No institutional home for open code in the NHS, and an active retreat from it
NHS England's open source policies lapsed when NHSX was merged away in 2021; the policy pages were quietly deleted in December 2025, and in May 2026 NHSE adopted a default-closed posture on its source code citing AI-related security risks, drawing an open letter (74 signatories, May 2026) asking it to keep code open. Meanwhile the EPR rollout (95% of trusts by March 2026) locks in proprietary vendors with no open-code or open-API conditions. Partial coverage: the Apperta Foundation (clinician-led CIC, steward of OpenEyes) is small and industry-supported; OpenSAFELY/OpenPrescribing are funded by Wellcome (£17m over seven years) and grants: philanthropy substituting for an NHS core responsibility.
Health tech is where UK open source once led (OpenSAFELY ran national COVID research on open code) and where lock-in costs most. A closed-by-default NHS forfeits scrutiny, reuse across 200+ trusts, and negotiating power against EPR vendors.
A reinstated NHS open source policy with a named accountable owner; open-code and open-API conditions in EPR and framework procurements; and a modest NHS stewardship fund maintaining clinically critical open software, contracted through bodies like Apperta or the Bennett Institute.
// Build together: Counterparty: NHS England/DHSC; pilot possible with one volunteer ICB or trust adopting open-code procurement conditions.
EPR lock-in completes this year while NHS England just went default-closed and deleted its policy, so the window to keep clinically critical code open is closing now.