Working Time Regulations: The Compliance Issue Every Scaling Tech Company Underestimates

UK tech companies treat the Working Time Regulations 1998 as something between a formality and an embarrassment. The 48-hour opt-out is signed at onboarding and never mentioned again. Salaried engineers work weekends without anyone counting. The 24/7 on-call rotation runs without anyone checking the rest period rules. Hybrid working has made measuring actual hours almost impossible. Founders assume the rules do not really apply to a knowledge-work business where everyone is contributing voluntarily and being paid well.

This view is wrong on the law, exposes founders and directors to personal liability, and is one of the underlying contributors to the burnout crisis the sector openly discusses. The Working Time Regulations apply to almost every UK tech worker. They have been updated as recently as 2024. Investor due diligence increasingly asks about them. And the link between working time non-compliance and the stress and mental health risks every founder claims to take seriously is direct and well-evidenced.

This guide explains what the Working Time Regulations actually require, where tech companies most commonly fall short, the recent legislative changes most have not adjusted to, and what to do about it. It is written for founders, Heads of People, COOs, and anyone responsible for compliance in a UK technology business of any stage from seed-stage startup to listed company.

What the Working Time Regulations are

The Working Time Regulations 1998 implement the EU Working Time Directive and remain in force in UK law post-Brexit, with amendments. The regulations set out minimum entitlements and maximum limits across five connected areas:

• Maximum weekly working time: an average of 48 hours per week, calculated over a 17-week reference period
• Daily and weekly rest: at least 11 uninterrupted hours of rest in every 24-hour period, and at least 24 uninterrupted hours of rest in every 7 days (or 48 hours in every 14)
• Rest breaks: a minimum 20-minute break during any working day longer than 6 hours
• Night working: an average limit of 8 hours per 24-hour period for night workers, plus mandatory health assessments
• Paid annual leave: a statutory minimum of 5.6 weeks per year, inclusive of bank holidays

The regulations apply to almost every "worker", a definition broader than just employees. It includes most contractors, agency staff, and some self-employed individuals where there is an element of subordination to the engaging business. Genuinely self-employed founders are typically outside the scope for themselves, but the company is in scope for every worker on its books.

Two regulators have a role in enforcement. The Health and Safety Executive enforces the health and safety aspects of the regulations: weekly limits, night work, rest breaks, rest periods, and health assessments. HMRC enforces working time pay matters where they relate to the National Minimum Wage. Employment tribunals hear individual disputes. The HSE has powers to issue Improvement Notices for Working Time breaches, which carry the consequences set out in our HSE Notices guide.

The 2024 changes (introduced through the Employment Rights (Amendment, Revocation and Transitional Provision) Regulations 2023, in force from January 2024) updated holiday entitlement calculations for irregular hours and part-year workers, reintroduced rolled-up holiday pay for those workers, and simplified some record-keeping requirements. Most tech companies have not adjusted their payroll and HRIS configurations to reflect these changes.

Why tech companies underestimate the Working Time Regulations

Five reasons consistently come up.

The salaried-employee misunderstanding. Many tech founders assume that paying a fixed salary above the National Minimum Wage discharges any obligation around hours worked. This is wrong. The Working Time Regulations apply regardless of how an employee is paid. A salaried software engineer earning £80,000 has exactly the same statutory rest break, rest period, and weekly limit entitlements as a minimum-wage shift worker.

The opt-out illusion. Most tech companies sign new joiners up to a 48-hour opt-out at onboarding and treat the matter as closed. The opt-out only removes the 48-hour average weekly limit. It does not remove the 11-hour daily rest, the 24-hour weekly rest, the 20-minute break, the 8-hour night work limit, or the health assessment duty for night workers. None of those rights can be opted out of by a worker over 18. Workers can also revoke an opt-out at any time on at least 7 days' written notice (or up to 3 months if their contract specifies that period). Treating the opt-out as a one-time waiver of working time law is a common compliance failure.

The "everyone wants to be here" defence. The argument that long hours are voluntary in tech because everyone chooses to work them does not survive contact with the regulations. Working time law was written specifically because employer-favourable consent in unequal employment relationships cannot be assumed to be genuine. The HSE Management Standards on work-related stress treat workload and working time as employer responsibilities, not employee choices.

The hybrid blind spot. Since 2020, hybrid and remote arrangements have made measuring actual working time genuinely difficult. Most tech companies have responded by simply stopping the attempt. Working time data has dropped out of HRIS dashboards. Managers have no visibility on how many hours their reports are actually doing. The duty to keep records exists in law, even if the practical mechanics have got harder.

The "we'll deal with it at Series C" deferral. Founders consistently treat compliance as a problem for later. The legal duties apply from the first employee. The personal liability exposure of directors under Section 37 of the Health and Safety at Work etc. Act 1974 applies from the first employee too. Deferring the work means the gap grows, the practical fix gets harder, and the exposure compounds.

What every UK tech worker is entitled to

Six entitlements apply to every worker in a UK tech business. They are not waivable except in the specific ways noted.

1. Average 48-hour weekly maximum (opt-outable for adults)

Workers cannot be required to work more than an average of 48 hours per week, calculated over a 17-week reference period. The 17-week average accommodates fluctuations: a heavy week immediately before a product launch followed by lighter weeks afterwards can be compliant. A sustained pattern of 60-hour weeks is not, even with the opt-out, because the rest period entitlements still apply.

Workers over 18 can opt out of the 48-hour limit individually. The opt-out must be:

• In writing
• Voluntary, not a condition of employment
• Specific to this individual
• Revocable on at least 7 days' notice (or up to 3 months if the contract specifies)

The opt-out cannot be a one-line clause in an employment contract that the worker is required to accept. Employment tribunals have repeatedly found "I had no choice but to sign it" opt-outs to be invalid.

2. Daily rest period: 11 hours

Every worker is entitled to 11 uninterrupted hours of rest in every 24-hour period. This is non-waivable. A worker who finishes at 10pm on Tuesday cannot lawfully be required to start again before 9am on Wednesday. The 24/7 on-call rotations and crunch-time evenings common in tech often breach this rule. The exception is genuine emergencies, which a planned product release is not.

3. Weekly rest period: 24 hours

Every worker is entitled to 24 uninterrupted hours of rest in every 7 days, or 48 uninterrupted hours in every 14 days. This is also non-waivable. Weekend working that prevents any continuous 24-hour rest period is a breach.

4. Rest breaks: 20 minutes

Where the working day exceeds 6 hours, the worker is entitled to a minimum 20-minute break, taken away from the workstation where reasonably practicable. The break must be a real break, not interruptible by work tasks. Eating lunch at the desk while continuing to answer Slack messages does not satisfy the regulation.

5. Night work limit: 8 hours average

Night workers (workers whose normal hours include at least 3 hours between 11pm and 6am, on most days) cannot work more than an average of 8 hours per 24-hour period over a 17-week reference period. Night workers are also entitled to a free health assessment when they start night work and at regular intervals afterwards. Tech businesses with global ops teams covering UK overnight shifts, or with on-call engineers, are most affected.

6. Annual leave: 5.6 weeks (with 2024 changes)

The statutory minimum is 5.6 weeks per year inclusive of bank holidays. For a full-time worker, this is 28 days. From January 2024, irregular-hour workers and part-year workers (which includes many fractional or contract tech roles) have an updated holiday entitlement calculation based on 12.07% of hours worked, and rolled-up holiday pay is permitted for these workers. Companies that have not updated their payroll configuration to reflect these changes are at risk of underpaying leave entitlements.

The night working complication tech companies miss

24/7 operations, on-call rotations, and global customer support shifts make night working common in tech. The regulations bite harder than most realise.

A night worker is anyone whose normal working hours include at least 3 hours between 11pm and 6am. The qualifying threshold is the worker's normal pattern, not occasional crunch time. SRE engineers on a regular on-call rotation, technical support staff on overnight shifts covering US customers, and DevOps teams supporting 24/7 systems are likely all night workers in law.

For each night worker, the employer must:

• Limit average hours to 8 per 24-hour period over the reference period
• Offer a free health assessment before they start night work
• Repeat the health assessment at appropriate intervals
• Move them to suitable day work if a registered medical practitioner advises night work is causing health problems and day work is available
• Apply special hazard limits (absolute 8-hour limit per 24 hours) where the work involves special hazards or heavy physical or mental strain

Tech businesses with 24/7 ops teams often miss the health assessment duty entirely. The cost is low. The legal exposure of failing to provide them is significant. Insurers and acquirers increasingly ask.

The connection to burnout, stress, and mental health

Working Time Regulations compliance is not just an employment law issue. It is directly connected to the broader workplace mental health duties under the Management of Health and Safety at Work Regulations 1999 and the HSE Management Standards for work-related stress.

The HSE Management Standards identify "demands" (workload, work patterns, work environment) as one of the six source-level causes of work-related stress. Working time sits at the heart of demands. A workforce regularly working 50, 60, or 70-hour weeks, even where individuals have signed opt-outs, is one whose stress risk assessment cannot honestly conclude that demands are well-managed.

This matters because tech companies routinely treat mental health and burnout as separate problems from working time. They deploy Mental Health First Aiders, Employee Assistance Programmes, and wellbeing apps to address the consequences while leaving the cause untouched. As our Mental Health First Aid guide notes, the order matters: address source-level causes first, then layer support interventions on top.

For tech investors and acquirers, this connection is becoming more visible. ESG due diligence increasingly looks at working time data, stress risk assessment status, and the alignment between the company's wellbeing rhetoric and its working time reality. A tech company with prominent mental health initiatives and a workforce averaging 55-hour weeks is a credibility problem for a sophisticated investor.

Specific compliance failures in UK tech companies

Across audits of tech companies from seed-stage to public listing, the same patterns repeat.

Opt-outs signed once and never reviewed. New joiners sign at onboarding. The form goes into the HR file. Years later the worker is still treated as opted-out, with no evidence the opt-out remains voluntary or that the worker has been reminded of the right to revoke. Tribunal cases have set this aside.

No record of actual hours worked. Hybrid working broke the timekeeping systems that were already weak. Most tech companies now have no way to evidence whether their workforce is within the 48-hour average, the 11-hour daily rest, or the 24-hour weekly rest. The duty to keep records still exists.

Rest breaks ignored entirely. Engineers in back-to-back meetings or deep coding sessions routinely skip the 20-minute break. Managers do not enforce it. Some companies have policies that imply breaks are optional or "self-managed". They are not optional in law.

Night worker health assessments not offered. SRE, ops, support, and security teams running 24/7 rotations have never been offered the health assessment. Few of them know they are entitled to one.

Annual leave not refreshed for irregular workers. Fractional CTOs, contractors with worker status, part-year sales hires, and other irregular arrangements are still being calculated on pre-2024 rules. The 12.07% accrual basis introduced by the 2023 amendments has not been applied.

Hybrid policies that ignore working time entirely. Hybrid working policies typically cover where work is done, who pays for the home setup, and core hours expectations. They almost never address how working time is measured, who is responsible for the 11-hour rest period in a hybrid arrangement, or how the company evidences compliance.

Founders working unsustainable hours and modelling it for the team. The cultural component is usually the hardest to address. Founders who work 80-hour weeks themselves implicitly authorise the workforce to do the same, regardless of policy. This is a leadership issue, not a legal one, but the legal consequences flow from it.

A structured health and safety audit is the most efficient way to identify which of these gaps your company has. The audit covers Working Time Regulations alongside the wider H&S framework, so the position is assessed as a system rather than as isolated issues.

When founders and directors are personally exposed

Section 37 of the Health and Safety at Work etc. Act 1974 creates personal liability where a health and safety offence is committed with the consent, connivance, or neglect of a director, manager, secretary, or similar officer of the company. The HSE has used Section 37 against directors of small and mid-stage businesses including in working time-related stress cases.

For tech founders and directors, the practical exposure includes:

• HSE prosecution following a serious stress, mental health, or fatigue-related incident
• Inclusion on the public HSE notices register, which is searchable by name
• Disclosure obligations to investors at the next funding round
• Disclosure obligations to acquirers in M&A due diligence
• Insurance cover impact on D&O policies
• Personal disqualification proceedings in the most serious cases

The exposure is rarely the primary reason a founder fixes the working time position. It should be sufficient reason for those who have not yet addressed it.

How to fix the working time position in a tech company

A pragmatic sequence that works in tech-business contexts:

Audit the current position. A structured review of opt-outs, recorded hours, night working arrangements, holiday entitlement calculations, rest break compliance, and the underlying records. The audit identifies the actual gaps rather than the assumed ones.

Address the source-level causes. A working time problem is usually a workload, prioritisation, or leadership problem at root. Process and policy fixes only work if the underlying demand profile is addressed. The HSE Management Standards is the framework.

Refresh opt-outs with proper voluntariness. Withdraw any opt-out clauses embedded in employment contracts. Issue standalone opt-out documents that clearly state voluntariness and the right to revoke. Re-collect opt-outs from existing workers with a clean process.

Implement working time tracking that fits the business. This does not mean intrusive time-and-motion monitoring. It means understanding hours worked at a workforce level sufficient to evidence compliance with the average limits. Most modern HR platforms have working time modules that are not switched on.

Address night worker health assessments. Identify the workers in scope. Offer the assessments. Repeat at appropriate intervals (typically annual). Record the offers and the outcomes.

Update holiday entitlement calculations. Apply the 2024 changes to irregular hours and part-year workers. Configure payroll and HRIS accordingly.

Integrate working time into the wider stress risk assessment. The risk assessment under the Management of H&S at Work Regulations 1999 must address stress. Working time data should be one of the inputs. See our office risk assessment guide for how this fits into the broader assessment framework.

Address the cultural piece. Founder and senior leadership working patterns set the tone. A company that wants compliant working time needs leaders who model it. This is the hardest fix and the most important.

When to bring in a Chartered consultant

Arinite's Chartered consultants work with tech companies from seed-stage through to listed companies. The four situations where we typically add the most value:

Pre-investment or pre-acquisition compliance work. Series B and beyond, and especially pre-acquisition, due diligence on working time, stress, and broader H&S compliance is increasingly thorough. Having the position documented, defensible, and current avoids deal-stage surprises.

Post-incident review. Following a serious mental health incident, a working-time-related employment tribunal, or HSE involvement, an external review by Chartered consultants is more credible to regulators, tribunals, and investors than purely internal work.

Multi-country operations. Tech companies expanding internationally face country-by-country working time rules that vary widely. France, Belgium, and several other European jurisdictions have stricter regimes than the UK, including formal right-to-disconnect provisions. Arinite operates in 50+ countries with locally-qualified consultants who understand the local rules.

ISO 45001 implementation. ISO 45001:2018 treats psychological health on the same footing as physical health. Working time data and stress risk assessment are explicit inputs. Tech companies pursuing ISO 45001 for ESG, investor, or customer reasons benefit from external support to integrate the elements.

Arinite works with 1,500+ businesses across 50+ countries. 100,000+ Employees Protected. ISO 45001:2018 certified. 15+ years of practice across UK and international clients including in technology, professional services, and financial services.

The fastest way to understand your position is a 30-minute Free Gap Analysis Call. A structured review of your current arrangements (including Working Time Regulations, stress risk assessment, and broader H&S compliance), the gaps that matter most, and what to do about them. No commitment.

Book My Free Gap Analysis Call or call +44 (0)20 7947 9581.

Frequently asked questions

Do the Working Time Regulations apply to salaried tech workers? Yes. The Working Time Regulations apply to almost every UK worker regardless of how they are paid. A salaried software engineer has the same statutory rest break, rest period, and weekly limit entitlements as any other worker. The fact that pay is fixed does not exempt the employer from the working time duties.

What does the 48-hour opt-out actually do? The opt-out removes the average 48-hour weekly working time limit only. It does not remove the 11-hour daily rest period, the 24-hour weekly rest period, the 20-minute break, the 8-hour night work limit, or the night worker health assessment duty. These remain non-waivable regardless of any opt-out signed.

Can a worker revoke their opt-out? Yes. Workers can revoke an opt-out at any time on at least 7 days' written notice. Where the contract specifies a longer notice period, up to a maximum of 3 months can apply. The right to revoke is itself non-waivable.

Are tech founders covered by the Working Time Regulations? Genuinely self-employed founders without worker status are typically outside the scope for themselves. The company is in scope for every worker on its books, including employees, most contractors, agency staff, and some self-employed individuals with worker status under the regulations.

Do the 11-hour daily rest and 24-hour weekly rest apply to engineers on call? Yes. The rest periods apply to every worker regardless of role. An engineer who is genuinely on call (free to use their time as they wish but available to respond) may have the on-call period treated differently from active working time, depending on the responsiveness expected. The legal position on on-call time follows European case law and is fact-specific. Companies relying on on-call exemptions to working time should take specific advice on their arrangements.

What is a night worker under the regulations? A night worker is someone whose normal hours include at least 3 hours between 11pm and 6am, on most days they work. Tech roles likely to qualify include SRE and DevOps engineers on regular overnight on-call rotations, technical support staff on US-hours shifts, and security operations roles covering 24/7 monitoring. Each night worker is entitled to a free health assessment when they start and at appropriate intervals afterwards.

How does hybrid working affect Working Time Regulations compliance? The duties are unchanged. The practical mechanics are harder. Employers remain responsible for ensuring the rest periods, rest breaks, weekly limits, and night working rules are complied with regardless of where the work is being done. Hybrid policies should address how working time is measured and managed, not just where the work happens.

What changed in the Working Time Regulations in 2024? The Employment Rights (Amendment, Revocation and Transitional Provision) Regulations 2023 came into force in January 2024 and updated holiday entitlement calculations for irregular hours and part-year workers (now based on 12.07% of hours worked), reintroduced rolled-up holiday pay for those workers, and simplified some record-keeping requirements. Most companies have not updated their payroll and HRIS configurations to reflect these changes.

What is the link between working time and mental health duties? Direct. The HSE Management Standards for work-related stress identify workload and working patterns ("demands") as one of the six source-level causes of work-related stress. The duty to assess stress risk under the Management of Health and Safety at Work Regulations 1999 cannot be honestly discharged without addressing the working time profile of the workforce. Tech companies addressing burnout through Mental Health First Aid or Employee Assistance Programmes while leaving the underlying working time position unchanged are treating symptoms rather than causes.

Can directors be personally prosecuted for Working Time Regulations breaches? Section 37 of the Health and Safety at Work etc. Act 1974 creates personal liability for directors where an offence is committed with their consent, connivance, or neglect. Personal prosecutions are not common but happen, and have happened in working-time-related stress cases. Directors of growing tech companies should not assume the exposure is hypothetical.