Domain 2 of 18

Open source tools and public goods

Britain wrote the rules on open government code and remains Europe's top open source contributor; the sector produces over a quarter of UK digital value. Yet by 2026 the state is retreating from its own playbook: the NHS deleted its open source policy, government data rots unowned, and while Germany pays the maintainers of critical code, the UK buys AI equity stakes instead.

The gaps here are mostly about maintenance: the unglamorous work every funder skips. Nobody pays the volunteers whose code the state runs on, nobody audits the open-by-default rule, nobody keeps reference data current, and charities are locked out of platforms taxpayers already built. Almost every fix has a working model abroad, ready to copy.

Full landscape notes (July 2026)

The UK was an early leader: the 2012 Service Standard and Technology Code of Practice made government code "open by default", GDS's alphagov GitHub became a global reference, and OpenUK finds open source contributes 27% of UK digital GVA, with the UK the top OSS contributor in Europe. By mid-2026 policy and practice have diverged sharply. NHS England quietly deleted its open source policy pages (December 2025) and in May 2026 adopted a default-closed posture on its code over AI security concerns, prompting an open letter from 70+ signatories. data.gov.uk's own team admits over 25% of links are broken after "underinvestment since 2017"; GDS's canonical Registers programme was retired in 2021. There is no UK analogue of Germany's Sovereign Tech Fund (over €24.6m deployed to 60+ critical open source projects), and the EU dropped Next Generation Internet from Horizon Europe's 2025 work programme, closing the NLnet small-grant route. Counter-currents exist: the Software Sustainability Institute's £4.8m UKRI Research Software Maintenance Fund (2025) is the first of its kind; LocalGov Drupal's steward, Open Digital Cooperative, is profitably self-sustaining across ~60 councils; OpenSAFELY won £17m over seven years from Wellcome; DSIT's National Data Library completed discovery with £100m+ backing; UKRI contracted OpenUK (October 2025) to draft public-sector open source guidance; and GDS Local is consulting on an open source assurance process. Government money, however, flows to sovereign AI (a £500m equity fund) rather than the open infrastructure underneath it.

The gaps (13)

13urgency 4fundingShort (0–2y)State-led

No UK Sovereign Tech Fund for maintaining critical open source infrastructure

Germany pays the maintainers of critical code. Britain free-rides.

14urgency 1institutionalShort (0–2y)State-led

No cross-government Open Source Programme Office to own the 'open by default' policy

Britain wrote the open-code playbook, then forgot to appoint anyone to run it.

15urgency 2toolingShort (0–2y)Build together

No national assurance service giving public bodies confidence in open source products

Every council vets the same software alone. Most give up and buy proprietary.

16urgency 3policyMid (2–7y)State-led

No open national address file: PAF remains a proprietary Royal Mail asset

Royal Mail owns the country's address list. Everyone else rents their own geography back.

17urgency 2institutionalMid (2–7y)State-led

No statutory duty or function for maintaining canonical government reference data

A quarter of links on the government's own data site lead nowhere.

18urgency 2fundingShort (0–2y)Build now

No UK small-grants vehicle for public-interest internet technology (NGI analogue)

Europe's small-grant tap for public-interest tech has closed. Britain never had one.

19urgency 2fundingShort (0–2y)State-led

Research software maintenance funding is a one-off pilot, not a recurring budget line

British science runs on software funded to be born, never to be kept alive.

20urgency 2institutionalShort (0–2y)Build now

Charities and civil society are locked out of government platform infrastructure

Government built the tools, published the code, then locked charities out anyway.

21urgency 4institutionalMid (2–7y)Build together

No institutional home for open code in the NHS, and an active retreat from it

The NHS ran national Covid research on open code. Then it went closed by default.

22urgency 2knowledgeShort (0–2y)Build together

No census of the critical open source dependencies underpinning UK government and CNI

No one has ever listed the open source code the British state actually runs on.

23urgency 4policyShort (0–2y)State-led

Open source procurement policy exists on paper but has no weighting, audit or skills behind it

'Consider open source' has been the rule since 2012. Nobody ever checked the homework.

24urgency 3coordinationMid (2–7y)Build now

No UK support scheme for open source maintainers facing EU Cyber Resilience Act obligations

New EU cyber rules bind UK open source maintainers. Nobody here helps them comply.

153urgency 1coordinationMid (2–7y)Build now

No bridge between crypto public-goods funding and UK civil society

Crypto funders give millions to public goods. British charities lack a way to accept it.

Who is already here: key actors (15)
  • OpenUK (nonprofit industry body): Advocacy and research body for UK open technology; publishes State of Open reports (27% of digital GVA claim); contracted by UKRI in October 2025 to write public-sector open source guidance including a sovereign tech fund recommendation.
  • Government Digital Service (GDS, within DSIT) (government body): Owns the Service Standard and Technology Code of Practice 'open by default' rules; GDS Local's 'Sourcing the Stack' (May 2026) is building the first cross-government open source assurance criteria.
  • Department for Science, Innovation and Technology (DSIT) (government department): Owns the National Data Library, data.gov.uk reset, Software Security Code of Practice and commissioned OSS supply-chain research; currently funds sovereign AI, not open infrastructure.
  • Software Sustainability Institute (SSI) (research institute/programme): Runs the £4.8m UKRI Research Software Maintenance Fund (13 projects in round 1, 2025; round 2 opened January 2026), the UK's only dedicated software maintenance fund.
  • Open Digital Cooperative (LocalGov Drupal) (cooperative): Steward of LocalGov Drupal, used by ~60 councils and 23 vendors; became self-sustaining on member subscriptions after ~£1m of DLUHC Local Digital Fund grants ended in 2023; councils save £30k-£90k per website rebuild.
  • Bennett Institute for Applied Data Science (University of Oxford) (university institute): Builds OpenSAFELY and OpenPrescribing, open source NHS data infrastructure; long-running funding precarity eased by £17m from Wellcome (2025), illustrating dependence on philanthropy rather than NHS core budgets.
  • Open Data Institute (ODI) (nonprofit): Founded 2012 by Berners-Lee and Shadbolt; data stewardship training, standards and policy work; fed evidence into the National Data Library discovery phase.
  • mySociety / SocietyWorks (charity with trading subsidiary): Runs TheyWorkForYou, WhatDoTheyKnow and FixMyStreet: de facto national civic infrastructure funded by foundations plus commercial income, with no dedicated UK funding stream for such infrastructure.
  • Centre for Public Data (nonprofit): Anna Powell-Smith's non-partisan data-policy body; leads the Open Address File UK campaign and has asked Ofcom to review Royal Mail's Postcode Address File licensing.
  • Society of Research Software Engineering (professional body/charity): Professional association for the UK's research software engineers; the RSE career track the UK invented still lacks recurring maintenance funding.
  • National Cyber Security Centre (NCSC) (government body): Publishes SBOM and supply-chain guidance and warns of active dependency-compromise attacks, but runs no inventory of or support scheme for the open source the state depends on.
  • Apperta Foundation (community interest company): Clinician-led CIC promoting open platforms in health (steward of the OpenEyes EPR); still operating but small, and now swimming against NHS England's 2026 default-closed code posture.
  • UKRI / Innovate UK (funder): Funds the Digital Research Infrastructure programme (host of the SSI maintenance fund) and is the administering body proposed for a UK open-source fund by both OpenUK and the UK Day One paper.
  • National Data Library (DSIT programme) (government programme): £100m+ programme; completed discovery January 2026 with five kickstarter projects; absorbing data.gov.uk and shifting it from passive aggregation to curation; details due spring 2026.
  • Open Rights Group (campaign group): Running a 'Demand UK Digital Sovereignty' campaign pushing government away from proprietary hyperscaler dependence toward open alternatives.
Funders active or plausible here (12)
  • UKRI (Innovate UK, EPSRC and the Digital Research Infrastructure programme; host of the SSI maintenance fund and proposed administrator of a UK open-source fund)
  • DSIT (National Data Library £100m+, £500m Sovereign AI Fund, digital centre of government budgets; the natural home for a sovereign tech fund)
  • Wellcome Trust (£17m to OpenSAFELY 2025; £600m with government for the Health Data Research Service)
  • NHS England (platform and EPR budgets; currently funds almost no open source stewardship)
  • MHCLG (former DLUHC Local Digital Fund, ~£1m to LocalGov Drupal, now closed; an obvious vehicle to revive)
  • Nesta (innovation foundation; past digital/civic tech funder)
  • The National Lottery Community Fund (ran a Digital Fund, now closed)
  • Charitable trusts funding civic tech at the margins (Joseph Rowntree trusts, Paul Hamlyn, Worshipful Company of Information Technologists small grants)
  • US/international philanthropy currently substituting for UK funders (Omidyar Network, Open Society, Sloan/Ford digital infrastructure funds)
  • Corporate open source money (GitHub Sponsors, Google/Microsoft OSS programmes, Linux Foundation/OpenSSF Alpha-Omega)
  • EU Horizon Europe (UK associated; NGI cascade-grant route via NLnet cut from 2025)
  • Member subscriptions (the Open Digital Cooperative council/supplier model; proven self-sustaining route once seed-funded)
Policy notes

'Open by default' has been UK policy since 2012 (Service Standard; Technology Code of Practice point 3) but has no institutional owner, no compliance measurement and no funding arm: a policy without a programme. NHS England's 2025-26 retreat to default-closed code shows how easily it evaporates. The Procurement Act 2023 and G-Cloud 15 modernised process but created no duty to weigh open source. The Cyber Security and Resilience Bill (report stage June 2026) is, unlike the EU Cyber Resilience Act, silent on open source stewardship. DSIT's activity is analytic (commissioned OSS supply-chain research, a voluntary Software Security Code of Practice), not financial. The National Data Library (further details due spring 2026) is the main live data policy and the natural host for register reform and open address data. The 2026 Digital and Technologies Sector Plan update funds sovereign AI equity, not open digital infrastructure; OpenUK's UKRI-commissioned guidance is the nearest thing to an emerging strategy.