Smart Path IT

UK Tax & Compliance Glossary 2026

Plain-English definitions for the UK tax, compliance and IT terms that come up most for sole traders, landlords and SMEs. Linked to deeper articles where relevant. Informational only — not advice.

Tax

MTD ITSA (Making Tax Digital for Income Tax Self Assessment)
HMRC's regime requiring digital records and quarterly updates for sole traders and landlords with qualifying income above £50,000 (from April 2026), £30,000 (April 2027) and £20,000 (April 2028). Replaces the traditional annual Self Assessment with four in-year submissions plus a final declaration.
CGT Annual Exempt Amount
The Capital Gains Tax allowance individuals can use each tax year before CGT applies. Reduced to £3,000 from April 2024 (down from £6,000 in 2023-24 and £12,300 in 2022-23). Many casual investors who used to be safely under the allowance are now in scope.

Crypto / Tax

CARF (Cryptoasset Reporting Framework)
An OECD international standard for automatic exchange of cryptoasset transaction data between tax authorities. UK reporting cryptoasset service providers (RCASPs) began collecting customer data on 1 January 2026, with first international reporting in 2027.
Section 104 pool
HMRC's share-pooling rule for capital gains. For each token (or share class) you hold, all acquisitions are averaged into a single running pool, used as the cost basis when you dispose. Disposals first match same-day acquisitions, then the 30-day 'bed-and-breakfast' window, then the Section 104 pool.

Crypto

RCASP (Reporting Cryptoasset Service Provider)
A regulated entity — typically a UK exchange, custodian, broker or certain wallet providers — required under CARF to collect customer due-diligence information and report cryptoasset transactions to HMRC.

Cyber

Cyber Essentials & Cyber Essentials Plus
A UK government-backed certification scheme (run by the NCSC and IASME) covering five technical controls: secure configuration, boundary firewalls, access control, malware protection and patch management. Cyber Essentials is self-assessed; Cyber Essentials Plus adds an independent technical audit.
NIS2 (Network and Information Security Directive 2)
An EU directive that significantly broadens cybersecurity obligations for medium and large entities in essential and important sectors. UK companies that supply EU customers in scope often need to comply contractually even though NIS2 itself does not directly apply post-Brexit.

Data Protection

UK GDPR & Data Processing Agreement (DPA)
The UK General Data Protection Regulation governs how personal data is collected, processed and stored in the UK. A DPA is the contractual document between a data controller and a data processor that sets out lawful processing terms; it is a UK GDPR requirement whenever a third party processes personal data on your behalf.

Resilience

3-2-1 backup rule
Industry baseline for resilient backups: at least three copies of your data, on two different media types, with one copy held off-site. Modern variants add an immutable copy and zero verification errors (3-2-1-1-0).

AI

RAG (Retrieval-Augmented Generation) & grounding
An AI architecture that retrieves relevant documents from your own knowledge base before generating an answer, then constrains the answer to those sources. 'Grounding' is the practice of forcing answers to cite (and stay within) those retrieved documents — the single most effective defence against hallucinations.
Agentic AI
AI systems that take autonomous actions in software environments (calling APIs, modifying configuration, opening tickets) rather than only producing text. In production IT support, agentic AI should be scoped to reversible, low-blast-radius operations with mandatory human approval for anything else.

Marketplaces

Escrow (via Stripe Connect)
A payment pattern where the platform holds customer funds until a service is signed off, then releases payment to the provider. On Stripe Connect this is implemented with separate charges and transfers (or destination charges with manual capture), giving the platform a clean dispute path.

Incident Response

MTTD & MTTR (Mean Time to Detect / Resolve)
Two of the most-cited metrics in incident response. MTTD measures how long an incident persists before it is detected; MTTR measures how long from detection to resolution. Mature SOC operations track both at the alert-class level rather than as a single average.

Need this in plain English for your specific situation?

We don't give tax or legal advice, but we are happy to walk you through the IT and bookkeeping implications for your business and point you to the right specialists.
