Quick answer: legacy software modernisation is the process of updating, replacing or migrating outdated systems so they meet current operational, security and regulatory needs. The industry-standard 5 Rs framework gives five routes - Retire, Retain, Rehost, Replatform, Refactor or Replace - each with a different cost, risk and time profile. In the UK in 2026, AI-accelerated tooling (Claude, GitHub Copilot, Cursor) cuts well-scoped migration work by 40-60%, but doesn't help with architecture decisions, regulatory nuance or data-consistency reasoning. The big 2026 deadlines are the Cyber Essentials April 2026 MFA mandate (in force 27 April), the Data (Use and Access) Act 2025 main provisions (in force 5 February 2026; complaints procedure 19 June 2026), and ongoing UK GDPR / NIS2 / DORA exposure. Typical UK SME modernisation projects run £20k-£500k+ depending on route.
In this guide:
- The 5 Rs framework presented as a decision matrix - cost, risk, time and AI-applicability per route.
- What AI-accelerated migration actually delivers in 2026 - and the candid limits where AI doesn't help.
- UK cost bands £20k-£500k+, Cyber Essentials April 2026 MFA, DUAA, and 5 named UK SME case studies.
Written for UK IT directors, technology leads and operations managers weighing up legacy systems in their estate - what each modernisation route actually costs in 2026, where AI tooling helps and where it doesn't, and how to choose between maintaining what works, refactoring what doesn't, or rebuilding from scratch.
Modernising legacy software is rarely a single big-bang project. It's a series of route decisions - one system at a time - against a moving regulatory backdrop and a 2026 AI-tooling landscape that genuinely changes the economics. The Cabinet Office's Legacy IT Risk Assessment Framework defines a legacy system as one that's "end-of-life, out of support, impossible to update, not cost-effective, or above the acceptable risk threshold" - and the State of Digital Government review found that on average 28% of UK central-government technology meets that definition (range 10-60% across departments), and that 15% of organisations couldn't even estimate the size of their own legacy estate.
For UK SMEs the picture is similar but with smaller budgets and tighter timelines. The good news in 2026: AI-accelerated tooling now cuts well-scoped migration work by 40-60%, the National Audit Office is publicly tracking £3 billion of cost overruns from major UK digital programmes (which gives every honest supplier evidence to plan against), and Made Smarter UK can match-fund up to 50% for manufacturing SMEs. The bad news: doing nothing is no longer the cheap option - the average UK financial-services data breach cost reached £5.74m in 2025 (IBM, 30 July 2025), and the Cyber Essentials April 2026 update makes mandatory multi-factor authentication an auto-fail criterion across all cloud services.
In this guide:
- What is legacy software modernisation
- When to modernise vs maintain
- The 5 Rs of legacy modernisation
- Replacement specifically - when "rebuild from scratch" wins
- Migration: the technical approach
- AI-accelerated modernisation in 2026
- UK cost bands
- UK compliance dimension
- UK SME case studies and patterns
- Practitioner perspectives
- When NOT to modernise
- How to get started
- FAQ
- Sources
What is legacy software modernisation
Legacy software modernisation is the process of updating, replacing or migrating outdated business systems so they meet current operational, security and regulatory needs. The work is usually some combination of: moving the system to modern infrastructure, updating the code to a supported language and framework, retrofitting modern authentication and audit controls, integrating with newer systems, or replacing the entire thing with a purpose-built modern equivalent.
It's helpful to start with what counts as legacy. The Cabinet Office defines a legacy system as one that is "end-of-life, out of support, impossible to update, not cost-effective, or above the acceptable risk threshold". That's a broader definition than most people assume. A system can be legacy even if it's still working - what matters is whether the vendor still supports it, whether you can still patch it, whether the running cost is sustainable, and whether the risk of continuing to run it has crossed a line you accept.
Common UK SME legacy systems include: ERP systems from the 1990s and 2000s without mobile or modern reporting; bespoke applications written in classic ASP, VB6, older PHP or older .NET Framework versions; on-premise SQL Server estates running unsupported versions; databases with no API layer that integrate via overnight batch files; finance systems built on Microsoft Access or Excel; and customer-facing portals built on jQuery and outdated JavaScript that can't accept modern authentication. In the UK enterprise space, the picture is even more striking - around 16% of UK banks still run software written in COBOL in the 1960s, and as we noted above, 28% of central-government technology meets DSIT's legacy definition.
Modernisation isn't synonymous with replacement. Most UK SMEs we work with end up using two or three of the 5 R routes (covered below) across different parts of their estate - they retain a working accounts system, replatform a customer portal, refactor a quote-to-cash workflow, and retire a system no-one's used since 2019. The right route is system-by-system, not a single big-bang. If you're starting earlier in the journey - still scoping which legacy systems are actually causing pain - our companion guide on problems with legacy systems walks through the seven recurring failure modes UK SMEs hit, with the regulatory and cost evidence behind each one.
When to modernise vs maintain
The cheapest, lowest-risk modernisation route is often not modernising. Replacing working software for its own sake adds risk for no business reward. So the first decision is always: does this particular system need to change at all? (For the broader strategic frame around how individual modernisation calls fit into a wider transformation programme, our UK SME digital transformation roadmap sets the surrounding context.)
Maintain (the Retain route) the system if all of these are true: it still does its intended job; the vendor still issues updates and you apply them; it integrates well enough with your wider estate; the running cost isn't outpacing the cost of an alternative; and you have more than one or two people who understand it.
Modernise when any of these is true:
- Vendor support has ended or is about to. No more security patches means a known clock on your risk exposure.
- Specialist staff cost is rising faster than the system's business value. When the contractor day rate to maintain a niche stack starts to dwarf the value the system delivers, the maths flips.
- The system blocks integration with modern tools you need. If your modern CRM can't talk to your legacy finance system except via overnight batch, you're paying for that lag in customer-experience friction.
- You've failed - or are about to fail - a compliance audit the system can't be retrofitted to pass. The Cyber Essentials April 2026 MFA mandate (covered later) is creating exactly this scenario for many UK SMEs.
- Only one or two people understand the system, and they're approaching retirement or hard to replace. This is the bus-factor risk and it's catastrophic when it manifests.
- The running cost has crept above three to four times the modern equivalent (the DSIT-published multiplier for UK government legacy estates).
A useful test: if you're spending more than 30% of your IT operating budget on a single legacy system that isn't strategically differentiating, you've probably crossed the modernisation threshold whether or not the symptoms have surfaced yet. The cost-of-inaction frame is worth understanding in full - our piece on the true cost of technical debt walks through how legacy maintenance compounds, with UK case evidence including a Midlands manufacturer whose deferred £50k modernisation ultimately cost £3.3m.
A separate question is whether you should keep paying for legacy support rather than modernise. Support and modernisation answer different needs: support keeps the legacy system running while you decide; modernisation changes what you're running. We treat support as a bridging arrangement during a planned modernisation, not as a long-term substitute for one.
Not sure whether your system needs modernising or just maintaining? We'll talk through your situation in a free 30-minute scoping call and tell you honestly which of the 5 Rs fits - get in touch for a no-obligation conversation.
The 5 Rs of legacy modernisation
The 5 Rs framework gives you five legitimate modernisation routes. Most existing guides treat the 5 Rs as definitions; we present them as a decision matrix, with cost, risk, time and AI-applicability per route, plus a worked UK SME example.
| Route | Typical UK cost band | Typical time | Risk | AI helps? |
|---|---|---|---|---|
| Retire | Near-zero (audit cost only) | 2-4 weeks discovery | Low (if audit is honest) | Limited |
| Retain | Ongoing support cost only | 0 (it's a non-action) | Lowest | N/A |
| Rehost | £20k-£60k | 8-12 weeks | Low-medium | Moderate (lift-and-shift scripts, runtime tweaks) |
| Replatform | £40k-£150k | 3-6 months | Medium | High (language translation, test generation) |
| Refactor / Replace | £75k-£500k+ | 6-18 months | High | High (code generation, scaffolding, tests) |
UK cost bands derived from ITJobsWatch April 2026 senior contractor day rate (£512 median UK) and typical engagement scope. Made Smarter UK match funding may reduce net cost for eligible manufacturing SMEs.
Retire
Switch off systems that no longer earn their keep. Retire is often the cheapest, fastest win in a modernisation programme - as long as a quiet audit confirms nothing critical depends on the system. The most expensive way to fail a Retire is to switch off a system that turns out to be the silent supplier of a load-bearing data feed downstream. A 2-4 week discovery sprint usually surfaces this before the off switch goes anywhere near being pressed.
Retain
Leave the system alone. The lowest-risk route is often the most underused, because it doesn't generate consultancy revenue. If the system still does its job, receives security updates and integrates with your wider estate, replacing it adds risk for no reward. Retain is genuinely the right answer for a substantial proportion of "legacy" systems - but only after an honest assessment, not by default through inertia.
Rehost
Lift-and-shift to modern infrastructure - typically Azure or AWS - without changing the application itself. Rehost buys time and cuts hosting costs while you plan deeper change. It's particularly useful when the application is sound but the underlying servers are out of warranty, or when on-premise hosting has become more expensive than equivalent cloud capacity. Typical UK SME rehost: 8-12 weeks, £20k-£60k.
Replatform
Change the technology stack while preserving functionality and behaviour. Replatform is what we recommend most often for UK SMEs - because it preserves the business logic that already works (and the institutional knowledge baked into it) while moving off a dead language or unsupported runtime. A worked example: a UK FinTech we worked with chose Replatform (lift-and-shift to Azure App Service + Azure SQL with stored-procedure preservation) over a full Refactor, completed in 14 weeks for ~£85k versus an estimated £450k + 18 months for a full rebuild.
Refactor or Replace
Rebuild internally (Refactor) or from scratch (Replace). Reserved for systems where Retain or Replatform can't fix the underlying architectural problems, where the codebase is too tangled to safely modify, or where the modern feature set you need (mobile, real-time, modern auth) can't be retrofitted. This is the highest-cost, highest-risk route - £75k to £500k+ - and almost always the wrong answer if the business problem is "we need this system to work better next quarter" rather than "we need this system to look fundamentally different in two years".
Replacement specifically - when "rebuild from scratch" wins
For many UK buyers, "modernisation" is shorthand for "replace this thing entirely". Sometimes that's right - and there are specific signals that point at Replace as the genuinely correct answer rather than the dramatic-sounding default. (If you're weighing up build-from-scratch vs buy off-the-shelf as part of the Replace decision, our guide to what bespoke software is and when you need it is the right starting point.)
Replace is the right call when:
- The underlying architecture can't support the features you need. A mainframe batch system that's being asked to deliver real-time mobile interactions is fighting its own DNA.
- The codebase is impossible to refactor safely. When test coverage is near-zero and the institutional knowledge of how it works lives in two retiring engineers' heads, the risk of changing what's there outweighs the risk of building something new.
- You have fundamental compliance gaps that can't be retrofitted. A system that pre-dates UK GDPR and can't support data minimisation, subject access requests or audit logging often can't be retrofitted to meet 2026 obligations - rebuild is sometimes cheaper than the patches to make a non-compliant system compliant.
- The replacement market is mature. If a credible off-the-shelf SaaS exists that fits 80%+ of your need, "replace with SaaS" can deliver in months what a custom rebuild would deliver in years.
Replace is the wrong call when the business logic in the legacy system is your competitive advantage and there's no off-the-shelf equivalent. In that case Replatform protects what's distinctive while modernising the foundation.
For UK SMEs, a Replace is typically £75k to £500k+ and 6-18 months, with the high end reserved for compliance-heavy or business-critical systems. It's the route most prone to scope creep and timeline slip, which is why we ship Replaces fixed-price - the discipline of a fixed price forces an honest scoping conversation upfront.
Migration: the technical approach
Whichever modernisation route you take, migration is usually the trickiest stretch. Here's the standard sequence we follow on UK SME engagements.
Discovery and dependency mapping (2-4 weeks). Before changing anything, document what the system actually does versus what people think it does. Map the data flows in and out. Identify upstream / downstream dependencies. The cost of skipping discovery is the TSB migration cautionary tale - £318m and 2,000 defects at go-live - which became the standard reference point for the discovery-first principle.
Data and schema migration planning. Most legacy systems carry years of accumulated data that needs to move. The plan needs to cover schema mapping, data cleansing, historical-data retention rules under UK GDPR, and the cutover sequencing. AI-accelerated tooling now helps here - schema-mapping suggestions, data-quality classification, validation script generation - though architecture decisions stay with senior engineers.
Test generation against the existing system. Before touching the code, generate regression tests that capture what the existing system does today. AI-assisted test generation (Cursor, Claude, GitHub Copilot) is one of the highest-leverage uses of AI in modernisation - it makes the legacy system safer to change.
API wrappers around legacy modules. When you can't touch the legacy core but you need newer services to integrate with it, wrap it in a modern API. AI tooling is good at writing these wrappers fast. Integration is half the modernisation problem in most UK SME estates - our UK system integration guide covers the patterns (API-first, ETL, iPaaS, ESB) and when each one fits.
Phased cutover with rollback plan. Big-bang cutovers are how migrations become disasters. The mature approach is incremental - run new and old in parallel, route a small fraction of traffic to the new system, monitor, expand, with a tested rollback path at every step.
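The regression-capture, parallel-run and phased-cutover steps above, as an added Python example that is not part of the original guide or of any vendor tooling. The VAT quote functions, the rollout schedule, the 1% mismatch tolerance and the sample traffic are all constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable

ROLLOUT_STEPS = [1, 5, 25, 50, 100]  # % of customers served by the new system (assumed schedule)
MAX_MISMATCH_RATE = 0.01             # assumed tolerance before rollback
MIN_SAMPLES = 50                     # assumed minimum comparisons before expanding

Order = list[tuple[int, int]]        # (quantity, unit price in pence)


def legacy_quote(order: Order) -> int:
    """Stand-in for the legacy system: 20% VAT rounded half-up on every line."""
    return sum(q * p + (q * p * 20 + 50) // 100 for q, p in order)


def candidate_drifted(order: Order) -> int:
    """Rewrite with a silent behaviour change: VAT rounded once on the order total."""
    net = sum(q * p for q, p in order)
    return net + round(net * 0.2)


def candidate_faithful(order: Order) -> int:
    """Rewrite that preserves the legacy per-line rounding."""
    total = 0
    for q, p in order:
        net = q * p
        total += net + (net * 20 + 50) // 100
    return total


def bucket(customer_id: str) -> int:
    """Stable 0-99 bucket, so a customer stays on the same side between requests."""
    return int.from_bytes(hashlib.sha256(customer_id.encode()).digest()[:4], "big") % 100


@dataclass
class CutoverGate:
    legacy: Callable[[Order], int]
    candidate: Callable[[Order], int]
    step: int = 0
    rolled_back: bool = False
    compared: int = 0
    mismatched: int = 0
    evidence: list = field(default_factory=list)

    def handle(self, customer_id: str, order: Order) -> tuple[int, str]:
        expected = self.legacy(order)      # legacy stays the system of record
        if self.rolled_back:
            return expected, "legacy"
        try:
            actual = self.candidate(order)
        except Exception as exc:           # a crash in the rewrite counts as a mismatch
            actual = repr(exc)
        self.compared += 1
        if actual != expected:             # never serve an answer the legacy system disagrees with
            self.mismatched += 1
            self.evidence.append((customer_id, order, expected, actual))
            return expected, "legacy"
        if bucket(customer_id) < ROLLOUT_STEPS[self.step]:
            return actual, "new"
        return expected, "legacy"

    def review(self) -> str:
        """End of an observation window: roll back, hold, expand or finish."""
        rate = self.mismatched / self.compared if self.compared else 0.0
        enough = self.compared >= MIN_SAMPLES
        self.compared = self.mismatched = 0
        if rate > MAX_MISMATCH_RATE:
            self.rolled_back, self.step = True, 0
            return "rollback"
        if not enough:
            return "hold"
        if self.step == len(ROLLOUT_STEPS) - 1:
            return "complete"
        self.step += 1
        return "expand"


def constructed_orders(n: int = 300):
    """Constructed sample traffic: (customer id, order lines)."""
    return [(f"CUST-{i:04d}", [(1 + i % 3, 99 + (i * 7) % 50), (1, 103)]) for i in range(n)]


def run_cutover(candidate: Callable[[Order], int], traffic, window: int = 50) -> dict:
    gate = CutoverGate(legacy_quote, candidate)
    decisions, served_new, wrong = [], 0, 0
    for i, (customer_id, order) in enumerate(traffic, start=1):
        result, served_by = gate.handle(customer_id, order)
        served_new += served_by == "new"
        wrong += result != legacy_quote(order)
        if i % window == 0:
            decisions.append(gate.review())
            if decisions[-1] == "rollback":
                break
    return {"decisions": decisions,
            "percent": 0 if gate.rolled_back else ROLLOUT_STEPS[gate.step],
            "served_new": served_new, "wrong_answers": wrong,
            "evidence": gate.evidence[:3]}


if __name__ == "__main__":
    for name, fn in [("drifted", candidate_drifted), ("faithful", candidate_faithful)]:
        print(name, run_cutover(fn, constructed_orders()))
```

The drifted rewrite is rolled back at the first review with the differing totals kept as evidence, while the faithful rewrite expands window by window to 100%.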
AI-accelerated modernisation in 2026
AI coding assistants have changed the economics of legacy modernisation since 2024. By April 2026, the realistic speedups on well-scoped work - language translation, test generation, API wrappers, documentation extraction - are running at 40-60% compared to pre-AI baselines. Two named benchmarks anchor the band: the foundational ArXiv 2023 controlled study (paper 2302.06590) showed GitHub Copilot users completed a JavaScript HTTP server task 55% faster than the control group (1h11m vs 2h41m); and Salesforce's Engineering team published an 85% reduction in legacy code coverage time using Cursor. Below the headlines: not every part of a modernisation gets faster, and AI introduces new failure modes that need senior-engineer judgement to catch. This section walks through the tool landscape as it actually stands in April 2026, then the benchmarks, then the candid limits.
The AI tool capability matrix (April 2026)
Ten tools matter for UK SME legacy modernisation in April 2026. The capability matrix below is the pragmatic snapshot - what each one is genuinely good at, what to watch out for, and the typical UK-SME use case. Pricing and model versions move quarterly; check vendor pages for the live numbers.
| Tool | Latest version / pricing (April 2026) | Strength for legacy modernisation | Best-use UK SME scenario |
|---|---|---|---|
| Anthropic Claude (Opus 4.7, Sonnet 4.x) | Opus 4.7 released 16 April 2026; up to 1M token context on Opus 4.6 | Multi-file code understanding; large-context codebase reasoning; language translation; test generation | Codebase-wide reasoning where the legacy app is too big for file-local tools; semantic-equivalence test scaffolding |
| GitHub Copilot (Workspace, Edits, agentic features) | Copilot Pro ~£7/user/month; Pro+ ~£29/user/month | Code completion; PR throughput; integration with GitHub workflows | Day-to-day developer productivity; iterative refactoring inside a known codebase |
| Cursor (AI-native IDE) | Pro ~£15/month; Business ~£29/seat/month with credit pools | Monorepo scale; cross-module understanding; documented in Salesforce 85% legacy code coverage time reduction | Large monorepo migrations; dependency mapping; cross-module refactor orchestration |
| Tabnine | Pro ~£11/user/month; on-prem and air-gapped Enterprise tiers | Local/enterprise data privacy; SOC 2/HIPAA/GDPR certifications; on-prem deployment | Regulated UK sectors (financial services, healthcare) needing data sovereignty without cloud-AI exposure |
| Codeium / Windsurf (Cognition AI, Dec 2025) | Free tier; Pro ~£11/month; Cascade agent for multi-file automation | Multi-file editing + autonomous task execution; codebase understanding | Automating repetitive refactors across a large codebase |
| OpenAI Codex / GPT-5 (coding contexts) | GPT-5 family; per-token pricing; batch API discounts | API wrapper generation; small-medium refactors; agentic-workflow integration | Custom automation pipelines; rapid prototyping of wrappers and adapters |
| Sourcegraph Cody | Enterprise contracts ~£37k-£185k/year; per-user ~£37-£74/month | Cross-repository context; large monorepo handling. FactSet monolith migration; CERN 15M-line Java codebase | Multi-repo modernisation; architectural queries across very large codebases |
| IBM watsonx Code Assistant for Z | Essentials ~£7/user + ~£11.7k/resource unit | Purpose-built COBOL → Java translation with automated unit-test generation for semantic equivalence verification. IBM calls it "the Rosetta Stone for mainframes" | UK financial services / public sector / large enterprises with mainframe COBOL estates |
| Google Gemini Code Assist | Gemini 3.1 Pro and 3.0 Flash GA in VS Code/IntelliJ (March 2026) | Refactoring + API mapping; large-context reasoning for data flows | Architectural analysis; high-level transformation in legacy stacks |
| AWS Q Developer (Claude Sonnet 4.5/4.6/4.7 inside) | Free tier; Pro tier per-user monthly + token allowances | Large-scale legacy migrations to modern languages; agentic automation. Altisource case study: 350,000 lines of legacy Java modernised; 4 new applications delivered in 4 months | Migrations targeting AWS-hosted modern stacks; rapid translation + unit test generation at scale |
Tool versions and pricing as of April 2026; vendor list prices in the table are converted from USD at 1 USD = £0.74. Verify current GBP pricing on vendor pages before purchase. The matrix focuses on legacy-modernisation use cases - day-to-day productivity gains apply more broadly.
Where AI genuinely helps in 2026
AI tooling earns its place on five recurring task patterns in legacy modernisation work:
- Language translation - COBOL to Java (IBM watsonx Code Assistant for Z is the canonical example - "the Rosetta Stone for mainframes"); classic ASP to modern .NET; older PHP to typed PHP 8+ or Python. AI tools produce surprisingly readable translations of pattern-heavy code at scale, with semantic-equivalence tests catching regressions.
- Test generation against the existing system. Producing regression tests that capture current behaviour - before you change anything - is the highest-leverage use of AI in migration work. Salesforce's published 85% reduction in legacy code coverage time using Cursor is the headline benchmark in this category.
- API wrappers around legacy modules. Quick-to-write boilerplate that exposes a legacy core to newer services. AI is good at this and it's verifiable - run the wrapper against the legacy API; check responses match.
- Documentation extraction. Reading an undocumented codebase and producing a structured summary - data flows, key functions, external interfaces - so a human team can plan modifications. Particularly useful when the original developers have moved on.
- Schema mapping suggestions. AI proposes initial mappings between old and new data models; humans review and adjust. This works well as a productivity multiplier on otherwise-tedious work.
Two worked examples show that the realistic-claims band is real, not aspirational: AWS published the Altisource case study in 2025 - their team modernised 350,000 lines of legacy Java using Amazon Q Developer with Claude Sonnet 4.5, delivering four new applications in four months; Microsoft's .NET team blog documents AI-assisted migration of project files in their internal tooling, with explicit notes that AI accelerated the work and that human review was essential at every step.
Where AI doesn't help (and quietly hurts if you trust it)
This is the section most other 2026 articles skip - and the one a UK SME buyer most needs to read. AI is materially weaker, and sometimes confidently wrong, in five areas. Each one is backed by a named source acknowledging the limitation.
- System-level architecture decisions. AI will happily suggest a microservices architecture for a workload that should be a monolith, and vice versa. The architecture call needs to be made on context AI doesn't see. Thoughtworks's "Legacy Modernization in the Age of AI" is explicit on this: "guardrails essential, automated tests + accessibility checks needed; unguarded AI outputs depart from best practices."
- Reasoning about data consistency under concurrent writes. Race conditions, transactional boundaries, eventual-consistency trade-offs - this is where AI hallucinations cost you in production. IBM's watsonx Code Assistant for Z documentation is honest about this - the tool generates automated unit tests specifically because IBM doesn't trust AI translation alone for semantic equivalence on transactional COBOL code.
- Regulatory nuance. On a recent UK regulated-firm engagement, the AI-suggested data-migration plan would have broken FCA-required audit trails by collapsing transactional boundaries that are individually unremarkable but collectively load-bearing for the audit log. Senior-engineer review caught it before cutover; AI alone wouldn't have. There's an evidence gap here in the industry literature - vendor-published failure cases for AI-assisted regulated-sector work are rare. The lesson is the same regardless: AI is a productivity multiplier on tasks where the answer can be checked; on regulatory questions where errors are silent, the senior-engineer review remains the safety mechanism.
- Judging what to keep vs rebuild. The decision of which parts of a legacy system are still earning their keep - and which are dead weight - is a business call AI doesn't have the context for. Microsoft's own .NET migration blog notes plainly that "AI still makes mistakes and manual reviews are necessary after automation" - even on Microsoft's own tooling.
- Modelling cutover risk. Rollback planning, parallel-run sequencing, when to declare success - these stay with senior engineers. AI proposes; humans dispose. The strangler pattern (incremental migration) remains the discipline; AI doesn't change that.
The 2026 reality on team shape
AI amplifies senior engineers' throughput but doesn't replace them. A modernisation team in 2026 looks like one or two senior engineers + AI tooling delivering what would historically have needed a team of four or five. On a recent UK manufacturer's 400,000-line system, we cut migration time from a historic ~18 months to 9 months using Claude + GitHub Copilot + senior review - a roughly 50% speedup that matches the realistic-claims band, not the AI-hype band.
The honest version of the AI productivity story for UK SME modernisation: the speedup is real (the GitHub Copilot ArXiv study, the Salesforce + Cursor 85% case, the Altisource + AWS Q Developer 4-month / 350K-line case all bear this out); the team-shrink is real (one or two seniors + AI does what four or five seniors did pre-AI); the discipline still matters (Thoughtworks, Microsoft, IBM all explicitly say so); and the failure modes are silent (regulatory nuance, data consistency, architecture decisions) - which is exactly why senior-engineer review remains the load-bearing safety mechanism. UK SME buyers should be sceptical of vendors selling AI-only modernisation at junior rates; the productive version is AI + experienced engineers, charging mid-market rates and delivering on time. That's the shape of our own bespoke software development practice - senior-led, fixed-price, AI-accelerated where it earns its place.
UK cost bands
UK SME legacy modernisation costs in 2026 range from £20k to £500k+. The wide range reflects the very different scope of the five routes. The table below summarises typical UK SME cost bands; sector adjustments and worked examples follow.
| Project type | Typical cost band | Time | Worked example |
|---|---|---|---|
| Discovery + plan only | £5k-£15k | 2-4 weeks | Audit a single system; propose route and high-level cost |
| Cloud rehost (single application) | £20k-£60k | 8-12 weeks | UK SME with on-prem .NET app; lift-and-shift to Azure App Service + Azure SQL |
| Replatform (business-critical system) | £40k-£150k | 3-6 months | UK FinTech moved off classic ASP onto modern .NET while preserving stored-procedure logic - 14 weeks, £85K |
| Refactor (in-place restructure) | £60k-£250k | 4-9 months | UK professional-services firm refactored quote-to-cash workflow without changing tech stack |
| Full Replace (rebuild from scratch) | £75k-£500k+ | 6-18 months | UK manufacturer rebuilt 400,000-line legacy system in 9 months with AI-accelerated approach |
Cost bands reflect UK senior contractor day rate of £512 median (ITJobsWatch April 2026, 6 months to 23 April 2026), agency overhead, and typical engagement scope for SME-scale projects. Made Smarter UK match funding can reduce net cost by up to 50% (cap £10K-£20K depending on region) for eligible manufacturing SMEs.
Three things explain why the bands are wide: (1) discovery quality varies - a poorly-scoped Replace can cost 3× a well-scoped one; (2) compliance overlay adds cost - a system handling personal data in a regulated sector needs more engineering rigour around audit trails, encryption, and subject access; (3) the AI-tooling premium - teams that genuinely use AI well deliver faster; teams that paste AI output without senior review deliver slower (and often introduce defects). For the underlying day-rate floor and pricing-model breakdown that drives these bands, see our companion guide on UK bespoke software costs.
For comparison, the alternative cost - not modernising - is also rising. The IBM 2025 Cost of a Data Breach UK report puts the average breach cost at £3.29m, with financial services at £5.74m, and the 2025 NAO report identified £3 billion of cost overruns across major UK digital programmes that ran legacy systems longer than planned. The cost-of-inaction is real and increasingly quantified.
Want a fixed-price quote for your modernisation project? We provide fixed-price quotes for UK SME legacy modernisation - no scope creep, no budget surprises, no contracts that lock you in. Get in touch and we'll produce a written quote against your specific situation.
UK compliance dimension (2026 overlay)
The UK 2026 regulatory backdrop is the single biggest reason most UK SMEs are choosing to modernise this year. Five regulations matter most for legacy systems.
Cyber Essentials April 2026 (v3.3)
From 27 April 2026, Cyber Essentials and Cyber Essentials Plus move to v3.3 with a new question set called "Danzell". The headline change: multi-factor authentication is mandatory for all cloud services where it's available - failing to enable available MFA is an automatic assessment failure. Cloud services are now formally defined and explicitly include Microsoft 365, Google Workspace, AWS and similar. Two new auto-fail questions cover patching - critical security updates must be installed within 14 days. Existing assessment accounts created before 27 April 2026 have a 6-month grace period. (IASME; NCC Group.)
Practical implication for legacy systems: legacy auth set-ups (on-premise Active Directory without modern federation; sign-on configurations that exclude the cloud estate) need remediation. The fix is usually layering a modern identity provider (Microsoft Entra ID, Google Workspace, Okta) in front of the legacy system rather than retrofitting MFA into the legacy auth layer.
Data (Use and Access) Act 2025 (DUAA)
The DUAA received Royal Assent on 19 June 2025 and is being phased in. The main data protection provisions in Part 5 came into force on 5 February 2026. The complaints procedure obligation under section 103 commences 19 June 2026 - organisations must have a compliant data protection complaints process by then. (ICO commencement statement, 5 February 2026.)
Practical implication for legacy systems: legacy systems need to support a customer-complaint workflow with traceable handling steps; legacy systems that can't surface customer-data history (subject access in compliant form) need bridging or modernisation.
UK GDPR + ICO enforcement
The European Commission renewed UK adequacy in December 2025 for six years to 27 December 2031. The ICO's 2024-2026 enforcement record shows that legacy-attributable failings (missing MFA, unpatched vulnerabilities, weak privileged access management) are the most common cause of UK GDPR fines tied to identifiable systems - a pattern that the Cyber Essentials April 2026 update is partly designed to address.
FCA Operational Resilience (PS21/3) - for UK financial services firms
FCA Policy Statement PS21/3 reached full compliance on 31 March 2025. UK financial services firms must identify Important Business Services (IBS), set impact tolerances, map dependencies, and conduct severe-but-plausible scenario testing - and demonstrate they can stay within those tolerances during disruption. Legacy systems that can't produce live resilience mapping, traceable records of automated decisions, audit-ready logs and structured data make this very hard. The FCA's December 2025 Supervisory Roadmap signalled that AI governance moves from principles to audits in 2026 and DUAA is becoming an embedded supervisory lens. (FCA Handbook coverage; C&G summary.) The corresponding PRA Policy Statement PS6/21 covers prudentially-regulated firms.
NHS DSPT v8 + DTAC v2 - for healthcare and NHS-adjacent SMEs
Two converging deadlines for any UK SME serving the NHS or holding NHS patient data:
- NHS Data Security and Protection Toolkit v8 - annual submission deadline 30 June 2026 covering financial year ending 31 March 2026. DSPT continues aligning with the NCSC Cyber Assessment Framework (CAF). DSPT v8 emphasises evidence quality and operational assurance over self-assessment paperwork. Four organisation categories: NHS Trusts; large IT suppliers (>£10m turnover); other IT suppliers (incl. typical SaaS scaleups); GP practices and small healthcare providers. (DSPT v8 guide; DSPT submission deadline confirmation.)
- DTAC (Digital Technology Assessment Criteria) v2 - comes into force 6 April 2026. NHS England's revised assessment framework for digital health technologies - 25% reduction in questions, de-duplicated with DSPT processes, NICE-aligned scope (software-based digital health technologies). Cyber Essentials certification remains a mandatory technical-section requirement. Existing DTAC v1 holders need to update to v2 ahead of the deadline. (DTAC v2 details.)
PCI DSS v4.0.1 - for any UK SME accepting card payments
PCI DSS v4.0.1 became fully in force on 31 March 2025, replacing v3.2.1. Major changes that affect legacy systems: MFA mandatory for everyone accessing cardholder-data systems (not just admins); stricter password practices; Targeted Risk Analysis (TRA) discipline for periodic controls; better cloud and modern e-commerce stack guidance; full disk encryption is no longer accepted as a method for protecting cardholder data (PCI v4.0.1 Req 3.5.1.2); e-commerce sites face change/tamper detection requirements on payment pages (Req 11.6.1). Annual penetration testing is required, with segmentation testing every six months for service providers. (PCI DSS v4.0.1 guide; UK 2026 PCI overview.)
NIS2 (UK exposure via EU contracts) and DORA (UK financial services)
UK firms aren't directly in scope for NIS2, but UK firms supplying EU clients can be drawn in via contractual obligation. DORA (the Digital Operational Resilience Act) has been in force in the EU since January 2025 and similarly applies to UK financial-services firms with EU counterparties - DORA explicitly includes cloud platforms in scope. Both regimes raise the bar on operational resilience, third-party risk and incident reporting - all areas where legacy systems struggle to demonstrate compliance. (European Financial Review on DORA.)
Online Safety Act 2023
The Online Safety Act continues to roll out through 2026, with implications for any legacy system serving user-generated-content workflows. Firms running legacy moderation queues or content-platform back-ends need to assess whether they can meet the Act's transparency, complaint and risk-assessment obligations.
UK SME case studies and patterns
Modernisation patterns we've shipped in the past 24 months, anonymised where the work is under NDA, with route, time and cost where they can be disclosed, followed by named UK SME cases from industry-published material.
Pattern: UK manufacturer, 400,000-line legacy system → AI-accelerated Refactor
UK manufacturer running a 20-year-old proprietary production-management system. Route: Refactor with AI acceleration. Time: 9 months (versus a historic ~18 months for the same scope pre-AI). Tooling: Claude + GitHub Copilot for code translation and test generation; senior-engineer review on every architecture call and data-consistency boundary. The 50% speedup matches the realistic claims band, not the AI-hype band.
Pattern: UK SME on classic ASP → Replatform onto modern .NET + Entra ID for Cyber Essentials April 2026 compliance
UK professional-services firm with a customer portal on classic ASP - functional but unable to meet the Cyber Essentials April 2026 MFA mandate. Route: layer Microsoft Entra ID in front of the legacy app for MFA, then replatform the back-end onto modern .NET in a phased rollout. Time: 14 weeks for the identity layer + 4 months for the back-end Replatform. Cost: ~£95k total. The two-stage approach hit the April 2026 compliance deadline without forcing a rushed full rebuild.
Pattern: UK FinTech, full-rebuild proposal → Replatform delivered the same outcome at 30% of the cost
UK FinTech had received a £450k proposal for a full rebuild over 18 months. Route: Replatform - lift-and-shift to Azure App Service + Azure SQL with stored-procedure preservation. Time: 14 weeks. Cost: ~£85k. The Replatform delivered 80%+ of the rebuild's user-facing benefit at less than 20% of the cost, with 100× less business-disruption risk.
Anti-pattern: where AI suggested an unsafe migration path
UK regulated firm - the AI-suggested data migration plan would have broken FCA-relevant audit trails by collapsing transactional boundaries that are individually unremarkable but collectively load-bearing for the audit log. Senior-engineer review caught it pre-cutover. The lesson: AI is a productivity multiplier on tasks where the answer can be checked; on regulatory and consistency questions where errors are silent, the senior-engineer review remains the safety mechanism.
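One way to check for this kind of collapse before cutover, as an added example rather than code from the engagement described above: reconcile the migrated audit log against the source per transaction, not only per account total. The `audit_log` table, its columns, the sample rows and both migration functions are assumptions constructed for illustration.

```python
import hashlib
import sqlite3

# Hypothetical audit-log schema, assumed for this example.
SCHEMA = (
    "CREATE TABLE audit_log (txn_id TEXT PRIMARY KEY, account TEXT, "
    "amount_pence INTEGER, actor TEXT, ts TEXT)"
)
COLUMNS = "txn_id, account, amount_pence, actor, ts"

# Constructed sample data (not from any real system).
SOURCE_ROWS = [
    ("T1001", "ACC-1", 5000, "alice", "2026-01-05T09:00:00Z"),
    ("T1002", "ACC-1", -5000, "bob", "2026-01-05T09:05:00Z"),  # reversal by a second actor
    ("T1003", "ACC-1", 12000, "alice", "2026-01-05T10:00:00Z"),
    ("T1004", "ACC-2", 700, "carol", "2026-01-05T11:00:00Z"),
]


def new_db(rows=()):
    """Create an in-memory database holding the given audit rows."""
    db = sqlite3.connect(":memory:")
    db.execute(SCHEMA)
    db.executemany("INSERT INTO audit_log VALUES (?,?,?,?,?)", rows)
    return db


def migrate_faithful(src):
    """Copy every audit row unchanged: one source transaction, one target row."""
    return new_db(src.execute(f"SELECT {COLUMNS} FROM audit_log").fetchall())


def migrate_collapsed(src):
    """Unsafe plan: net each account's transactions per day into a single row."""
    rows = src.execute(
        "SELECT MIN(txn_id), account, SUM(amount_pence), MIN(actor), MIN(ts) "
        "FROM audit_log GROUP BY account, substr(ts, 1, 10)"
    ).fetchall()
    return new_db(rows)


def row_digest(row):
    """SHA-256 over a canonical encoding of all audit fields of one row."""
    canonical = "\x1f".join(str(v) for v in row).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def digests(db):
    """Map txn_id -> digest of the full row."""
    return {r[0]: row_digest(r) for r in db.execute(f"SELECT {COLUMNS} FROM audit_log")}


def account_totals(db):
    """Per-account sums: the aggregate check that a collapsed log still passes."""
    return dict(db.execute("SELECT account, SUM(amount_pence) FROM audit_log GROUP BY account"))


def reconcile(src, dst):
    """Compare source and target audit logs per account and per transaction."""
    s, d = digests(src), digests(dst)
    return {
        "totals_match": account_totals(src) == account_totals(dst),
        "missing": sorted(set(s) - set(d)),   # transactions with no target row
        "altered": sorted(t for t in s.keys() & d.keys() if s[t] != d[t]),
        "extra": sorted(set(d) - set(s)),     # target rows with no source transaction
    }


def safe_to_cut_over(report):
    """Require matching totals AND an identical row for every transaction."""
    return report["totals_match"] and not (
        report["missing"] or report["altered"] or report["extra"]
    )


if __name__ == "__main__":
    src = new_db(SOURCE_ROWS)
    for name, migrate in (("faithful", migrate_faithful), ("collapsed", migrate_collapsed)):
        report = reconcile(src, migrate(src))
        print(name, report, "cutover ok:", safe_to_cut_over(report))
```

The collapsed migration passes the per-account totals check and fails only the per-transaction comparison, which is why an aggregate-only reconciliation does not surface this class of error.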
Named UK SME modernisation cases (industry-published)
Five named UK SME modernisation cases worth knowing - sector-distributed across retail, fleet tracking, FinTech-adjacent, retail e-commerce, and NHS-adjacent healthcare:
ProCook - UK kitchenware retailer (retail)
ProCook (~250 employees) modernised its e-commerce platform to handle real-time stock and customer-personalisation requirements - a classic Replatform pattern moving off legacy commerce infrastructure. Already documented in our prior research and a useful UK retail reference.
ScorpionTrack - UK vehicle tracking (telematics SME)
ScorpionTrack consolidated multiple legacy fleet-tracking systems into a unified modern platform - a Replace pattern across a fragmented estate, removing duplicated data and integrating real-time telematics. UK telematics SME with a real consolidation outcome.
RIFT - UK FinTech-adjacent claims platform (FinTech)
RIFT runs a tax-refund / claims platform on a Ruby on Rails codebase that had become fragile over time, with duplicated customer data harming throughput and reliability. The modernisation route was stabilisation + selective refactor rather than a risky full rewrite. Outcomes (per the vendor case material): claim submissions +192%; unique sign-ins +84%; data accuracy improved to >99%. (Vendor: BitBrawn; case material.)
Laced - UK sneaker e-commerce marketplace (retail / e-commerce)
Laced is a UK sneaker trading platform that needed European expansion and faced two earlier-proposed costly rewrites that would have destabilised the live business. The route taken: Replatform on the live platform - multi-currency pricing, cross-border shipping, full internationalisation delivered on deadline without the rewrite. The general lesson here is the most useful: when the business is running on the legacy platform, a Replatform that protects the live platform while you change it is almost always the right call versus a Replace that risks the customer experience. (Vendor: BitBrawn; case material.)
Visual Systems Healthcare (VSH) - NHS-adjacent supplier (healthcare)
VSH has supplied bespoke visual communication solutions to NHS Trusts and private hospitals since 1991. Their legacy estate had disconnected stock control, manual production planning, and uncoordinated CRM/accounting - a typical UK SME pattern of systems accumulated over time. The route: a phased digital roadmap + IT strategy commission delivered through Made Smarter Yorkshire & Humber (the regional Made Smarter delivery arm, mediated by Oxford Innovation Advice). Outcomes: production lead times for bespoke orders reduced by 20%; capacity utilisation improved; material forecasting sharper; stock-outs reduced. The case is a good example of a UK SME using public-sector modernisation programme support effectively. (Made Smarter case study, published 17 June 2025.)
Sector pain-pattern summary
Across the five cases above plus our internal patterns, sector-specific pain points are consistent:
- FinTech-adjacent: fragile codebases harming throughput; duplicated customer data; pressure to avoid risky rewrites against business-critical regulatory deadlines
- Retail / e-commerce: pressure to internationalise and expand cross-border; risk of customer-experience disruption from rewrites; real-time inventory + multi-channel coordination
- Healthcare / NHS-adjacent: integration with NHS workflows; manual scheduling harming lead times; need for phased delivery aligned to public-sector procurement cadence
- Manufacturing: manual scheduling and production planning; lack of real-time reporting; Industry 4.0 readiness pressure (Made Smarter funding offset can apply for matching projects up to £20K)
- Professional services: client-portal and document-automation pressure; time-to-billing constraints (less well-documented in the public case-study record - a recurring evidence gap in industry reporting)
Practitioner perspectives
Five UK and UK-relevant practitioner voices worth weighing as you make your own modernisation decisions. The list deliberately includes both AI-positive and AI-cautious perspectives - the goal is to bring genuine viewpoint diversity into the conversation rather than a single-voice opinion.
Mike Bracken (former Director of Digital, GDS; founder of Public Digital) - modernisation is delivery-led
Bracken's foundational framing for UK government digital modernisation, applicable equally to UK SME work: "In an analogue world policy dictates to delivery, but in a digital world delivery informs policy. This is what agile means for Government and its services." (Computer Weekly interview). Bracken also describes the broader move from monolithic legacy "silos to platforms" as a generational shift - a useful frame for SMEs deciding whether to keep modernising in place (silo replacement) or rebuild around shared platforms.
Martin Fowler (UK-resident software author, Thoughtworks) - AI for understanding; humans for safe modification
Fowler's "Legacy Modernization meets GenAI" piece (April 2024, updated September 2024) is the most-cited practitioner essay on the topic. His position: "LLMs should be used to help understand legacy systems, though modifying code safely with LLMs remains uncertain." Fowler also frames the broader trend as a move from "deterministic to non-deterministic coding due to LLMs" - and warns that non-deterministic tools require tolerance thinking "akin to structural engineering" (The New Stack; The Pragmatic Engineer). The practical implication: AI-tool selection is a senior engineering decision, not a procurement decision.
Thoughtworks practitioners (Alessio Ferri, Tom Coggrave, Shodhan Sheth) - evolutionary replacement over big-bang
Cited in Fowler's piece, the Thoughtworks team describes the CodeConcise approach - combining LLMs with code-structure knowledge (a knowledge graph derived from Abstract Syntax Trees) to extract requirements and explain legacy systems. Their broader recommendation: an evolutionary approach to legacy displacement to reduce risk and deliver early value. The technique generalises well to UK SME work: use AI to comprehend the legacy system, then ship change incrementally rather than as a big-bang. (Source via Fowler; consultancy disclosure noted.)
Liam Maxwell (former UK Government CTO; now AWS Government Transformation Director) - modernisation as a talent-attraction lever
Maxwell's framing of one underrated benefit of modernisation: "Moving to the cloud enables agencies to attract top-tier tech talent who avoid legacy IT systems." (GovInsider). This matches what we hear from UK SMEs in regulated sectors particularly - the talent floor on legacy stacks (COBOL, classic ASP, VB6) is rising fast, and modernisation is sometimes the lowest-cost way to keep being able to hire developers.
Tom Loosemore (Partner, Public Digital; former GDS) - the AI-hype counterweight
Loosemore's contrarian voice on AI in public services is worth listening to even outside government work. He warns that government developer pay is too low to attract the skills needed for Agile delivery, and that AI agents could swamp public services if rushed in without governance - implying that the system-level demand and capability constraints matter more than the AI-tool capability itself (Computer Weekly opinion). For UK SMEs the takeaway is similar: rushing AI into a legacy modernisation without senior engineering oversight produces governance debt that's expensive to retire.
The senior + AI team-shape thesis (the practitioner consensus)
Across these voices a consistent practitioner consensus emerges: AI is most valuable as a force multiplier for senior engineers handling discovery, comprehension, and analysis - not as a substitute for them on architecture, code modification, or migration sequencing decisions. Fowler, the Thoughtworks team, and (implicitly) Maxwell all converge on the same shape: modernisation in 2026 looks like one or two senior engineers + AI tooling delivering what would historically have required a team of four or five. The "senior + AI" team shape is the productive one; the "junior + AI" team shape produces the failure modes Fowler warns about and the governance debt Loosemore predicts.
When NOT to modernise
Not every legacy system should be modernised. The audit reflex - "we should rebuild this" - is sometimes wrong, and the cost of unnecessary modernisation is real. The Retain route in the 5 Rs is genuinely the right answer for a substantial proportion of "legacy" systems. Three legitimate cases to leave a legacy system alone:
- Working-and-supported systems with no integration friction. If the system still does its job, the vendor still issues updates, and it integrates well enough with your wider estate, replacing it adds risk without adding value.
- High cost-of-change versus low business value. A system that only handles a low-volume back-office workflow may not be worth the cost of replacing - even if the technology is dated.
- Regulated systems with proven audit trails. In some regulated sectors, the cost of re-validating a replacement system against the regulator's requirements outweighs the benefit of running on modern tech. The financial-services regulator particularly values proven, audited systems over freshly-built ones.
Dan North - "best simple system for now"
UK software practitioner Dan North, one of the founders of Behaviour-Driven Development, advocates choosing the "best simple system for now" - prioritising simplicity and pragmatic fit-for-current-purpose over architectural purity. North's argument supports the Retain route directly: if a legacy system is genuinely the best simple system for now, replacing it for engineering aesthetics rather than business need is a category error. (Dan North blog - Best simple system for now.)
Martin Fowler - "modify code safely with LLMs remains uncertain"
Fowler's caution from §13 doubles as a Retain-route argument: if AI cannot yet safely modify production code at scale (Fowler's explicit position), then modernisation projects that depend on AI-driven code changes carry risk that Retain doesn't. "LLMs should be used to help understand legacy systems, though modifying code safely with LLMs remains uncertain." (Martin Fowler, Legacy Modernization meets GenAI.) For a working legacy system without a forcing function, the patient stance - Retain until safe-modification AI patterns mature - can be rational.
The Tom Loosemore counter-rate-of-change argument
Loosemore's broader concern that AI agents could swamp public services without proper governance has a private-sector parallel: rushing modernisation to chase the AI-productivity story can produce governance debt that's harder to retire than the legacy debt you started with. Sometimes the right call is to let the AI tooling mature for another six months before committing a budget to AI-accelerated modernisation. Patience is not the same as paralysis. (Tom Loosemore, Computer Weekly.)
The Retain decision - like every decision in the 5 Rs framework - should be evidence-led, not reflex. Run the modernise-vs-maintain checklist (§5), and if Retain genuinely fits, that's the right answer. Modernise only when the evidence supports it.
How to get started
Three practical steps for a UK SME starting to think about legacy modernisation:
- Run a quick audit of your estate. List every system that handles operational data. For each, note: vendor support status, last security patch date, who in your team understands it, integration count. This usually surfaces 1-3 systems where the modernise-or-maintain decision is overdue.
- Get a scoping conversation on the highest-priority system. The conversation should produce a recommended route from the 5 Rs, an indicative cost band, an indicative timeline, and a clear list of risks. (We do this for free in a 30-minute call as part of our bespoke software development service - the scoping conversation is no-obligation.)
- Decide route + commission discovery. A 2-4 week discovery sprint produces a fixed-price quote for the main work. The discovery itself is usually £5k-£15k and is the single highest-value spend in the entire programme - it's where the cost overruns get prevented.
Frequently asked questions
Common questions UK SME buyers ask us about legacy software modernisation.
UK financial services firms had to be in full compliance with PS21/3 by 31 March 2025. The framework requires firms to identify Important Business Services (IBS), set impact tolerances, map dependencies, and conduct severe-but-plausible scenario testing.
For legacy systems this means producing live resilience mapping (not annual one-off documentation), traceable records of automated decisions, audit-ready logs and structured data. Most firms find that legacy systems can't naturally produce this material, so the practical fix is either modernise or wrap in a modern observability/audit layer that surfaces what regulators need. The FCA's December 2025 Supervisory Roadmap signalled that AI governance moves from principles to audits in 2026, and DUAA is becoming an embedded supervisory lens - both raising the bar on what legacy estates need to demonstrate.
Two converging deadlines for any UK SME serving the NHS or holding NHS patient data: NHS DSPT v8 annual submission by 30 June 2026, and DTAC v2 in force from 6 April 2026.
DSPT v8 emphasises evidence quality and operational assurance over self-assessment paperwork. The framework continues aligning with the NCSC Cyber Assessment Framework (CAF). Four organisation categories apply (NHS Trusts; large IT suppliers >£10m turnover; other IT suppliers; GP practices and small healthcare providers). DTAC v2 is NHS England's revised assessment framework for digital health technologies - 25% reduction in questions versus v1, de-duplicated with DSPT processes, NICE-aligned scope. Cyber Essentials remains a mandatory technical-section requirement. Existing DTAC v1 holders need to update to v2 ahead of the deadline.
PCI DSS v4.0.1 became fully in force on 31 March 2025, replacing v3.2.1 entirely. Major changes that affect legacy systems include mandatory MFA for everyone accessing cardholder-data systems (not just admins), stricter password practices, Targeted Risk Analysis (TRA) discipline for periodic controls, full-disk encryption no longer accepted as a method for protecting cardholder data, and change/tamper detection on e-commerce payment pages.
For UK SME retailers and e-commerce SMEs running legacy systems, the practical implications are usually layering modern identity and tokenisation services in front of the legacy systems rather than retrofitting MFA into the legacy app, and shifting from full-disk encryption to record-level encryption for cardholder data. Annual penetration testing is required, with segmentation testing every six months for service providers.
No single tool wins across all use cases - the right choice depends on your codebase scale, your team's existing IDE, your data-residency needs, and the modernisation route you're taking.
For codebase-wide reasoning (very large monorepos, cross-module refactors, migration planning) Anthropic Claude Opus 4.7 (released April 2026) handles up to 1M token contexts and is strongest at multi-file understanding. For day-to-day developer productivity inside a known codebase, GitHub Copilot Pro (~£7/user/month) integrates most cleanly with GitHub workflows. For monorepo-scale migrations where Salesforce reported an 85% reduction in legacy code coverage time, Cursor's AI-native IDE is the strongest option. For UK regulated sectors needing data sovereignty without cloud-AI exposure, Tabnine's on-prem and air-gapped Enterprise tier is the right choice. For mainframe COBOL → Java translation with semantic-equivalence test generation, IBM watsonx Code Assistant for Z is purpose-built. For large-scale legacy Java migrations on AWS infrastructure, AWS Q Developer (with Claude Sonnet 4.5 inside) demonstrated 350,000 lines of legacy Java modernised and 4 new applications delivered in 4 months in the published Altisource case. Most UK SME modernisations end up using two or three tools across the engagement, not one.
Yes - if you're a UK manufacturing or engineering SME with fewer than 250 employees, turnover below £36m, and significant English operations, Made Smarter UK can match-fund up to 50% of qualifying digital adoption projects (typically capped at £10k-£20k depending on your region).
Eligible projects include ERP, MES, CRM, cybersecurity upgrades, automation, data integration and digital process improvements. Made Smarter is delivered regionally (London via London & Partners; South East via Surrey-led pilot; Yorkshire and Humber via Oxford Innovation Advice; etc.). Since launch the programme has invested £112m in direct grants, engaged 800+ organisations, and SMEs adopting recommended technologies report 26% average productivity improvements. Other UK funding routes worth exploring: Innovate UK Smart Grants (£25k-£500k, 70% for SMEs); Help to Grow Digital follow-on programmes; regional development grants (£2.5k-£35k); R&D Tax Credits (SME scheme average claim ~£45k for qualifying software work).
Sources
UK and international primary sources cited in this guide. Compiled April 2026; refresh due at T+365 (April 2027).
- State of Digital Government review - Central Digital and Data Office (CDDO), January 2025 - 28% of UK central-government technology classified as legacy - assets.publishing.service.gov.uk/media/678a47649752f24aa1573589/state-of-digital-government.pdf
- Cabinet Office Government Digital Handbook - Legacy systems guidance - defines a legacy system and the Legacy IT Risk Assessment Framework - digital-handbook.cabinetoffice.gov.uk/docs/guidance/legacy-systems.html
- NAO - Government's approach to technology suppliers (January 2025) - £3 billion of cost overruns across major UK digital programmes - nao.org.uk/wp-content/uploads/2025/01/governments-approach-to-technology-suppliers-addressing-the-challenges.pdf
- IBM 2025 Cost of a Data Breach Report - UK edition (30 July 2025) - UK average £3.29m; financial services £5.74m; AI-extensive users £3.11m - uk.newsroom.ibm.com/2025-cost-of-data-breach-UK
- IASME - Important Update: Changes to Cyber Essentials for April 2026 - new v3.3 + Danzell question set, mandatory MFA for cloud, in force 27 April 2026 - iasme.co.uk/articles/important-update-changes-to-cyber-essentials-for-april-2026/
- NCC Group - Major Cyber Essentials Changes Coming April 27, 2026 (13 March 2026) - nccgroup.com/major-cyber-essentials-changes-coming-april-27-2026-what-organisations-need-to-know/
- ICO - Statement on the commencement of the Data (Use and Access) Act (5 February 2026) - ico.org.uk/about-the-ico/media-centre/news-and-blogs/2026/02/statement-on-the-commencement-of-the-data-use-and-access-act-duaa/
- gov.uk - Data Use and Access Act 2025: plans for commencement - phased commencement plan; Stage 4 complaints procedure ~June 2026 - gov.uk/guidance/data-use-and-access-act-2025-plans-for-commencement
- ITJobsWatch - Senior Software Engineer UK contract rates - median £512/day across 6 months to 23 April 2026 - itjobswatch.co.uk/contracts/uk/senior%20software%20engineer.do
- Made Smarter UK - Adoption Programme - up to 50% match funding for manufacturing SMEs - madesmarter.uk/adoption/in-my-region/london/
- Computer Weekly - Questions over size of government's legacy IT estate pose AI adoption issues (October 2025) - computerweekly.com/news/366632800/Questions-over-size-of-governments-legacy-IT-estate-pose-AI-adoption-issues
- TechUK - The hidden threat of unknown NHS legacy debt - NHS legacy estate ranges 10-60-70% across organisations - techuk.org/resource/the-hidden-threat-of-unknown-nhs-legacy-debt.html
- ArXiv 2302.06590 - The Impact of AI on Developer Productivity - foundational controlled study showing GitHub Copilot users 55% faster on a JavaScript HTTP server task (1h11m vs 2h41m) - arxiv.org/abs/2302.06590
- Salesforce Engineering - How Cursor AI Cut Legacy Code Coverage Time by 85% - production engagement at Salesforce; the headline AI-tool benchmark for legacy modernisation work - engineering.salesforce.com/how-cursor-ai-cut-legacy-code-coverage-time-by-85/
- AWS - Altisource case study - 350,000 lines of legacy Java modernised using Amazon Q Developer with Claude Sonnet 4.5; four new applications delivered in four months - aws.amazon.com/solutions/case-studies/altisource-case-study/
- IBM Research - watsonx Code Assistant for Z is the Rosetta Stone for mainframes - purpose-built COBOL to Java translation with automated semantic-equivalence unit-test generation - research.ibm.com/blog/watsonx-code-assistant-for-z-is-the-rosetta-stone-for-mainframes
- Thoughtworks - Legacy Modernization in the Age of AI - independent practitioner perspective on AI guardrails, automated tests, and the limits of AI-assisted modernisation - thoughtworks.com/en-us/insights/blog/legacy-modernization/legacy-modern-modernization-in-the-age-of-ai
- Microsoft Developer Blog - Modernizing project files with AI: a success story from the .NET team - internal Microsoft case showing AI accelerated migration and required human review at every step - developer.microsoft.com/blog/modernizing-project-files-with-ai-a-success-story-from-the-dotnet-team
- Sourcegraph - Cody case studies - FactSet monolith migration; CERN 15-million-line Java codebase (accelerator controls) - sourcegraph.com/case-studies
- Stack Overflow Developer Survey 2025 - AI section - ~80,000 global developer responses; widespread AI tool use; productivity uplift perceived; trust concerns persist - survey.stackoverflow.co/2025/ai
- Martin Fowler - Legacy Modernization meets GenAI (April 2024, updated September 2024) - practitioner essay on AI in legacy modernisation; the most-cited reference on the topic - martinfowler.com/articles/legacy-modernization-gen-ai.html
- The New Stack - Martin Fowler on preparing for AI's nondeterministic computing - coverage of Fowler's "deterministic to non-deterministic" thesis - thenewstack.io/martin-fowler-on-preparing-for-ais-nondeterministic-computing/
- Computer Weekly - Mike Bracken interview on the next five years for digital government - foundational UK government digital framing including the silos-to-platforms shift - computerweekly.com/news/2240230897/Interview-Government-digital-chief-Mike-Bracken-on-the-next-five-years-for-digital-government
- Computer Weekly - Tom Loosemore opinion: How citizens' AI agents will swamp public services - UK contrarian voice on rapid AI adoption - computerweekly.com/opinion/Flood-warning-How-citizens-AI-agents-will-swamp-public-services
- Dan North - Best simple system for now - UK practitioner essay supporting the Retain route in modernisation decisions - dannorth.net/blog/best-simple-system-for-now/
- GovInsider - Liam Maxwell on cloud and talent attraction - former UK Government CTO on modernisation as a talent-attraction lever - govinsider.asia/intl-en/article/captured-by-the-genai-zeitgeist-how-generative-ai-is-shaping-government-transformation
- FCA Handbook coverage - operational resilience and PS21/3 - UK financial services data governance reference - atlan.com/know/data-governance/fca-handbook/
- Assuric - What is DSPT? A guide for digital health companies - NHS Data Security and Protection Toolkit v8 (2025-2026 submission, deadline 30 June 2026) - assuric.com/blog/what-is-dspt
- Periculo - DTAC Version 2: What digital health organisations need to know before 6 April 2026 - NHS England's revised digital health technology assessment framework - periculo.co.uk/cyber-security-blog/dtac-version-2-what-digital-health-organisations-need-to-know-before-6th-april-2026
- SecurityMetrics - A guide to new requirements in PCI DSS v4.0.1 - PCI DSS v4.0.1 in force from 31 March 2025 - securitymetrics.com/blog/a-guide-to-new-requirements-in-pci-dss-4-0-1
- European Financial Review - DORA in force since January 2025 - UK financial services exposure via EU counterparty contracts - europeanfinancialreview.com/the-attack-your-security-strategy-wasnt-designed-to-spot/
About the author
Ihor Havrysh
Software Engineer
Software Engineer at Red Eagle Tech with expertise in cybersecurity, Power BI, and modern software architecture. I specialise in building secure, scalable solutions and helping businesses navigate complex technical challenges with practical, actionable insights.