The Digital Recoil
Closing the Gates: The Real Reason behind the NHS Code Blackout
On 11 May 2026, it appears, NHS England will formally end its decade-long commitment to "Open by Default". The official narrative cites a "temporary" defensive pivot against AI-driven threats, but a closer look suggests a tactical maneuver to sidestep looming UK statutory frameworks.
The announcement sent shockwaves through the GovTech community. Since the Government Digital Service (GDS) made "Make new source code open" point 12 of its Service Standard, the mantra in UK public-sector software has been "Public Money, Public Code" (the FSFE campaign slogan). By shifting to private repositories, NHS England is not just changing where its developers host their work; on the reading set out below, it is altering the legal status of that code in the eyes of the British legal system.
The "Security" Smokescreen
The NHS justifies the move as a response to large-scale ingestion of public code by advanced AI models: the fear is that "bad actors" will use LLMs to find zero-day vulnerabilities in public NHS code.
Critics, however, point to a glaring logical flaw: the code is already out there. Most critical NHS repositories have been public for years; they have already been indexed, scraped and ingested by every major model currently in existence. Nor does flipping a repository to private recall the copies already made: every clone, fork and mirror taken while it was public persists, and the open-source licence under which those copies were received still governs them.
Closing the gate after the horse has bolted suggests the "security" argument is, at best, a partial truth. The real value of close-sourcing is not protecting against existing vulnerabilities; it is stopping the clock on the discovery of new ones by the public and, more importantly, by regulators.
The Unmentioned Giants: the CS&R Bill and Product Liability
Noticeably absent from the NHS's public statements are the UK Cyber Security and Resilience (CS&R) Bill and the updated product liability framework (the revised Product Liability Directive, PLD, which treats software as a product). These upcoming laws attach strict liability to software as a "product": if the NHS publishes code that is integrated into third-party health tech and that code fails, the NHS could be legally liable as a "producer".

By moving to private repositories, the NHS effectively re-classifies its digital output. It ceases to be a "software manufacturer" placing products on the market and reverts to being a "service provider" using internal tools. That single distinction could save the department hundreds of millions in compliance "gates", statutory audits and litigation costs.
“The shift to private repositories may allow the NHS to bypass the ‘Secure-by-Design’ audits mandated by the CS&R Bill, effectively opting out of a regulatory tax that applies to the open-source world.”
The Cost of Silence
The real saving is not in server costs or developer hours; it is in the avoidance of compliance "Innovation Debt": under the new frameworks, a public repository requires a rigorous, documented security lifecycle that can cost upwards of £150,000 per project to maintain. By going private, the NHS avoids these public-facing statutory requirements, choosing the relative peace of obscurity over the expensive transparency of the open-source era.
Estimated Savings:
- Statutory Audit Savings: ~£25m
- Indemnity Premium Delta: £5m-£10m
- AI Remediation Liability: Unbounded
- Total estimated regulatory saving: £135m+ annually (the figure as given; the itemised lines above do not add up to it, and the third is unbounded)
References:
- FSFE news, 4 May 2026: https://fsfe.org/news/2026/news-20260504-01.html
- The Register, 5 May 2026: https://www.theregister.com/2026/05/05/nhs_to_closesource_hundreds_of_repos/
- https://keepthingsopen.com/ (open letter requesting a policy reversal)
Attribution: This article on apparent changes in the state of NHS software was generated by Gemini AI in an attempt to present a relatively neutral ‘take’ on current events.
The Potential Trap
Some Open Source licenses (copyleft licenses in particular: the GPL family, the MPL and similar) impose very specific obligations relating to transparency. At minimum, the source of the licensed component and of any modifications to it must be offered to those who receive the software; for the GPL family the obligation extends to the work that incorporates it, and for the AGPL it is triggered by interaction over a network as well as by distribution. When close-sourcing a previously Open Source project, those obligations do not disappear: they continue to attach to every Open Source component the project still contains, and they constrain how the resulting closed project can be used and distributed. Exactly which obligations apply is likely only apparent after an audit of the licenses of every component the project uses, including the transitive dependencies pulled in by package managers.
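The audit described above, as an added example (this is not code from the original post, from NHS England, or from any named project): it reads a CycloneDX JSON SBOM, classifies each component's SPDX licence by the obligations it carries, resolves `AND`/`OR` licence expressions, and lists what has to be resolved before a closed derivative is distributed. The SBOM embedded in the block is constructed for the example, and the three licence tables are a deliberately short assumption, not a legal determination.

```python
"""Licence audit of an SBOM before close-sourcing a previously open project.

Added example (not code from the original post, NHS England, or any named
project). It reads a CycloneDX 1.5 JSON SBOM, classifies each component's
SPDX licence by the obligations it carries, and lists what must be resolved
before a closed derivative is distributed. The SBOM below is constructed for
this example and the licence tables are a deliberately short assumption, not
a legal determination.
"""
import json
import re

# Strong copyleft: source-disclosure obligations attach to the work that
# incorporates the component and are triggered by distribution (AGPL also by
# network interaction).
STRONG_COPYLEFT = {
    "GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later",
    "AGPL-3.0-only", "AGPL-3.0-or-later",
}
# Weak copyleft: obligations are scoped to the component's own files or
# library, so a closed application can generally ship with it provided the
# component's source and modifications are offered.
WEAK_COPYLEFT = {
    "LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "LGPL-3.0-or-later",
    "MPL-2.0", "EPL-2.0",
}
PERMISSIVE = {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "0BSD"}

# Ordering used when an SPDX expression combines licences.
RANK = {"permissive": 0, "weak-copyleft": 1, "strong-copyleft": 2, "unknown": 3}


def classify_id(spdx_id: str) -> str:
    """Map a single SPDX identifier to an obligation class; unlisted ids are unknown."""
    if spdx_id in STRONG_COPYLEFT:
        return "strong-copyleft"
    if spdx_id in WEAK_COPYLEFT:
        return "weak-copyleft"
    if spdx_id in PERMISSIVE:
        return "permissive"
    return "unknown"


def classify_expression(expr: str) -> str:
    """Reduce an SPDX licence expression to the class it imposes on a consumer.

    'A OR B' is a choice, so it resolves to the least burdensome operand;
    'A AND B' imposes both, so it resolves to the most burdensome. SPDX gives
    AND higher precedence than OR, hence the split order. Parentheses and the
    WITH exception operator are not parsed: such expressions are returned as
    unknown so a human reviews them.
    """
    expr = expr.strip()
    if "(" in expr or " WITH " in expr:
        return "unknown"
    choices = []
    for disjunct in re.split(r"\s+OR\s+", expr):
        conjuncts = [classify_id(t.strip()) for t in re.split(r"\s+AND\s+", disjunct)]
        choices.append(max(conjuncts, key=RANK.get))
    return min(choices, key=RANK.get)


def component_class(component: dict) -> str:
    """Classify one CycloneDX component from its 'licenses' array."""
    entries = component.get("licenses") or []
    if not entries:
        return "unknown"  # no licence recorded: must be established manually
    classes = []
    for entry in entries:
        if "expression" in entry:
            classes.append(classify_expression(entry["expression"]))
        else:
            lic = entry.get("license", {})
            # A free-text 'name' rather than an SPDX 'id' cannot be classified here.
            classes.append(classify_id(lic["id"]) if "id" in lic else "unknown")
    # Several separate entries are treated as cumulative (AND); this is the
    # conservative reading and an assumption of this example.
    return max(classes, key=RANK.get)


def audit_sbom(sbom_text: str) -> dict:
    """Group every component in the SBOM by obligation class, sorted by name@version."""
    sbom = json.loads(sbom_text)
    report = {cls: [] for cls in RANK}
    for comp in sbom.get("components", []):
        report[component_class(comp)].append(f"{comp.get('name')}@{comp.get('version', '?')}")
    for items in report.values():
        items.sort()
    return report


def blocking_components(sbom_text: str) -> list:
    """Components that must be resolved before a closed derivative is distributed."""
    report = audit_sbom(sbom_text)
    return report["strong-copyleft"] + report["unknown"]


# Constructed SBOM for this example; component names and versions are invented.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "components": [
        {"type": "library", "name": "web-framework", "version": "4.2.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "pdf-renderer", "version": "1.9.3",
         "licenses": [{"expression": "LGPL-2.1-or-later OR GPL-3.0-only"}]},
        {"type": "library", "name": "crypto-utils", "version": "3.1.0",
         "licenses": [{"expression": "Apache-2.0 AND GPL-2.0-or-later"}]},
        {"type": "library", "name": "report-engine", "version": "0.8.0",
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        {"type": "library", "name": "legacy-parser", "version": "2.0.1",
         "licenses": [{"license": {"name": "see NOTICE file"}}]},
        {"type": "library", "name": "vendored-snippet", "version": "0.0.1"},
    ],
})

if __name__ == "__main__":
    for cls, items in audit_sbom(SAMPLE_SBOM).items():
        print(f"{cls:16s} {', '.join(items) or '-'}")
```

In practice you would feed `audit_sbom` the CycloneDX output of your build's SBOM generator rather than the embedded sample. Two design points matter for a real audit: a dual-licensed component (`OR`) is resolved to the option with the fewest obligations, since the consumer gets to choose, while an `AND` and any component with no SPDX identifier at all is pushed towards the "unknown" bucket, because the cost of wrongly clearing a strong-copyleft dependency is far higher than the cost of a human looking at it.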
It will be interesting to see how this plays out over time, but it seems ironic that on the one hand the government expects small Open Source developers to work within a regulatory framework (at great expense, for free) while that work is then consumed by Government projects which then, potentially, choose to opt out of that very same framework. Far be it from me to utter the word "Hypocrisy", but for the average large project that uses maybe 2000+ Open Source components, I do wonder what would happen if all the authors followed the NHS's lead …