Who controls the technology behind a UK hospitality business?
How much this sector depends on technology suppliers it cannot fully control — and where that matters most.
The big picture
For a typical UK hospitality operator — a restaurant or pub group, or a hotel — six of the nine building blocks score High exposure. They cluster around the systems that actually take the money and run the floor: the till (EPOS), the payments rail, and the staff log-in. Payments is the sharpest dependency, because almost every card transaction settles over the US-controlled Visa and Mastercard schemes, which no acquirer can route around. The sector’s saving grace is that genuine UK-controlled options exist at the till and the booking desk, which is not true of the cloud, the office software or the card schemes.
We looked at the everyday layers of technology a UK hospitality or leisure business relies on, from the cloud it runs on to the systems that define the sector. A supplier owned in the United States can be compelled to hand over data under US law — the CLOUD Act[1], and the surveillance powers in Section 702 of the Foreign Intelligence Surveillance Act[2] — even when that data is stored in Britain; a British supplier answers only to UK law. We scored each building block on four things — how few the suppliers are, whose laws they answer to, how hard they are to switch, and how essential they are.
Where the exposure sits
Who controls each layer
The building blocks this sector relies on, coloured by who ultimately controls each one:US-controlledMixed / other
Genuinely UK-controlled options in our data: EPOS Zonal, ICRTouch, Tevalis, Comtrex; restaurant booking ResDiary, Collins (DesignMyNight); hotel/leisure PMS Guestline; workforce/back-office Access Hospitality (plus Trail, Slerp for operations and ordering); marketing Airship, Yumpingo; order/pay-at-table Vita Mojo, storekit; payments acquiring Yoello (plus UK-based Dojo and Teya widely used); procurement Erudus, growyze. EU-controlled (a rung below the US incumbents on jurisdiction): Mews (NL) for hotel PMS; Bizimply and Nory (IE) and Flow Learning by Mapal (FR) for workforce; Easilys (FR) and Nutritics (IE) for procurement; SumUp (LU) for payments. None removes the US Visa/Mastercard card-scheme dependency, and several widely-used names are foreign-controlled (Planday is NZ-controlled, Fourth and Harri US, Glofox and TheFork US) — check ownership before relying on any option.
What this means, in plain terms
If a supplier pulled the plug, how fast would it hurt?
| Speed of impact | Layer | What happens |
|---|---|---|
| Hours | Payments (card-acquiring & card schemes) | Card authorisation stops; card-present and online sales halt. An acquirer can be replaced in weeks–months, but the Visa/Mastercard scheme dependency cannot be routed around at all. |
| Hours | EPOS / point of sale | The till cannot take an order; cloud EPOS goes dark and offline modes are limited. Re-fitting an EPOS estate across sites is a multi-month project. |
| Hours | Hotel property management system (PMS) | No check-in, room allocation or rate management; a hotel cannot operate. Migrating a PMS full of guest and booking history is one of the deepest moves on the board. |
| Hours–days | Identity & log-in | Staff and head office locked out of systems; fast failure, but more recoverable than the trading layers. |
| Days | Table booking & reservations | Covers and pre-bookings disrupted; phone and walk-in fallback gives limited runway, online bookings stop. |
| Days–weeks | Workforce & back-office | Rotas, payroll and stock degrade; manual processes buy some time but pay-runs and labour scheduling are time-critical. |
What organisations can do about this
| Building block | Practical steps |
|---|---|
| EPOS / point of sale | At the next till refresh, weigh genuinely UK-controlled options against the US incumbents. Our data shows UK-controlled Zonal, ICRTouch, Tevalis and Comtrex; for hotels and leisure, UK Guestline. Choosing a UK EPOS lowers the jurisdiction towards 1 and breaks the bundle that pulls payments and data onto a single foreign vendor — but an estate-wide swap is slow, so the hardware-refresh cycle is the moment to choose. |
| Payments | An acquirer can be diversified or moved — UK-based Dojo and Teya, or Luxembourg-controlled SumUp, lower the processor’s jurisdiction a rung. But no acquirer removes the Visa/Mastercard scheme dependency; account-to-account and open-banking payment routes (some run through UK-controlled processors) are the only genuine reduction of card-scheme reliance, and adoption in hospitality is still early. Treat the scheme dependency as accept-and-monitor. |
| Booking, reservations & PMS | For restaurant bookings, UK-controlled ResDiary and Collins (DesignMyNight) are credible alternatives to US SevenRooms, OpenTable and TheFork. For hotels, Mews (Netherlands) sits a rung below the US incumbents on jurisdiction and Guestline is UK-controlled. Preferring these at renewal lowers jurisdiction without an estate-wide hardware change — among the cheaper sovereignty wins available to the sector. |
| Workforce & back-office | Fourth and Harri are US-controlled; UK-controlled Access Hospitality and Ireland-controlled Bizimply and Nory are EU/UK-law alternatives for rotas, payroll and stock. These hold staff payroll and personal data, so the jurisdiction question matters even though the layer is less time-critical than the till. Prefer a UK/EU-controlled supplier at renewal. |
| Cloud, identity, data residency & contracts | Head-office cloud and staff log-in have no British option at scale — UK and European choices such as OVHcloud, Scaleway, IONOS and the self-hosted open-source log-in Keycloak reduce reliance on a single US provider. Where a US platform is unavoidable, insist on UK/EU data residency, UK/EU-law contracting and clear sub-processor disclosure. This lowers the practical blast radius but does not remove US legal reach (the CLOUD Act — the Clarifying Lawful Overseas Use of Data Act 2018 — can compel a US company to hand over data it controls, wherever stored). Document the residual and monitor it. |
Sources
- US CLOUD Act 2018 (18 U.S.C. 2713) – compels US-incorporated providers to produce data in their custody wherever in the world it is stored. https://www.govinfo.gov/content/pkg/USCODE-2018-title18/html/USCODE-2018-title18-partI-chap121-sec2713.htm
- US Foreign Intelligence Surveillance Act, Section 702 (50 U.S.C. 1881a) – a US directed-surveillance authority. https://www.govinfo.gov/app/details/USCODE-2021-title50/USCODE-2021-title50-chap36-subchapVI-sec1881a
- Vendor ownership and hosting – taken from company filings, public registries (including UK Companies House) and suppliers’ own documentation, compiled in the Information Matters UK vendor sovereignty database.
How we did this. We scored each technology layer on four things — supplier concentration, whose laws they answer to, how hard they are to switch, and how essential they are — using the IM Sovereignty Framework and our UK vendor database. Control and hosting facts come from primary sources; the harder-to-quantify judgments are our reasoned view of a typical organisation. Scores are bands, not exact measurements. Full evidence record available on request.
This research consists of the opinions of the Information Matters team — human and AI — and should not be considered statements of fact.
Information Matters · informationmatters.net
If you have any questions or comments about this article please email info@informationmatters.net

