Senior officials acknowledge that existing info on outdated platforms is ‘incomplete’ and does not reflect the true scale of the issue outside of systems that underpin the most critical services

Government’s digital centre is to collect data to map the extent of what it believes are “thousands” of legacy IT systems in use across departments, before releasing a new “action plan” intended to address the problem.

The State of digital government review published in January 2025 reported that, in the  average public body, 28% of tech systems were consider legacy.

But, 14 months on, “current legacy IT data is incomplete and focuses on the most critical service systems, with thousands of non-critical legacy systems still unidentified”, according to a recent letter written by government chief data officer Aimee Smith and chief security officer Vincent Devine.

But the missive – sent on request to parliament’s Science, Innovation and Technology Committee – pledges that Whitehall’s specialised digital department will take steps to gather more comprehensive information. This additional intelligence will then inform a new government-wide strategy to address the risks of ageing technology, according to Smith and Devine.

Related content

• MPs seek reassurance on DWP’s ‘highly challenging’ legacy IT plans
• Defra legacy mitigation framework aims to ‘prioritise the highest-impact activities’
• Legacy IT warning as UK hit with twice as many ‘nationally significant’ cyberattacks in past year

“DSIT is committed to refreshing the legacy risk assessment framework and restarting data collection in 2026,” the letter said. “PAC (the Public Accounts Committee) has recently asked to see a baselined list of legacy systems DSIT has identified.”

The document added: “DSIT will publish a comprehensive Legacy IT Action plan by the end of the year. It will describe our approach to fixing outdated legacy systems and prevent the creation of new ones, while departments work to address the ‘highest-risk’ systems.”

The risk framework referred to in the letter is intended to enable departments to assess the level of risk being caused by their technology estate. Using a scoring system based on factors such as availability of vendor support, workforce skills, and downtime issues, the framework awards each system a score out of 30. Anything from 16 upwards is consider ‘red-rated’ – which “signifies that the system is at a critical level of risk, where the likelihood of encountering issues or failures is significant, and the potential impact of these issues could be severe”, according to the guidance.

Following last year’s comprehensive spending review – in which hundreds of millions of pounds was awarded to departments to tackle legacy IT – the Government Digital Service and the Treasury have since collaborated to monitor departments’ ongoing spending and, where necessary, step in to prevent money intended to support tech upgrades being spent elsewhere.