Minister reveals that programme to address biggest areas of risk in department’s software estate has mitigated issues with scores of apps, with others coming in scope over the next year

The Department for Environment, Food and Rural Affairs has revealed that an £80m programme to address cybersecurity risks has so far tackled critical legacy technology issues in more than 180 software programs.

The Legacy Applications Programme is a four-year initiative that began work in 2021, backed by funding of £78.5m – including £32.2m during its first year, according to information from the National Audit Office.

A study from the NAO published a little over a year ago found that about one in three of the nearly 2,000 applications in use across Defra and its main arm’s-length agencies were no longer supported by the supplier.

By the time of the report’s publication, the department was already about two-fifths of the way through delivery of the legacy remediation project, which aims “to reduce security risk and end the use of outsourced data centres… [before then] stabilising existing applications by moving them to modern, cloud-based hosting”, according to the NAO.

The audit agency reported that, as of late 2022, Defra was “making steady progress towards completing the initial phase” of the scheme. Thirteen months on, as the project approaches its final year of delivery, the Legacy Applications Programme has now worked to minimise the most severe risks created by almost 200 ageing software platforms, according to farming minister Mark Spencer.

Related content

• Defra to spend £43m this year on addressing ageing apps
• Defra to create UK-wide digital system to collect rubbish information
• Defra launches developer recruitment drive

“We continue to invest in replacing legacy IT systems, both through the dedicated upgrade programmes and through major programme deliveries,” he said, in response to a written parliamentary question from Labour MP Julie Elliott. “Our Legacy Applications Programme is addressing technical debt which includes exiting from old data centres, removing obsolescence, bringing applications into mainstream support, and improving their security posture. Over 180 applications have had their most critical legacy technology addressed through this programme.”

The minister added that, for other platforms that continue to use ageing technology, the work of the legacy software-focused scheme is complemented by other Defra programmes of work taking place to support wider technological and operational reform.

“We are addressing legacy technology in other applications through digital transformation and policy programmes where this provides a better coordinated approach,” Spencer said. “This approach has enabled us to remediate the most critical legacy technology and continue to remediate priority applications to April 2025.”

Beyond the conclusion of the Legacy Applications Programme, the NAO report said that Defra expects the totality of work needed to fully address legacy risk and transform dated systems and processes is expected to take at least 10 years.

Despte the progress cited by the minister, in his recent annual speech to parliaments, NAO head Gareth Davies told MPs that “Defra spends more than three quarters of its digital budget maintaining ageing systems”.