
Open Source Retreat 2026: Why UK GDS Publicly Criticized NHS Digital Security Policy

The UK Government Digital Service has issued a major policy statement advocating for 'open by default,' implicitly criticizing the NHS's recent decision to close its open source repositories. This represents a significant internal disagreement within the UK civil service over digital security strategy. The NHS's move was prompted by vulnerabilities uncovered by an AI-powered security research project.


The UK Government Digital Service (GDS) has issued a stark, public rebuke of the National Health Service's 2026 decision to retreat from its open source commitments, marking a significant fracture within government digital policy. According to analysis by blogger and open source advocate Terence Eden, the GDS's newly published guidance, "AI, open code and vulnerability risk in the public sector", serves as a direct counterpoint to the NHS's controversial action. The core of the disagreement centers on the NHS's decision to close public access to its code repositories following the discovery of security vulnerabilities by Project Glasswing, an AI-powered security research initiative.

Civil Service Protocol and Public Policy Disagreement

Terence Eden interprets the GDS statement as a major escalation within the normally discreet UK Civil Service. He notes that such public disagreements are rare, often described internally as "a meeting without biscuits"—a frosty discussion devoid of customary politeness.

GDS Open Source Guidance vs NHS Action

The GDS guidance, published on May 14th, 2026, does not mention the NHS specifically, but its central recommendation is unequivocal: "Keep open by default. Making everything private adds additional delivery and policy costs, and can reduce reuse and scrutiny. Openness should remain the default posture, with closure used sparingly and deliberately." This principle stands in direct opposition to the NHS's wholesale closure of repositories, which Eden had previously criticized as a "poorly considered decision" and a "war against open source."

Project Glasswing: AI Security Discovery Trigger

The NHS's action was triggered by Project Glasswing, a 2026 research project that used AI tools to scan public code repositories for vulnerabilities. When these vulnerabilities were responsibly reported to the NHS, the organization's response was to remove its code from public view, effectively shutting down the open source collaboration and scrutiny that GDS argues is vital.

Security Through Transparency Debate

This knee-jerk reaction, closing the code rather than addressing the flaws, has sparked a critical debate about the balance between transparency and security in public sector technology. Key questions include:

  • Does closing code actually improve digital security?
  • How should public sector organizations handle vulnerability disclosures?
  • What are the policy costs of retreating from open source?

The Strategic Value of Open Source in Government

The Government Digital Service has long championed open source as a cornerstone of efficient and accountable digital government. Industry case studies, such as those highlighted by Sirius Open Source, underscore GDS's role in promoting reusable, transparent technology across the public sector.

Open By Default Policy Benefits

The "open by default" policy is designed to foster collaboration, reduce costs through shared solutions, and enhance security through continuous, public scrutiny—a concept known as "many eyes" making bugs shallow. Key advantages include:

  • Reduced delivery and policy costs through code reuse
  • Enhanced security through community scrutiny
  • Increased public sector innovation collaboration
  • Greater accountability in government technology

Closed Model Risks and Costs

By moving to a closed model in 2026, the NHS not only incurs the "additional delivery and policy costs" warned of by GDS but also isolates itself from the broader ecosystem of government digital innovation. It loses the potential for other agencies or the private sector to reuse and improve upon its code, and it removes a layer of public accountability.

AI-Powered Security Analysis Tension

The clash highlights a fundamental tension in the age of AI-powered security analysis. Tools like those used in Project Glasswing can rapidly expose weaknesses in public code.

NHS Risk Assessment vs GDS Opportunity View

The NHS viewed this exposure as a risk requiring retreat. The GDS, and many in the open source community, view it as an opportunity for improvement and a reason to strengthen, not abandon, open practices. The guidance suggests that responsible vulnerability disclosure processes and prompt patching are the correct responses, not secrecy.

2026 Digital Transparency Test Case

This incident serves as a critical test case for the UK's commitment to digital transparency in 2026. As public services increasingly rely on complex software, the principles of open government extend into the code itself.

Future Implications for Public Sector IT

The Government Digital Service's public stance reinforces that retreating from open source is not a viable security strategy but a step backwards in efficiency, collaboration, and public trust. The outcome of this internal policy dispute will likely shape how other UK public bodies handle similar security disclosures in the future, determining whether openness remains the default or if fear prompts a wider retreat from transparency.

For more information on government digital policy, explore the Government Digital Service official guidance and read Terence Eden's detailed analysis of this open source policy clash.
