NHS England Cloud Centre of Excellence (CCoE) Responsibility Model

Cloud Centre of Excellence – Shared responsibility model

The programme and directorate will be responsible for the following;

• ownership of customer data, application and services
• ownership of application back up
• security (excluding physical data centre security, as illustrated in Layer 1)
• resilience
• architecture
• patching

The Cloud Centre of Excellence (CCoE) promotes a best practice approach to drive the adoption of cloud services. It provides a centralised enablement function and supports cloud service consumers across NHS England and the wider NHS.

The NHS CCoE will provide the follow capabilities:

• financial management / FinOps
• compliance/security
• vendor management performance
• guardrails and architectural patterns
• platform services
• engagement
• cloud consultancy
• programme management

Further information on these capabilities is available on the CCOE Foundations page. 

The cloud provider is responsible for the hardware, live services and data centre security (Please note that cyber security is a shared responsibility between the cloud provider and the NHS). An example of the cloud providers responsibilities are listed below;

Hardware management and provisioning

• compute
• storage
• network
• physical Infrastructure data centres

Live services ownership of incident management

• provision of IT operations centre
• onboarding of new services
• business continuity management
• supporting national services 

Data centre security

• protect NHS from cyber attacks 
• monitor of new threats 24 hours a day 
• security advice, assessments, and training

This model reflects the specific context of the NHSD CCoE.  For more generic models and principles, please see the shared responsibility model guidance section below