Who controls the technology behind the NHS?
How much this sector depends on technology suppliers it cannot fully control — and where that matters most.
The big picture
NHS England runs on a small number of mostly US-owned technology suppliers. The standout exposure is the new national data platform, built and run by a single US company; the bright spot is identity, where the NHS runs its own systems. The everyday clinical record systems are a mix of US-owned and UK-owned providers.
We looked at seven building blocks of technology the NHS relies on, from the national data platform down to the chips. One structural fact sits behind the chip layer: the NHS’s AI hardware depends on a single dominant chip supplier and on overseas fabrication, with no UK alternative.[7] We scored each building block on four things — how few the suppliers are, whose laws they answer to, how hard they are to switch, and how essential they are.
Where the exposure sits
Who controls each layer
The building blocks this sector relies on, coloured by who ultimately controls each one:US-controlledMixed / otherUK-controlled
Two of the seven layers are genuinely under UK or NHS control — the NHS’s own staff and citizen identity systems, and the UK half of clinical records (TPP/SystmOne). The rest are US-dominated: the national data platform (Palantir), the public cloud, NHSmail (Microsoft) and the AI chips (Nvidia). Clinical records and AI are a US/UK mix rather than fully either.
What this means, in plain terms
If a supplier pulled the plug, how fast would it hurt?
| Speed of impact | Layer | What happens |
|---|---|---|
| Within days | Cloud · Clinical systems · Email | The shared foundation fails; patient-record systems and email degrade within days. Clinical systems take years to replace. |
| Days (cushioned) | Login & identity | Partly insulated — the NHS runs its own staff and citizen login; only the Microsoft email-identity layer is exposed. |
| Weeks | Data platform · AI | Waiting-list and scheduling management collapses; AI tools drop out (the most replaceable block). |
| Months+ | Computer chips | A national issue, not a single trust’s to fix. |
What organisations can do about this
| Building block | Practical steps |
|---|---|
| Data platform | Use the February 2027 break clause as leverage, develop a UK or in-house exit option, and keep the data model portable so the platform can actually be replaced.[2] |
| Cloud | Hold its own encryption keys, so the provider cannot read the data without the NHS, and use sovereign hosting for the most sensitive workloads — so a single jurisdiction cannot simply switch it off. |
| Clinical systems | On renewal, favour UK or EU-owned record systems (for example TPP, Nervecentre, Dedalus) and write data-portability and exit-assistance clauses into contracts.[5] |
| Email & office | Standardise on open file formats so documents are not locked to one supplier, and consider a UK-hosted email service for the most sensitive functions.[4] |
| Login & identity | Protect and extend the NHS-run identity systems — already the strongest block — and reduce reliance on the Microsoft email-identity layer.[3] |
| AI | Keep AI tools provider-agnostic and favour UK suppliers where they exist. It is the cheapest resilience on this list. |
Sources
- NHS England — Federated Data Platform: contract explainer (£330m, up to seven years, NHS-wide by 2028/29). https://www.england.nhs.uk/digitaltechnology/nhs-federated-data-platform/security-privacy/contract-explainer/
- Parliament — Science, Innovation and Technology Committee report (3 June 2026): ‘unacceptable point of weakness’; February 2027 break clause. https://publications.parliament.uk/pa/cm5902/cmselect/cmsctech/61/report.html
- NHS England Digital — NHS login (~46m users) and the Care Identity Service (~1.3m staff). https://digital.nhs.uk/services/nhs-login
- NHS England Digital — NHSmail on Microsoft 365 Hybrid (2.1m mailboxes; NHS Directory synced to Azure AD / Entra). https://digital.nhs.uk/services/nhs.net-connect/nhsmail-live-with-microsoft-hybrid-service-on-office-365
- Companies House — EMIS Group Ltd (foreign-controlled) and TPP / SystmOne (UK-owned); CMA clearance of the UnitedHealth–EMIS deal (gov.uk). https://www.gov.uk/government/news/cma-clears-nhs-healthcare-tech-deal
- Competition and Markets Authority — Cloud services market investigation (fewer than 1% of customers switch provider per year). https://www.gov.uk/cma-cases/cloud-services-market-investigation
- gov.uk — Council for Science and Technology, advice on a sovereign AI chip industry (single dominant GPU supplier ~90%; overseas fabrication). https://www.gov.uk/government/publications/building-a-sovereign-ai-chip-design-industry-in-the-uk
- NHS England / gov.uk — Digitising the frontline (EPR target: 95% of trusts by March 2026); AI Diagnostic Fund and £123m into 86 NHS AI technologies. https://www.gov.uk/government/news/ai-to-speed-up-lung-cancer-diagnosis-deployed-in-nhs-hospitals
How we did this. We scored each technology layer on four things — supplier concentration, whose laws they answer to, how hard they are to switch, and how essential they are — using the IM Sovereignty Framework and our UK vendor database. Control and hosting facts come from primary sources; the harder-to-quantify judgments are our reasoned view of a typical organisation. Scores are bands, not exact measurements. Full evidence record available on request.
This research consists of the opinions of the Information Matters team — human and AI — and should not be considered statements of fact.
Information Matters · informationmatters.net
If you have any questions or comments about this article please email info@informationmatters.net

