Quick answer: the main problems with legacy systems are security vulnerabilities (unpatched known flaws), UK GDPR and Cyber Essentials compliance gaps, hidden running costs that typically run three to four times higher than modern alternatives, poor data quality and integration, difficulty attracting technical staff, weak customer experience and an inability to adopt AI and automation. In the UK in 2026 the pressure is rising: the Information Commissioner's Office issued around £41m in legacy-attributable fines between 2024 and early 2026, the Cyber Essentials April 2026 update makes multi-factor authentication mandatory for cloud services and the Data (Use and Access) Act 2025 is phasing in new obligations for secure data sharing.
In this guide:
- The seven critical problems legacy systems create - from security to integration.
- UK 2026 pressure points - £41m in ICO fines, Cyber Essentials MFA and the DUAA 2025.
- A decision framework for modernise vs maintain, plus the 5 Rs and UK SME case studies.
Written for UK IT leads, operations directors and business owners weighing up legacy systems in their own estate - what to worry about, when to act and how to plan a modernisation that's actually worth the investment.
Legacy systems are costing UK businesses a staggering £45 billion annually in lost productivity. If your organisation is still running on outdated technology, you're not alone - but you might be paying a much higher price than you realise, and the regulatory pressure to act is rising fast in 2026.
The problems with legacy systems go far beyond slow loading times and clunky interfaces. We're talking about security vulnerabilities that leave your business exposed, compliance risks that could land you with significant fines and hidden costs that drain your budget year after year. UK regulators are pushing harder, cyber-attack costs are rising and AI-era integration demands are exposing every creaky interface. Ignoring the problem is no longer the cheap option. In this guide we'll explore the seven critical problems, share fresh 2025-2026 UK data and case studies and help you decide when it's time to modernise.
What is a legacy system?
A legacy system is any technology, software or hardware that's become outdated but remains in use because it still performs essential business functions. These systems might have been cutting-edge when first installed, but technology moves fast, and what was revolutionary in 2010 can become a liability by 2025.
Legacy systems aren't always ancient. Sometimes software becomes "legacy" simply because the vendor has stopped supporting it, security patches are no longer available or it can't integrate with the modern tools your business needs. Common examples include:
- Outdated operating systems - like Windows XP or older versions of Windows Server that no longer receive security updates
- Custom-built software - developed decades ago in programming languages like COBOL that few developers now understand
- On-premise databases - that can't connect to modern cloud applications or analytics tools
- ERP systems - from the 1990s and 2000s that lack mobile access or modern reporting capabilities
Shockingly, research by Baringa found that 16% of UK banks still run software from the 1960s, and almost 40% maintain code from the 1970s. Even more concerning, half of these banks rely on just one or two staff members - often approaching retirement - who understand how these systems work.
The 7 critical problems with legacy systems
Let's break down the seven most damaging problems that legacy systems create for UK businesses. Understanding these issues is the first step toward making informed decisions about your technology future.
1. Security vulnerabilities that put your entire business at risk
Outdated systems are a hacker's dream. Legacy software often runs without the latest security patches, leaving known vulnerabilities wide open for exploitation. Cyber criminals actively target these weaknesses because they know many organisations haven't updated their defences - and in the UK SME market the attacker economics are particularly stark, because smaller teams often can't keep up with patching cadence even when vendors are still issuing updates.
Remember the WannaCry ransomware attack in 2017? It devastated NHS services across England precisely because many systems were running unpatched, unsupported versions of Microsoft Windows. Hospitals cancelled appointments, ambulances were diverted and patient records became completely inaccessible. The attack spread globally within hours, targeting organisations that hadn't applied available security patches.
The situation hasn't improved. In June 2024, Synnovis, a major pathology supplier for London hospitals including King's College Hospital and Guy's and St Thomas', suffered a devastating ransomware attack. The result? Over 10,000 outpatient appointments postponed, more than 1,700 elective procedures cancelled and up to 300 million patient records potentially compromised. The following year the NCSC Annual Review 2025 again pointed to ageing estates as a recurring factor in UK incidents, warning that unpatched legacy components remain an open door for adversaries targeting British organisations.
A 2025 ICO enforcement action against Advanced Computer Software Group makes the point concretely. Following the August 2022 ransomware attack that disrupted NHS 111, the ICO fined Advanced £3,076,320 - and explicitly cited failure to patch the known ZeroLogon vulnerability, limited vulnerability scanning and absence of multi-factor authentication on a public-facing environment. All three are classic legacy-estate failings.
A new 2026 pressure point: the Cyber Essentials April 2026 update makes MFA mandatory for all cloud services and promotes passwordless authentication. For any UK business that wants to hold or renew the certification - increasingly a requirement for public-sector and enterprise contracts - legacy authentication set-ups without modern MFA or federation need remediation. The practical fix is usually a modern identity provider in front of the legacy systems, not a retrofit of the legacy auth layer.
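What "an identity provider in front of the legacy system" looks like in practice is a small gateway that verifies the IdP's signed token and checks that MFA was actually used before any request reaches the legacy application. The following is an added illustration written for this article, not code from Red Eagle Tech, the NCSC or any identity product. It assumes a constructed token format (a JWT-style header.claims.signature with an HMAC-SHA256 shared secret; a real IdP would normally sign with an asymmetric key), an `amr` claim listing the authentication methods used, and a legacy app that trusts an `X-Authenticated-User` header only the gateway can set because it is not reachable any other way.

```python
"""Added example: an authentication gateway in front of a legacy app that
enforces the identity provider's MFA decision, so the legacy auth layer
never needs retrofitting. Illustrative only; token format, secret and
claims are constructed for this example.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed shared secret for the example (a real IdP would use asymmetric keys).
GATEWAY_SECRET = b"constructed-shared-secret-for-example-only"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(claims: dict, secret: bytes = GATEWAY_SECRET) -> str:
    """Stand-in for the identity provider: sign a claims set (constructed format)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str, now: float, secret: bytes = GATEWAY_SECRET) -> Optional[dict]:
    """Return the claims if the signature checks out and the token is unexpired, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    # Constant-time comparison: never compare MACs with ==.
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    claims = json.loads(_b64url_decode(body))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


def gateway_decision(token: Optional[str], now: float) -> Tuple[int, dict]:
    """Decide whether a request may be forwarded to the legacy app.

    Returns (HTTP status, headers to add for the legacy app). 401 means
    no usable token; 403 means a valid session that did not use MFA.
    """
    if not token:
        return 401, {}
    claims = verify_token(token, now)
    if claims is None:
        return 401, {}
    amr = claims.get("amr")
    if not isinstance(amr, list) or "mfa" not in amr:
        # Password-only session: refuse rather than fall back to legacy auth.
        return 403, {}
    return 200, {"X-Authenticated-User": claims["sub"]}


if __name__ == "__main__":
    now = time.time()
    good = issue_token({"sub": "alice", "exp": now + 300, "amr": ["pwd", "mfa"]})
    pwd_only = issue_token({"sub": "bob", "exp": now + 300, "amr": ["pwd"]})
    print(gateway_decision(good, now))      # (200, {'X-Authenticated-User': 'alice'})
    print(gateway_decision(pwd_only, now))  # (403, {})
```

The design point is that the MFA check lives in one place the legacy system cannot bypass: the app keeps its own session handling untouched, but only ever sees requests that the gateway has already tied to an MFA-backed identity. Expired, tampered and password-only tokens are all refused before the legacy code runs.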
2. Regulatory compliance risks and UK GDPR headaches
UK GDPR and the Data Protection Act set strict rules about how organisations handle personal data. Legacy systems, designed before these regulations existed, often can't meet modern compliance requirements - and the penalties are significant.
The UK regulatory landscape has moved on again in 2025-2026. The European Commission renewed the UK adequacy decisions in December 2025 for six years, to 27 December 2031, preserving the permission for EU-to-UK data transfers. At the same time, the Data (Use and Access) Act 2025 came into force on 19 June 2025 and is being phased in through June 2026, introducing new data-sharing and access frameworks that need fine-grained access controls, proper audit logging, secure APIs and the ability to respond to subject access requests at scale. Legacy systems that can't support those capabilities will need either modernisation or wrapping in newer interfaces that can.
Many legacy systems inadvertently generate UK GDPR violations without organisations even realising. These older systems typically operate on a "one size fits all" principle, producing outputs that contain far more information than specific recipients actually need. That directly contradicts the data minimisation principle, and the ICO's enforcement record shows it matters in practice.
Common compliance gaps in legacy systems include:
- No support for multi-factor authentication (now a Cyber Essentials April 2026 requirement for cloud services)
- Encryption that doesn't meet current standards
- Inadequate audit trails to show compliance
- No automated data retention management
- Inability to respond to subject access requests within regulatory timeframes
- Weak privileged-access controls - a recurring ICO finding in 2024-2026
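The data-minimisation point above (a legacy export that sends every field to every recipient) and the audit-trail, retention and subject-access gaps in the list are all addressable in a thin layer in front of the legacy output. The following is an added example written for this article, not ICO guidance code or anything from Red Eagle Tech's products. The customer record, the per-role field allow-lists and the retention periods are constructed; real values come from your own data-protection assessment.

```python
"""Added example: role-based data minimisation, a retention check and an
audit trail wrapped around a legacy 'one size fits all' customer record.
Illustrative only; the record, role policies and retention periods are
constructed for this example.
"""
from datetime import date, timedelta
from typing import Dict, List

# A legacy export that sends everything to everyone (constructed record).
LEGACY_RECORD = {
    "customer_id": "C-1001",
    "name": "A. Example",
    "email": "a.example@example.invalid",
    "postcode": "SW1A 1AA",
    "date_of_birth": "1980-05-12",
    "ni_number": "QQ123456C",
    "card_last4": "4242",
    "last_order": "2023-02-10",
}

# Field allow-list per recipient role: each role gets only what it needs.
# Note that ni_number and date_of_birth are on no list at all.
ROLE_FIELDS: Dict[str, List[str]] = {
    "marketing": ["customer_id", "name", "email"],
    "dispatch": ["customer_id", "name", "postcode"],
    "finance": ["customer_id", "name", "card_last4", "last_order"],
}

# Retention period in days after the last order, per role (constructed values).
RETENTION_DAYS: Dict[str, int] = {
    "marketing": 365 * 2,
    "dispatch": 365,
    "finance": 365 * 6,
}

# In-memory audit trail; in production this would be an append-only store.
AUDIT_LOG: List[dict] = []


def minimise(record: dict, role: str, requested_by: str, today_iso: str) -> dict:
    """Return only the fields the recipient role may see, and log the disclosure."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        # Fail closed: an unknown role gets nothing, not everything.
        raise PermissionError(f"no disclosure policy for role {role!r}")
    view = {k: record[k] for k in allowed if k in record}
    AUDIT_LOG.append({
        "when": today_iso,
        "who": requested_by,
        "role": role,
        "subject": record["customer_id"],
        "fields": sorted(view),
    })
    return view


def retention_due(record: dict, role: str, today_iso: str) -> bool:
    """True if this role's copy of the record is past its retention period."""
    last = date.fromisoformat(record["last_order"])
    return date.fromisoformat(today_iso) > last + timedelta(days=RETENTION_DAYS[role])


def subject_access_trail(customer_id: str) -> List[dict]:
    """Every logged disclosure about one data subject, as a SAR response needs."""
    return [e for e in AUDIT_LOG if e["subject"] == customer_id]


if __name__ == "__main__":
    print(minimise(LEGACY_RECORD, "marketing", "svc-mailer", "2026-04-01"))
    print(retention_due(LEGACY_RECORD, "marketing", "2026-04-01"))
    print(subject_access_trail("C-1001"))
```

Each disclosure is recorded with who asked, under which role and which fields were released, which is exactly the evidence an audit or a subject access request asks for; the retention check gives an automated basis for deletion rather than relying on someone remembering.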
The ICO's 2024-2026 enforcement record puts a price on those gaps: around £41m in legacy-attributable fines in that window. The Capita penalty notices (£14m combined) cited absent Active Directory tiering and missing Privileged Access Management. LastPass UK was fined £1.23m for weak device controls. PSNI was fined £750k in October 2024 after a breach exposed workforce data. These are a recurring pattern, not one-offs.
The global Equifax breach of 2017 - 148 million records exposed because of a known unpatched vulnerability, and more than £319m in penalties and settlements - is the textbook warning. But UK organisations don't need to look abroad for the lesson any more; the ICO is actively making it at home.
Three more 2026 regulatory pressures are worth noting:
- NIS2 - the UK hasn't directly transposed the EU's NIS2 Directive, but UK firms serving EU "essential and important entities" are drawn into its patching, incident-reporting and resilience obligations via contract.
- DORA - doesn't directly apply to UK firms, but UK financial-services businesses operating in or serving the EU must align with DORA's ICT-risk management, testing and third-party oversight expectations; legacy core-banking and payments systems are first in line.
- Online Safety Act 2023 - continues rolling out through 2026 (priority offences 8 January 2026, super-complaints regime February 2026, categorisation register July 2026); in-scope UK platforms need moderation and age-verification controls that many legacy architectures can't integrate.
3. Hidden costs that drain your budget
Here's an uncomfortable truth that catches many business leaders off guard: maintaining legacy systems typically costs three to four times more than running modern alternatives. The 2025 State of Digital Government Review puts UK public-sector tech spend at around £26 billion a year, with 28% of central-government digital systems red-rated as legacy. That red-rated share isn't evenly distributed - a small number of costly, high-risk systems typically account for an outsized proportion of the running bill, and the same pattern shows up inside UK SMEs.
These costs creep up in ways that aren't always obvious:
- Specialist expertise - finding programmers who understand COBOL or other legacy languages becomes increasingly expensive as they become scarce
- Hardware maintenance - spare parts for ageing systems become rare and costly
- Integration workarounds - building custom connections to make legacy systems talk to modern tools
- Lost productivity - staff time wasted on manual processes and system limitations
- Compliance retrofit costs - bolting modern controls (MFA, encryption, audit logging) onto systems that weren't designed for them
This accumulated burden is what's known as technical debt. Research shows UK CIOs estimate technical debt amounts to 20-40% of their entire technology estate value. Even more troubling, 30% of CIOs report that more than 20% of their innovation budget gets diverted to resolving technical debt issues - money that could have funded new products or market expansion.
The good news is that UK SMEs and mid-market firms are successfully reversing the trend. AESSEAL, one of the world's biggest mechanical seal manufacturers, invested heavily in upgrading their legacy systems and reported a 77-fold increase in invoicing speed alongside annual sales exceeding £170m.
Smaller UK businesses see similar returns. UK retailer ProCook migrated its e-commerce platform to AWS with UX optimisation and reported a 30% increase in online revenue. Vehicle-telematics specialist ScorpionTrack redesigned on Google Cloud with autoscaling and reported a 78% cost reduction. A Kent-based manufacturer cut operational overhead by more than 30% after replacing a fragmented legacy setup. A UK logistics operator rebuilding a 15-year-old operations system onto Azure saw 40% shorter workflow times and 30% lower maintenance costs. The pattern is consistent: when UK SMEs modernise the right component - not everything at once - running-cost savings typically pay the project back within 18 to 36 months, on top of productivity and compliance upside.
4. Compromised data and poor decision-making
Modern businesses run on data. Accurate, real-time information drives everything from stock management to customer insights to strategic planning. But if you're relying on legacy systems with outdated data storage methods, you're essentially trying to navigate with a broken compass - and in 2026 it's also blocking your ability to deploy the AI tools that your competitors are starting to benefit from.
Legacy systems often create data silos - isolated pockets of information trapped in specific systems that can't communicate with each other. When your sales data sits in one system, your inventory in another and your customer records in a third, getting a complete picture of your business becomes a nightmare of manual exports, spreadsheet reconciliation and educated guesswork. For UK SMEs looking at AI adoption in 2026, this is often the first blocker discovered: the AI is ready, but the data is trapped behind a system that won't export cleanly or expose a usable API.
The Post Office Horizon scandal provides a devastating example of what happens when legacy system data can't be trusted. Between 1999 and 2015, more than 900 subpostmasters were wrongfully convicted of theft, fraud and false accounting based on faulty data from the Horizon accounting system. The software was recording losses that never actually occurred. Some Fujitsu employees had discovered before rollout that the system could produce false data, but this was never made public. The human cost has been catastrophic: six former subpostmasters have died by suicide as a direct consequence, and around 10,000 people are now eligible for compensation. The scandal is still running through the courts and the inquiry in 2026, a live reminder of what happens when legacy system output is treated as ground truth without challenge.
5. Difficulty attracting and retaining talent
Today's workforce - especially Millennials and Gen Z - is tech-savvy and used to modern tools. When talented candidates discover during interviews that your organisation runs on clunky, outdated systems, many walk away to competitors with better technology.
The problems go beyond recruitment. Existing team members become frustrated using inefficient tools that make their jobs harder than necessary, while colleagues at other companies work with sleek modern systems and AI copilots that understand their work.
There's also a knowledge risk with a sharply rising cost. Half of UK banks admit they rely on just one or two staff members, often near retirement age, to understand their legacy systems. The UK contracting market has responded predictably: day rates for COBOL, AS/400 and mainframe engineers have risen every year since 2023, and shortlists keep getting shorter. If your business depends on a system that only one person truly understands, you're on borrowed time - and the bill gets bigger every quarter.
6. Poor customer experience that costs you business
Customer expectations have shifted dramatically. People now expect instant online transactions, personalised recommendations and real-time responses - and AI-driven personalisation keeps raising the baseline. Legacy systems simply can't deliver, and the gap widens every quarter.
Think about your own behaviour as a customer. Research shows users have extremely limited patience for slow-loading websites. If your customer-facing systems don't respond quickly, or your user journey has friction points caused by backend limitations, you're losing business to competitors with updated systems.
Netflix is the classic example of getting this right - they invested in streaming and built the systems to match, while Blockbuster didn't and went bankrupt. For UK private-sector businesses in 2026, the equivalent friction - a customer portal that can't handle a simple amendment, order-tracking that's hours out of date, a help-centre that can't show an account's real state - is commercial self-harm when competitors a click away offer a cleaner journey.
7. Integration nightmares that block innovation
Modern business tools are designed to work together. Your CRM should talk to your email marketing platform, which should sync with your analytics, which should feed into your reporting dashboards. Legacy systems, built in a pre-API world, often struggle to integrate with anything modern - and in 2026 that means being locked out of the AI, automation and analytics stack that cloud-native competitors take for granted.
UK consulting analysis (PAC's research for consultancy.uk) found that 79% of UK professional-services firms view dependence on legacy applications as a primary barrier to modernisation. The 2025 State of Digital Government Review points in the same direction on the public-sector side. The message is consistent: legacy integration limits don't just slow you down - they set a ceiling on what the rest of your business can become.
The Easter 2025 ransomware attack on Marks & Spencer showed how vulnerable interconnected systems can be. Attackers compromised M&S through a third-party supplier, forcing the retailer to revert to pen-and-paper tracking - staff were manually checking refrigerator temperatures because automated monitoring was offline. The incident is expected to cost around £300 million in lost profit. M&S is a FTSE-100 retailer with deep pockets; an SME in the same situation doesn't have that margin for error. Modern integration patterns covered in our system integration guide - webhooks, event buses, middleware-plus-API wrappers - can often make a legacy system usable in a modern stack for a fraction of the cost of full replacement.
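The "middleware-plus-API wrapper" pattern mentioned above deserves a concrete shape. The following is an added example written for this article, not code from Red Eagle Tech's system integration guide or any product: a thin wrapper that reads a legacy system's fixed-width stock export, validates every line, and turns the good ones into JSON events a modern webhook consumer can accept. The fixed-width layout, the sample lines and the event name are constructed; the point is that the legacy system itself is untouched and all validation happens in the wrapper.

```python
"""Added example: an anti-corruption layer that converts a legacy fixed-width
export into validated JSON events, rejecting malformed lines instead of
passing them downstream. Illustrative only; layout and data are constructed.
"""
import json
from typing import List, Tuple

# Constructed fixed-width layout, 35 characters per line:
# sku (cols 0-8), name (8-28), qty (28-34, right-aligned), status (34-35).
FIELDS = [("sku", 0, 8), ("name", 8, 28), ("qty", 28, 34), ("status", 34, 35)]
LINE_WIDTH = 35
VALID_STATUS = {"A": "active", "D": "discontinued"}


def legacy_export_line(sku: str, name: str, qty: str, status: str) -> str:
    """Stand-in for the legacy system's export writer (constructed for the example)."""
    return f"{sku[:8]:<8}{name[:20]:<20}{qty[:6]:>6}{status[:1]:<1}"


# Constructed sample export: two good lines, three that should be rejected.
SAMPLE_EXPORT = "\n".join([
    legacy_export_line("SKU00001", "Widget, blue", "42", "A"),
    legacy_export_line("SKU00002", "Gasket, 50mm", "-7", "A"),   # negative stock
    legacy_export_line("SKU00003", "Bolt M8", "0", "D"),
    "BADLINE",                                                    # truncated record
    legacy_export_line("SKU00005", "Spanner", "12", "Z"),        # unknown status code
])


def parse_line(line: str) -> Tuple[dict, str]:
    """Parse one export line. Returns (record, error); error is '' on success."""
    if len(line) != LINE_WIDTH:
        return {}, f"wrong length {len(line)}"
    raw = {name: line[start:end].strip() for name, start, end in FIELDS}
    if not raw["sku"].startswith("SKU") or not raw["sku"][3:].isdigit():
        return {}, "bad sku"
    try:
        qty = int(raw["qty"])
    except ValueError:
        return {}, "qty not numeric"
    if qty < 0:
        return {}, "negative qty"
    status = VALID_STATUS.get(raw["status"])
    if status is None:
        return {}, f"unknown status {raw['status']!r}"
    return {"sku": raw["sku"], "name": raw["name"], "qty": qty, "status": status}, ""


def export_to_events(export_text: str) -> Tuple[List[dict], List[str]]:
    """Convert a whole export into webhook events plus a list of rejected lines."""
    events, rejects = [], []
    for n, line in enumerate(export_text.splitlines(), start=1):
        rec, err = parse_line(line)
        if err:
            rejects.append(f"line {n}: {err}")
        else:
            events.append({"event": "stock.updated", "data": rec})
    return events, rejects


def to_webhook_body(events: List[dict]) -> str:
    """Serialise events as the JSON body a webhook consumer would receive."""
    return json.dumps({"events": events}, separators=(",", ":"))


if __name__ == "__main__":
    evts, bad = export_to_events(SAMPLE_EXPORT)
    print(to_webhook_body(evts))
    print("rejected:", bad)
```

Rejected lines are reported with their line number rather than silently dropped or, worse, forwarded as-is; that is what keeps a legacy data-quality problem (see the Horizon discussion earlier) from propagating into every modern tool fed from the wrapper.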
Concerned about your legacy systems? Our team can assess your current infrastructure and identify the highest-risk areas. Get in touch for a free consultation.
When to modernise vs maintain: a decision framework
Not every old system needs immediate replacement. Some legacy technology continues to serve its purpose effectively, and there's no virtue in replacing working software for its own sake. The useful question is: when does the balance tip from "working fine" to "actively harmful"? The framework below is the one we use with UK SME clients facing that decision.
Modernise when:
- the vendor has ended support;
- your specialist contractor rate is rising faster than the system's business value;
- the system blocks integration with a tool you genuinely need (AI, modern CRM, accounting, analytics);
- you've failed a compliance audit the system can't be retrofitted to pass (UK GDPR, Cyber Essentials April 2026 MFA, DUAA 2025);
- only one or two people understand the system and one of them is approaching retirement;
- or downtime is affecting customers or revenue.
Maintain when:
- the system still reliably performs its intended function;
- the vendor is still issuing patches;
- it integrates with the tools your wider estate depends on;
- your specialist bench is deep enough for absence cover;
- and total running cost is meaningfully lower than the project cost to replace within a sensible payback period.
If you're on the edge - three modernise signals, two maintain signals - you're in the zone where a proper assessment pays for itself.
Quick warning-sign checklist
- Your software vendor has ended support or announced end-of-life
- Security patches are no longer available
- You're paying premium rates for specialists in obsolete technologies
- New hires consistently complain about your systems
- You can't integrate with essential modern tools or services
- Compliance audits are becoming increasingly difficult
- System downtime is affecting customers or revenue
- Only one or two people understand how your critical systems work
Cost comes into this too, of course. Our UK bespoke software cost guide sets out realistic 2026 cost bands for different modernisation scopes; our technical debt article helps you frame the ongoing cost of doing nothing; and our guide to bespoke software covers what's involved when you're looking at building something custom from scratch.
Not sure whether your system needs modernising? Our engineers can run a structured assessment against this framework and give you a clear recommendation. Book a free 30-minute assessment call to discuss your situation.
Your modernisation options: the 5 Rs
Modernisation doesn't always mean ripping everything out and starting from scratch. Gartner and Forrester both caution that "big bang" replacement is often too costly, risky and time-consuming. The 5 Rs framework gives you five legitimate routes. For the full deep-dive, including a per-route decision matrix (cost, risk, time and AI-applicability per route), 2026 UK cost bands and worked UK SME examples, see our companion guide on legacy software modernisation in the UK:
- Retire - switch off systems that no longer serve a business purpose. Removes maintenance burden and security risk in one stroke; often overlooked, often the right call.
- Retain - keep the system as-is if it's still doing the job, costs little to run and isn't a security or compliance risk. A stable system you know is often worth more than a shiny replacement you don't.
- Rehost (lift and shift) - move to modern cloud infrastructure without fundamental changes. Typically 8-12 weeks for a UK SME.
- Replatform - change the technology stack while keeping business functionality. The middle ground; typically 3-6 months for an SME project.
- Refactor or Replace - update internal architecture (refactor), or rebuild from scratch (replace). Replace is what TSB Bank attempted in 2018 - £318m cost, 2,000 defects at go-live, £48.6m in regulatory fines. For most UK SMEs, refactor plus targeted rebuild of the worst components is lower-risk.
In 2026 a growing number of UK SMEs are adding AI-accelerated modernisation to the mix: using Claude, GitHub Copilot and Cursor to translate code between languages, generate test suites and produce documentation from source. Realistic speedups on well-scoped migration work are 40-60%. AI doesn't replace senior engineers on modernisation projects - it amplifies them and frees them to focus on the parts that still need human judgement.
How to get started
The first step is a thorough assessment of your current technology estate - which systems pose the greatest risk, which offer the best return on modernisation investment. UK funding support can help offset the cost: Made Smarter supports manufacturing SMEs in England with up to 50% grant funding; Innovate UK runs regular digital-adoption calls; the UK Spending Review 2025 allocated funding to public-sector digitisation that opens supplier opportunities.
Key questions your assessment should answer:
- Which systems are business-critical, and what's the blast radius if each fails?
- What security vulnerabilities exist, especially on public-facing components?
- What's the true total cost of maintaining each system - including workarounds, compliance retrofit and opportunity cost?
- Which systems block integration with modern tools (especially AI and automation)?
- Which regulatory obligations (UK GDPR, Cyber Essentials April 2026, DUAA 2025, sector rules) does each system need to satisfy within 18 months?
The costs of inaction are clear - UK businesses lose billions to legacy inefficiency, security breaches and missed opportunities. For a structured whole-of-business approach, see our digital transformation roadmap; for patterns that let you modernise incrementally, see our system integration guide.
Ready to plan a modernisation? Our Bespoke Software Development team helps UK businesses transition from outdated technology to modern, efficient systems - with AI-accelerated methods where they genuinely help. Get in touch for a free, no-obligation consultation.
Sources
Figures and references used in this article, with publication dates where available. All sources accessed April 2026.
- UK Government (DSIT) - State of Digital Government Review, January 2025
- Tech Monitor - UK productivity cost of legacy technology, 2024-2026 reporting
- IBM UK Newsroom - 2025 Cost of a Data Breach, UK figures (financial services £5.74m; AI-enabled organisations £3.11m)
- Computer Weekly, citing Baringa - UK banking sector legacy code (16% on 1960s code; 40% on 1970s)
- Information Commissioner's Office - 2024-2026 enforcement actions: Capita (£14m combined), Advanced Computer Software Group (£3.08m), LastPass UK (£1.23m), Reddit (£14.47m), MediaLab.AI (£247k), Police Scotland (£66k), PSNI (£750k)
- UK Government - Data (Use and Access) Act 2025 (in force 19 June 2025; phased through June 2026)
- European Commission - UK adequacy decisions renewed 19 December 2025 for six years (to 27 December 2031)
- NCSC - Cyber Essentials April 2026 update (MFA mandatory for cloud); NCSC Annual Review 2025
- NHS England - WannaCry 2017; Synnovis ransomware June 2024
- Post Office Horizon IT Inquiry - ongoing 2024-2026 proceedings
- ProCook (Aurelian Strategies), ScorpionTrack (HARE.digital), Kent Business Newsletter - UK SME/mid-market modernisation case studies
- consultancy.uk (PAC research) - UK professional-services legacy-dependence findings (79%)
- Made Smarter UK, Innovate UK, UK Spending Review 2025 - SME and public-sector modernisation funding
About the author
Ihor Havrysh
Software Engineer
Software Engineer at Red Eagle Tech with expertise in cybersecurity, Power BI, and modern software architecture. I specialise in building secure, scalable solutions and helping businesses navigate complex technical challenges with practical, actionable insights.