Securing Europe's Critical Infrastructure by Tackling Technical Debt
Publish Time: 20 Nov, 2025

With emerging technologies like AI and quantum computing, recent headlines have focused on novel threats and futuristic defenses, while outdated network equipment and software are building up in critical infrastructure and posing a growing risk of exploitation. Globally, nearly half of business network infrastructure assets were aging or already obsolete at the beginning of this decade.

Continued reliance on unsupported technology for which security patches or support are no longer provided creates a significant danger. Not only does it make it easier for attackers to get in the door, it enables them to do more damage while they are there, and makes it harder for defenders to boot them back out. Malicious cyber actors are taking note. Volt Typhoon is just one example of high-profile nation-state sponsored campaigns targeting unpatchable technology.

Europe's Policy Tools to Address Technical Debt

While much of the EU's cybersecurity policy framework was set out during the last political mandate, current plans present crucial opportunities to address this issue. The 'Digital Omnibus' is looking to simplify and harmonize cyber incident reporting, offering an opportunity to build a better understanding of the prevalence of the End-of-Life (EoL) issue and its impact in real-life incidents.

The Cybersecurity Act review will take a closer look at simplifying risk management measures, bringing EoL technology risks into focus. And the ongoing implementation of the NIS2 Directive could enable cyber authorities and national regulators to translate high-level objectives into practical guidance for critical infrastructure operators on asset management and risk for EoL technology, drawing inspiration from the Cybersecurity and Infrastructure Security Agency (CISA) in the U.S. and the National Cyber Security Centre (NCSC) in the U.K. on removing obsolete products from organizations' networks.

Cyber policy is at its most effective when incentives are offered to make the policy vision into a reality. Public procurement is an essential means to drive security into governments' own networks and IT systems, as well as to set an example for the wider market. Similarly, funding instruments or financial incentives can provoke replacement of technology that would not happen without intervention. As such, the EU's plan to reform Public Procurement Directives next year and the proposed European Competitiveness Fund in the 2028-34 EU budget will be decisive.

End-of-Life technology poses a critical threat to Europe's vital infrastructure, leaving systems exposed. Businesses and policymakers must prioritize robust asset management, clear lifecycle assessments, and enhanced incident reporting to close the gaps between NIS2 and the Cyber Resilience Act. Cisco, as a technology provider, is actively contributing by making secure configurations default and proactively alerting administrators against insecure choices.

New Research: Understanding End-of-Life Technology Risk

Addressing this threat requires a common understanding of the size and scope of the problem. Yet, to date, there has been inadequate data to effectively assess how this exposure varies across sectors and countries, or to compare the risks of failing to manage "technical debt" against the costs of replacement investments.

WPI Strategy's report, "Update Critical: Counting the Cost of Cybersecurity Risks from End-of-Life Technology on Critical National Infrastructure," analyses this global challenge and offers recommendations for policymakers and private sector leaders. Commissioned by Cisco, this research provides a novel approach to comparative analysis of EoL risk across the US, UK, France, Germany and Japan, and across critical sectors, with healthcare consistently emerging as particularly vulnerable.

Policy Recommendations

As governments and the private sector consider how to best allocate resources and securely deploy AI, the report offers actionable recommendations.

To pivot from reactive response to active risk reduction, the authors recommend prioritizing proactive asset management by maintaining live technology asset registers and conducting lifecycle assessments to identify and plan for EoL technology. Equally vital are enhanced incident reporting mechanisms that capture EoL technology's role in breaches, fostering transparency and accountability to identify patterns.

Furthermore, the report recommends reforming IT investment models to shift spending from merely maintaining aging systems to actively remediating technical debt. For a deeper dive into these recommendations, read our dedicated blog post and the full report.

The Path Forward

As European policymakers look to improve the resilience of their critical infrastructure and accelerate Europe's digitization, we should not forget that its foundations are currently riddled with obsolete, unpatched technology.

By improving visibility into technology lifecycles, reforming funding models, and establishing clear management requirements, we can shift from reactive incident response to proactive risk reduction, tackling vulnerabilities before they can be exploited.

Cisco is focused on ensuring governments and organizations have the secure, resilient, and data-ready infrastructure needed to harness AI and defend against evolving cyber threats. Today, Cisco's SVP and Chief Security & Trust Officer Anthony Grieco announced a new effort to enhance the resilience of infrastructure, simplifying our offerings so that secure configurations, protocols, and features are the default. This best-in-class approach takes the expectations of "security by default" (a core principle of the EU Cyber Resilience Act) to another level.

Cisco is also now proactively alerting network administrators when insecure choices are being made, and introducing new security features that strengthen the security posture of network infrastructure and provide better threat visibility.
