DSIT to Unleash Legacy IT Action Plan Backed by Data Collection on ‘Thousands’ of Ageing Systems

Legacy technology has become a silent threat within the UK public sector, with the State of Digital Government review revealing that over a quarter of systems are already outdated. While the 2025 figures focused on high‑impact services, a recent internal letter admits that the true scale is far larger, encompassing countless non‑critical applications that remain invisible to risk managers. This hidden inventory not only inflates maintenance costs but also widens the attack surface for cyber‑criminals, especially as recent reports show a doubling of nationally significant cyber incidents.

In response, DSIT is restarting a systematic data‑collection programme aimed at cataloguing every legacy asset by early 2026. The initiative will feed into a refreshed risk‑assessment framework that scores each system on vendor support, workforce expertise, and downtime risk on a 30‑point scale, with scores of 16 or higher flagged as red‑rated. By quantifying risk in a uniform manner, departments can prioritize upgrades for the most vulnerable applications and avoid the ad‑hoc, reactive fixes that have plagued past modernization efforts.

Financial oversight is a critical component of the new strategy. Following a substantial legacy‑tech funding boost in the last spending review, the Treasury and the Government Digital Service will jointly monitor departmental spend to ensure earmarked resources are not diverted. This fiscal vigilance, combined with the upcoming Legacy IT Action Plan, signals a shift toward proactive governance, aiming to curb the creation of new legacy systems while systematically retiring the old, thereby strengthening the resilience of public services against future cyber threats.