Sovereign Infrastructure. UK-resident cloud (hyperscaler with sovereign zones plus on-prem for the regulated minority), high-availability networking, a successor to PSBA designed with explicit redundancy, the .nhs.wales DNS authority, a public-sector certificate authority, and the cyber-defence operations centre. The lesson of three consecutive years of infrastructure failure — near-identical data centre cooling failovers in 2024 and 2025, then the PSBA network outage of March 2026 — is structural: a single shared dependency must not have the power to take the estate offline. Redundancy at this layer is statutory, not discretionary.

Layer 2 — Identity, Security, Audit. A national citizen identity service (NHS Wales account, OpenID Connect-based, federable with GOV.UK Verify successor and NHS Login where appropriate). A national clinician identity service (smartcards transitioning to FIDO2/passkeys, OAuth 2.1 + SCIM for federation). An immutable, append-only audit ledger that every other layer writes to and no layer can rewrite. A national public-key infrastructure for service-to-service authentication. National cyber-defence runs at this layer; it is operationally separate from delivery.

Layer 3 — The Wales Health Interoperability Backbone. An X-Road-equivalent federated data exchange. A FHIR API gateway that handles routing, versioning, conformance, rate-limiting and replay. A clinical-event pub/sub bus (admit, discharge, transfer, prescription issued, prescription dispensed, referral made, referral closed). National terminology services (SNOMED CT, dm+d, ICD-10/11) exposed as API endpoints, not local copies. This is the thinnest, most load-bearing and most internationally standardised layer of the stack. It is the single best candidate for direct adoption of an existing open-source stack — X-Road, Mirth Connect, HAPI FHIR — rather than bespoke Welsh code.

Layer 4 — National Shared Services. A small set of national services that genuinely benefit from national operation: the Welsh Demographics Service (NHS number, residence, registration — successor to the eMPI patient index that has mixed up patient records), the National Practitioner Index, the National Electronic Prescription gateway (transmission and dispensing, not the prescribing UI inside the EPR), the National Referral and Booking gateway, a federated Welsh Care Record (a virtual record assembled at query time from the systems that hold the source data — not a centralised database), and a Population Health Data Platform for analytics, research and commissioning. Each of these is a building block, not a platform; each exposes a typed FHIR API; none of them holds the clinical record itself.

Layer 5 — Health-Board Clinical Applications. EPRs, theatre management, maternity systems, mental health systems, endoscopy, ophthalmology, cancer pathways, community care, the Welsh Community Care Information System (WCCIS) successor — procured by health boards within the national standards. Health boards may choose Epic, Cerner, Better, Cynerio, an open-source system or a domain-specific best-of-breed product. Procurement compliance with layers 2–4 standards is the gating criterion; brand of EPR is a health-board decision. Some boards may cooperate on joint procurements; cooperation is a board-level choice, not a national mandate.

Layer 6 — Patient and Clinician Experience. The NHS Wales App (citizen-facing, mobile and web, statutory bilingual parity, accessibility-first). A citizen consent surface giving granular control over who can see what and when. A clinician workspace that aggregates views across the EPRs the clinician has access to, not a parallel record system. A public population dashboard publishing waiting times, performance, vendor portfolio status and digital incidents at statutory frequency. This is the layer the citizen and the clinician actually touch; everything below is plumbing in service of this layer working.

The six-layer stack is the destination map. The next four sections describe how it works: what owns what, how data flows, how it compares to the current arrangement, and what a real clinical journey looks like passing through it.

Component Responsibility Map

Distributing oversight is a governance principle; distributing technical responsibility is its operational consequence. The standards body must not own what the health boards own; the health boards must not own what citizens own.

Three-column responsibility map. The Standards Body owns: interoperability backbone, terminology services, national patient index, conformance certification, audit ledger, cyber-defence. Health boards own: electronic patient record, clinical workflow systems, local procurement, embedded engineering teams, post-implementation review. Citizens own: identity, consent, full record access, prescription self-service, complaint and rectification. No component appears in more than one column.
Figure 2. The component responsibility map. No component sits in more than one column. The boundary between columns is the boundary at which conformance testing happens.

The map has three columns because the architecture has three principals: the standards body, the health board, and the citizen. Each principal owns specific components; the boundary between columns is where conformance testing happens; the conformance tests are public and automated.

The standards body owns the interoperability backbone, the terminology services, the national patient index, the conformance test suites, the audit ledger and the national cyber-defence operation. Its headcount is bounded — Estonia’s TEHIK runs the equivalent function for 1.3 million people on roughly 200 staff. A Welsh equivalent for 3.1 million people should not exceed 400 staff at steady state, against the DHCW headcount that grew to over 1,200 without commensurate delivery. The standards body does not build clinical applications. Health boards do.

The health boards own the clinical applications, the local procurement, the embedded engineering teams, and the post-implementation review of every system they put into clinical use. Health boards are the accountable delivery body for clinical workflow; the standards body is the accountable delivery body for the connective tissue. The EPMA gap — DHCW measured for delivery that local organisations actually control — is resolved by this re-assignment, not by re-stating accountability against the same incoherent boundary.

Citizens own their identity, their consent, their full record access, their prescription self-service and their right to complain, request rectification and obtain a copy of the audit log showing who accessed what. The citizen layer is not a courtesy; it is a constitutional component of the architecture. The Welsh language interface is not an add-on; it is a layer-6 invariant.

Conformance testing happens at the boundary between columns. Every clinical application a health board procures must pass the conformance suite the standards body publishes. Every national service the standards body operates must pass the citizen-rights conformance suite the patient council ratifies. Failure to conform is grounds for procurement termination, not a soft “improvement plan.”

Federation, Not Monopoly

The architectural inversion of the current model is the move from monopoly delivery to federated standards. The two architectures look superficially similar in a high-level diagram; they behave entirely differently under load, under failure, and under political pressure.

Side-by-side comparison. Left panel labelled 'Current — Monopoly Delivery' shows DHCW at the centre with all systems and all health boards funnelling through it; a single failure point. Right panel labelled 'Target — Federated Standards' shows a thin standards body in the centre with bidirectional standards-and-conformance arrows to seven health boards arranged around it, each health board operating its own clinical systems, all systems exchanging data peer-to-peer through the interoperability backbone.
Figure 3. Monopoly delivery (current) versus federated standards (target). In the monopoly model, every system is a child of one delivery body, and one delivery body's failure cascades everywhere. In the federated model, the standards body is a thin coordinator; clinical systems run independently; data flows peer-to-peer through the backbone; the failure of any single node is local.

The diagram understates the difference. In operational practice, federation produces five properties that monopoly delivery cannot:

  • Failure is local. A health-board EPR outage stops that health board, not all seven. A PSBA-class shared-infrastructure failure cannot reach the application layer because applications no longer share the dependency. The three-year infrastructure failure pattern — two near-identical data centre cooling failovers in 2024 and 2025 followed by the March 2026 PSBA outage taking O365, EPMA, RISP and radiology offline simultaneously across all of NHS Wales for hours — is the failure mode federation is designed to prevent.
  • Procurement is competitive. A health board dissatisfied with a clinical application has a credible exit: re-procure within the standards. The vendor is on notice; the standard is the contract. Under monopoly delivery, the health board has no exit and the vendor knows it.
  • Comparability is structural. Seven health boards running different EPRs within the same standards produces seven natural experiments. Outcomes are comparable because the data model is the same. Under monopoly delivery, there is only one experiment and only one outcome, and “what good looks like” is whatever the monopoly produced this quarter — the structural mechanism behind Drift to Low Performance.
  • Capability accumulates locally. Embedded engineering teams operating inside health boards under clinical leadership (Flip the Model) build deep clinical-domain capability that the monopoly never could. Six pilot teams shipping at six health boards produces six independent stocks of clinical engineering competence; under monopoly delivery, those staff would be one pool, one culture, and one set of habits.
  • National capacity is conserved. The standards body, freed from the impossible job of building everything everywhere, does the small set of things that genuinely benefit from national operation — and does them well. Estonia does this with 200 staff for 1.3 million people. Wales does not need 1,200 to do the same job for 3.1 million.

The federated pattern is not a compromise between national consistency and local control. It is the only architecture that delivers both — because national consistency lives in the standards, and local control lives in the procurement.

A Real Clinical Journey, Through the Architecture

Assume the architecture is operational. A real clinical journey then passes through it like this. The scenario below is deliberately not exotic: a stroke patient admitted at one health board, transferred to a tertiary unit at another, discharged to a GP in a third area, prescriptions filled at a community pharmacy. It is the everyday cross-boundary case the current Welsh estate handles badly and the target architecture handles routinely.

A clinical journey across the architecture. A patient presents at a Swansea Bay emergency department; the EPR queries the Welsh Demographics Service to confirm identity, the federated Welsh Care Record to retrieve history, and the terminology service to encode the diagnosis. A clinical event is published to the backbone. The patient is transferred to Cardiff and Vale for thrombectomy; the receiving EPR consumes the event, the prior record assembles automatically. Discharge to a GP in Hywel Dda triggers another event; the GP record updates. A prescription is issued, transmitted to a community pharmacy via the prescription gateway, dispensed and reconciled. The citizen views every step in the NHS Wales app with full audit trail and explicit consent record.
Figure 4. A real clinical journey through the federated architecture. Five health-board boundaries are crossed; no monolithic database is invoked; every step is auditable; the citizen sees the whole journey in the app. Compare against the equivalent journey in the current estate, where cross-boundary continuity is partial at best, the patient sees nothing, and an audit trail must be reconstructed manually if it is reconstructed at all.

The journey illustrates three operational properties of the architecture worth naming:

  • No single system holds the patient’s record. The Swansea EPR holds the admission. The Cardiff EPR holds the thrombectomy. The GP system holds the discharge. The pharmacy system holds the dispensation. The Welsh Care Record is a query, not a database — it assembles the unified view at the moment a clinician asks for it, and it presents whatever the consent record permits the asking clinician to see.
  • Every state transition is a published event. Admission, transfer, discharge, prescription issued, prescription dispensed — each is a typed event on the clinical-event bus. Subscribers (the patient app, the population dashboard, the audit ledger, the GP record) consume the events without being coupled to the system that produced them. Adding a new subscriber requires no change to the publisher.
  • The citizen sees the journey. The NHS Wales app shows the admission, the transfer, the procedure, the discharge summary, the prescription and the dispensation, all in chronological order, all in the citizen’s chosen language, all with a visible audit trail of which clinicians accessed which records and why. The citizen’s right to see is enforced by the architecture; it is not contingent on the goodwill of the body running the systems.

The current Welsh estate cannot run this journey as a routine. The target architecture runs it as a baseline.
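The journey above, as an added example that is not part of the blueprint or of any NHS Wales system's code: constructed events, hypothetical system names (SwanseaBay-EPR, CardiffVale-EPR, HywelDda-GP, Pharmacy-PMR) and a placeholder NHS number. It shows the three properties just named: typed events consumed by decoupled subscribers, a Welsh Care Record assembled at query time and filtered by the consent record (with a denied access still written to the audit ledger), and an append-only hash-chained ledger whose verification fails if any earlier entry is rewritten.

```python
# Added example (not blueprint or NHS Wales code): constructed events and a placeholder NHS number.
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64

@dataclass(frozen=True)
class ClinicalEvent:
    """A typed event on the clinical-event bus (layer 3)."""
    kind: str         # admit | transfer | discharge | prescription_issued | prescription_dispensed
    nhs_number: str   # placeholder in this example, not a real NHS number
    source: str       # the system that holds the source record; the event carries no copy of it
    seq: int

class EventBus:
    """Subscribers are decoupled from the publisher: adding one changes no publisher."""
    def __init__(self):
        self.subscribers = []

    def publish(self, ev):
        for handler in self.subscribers:
            handler(ev)

class AuditLedger:
    """Append-only and hash-chained (layer 2): every entry commits to its predecessor's hash."""
    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "body": body, "hash": digest})

    def verify(self):
        prev = GENESIS
        for entry in self.entries:
            expected = hashlib.sha256((prev + entry["body"]).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False   # a rewritten or removed entry breaks the chain here
            prev = entry["hash"]
        return True

class WelshCareRecord:
    """A query, not a database (layer 4): assembled at query time, filtered by consent."""
    def __init__(self, ledger):
        self.ledger = ledger
        self.sources = {}   # source system -> its own events; no central copy
        self.consent = {}   # (nhs_number, organisation) -> source systems it may see

    def on_event(self, ev):
        self.sources.setdefault(ev.source, []).append(ev)

    def query(self, nhs_number, clinician, org, purpose):
        # every access attempt is audited, permitted or not
        self.ledger.append({"who": clinician, "org": org, "nhs": nhs_number, "why": purpose})
        allowed = self.consent.get((nhs_number, org), set())
        events = [e for src in allowed for e in self.sources.get(src, []) if e.nhs_number == nhs_number]
        return sorted(events, key=lambda e: e.seq)

def run_journey():
    """Constructed journey: Swansea Bay ED -> Cardiff and Vale -> Hywel Dda GP -> pharmacy."""
    bus, ledger = EventBus(), AuditLedger()
    record = WelshCareRecord(ledger)
    bus.subscribers.append(record.on_event)
    bus.subscribers.append(lambda ev: ledger.append({"event": ev.kind, "source": ev.source, "seq": ev.seq}))
    nhs = "0000000000"  # placeholder, not a real NHS number
    record.consent[(nhs, "Cardiff and Vale")] = {"SwanseaBay-EPR", "CardiffVale-EPR"}
    record.consent[(nhs, "Community pharmacy")] = {"HywelDda-GP"}
    steps = [("admit", "SwanseaBay-EPR"), ("transfer", "SwanseaBay-EPR"), ("discharge", "CardiffVale-EPR"),
             ("prescription_issued", "HywelDda-GP"), ("prescription_dispensed", "Pharmacy-PMR")]
    for seq, (kind, source) in enumerate(steps, start=1):
        bus.publish(ClinicalEvent(kind, nhs, source, seq))
    cardiff = record.query(nhs, "dr-a", "Cardiff and Vale", "direct care")
    pharmacy = record.query(nhs, "pharm-b", "Community pharmacy", "dispensing")
    powys = record.query(nhs, "dr-c", "Powys", "no consent recorded")   # denied, still audited
    return {"cardiff": [e.kind for e in cardiff], "pharmacy": [e.kind for e in pharmacy],
            "powys": [e.kind for e in powys], "audit_entries": len(ledger.entries)}, ledger

def tamper_is_detected(ledger):
    """Rewriting an earlier entry in place (here, who made the first record access) breaks the chain."""
    ledger.entries[5]["body"] = ledger.entries[5]["body"].replace("dr-a", "nobody")
    return not ledger.verify()
```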

Standards Adopted

The architecture is built on international standards. Every standard listed below is in operational use in at least one comparator jurisdiction at production scale. The Welsh choice is which standards to adopt, not which standards to invent.

| Layer | Standard | Use | Operational precedent |
|---|---|---|---|
| Interoperability | HL7 FHIR R4 (R5 transition path) | Clinical resource model and API | NHS England, US Cures Act, Finland (Kanta), Australia (My Health Record) |
| Interoperability | IHE profiles (XDS, PIX, PDQ) | Document sharing, patient identification, demographics query | Denmark, Switzerland, USA |
| Interoperability | X-Road / equivalent federated data exchange | Service-to-service messaging, federation | Estonia, Finland, Iceland, Ukraine, Faroe Islands |
| Terminology | SNOMED CT International | Clinical terminology | UK, USA, Denmark, Netherlands, Australia |
| Terminology | dm+d | Medicines | NHS UK-wide |
| Terminology | ICD-10 / ICD-11 transition | Diagnostic coding | International |
| Records | OpenEHR archetypes (where clinical models needed) | Detailed clinical models above FHIR | Norway, Slovenia, regional UK |
| Identity | OpenID Connect / OAuth 2.1 | Citizen and clinician identity, delegation | NHS Login, GOV.UK One Login, Estonia eID |
| Identity | FIDO2 / passkeys | Phishing-resistant authentication | NHS Login, US federal, Google, Apple |
| Identity | W3C Verifiable Credentials (where appropriate) | Portable clinical credentials | EU EHDS pilots, NHS pilots |
| Messaging | Kafka / AMQP-compatible event bus | Clinical event publication | International |
| API | OpenAPI 3.1 | API contracts | International default |
| Audit | RFC 3161 / append-only ledger | Tamper-evident audit | International, regulated industries |

Several deliberate omissions:

  • No bespoke Welsh interoperability standard. Where Wales needs an extension (bilingual terminology, devolved policy fields), it is an extension of an international standard, not a parallel standard.
  • No “Welsh FHIR profile” maintained as a separate stream. Wales adopts NHS UK Core FHIR profiles where they exist; contributes Welsh-specific extensions upstream where they do not; does not fork.
  • No proprietary national platform. Open source by default at layers 1–4. Proprietary clinical applications at layer 5 are health-board procurement choices, not national mandates.

Operating Model

The architecture is operated, not just owned. Six operating disciplines are non-negotiable.

  1. API contracts are published, versioned and free. Every API the standards body exposes has an OpenAPI specification, a published versioning policy, a deprecation calendar and a public conformance test suite. Access is free at the point of use for any NHS Wales body; commercial access is on published terms.

  2. Conformance is automated, not negotiated. The conformance test suite runs against any candidate clinical application as part of procurement. Pass/fail is publicly published. A failing vendor cannot be procured; a passing vendor cannot be excluded on opaque grounds. This is the structural protection against L8: Loyalty Selection at the technical layer.

  3. Procurement runs on four-year cycles with mandatory recompetition. No contract above £1M renews without an open recompetition. The 51 instances of board approval without scrutiny become structurally impossible because the procurement event itself is the scrutiny event.

  4. Strangler-fig migration, never big-bang replacement. New capability is built behind the national API gateway. The existing system continues to operate. Once the new capability is demonstrably stable in clinical use, the old system is retired one boundary at a time. NPfIT and Care.data were big-bang failures; X-Road’s incremental rollout, NHS Login’s incremental rollout, and Kanta’s incremental rollout were not.

  5. Open source by default for the standards body’s own work. Source code published under permissive licence. Contributions accepted under a Developer Certificate of Origin. The Nordic Institute for Interoperability Solutions model is the operational template — a small consortium of countries amortising open-source infrastructure across borders.

  6. Public, machine-readable observability. Every layer publishes its operational metrics — availability, latency, error rates, incident counts — to a public dashboard at statutory frequency. The Radical Transparency intervention is given operational form here: the dashboard is not an annual report, it is a live API.

These six disciplines are not separate from the architecture. They are the architecture, operationalised. A federated, standards-led, API-driven estate that is not run with these disciplines reverts to the failure modes the architecture was supposed to prevent.

What This Architecture Is Not

The architecture rejects four patterns by design, each of which has a documented international failure case:

  • Not a national platform. Care.data, NPfIT, every “single national EPR” proposal of the past twenty years. A platform tries to be the whole answer and becomes structurally unkillable. The Welsh estate has neither the funding nor the political mandate to attempt a platform; the architecture does not require one.
  • Not a monopoly delivery body. Once for Wales is the model under critique. The standards body is small, tightly scoped, and operationally separate from the boards that procure applications.
  • Not a Welsh-bespoke standards stack. Wales adopts international standards. Where a Welsh extension is required, it is contributed upstream. The Welsh user base is not large enough to operate a parallel standards stack credibly, and the cost of trying would consume the budget the architecture is designed to release.
  • Not a closed-source national infrastructure. Open source by default at the layers where sovereign capability matters. Closed source remains a legitimate procurement choice at the clinical application layer, where the health board is the procurer and the conformance is to a public standard.

The architecture is a translation of the international evidence into the Welsh constraint set. It is opinionated about what to build; it is more opinionated about what not to build.

The Welsh Translation

Wales has constraints the comparator countries do not, and the architecture must accommodate them. Three are material; the architecture handles each explicitly.

  • Bilingualism is statutory. Welsh-language and English-language parity is a layer-6 invariant. Terminology services support Welsh-language clinical terms where established. The citizen app defaults to the citizen’s preferred language. Procurement specifications include Welsh-language acceptance criteria.
  • Market depth is limited. Some specialist supplier negotiations require coordination with NHS England rather than independent Welsh procurement. The architecture interoperates with the NHS UK-wide API estate — NHS Login, GP Connect, the NHS App where appropriate — rather than building parallel infrastructure.
  • Devolved-and-reserved boundaries. Several digital-health functions sit at the intersection of devolved and reserved competence. The architecture is explicit about the boundary: Welsh national services for devolved functions; interoperation with UK reserved-function infrastructure; no duplication of either.

These constraints shape implementation choices within the international pattern. They do not invalidate the pattern. The destination remains the same.

The Decision the Architecture Crystallises

The architecture clarifies what the six interventions are aiming at. Every intervention has a technical destination this page makes specific:

  • Competent Leadership recruits the people who can run a federated, standards-led architecture — not a monopoly delivery body.
  • Radical Transparency operationalises layer-6 public observability and the conformance-publication regime.
  • Portfolio Ruthlessness stops building anything that does not fit the target architecture — the immediate cost-saving move that funds the migration.
  • Flip the Model builds the embedded engineering teams that own layer-5 delivery, and shrinks the standards body to layers 2–4 scope.
  • Break the Annual Trap provides the multi-year programme funding the migration requires — building blocks ship on multi-year horizons, not annual budgets.
  • Reform the Funder reconciles the accountability boundary with the architectural boundary — health boards accountable for layer 5, standards body accountable for layers 2–4, citizens with statutory rights at layer 6.

The architecture is the picture of where the system arrives once the interventions have run their course. The 36-month timeline is the route. The cost of inaction is what continues to accrue every month this picture remains a picture rather than the operating estate of NHS Wales.

Every component on this page is operational in at least one comparator jurisdiction. The question is not whether the architecture can work. The question is whether Wales chooses to build it.