NHS England restricts open source code access citing AI-driven security risks, triggering a sharp debate over transparency versus cybersecurity.
NHS England is moving to a default-closed model for its software code, marking a significant shift away from open source practices amid rising AI-related security concerns.
From 11 May 2026, all source code repositories will be private by default, with public access allowed only under “explicit and exceptional need” and subject to Engineering Board approval. The move reflects growing fears around advanced AI systems such as the Mythos model, which can ingest, analyse, and infer insights from large-scale codebases—potentially exposing sensitive architecture, configurations, and contextual information.
An NHS England spokesperson said: “We are temporarily restricting access to some NHS England source code to further strengthen cyber security while we assess the impact of rapid developments in AI models. We will continue to publish source code where there is a clear need.”
Internal guidance warns that public repositories “materially increase the risk of unintended disclosure” and establishes a “default-closed posture” while risks are assessed. Teams must seek exemptions by 6 May 2026.
Cybersecurity expert Saif Abed called the move “a sensible temporary step,” but urged a transparent, funded mitigation strategy.
However, open source advocate Terence Eden criticised the decision, stating:
“Don’t let them take away your right to see the code which underpins our nation’s healthcare.”
The shift has sparked backlash, including an open letter signed by 74 supporters. NHS England had previously published code on GitHub, enabling reuse and cost efficiency, but removed its open source policy pages in December 2025—signalling a deeper policy reset now driven by AI-era risks.