Open source tools and public goods
Britain wrote the rules on open government code and remains Europe's top open source contributor; the sector produces over a quarter of UK digital value. Yet by 2026 the state is retreating from its own playbook: the NHS deleted its open source policy, government data rots unowned, and while Germany pays the maintainers of critical code, the UK buys AI equity stakes instead.
The gaps here are mostly about maintenance: the unglamorous work every funder skips. Nobody pays the volunteers whose code the state runs on, nobody audits the open-by-default rule, nobody keeps reference data current, and charities are locked out of platforms taxpayers already built. Almost every fix has a working model abroad, ready to copy.
Full landscape notes (July 2026)
The UK was an early leader: the 2012 Service Standard and Technology Code of Practice made government code "open by default", GDS's alphagov GitHub became a global reference, and OpenUK finds open source contributes 27% of UK digital GVA, with the UK the top OSS contributor in Europe. By mid-2026 policy and practice have diverged sharply. NHS England quietly deleted its open source policy pages (December 2025) and in May 2026 adopted a default-closed posture on its code over AI security concerns, prompting an open letter from 70+ signatories. data.gov.uk's own team admits over 25% of links are broken after "underinvestment since 2017"; GDS's canonical Registers programme was retired in 2021. There is no UK analogue of Germany's Sovereign Tech Fund (over €24.6m deployed to 60+ critical open source projects), and the EU dropped Next Generation Internet from Horizon Europe's 2025 work programme, closing the NLnet small-grant route. Counter-currents exist: the Software Sustainability Institute's £4.8m UKRI Research Software Maintenance Fund (2025) is the first of its kind; LocalGov Drupal's steward, Open Digital Cooperative, is profitably self-sustaining across ~60 councils; OpenSAFELY won £17m over seven years from Wellcome; DSIT's National Data Library completed discovery with £100m+ backing; UKRI contracted OpenUK (October 2025) to draft public-sector open source guidance; and GDS Local is consulting on an open source assurance process. Government money, however, flows to sovereign AI (a £500m equity fund) rather than the open infrastructure underneath it.
The gaps (13)
No UK Sovereign Tech Fund for maintaining critical open source infrastructure
Germany pays the maintainers of critical code. Britain free-rides.
No cross-government Open Source Programme Office to own the 'open by default' policy
Britain wrote the open-code playbook, then forgot to appoint anyone to run it.
No national assurance service giving public bodies confidence in open source products
Every council vets the same software alone. Most give up and buy proprietary.
No open national address file: PAF remains a proprietary Royal Mail asset
Royal Mail owns the country's address list. Everyone else rents their own geography back.
No statutory duty or function for maintaining canonical government reference data
A quarter of links on the government's own data site lead nowhere.
No UK small-grants vehicle for public-interest internet technology (NGI analogue)
Europe's small-grant tap for public-interest tech has closed. Britain never had one.
Research software maintenance funding is a one-off pilot, not a recurring budget line
British science runs on software funded to be born, never to be kept alive.
Charities and civil society are locked out of government platform infrastructure
Government built the tools, published the code, then locked charities out anyway.
No institutional home for open code in the NHS, and an active retreat from it
The NHS ran national Covid research on open code. Then it went closed by default.
No census of the critical open source dependencies underpinning UK government and CNI
No one has ever listed the open source code the British state actually runs on.
Open source procurement policy exists on paper but has no weighting, audit or skills behind it
'Consider open source' has been the rule since 2012. Nobody ever checked the homework.
No UK support scheme for open source maintainers facing EU Cyber Resilience Act obligations
New EU cyber rules bind UK open source maintainers. Nobody here helps them comply.
No bridge between crypto public-goods funding and UK civil society
Crypto funders give millions to public goods. British charities lack a way to accept it.
Who is already here: key actors (15)
- OpenUK (nonprofit industry body): Advocacy and research body for UK open technology; publishes State of Open reports (27% of digital GVA claim); contracted by UKRI in October 2025 to write public-sector open source guidance including a sovereign tech fund recommendation.
- Government Digital Service (GDS, within DSIT) (government body): Owns the Service Standard and Technology Code of Practice 'open by default' rules; GDS Local's 'Sourcing the Stack' (May 2026) is building the first cross-government open source assurance criteria.
- Department for Science, Innovation and Technology (DSIT) (government department): Owns the National Data Library, data.gov.uk reset, Software Security Code of Practice and commissioned OSS supply-chain research; currently funds sovereign AI, not open infrastructure.
- Software Sustainability Institute (SSI) (research institute/programme): Runs the £4.8m UKRI Research Software Maintenance Fund (13 projects in round 1, 2025; round 2 opened January 2026), the UK's only dedicated software maintenance fund.
- Open Digital Cooperative (LocalGov Drupal) (cooperative): Steward of LocalGov Drupal, used by ~60 councils and 23 vendors; became self-sustaining on member subscriptions after ~£1m of DLUHC Local Digital Fund grants ended in 2023; councils save £30k-£90k per website rebuild.
- Bennett Institute for Applied Data Science (University of Oxford) (university institute): Builds OpenSAFELY and OpenPrescribing, open source NHS data infrastructure; long-running funding precarity eased by £17m from Wellcome (2025), illustrating dependence on philanthropy rather than NHS core budgets.
- Open Data Institute (ODI) (nonprofit): Founded 2012 by Berners-Lee and Shadbolt; data stewardship training, standards and policy work; fed evidence into the National Data Library discovery phase.
- mySociety / SocietyWorks (charity with trading subsidiary): Runs TheyWorkForYou, WhatDoTheyKnow and FixMyStreet: de facto national civic infrastructure funded by foundations plus commercial income, with no dedicated UK funding stream for such infrastructure.
- Centre for Public Data (nonprofit): Anna Powell-Smith's non-partisan data-policy body; leads the Open Address File UK campaign and has asked Ofcom to review Royal Mail's Postcode Address File licensing.
- Society of Research Software Engineering (professional body/charity): Professional association for the UK's research software engineers; the RSE career track the UK invented still lacks recurring maintenance funding.
- National Cyber Security Centre (NCSC) (government body): Publishes SBOM and supply-chain guidance and warns of active dependency-compromise attacks, but runs no inventory of or support scheme for the open source the state depends on.
- Apperta Foundation (community interest company): Clinician-led CIC promoting open platforms in health (steward of the OpenEyes EPR); still operating but small, and now swimming against NHS England's 2026 default-closed code posture.
- UKRI / Innovate UK (funder): Funds the Digital Research Infrastructure programme (host of the SSI maintenance fund) and is the administering body proposed for a UK open-source fund by both OpenUK and the UK Day One paper.
- National Data Library (DSIT programme) (government programme): £100m+ programme; completed discovery January 2026 with five kickstarter projects; absorbing data.gov.uk and shifting it from passive aggregation to curation; details due spring 2026.
- Open Rights Group (campaign group): Running a 'Demand UK Digital Sovereignty' campaign pushing government away from proprietary hyperscaler dependence toward open alternatives.
Funders active or plausible here (12)
- UKRI (Innovate UK, EPSRC and the Digital Research Infrastructure programme; host of the SSI maintenance fund and proposed administrator of a UK open-source fund)
- DSIT (National Data Library £100m+, £500m Sovereign AI Fund, digital centre of government budgets; the natural home for a sovereign tech fund)
- Wellcome Trust (£17m to OpenSAFELY 2025; £600m with government for the Health Data Research Service)
- NHS England (platform and EPR budgets; currently funds almost no open source stewardship)
- MHCLG (former DLUHC Local Digital Fund, ~£1m to LocalGov Drupal, now closed; an obvious vehicle to revive)
- Nesta (innovation foundation; past digital/civic tech funder)
- The National Lottery Community Fund (ran a Digital Fund, now closed)
- Charitable trusts funding civic tech at the margins (Joseph Rowntree trusts, Paul Hamlyn, Worshipful Company of Information Technologists small grants)
- US/international philanthropy currently substituting for UK funders (Omidyar Network, Open Society, Sloan/Ford digital infrastructure funds)
- Corporate open source money (GitHub Sponsors, Google/Microsoft OSS programmes, Linux Foundation/OpenSSF Alpha-Omega)
- EU Horizon Europe (UK associated; NGI cascade-grant route via NLnet cut from 2025)
- Member subscriptions (the Open Digital Cooperative council/supplier model; proven self-sustaining route once seed-funded)
Policy notes
'Open by default' has been UK policy since 2012 (Service Standard; Technology Code of Practice point 3) but has no institutional owner, no compliance measurement and no funding arm: a policy without a programme. NHS England's 2025-26 retreat to default-closed code shows how easily it evaporates. The Procurement Act 2023 and G-Cloud 15 modernised process but created no duty to weigh open source. The Cyber Security and Resilience Bill (report stage June 2026) is, unlike the EU Cyber Resilience Act, silent on open source stewardship. DSIT's activity is analytic (commissioned OSS supply-chain research, a voluntary Software Security Code of Practice), not financial. The National Data Library (further details due spring 2026) is the main live data policy and the natural host for register reform and open address data. The 2026 Digital and Technologies Sector Plan update funds sovereign AI equity, not open digital infrastructure; OpenUK's UKRI-commissioned guidance is the nearest thing to an emerging strategy.