NHS England Prepares to Restrict Public Access to Source Code

NHS England is preparing new internal guidance that would shift most publicly funded software repositories to a private setting unless an explicit exception is granted. This development is relevant because it represents a change from previous practices that promoted open access to code developed with public funds.

The guidance, reportedly referred to as “SDLC-8,” is being developed in response to concerns that artificial intelligence systems such as Mythos could analyse public code repositories to identify vulnerabilities. According to information circulated among NHS staff and developers, the policy is expected to take effect around 11 May 2026.

According to a Reddit post quoting guidance shared with New Scientist, the draft policy states that all source code repositories must be private by default, and public access would require formal approval in exceptional cases. This approach would reverse the previous default of making publicly funded code openly accessible.

The Free Software Foundation Europe stated that removing code from public view does not prevent attackers from examining deployed systems or binaries. The organisation also stated that depublishing code is not an effective security measure.

What the numbers show

• The policy is expected to take effect around 11 May 2026
• All repositories would be private by default unless an explicit exception is approved
• The guidance is internally referred to as “SDLC-8.”

The Free Software Foundation Europe noted that the proposed change would contradict NHS England’s own Service Standard and UK government guidance, which require publicly funded software to be open and reusable by default. The organisation also stated that the move could reduce transparency and hinder independent scrutiny.

The policy shift appears to conflict with NHS England’s previously stated commitment to transparency, including its efforts to promote open data and open access to insights by default. NHS England has previously published updates on its transparency initiatives, emphasising open access as a standard practice.

Discussions among NHS staff and developers indicate that the proposed guidance has been circulated informally, but there has been no official public statement from NHS England confirming the details or rationale for the change. The absence of a formal announcement leaves some questions about the final scope and implementation of the policy.

Industry reaction

The Free Software Foundation Europe stated that restricting access to source code does not address underlying security risks and contradicts established government policies on openness. The organisation also stated that the move would not prevent attackers from analysing software through other means.

Some critics, according to the Free Software Foundation Europe, have stated that making repositories private could reduce transparency and limit opportunities for independent review, while not necessarily improving security outcomes.

* This article is based on publicly available information at the time of writing.