EU Compliance &
End-of-Life Software
Running end-of-life software used to be a security decision you made for yourself. In the EU, that era is over: three laws now make unsupported software a regulatory matter, each from a different angle — the product you ship, the organisation you run, the financial services you provide. This page is the map: what each law covers, the one date that matters for each, and the shared operational fix underneath all three. It's an orientation guide, not legal advice — confirm how each regime applies to your specific situation with qualified counsel.
The Three Laws
CRA — the Cyber Resilience Act
The Cyber Resilience Act (Regulation 2024/2847) regulates the products themselves: manufacturers of hardware and software with digital elements sold in the EU must handle vulnerabilities across a defined support period — which makes every EOL component inside a product a liability on the manufacturer's books. Reporting obligations for actively exploited vulnerabilities apply from September 11, 2026, with the main obligations following on December 11, 2027. Full breakdown: the CRA and end-of-life components.
NIS2 — the Network and Information Security Directive
The NIS2 Directive (Directive 2022/2555) regulates the organisations: essential and important entities across critical sectors — energy, transport, health, digital infrastructure, and more — must manage cybersecurity risk, including in their supply chains. As a directive it works through national law: member states' transposition deadline was October 17, 2024, and obligations are live today through those national laws. Full breakdown: NIS2 and unsupported software.
DORA — the Digital Operational Resilience Act
DORA (Regulation 2022/2554) regulates the financial sector: banks, insurers, investment firms, and their critical ICT providers must run a formal ICT risk management framework — and legacy, unsupported systems sit squarely inside its scope. As a regulation it needed no transposition and has applied directly since January 17, 2025. Full breakdown: DORA and legacy ICT.
CRA vs NIS2 vs DORA at a Glance
| Law | Who It Covers | EOL Relevance | Key Date |
|---|---|---|---|
| CRA Regulation 2024/2847 |
Manufacturers of products with digital elements sold in the EU | Vulnerabilities must be handled across the support period — EOL components can't be patched | Reporting: Sep 11, 2026 Main obligations: Dec 11, 2027 |
| NIS2 Directive 2022/2555 |
Essential and important entities in critical sectors | Risk management must cover systems and supply chains — unsupported software is unmanaged risk | Live via national law Transposition due Oct 17, 2024 |
| DORA Regulation 2022/2554 |
Financial entities and their critical ICT providers | ICT risk framework must account for legacy systems — EOL software is legacy by definition | Applies since Jan 17, 2025 |
The Common Thread
Strip away the sector differences and the three laws make the same two demands: know what components you run, and be able to patch them when vulnerabilities appear. An end-of-life component fails both at once — it's often invisible to inventories built around CVE scanning, and when a vulnerability lands there's no vendor patch coming, ever. That's why one EOL runtime or database can undermine compliance under all three regimes at once.
The shared fix is not three separate compliance projects — it's one continuous lifecycle process. Turn dependency files into a lifecycle report with the stack scanner, look up any single product in the EOL checker, get alerted before dates hit with EOL Watch, and prioritise findings with the EOL Risk Score. That process gives you the component knowledge every regime assumes; what it can't manufacture is a patch stream for software the vendor abandoned.
For that gap, the bridge is extended support: commercial providers that keep shipping security patches for EOL software while you migrate. Under all three regimes, "unsupported but under a paid patch stream" is a very different posture from "unsupported, full stop."
Close the patchability gap
Running EOL software inside CRA, NIS2, or DORA scope? Extended support keeps patches flowing while you migrate.
Frequently Asked Questions
Which EU laws regulate end-of-life software?
Three currently do the heavy lifting: the Cyber Resilience Act (Regulation 2024/2847) for products with digital elements, the NIS2 Directive (Directive 2022/2555) for essential and important entities across critical sectors, and DORA (Regulation 2022/2554) for the financial sector. Each approaches unsupported software from a different angle, but all three make running unpatchable components a compliance problem, not just a security one.
What is the difference between the CRA, NIS2, and DORA?
The CRA regulates products — manufacturers of hardware and software sold in the EU must handle vulnerabilities across a defined support period. NIS2 regulates organisations — essential and important entities must manage cybersecurity risk, including in their supply chains, under national laws transposing the directive. DORA regulates the financial sector — financial entities must manage ICT risk, which includes legacy and unsupported systems, and it applies directly as a regulation since January 17, 2025.
When do the CRA obligations start?
In two steps: reporting obligations for actively exploited vulnerabilities and severe incidents apply from September 11, 2026, and the main obligations apply from December 11, 2027. NIS2 and DORA are already live — NIS2 via national transposition laws that were due by October 17, 2024, and DORA directly since January 17, 2025.
How does end-of-life software affect EU compliance?
All three regimes assume you know what components you run and can patch them when vulnerabilities appear. An end-of-life component breaks both assumptions: no vendor patches means known vulnerabilities stay open indefinitely, which undermines the vulnerability handling the CRA expects, the risk management NIS2 requires, and the ICT risk framework DORA mandates. The fix is a continuous lifecycle process — inventory, EOL tracking, risk scoring — with extended support as the bridge where migration can't finish in time.