Who controls the technology behind a UK accountancy practice?
How much this sector depends on technology suppliers it cannot fully control — and where that matters most.
The big picture
Six of eight building blocks are High exposure, clustered on the bookkeeping ledgers — the full financial picture of every client — which sit with foreign-controlled suppliers (Xero NZ/US-hosted; Intuit US) on mostly-American cloud. This sector uniquely has real UK-owned options (Sage, IRIS, FreeAgent, TaxCalc, BTCSoftware), but even the British brands keep data on US cloud, so UK ownership buys less sovereignty than buyers assume.
We looked at the everyday layers of technology a UK accountancy or professional-services firm relies on, from the cloud it runs on to the systems that define the sector. A supplier owned in the United States can be compelled to hand over data under US law — the CLOUD Act[1], and the surveillance powers in Section 702 of the Foreign Intelligence Surveillance Act[2] — even when that data is stored in Britain; a British supplier answers only to UK law. We scored each building block on four things — how few the suppliers are, whose laws they answer to, how hard they are to switch, and how essential they are.
Where the exposure sits
Who controls each layer
The building blocks this sector relies on, coloured by who ultimately controls each one:US-controlledMixed / otherUK-controlled
Accountancy is the first sector we have profiled with genuine UK-owned options at the defining layer: Sage (Newcastle, FTSE-listed), FreeAgent (NatWest-owned), IRIS (UK-operating, though majority-owned by US private equity), TaxCalc and BTCSoftware. That is rare. But the headline stays High because (1) the cloud underneath almost everything is American — even Sage Intacct (EU data) and FreeAgent (Ireland) rent Amazon; (2) Microsoft/Google own productivity, BI and identity; and (3) the two most popular ledgers (Xero NZ/US-hosted, Intuit US) and two of the three big compliance suites (Wolters Kluwer NL, Thomson Reuters Digita CA) are foreign-controlled. UK control of the vendor is not the same as UK control of the data.
What this means, in plain terms
If a supplier pulled the plug, how fast would it hurt?
| Speed of impact | Layer | What happens |
|---|---|---|
| <24h | Identity & log-in | Fastest failure — instant lockout of the whole practice (time to leave: months) |
| days | Cloud & compute | Account suspension propagates to everything hosted (time to leave: months) |
| days–weeks | Bookkeeping ledger | MTD filing obligation continues; extracting seven years of records is the deepest migration here (time to leave: >12mo) |
| days | Productivity & email | Email and documents down; workarounds exist (time to leave: months) |
| weeks | Tax, compliance & practice management | Tax-season-dependent; a January cut would be acute (time to leave: 6–12mo) |
| n/a | Payments & banking | Low exposure; not a crisis layer (time to leave: n/a) |
What organisations can do about this
| Building block | Practical steps |
|---|---|
| Bookkeeping ledger | prefer UK-owned but pin down the data region in writing (Sage Intacct=EU, FreeAgent=Ireland); UK-hosted small-end options include Pandle (Google UK) and iplicit (UK Azure). Keep an open-format export route for seven years of records. |
| Tax, compliance & practice management | prefer a UK-controlled suite at renewal (IRIS estate, TaxCalc, BTCSoftware) over Wolters Kluwer CCH (NL) or Thomson Reuters Digita (CA); but note IRIS is majority-owned by US private equity, so check who holds the capital. |
| Cloud and log-in | reduce the Microsoft/Google concentration; UK/EU options include OVHcloud, Scaleway (France), IONOS (Germany), Civo (UK). |
| Data / BI | keep reporting on a UK-region tenancy where offered, or consider open-source BI. |
| Payments and banking | already low-risk; accept and monitor, but check who owns the open-banking aggregator feeding your bank transactions. |
Sources
- US CLOUD Act 2018 (18 U.S.C. 2713) – compels US-incorporated providers to produce data in their custody wherever in the world it is stored. https://www.govinfo.gov/content/pkg/USCODE-2018-title18/html/USCODE-2018-title18-partI-chap121-sec2713.htm
- US Foreign Intelligence Surveillance Act, Section 702 (50 U.S.C. 1881a) – a US directed-surveillance authority. https://www.govinfo.gov/app/details/USCODE-2021-title50/USCODE-2021-title50-chap36-subchapVI-sec1881a
- Vendor ownership and hosting – taken from company filings, public registries (including UK Companies House) and suppliers’ own documentation, compiled in the Information Matters UK vendor sovereignty database.
How we did this. We scored each technology layer on four things — supplier concentration, whose laws they answer to, how hard they are to switch, and how essential they are — using the IM Sovereignty Framework and our UK vendor database. Control and hosting facts come from primary sources; the harder-to-quantify judgments are our reasoned view of a typical organisation. Scores are bands, not exact measurements. Full evidence record available on request.
This research consists of the opinions of the Information Matters team — human and AI — and should not be considered statements of fact.
Information Matters · informationmatters.net
If you have any questions or comments about this article please email info@informationmatters.net

