National Institute for Health and Care Research
The Client
The National Institute for Health and Care Research (NIHR) is the UK's largest funder of health and care research, supporting a national ecosystem of researchers, clinicians, and the public. Its digital platform is central to that mission, driving awareness of and participation in health research, disseminating funded research outputs, and connecting clinical communities across the country. The platform serves more than 600,000 unique users every month across a web estate spanning multiple mission-critical sites.
The Situation
NIHR's legacy CMS had reached end of life. Without vendor support or active security patching, the platform posed an escalating operational and cyber risk to services relied upon by hundreds of thousands of users each month. At the same time, fragmented hosting contracts, manual publishing workflows, and an inconsistent content experience across the estate were limiting NIHR's ability to grow its reach and operate efficiently.
The organization needed more than a platform swap. It needed a strategic digital foundation – one that could eliminate risk, consolidate a fragmented estate, automate content operations, meet the full range of NHS and government compliance requirements, and support API integration with research systems for years to come.
The Challenge
The scale and complexity of NIHR's digital estate made this a high-stakes undertaking on multiple fronts.
The most immediate pressure was risk. Operating on an unsupported platform in a health research environment – where data integrity and public trust are paramount – meant that standard security measures weren’t enough. NIHR needed to shift from a reactive security posture to a proactive, secure-by-design architecture, while navigating strict information governance frameworks and ensuring no vulnerabilities were carried into the new environment. Achieving this required deep-dive threat modeling, a full data protection impact assessment, and pre-launch penetration testing, rather than routine compliance checks.
Beyond security, the transformation demanded a complete overhaul of how content was managed and published. Workflows were manual and email-driven, publishing access was inconsistently governed, and the lack of a shared design system led to variations in brand coherence and accessibility standards across the estate. Replacing these fragmented processes with governed, automated workflows — while enabling more than 200 content authors across the organization — required as much change management as it did technical delivery.
Layered across all of this were non-negotiable compliance requirements. NIHR had to build full alignment with WCAG 2.2 AA, GDPR, NHS security standards, and Government Digital Service (GDS) principles into the platform's foundations from day one, not bolt it on after the fact.
The Solution
This was much more than a simple CMS migration. NIHR set out to build a national digital publishing platform operating at enterprise and public-sector scale – and its team made every decision with that ambition in mind.
The team defined a full target architecture spanning business, data, application, security, and technology layers, treating the platform as a strategic digital asset aligned to cloud-first, API-first, and zero-trust principles. A technical design authority formally governed all architecture decisions, positioning the solution as a national reference implementation for future NIHR digital services.
NIHR selected Acquia Cloud Platform for its enterprise Drupal capabilities, SaaS operational model, and compliance posture, including ISO 27001, SOC 2, and GDPR certifications. Acquia provided auto-scaling and high availability for national traffic volumes, with built-in CI/CD and environment management through Acquia Pipelines. On top of that foundation, the team configured Drupal with a reusable design system aligned to GDS and NIHR branding, component-based content models, editorial workflows with role-based access control and audit trails, and enterprise search via Acquia Search powered by SearchStax. Acquia DAM handled compliant media governance across the estate, and a multi-site deployment model established shared infrastructure for all current and future NIHR sites.
Security ran through every layer of the build. The team conducted comprehensive threat modeling across the full Acquia ecosystem, implementing controls in real time as risks emerged rather than addressing them retroactively. They performed a detailed data protection impact assessment to identify data-related risks early, and extensive penetration testing to validate the platform's defenses before go-live. Post-launch, a dedicated SecOps function uses Acquia Cloud Edge firewall logs to drive continuous monitoring, threat detection, and rapid response.
Two integrations rounded out the solution. The API-led connection of NIHR's Journal Library into Drupal replaced legacy ETL processes with automated ingestion, indexing, and publication of research outputs — including exposure to Google Scholar and external discovery services. An enterprise SSO solution based on federated identity enabled role-based access control and multi-factor authentication for authors and administrators across the estate.
The Results
The migration delivered measurable gains across every dimension of NIHR's original objectives. The platform now supports 600,000+ unique users per month and more than 1.4 million monthly page views, with sub-second global performance via CDN and greater than 99.95% availability. Content publishing cycle times fell by 40-60% through workflow automation, templating, and role-based approvals, while the number of editors with publishing access was reduced by 80% to improve consistency and governance.
Additionally, all migrated sites achieved 100% compliance with security standards, with WCAG 2.2 AA accessibility built into a shared design system spanning 80+ reusable content components.
The shared platform model has also transformed the economics of future digital delivery, with projected cost reductions of 30-40% for new site launches through platform reuse. The estate currently manages 45,000+ pages and content items across five sites — including the NIHR Corporate site, Clinical Trials Toolkit, Research Delivery Network, James Lind Alliance, and Journal Library — alongside 5,300+ governed digital assets in Acquia DAM. What began as a risk remediation project has become a strategic national digital platform, and the blueprint for all future NIHR digital services.