Whitepaper on the NIS2 Law

Retired Microsoft Products and the New Risks to Your Cybersecurity

Key Takeaways at a Glance
- October 2026 deadline: According to current information, support for Office 2021 and several critical server components will end permanently.
- Security gaps without patches: After the end of support (EOS), newly discovered vulnerabilities will no longer be fixed.
- Compliance trap: Using outdated software can jeopardize GDPR compliance and may invalidate insurance coverage.
- SMEs in the crosshairs: Attackers deliberately exploit the period after support ends to launch ransomware attacks on small and medium-sized businesses.
- Action required: Migrations take time – those who don’t plan now risk costly emergency solutions or operational downtime.
Introduction: When a “Running System” Becomes a Risk
It’s 2026. While many companies are still dealing with the aftermath of the Windows 10 end of life, the next major wave is already hitting the IT infrastructures of German SMEs. Microsoft is pulling the plug on products that still form the backbone of daily operations in thousands of organizations – most notably Office 2021.
For small and medium-sized enterprises, this is no longer just about a software update. It’s about fundamental cybersecurity, liability issues, and one key question:
Will your company still be adequately protected against external attacks tomorrow?
This article outlines the critical deadlines in 2026 and explains why waiting could become one of the most expensive mistakes in your IT strategy.
The Red List: Which Products Will Reach End of Life in 2026
The decisive date is – according to current information – 13 October 2026. From this day on, support will end for several widely used Microsoft products that are still actively used by many SMEs.
Particularly relevant for small and medium-sized businesses:
- Office 2021 & Office LTSC 2021
  The popular perpetual licenses (non-subscription versions) will no longer receive security updates from this date onward.
- Windows Server 2012 / 2012 R2
  The final paid Extended Security Updates (ESU) will also expire. After that, the rule is simple: no patches, no support.
- Exchange & SharePoint Server (older on-premises versions)
  Many installations will lose their security safety net – especially critical for systems accessible from the internet.
From this point on, these systems are officially considered outdated, regardless of whether they still “work” technically.
Cybersecurity: Why Unpatched Software Is an Invitation to Hackers
Data protection and IT security start with keeping software up to date. Any system without security updates is an open door – and those are exactly the doors attackers are looking for.
Ransomware as the Biggest Threat
Cybercriminals often deliberately wait until official support has ended. From that moment on, vulnerabilities that attackers already knew about but had not yet disclosed are actively exploited, since no patch will ever close them.
For any organization, even a single unpatched Outlook or Exchange system can be enough to:
- introduce malware into the network
- encrypt entire file servers
- shut down business operations for days or even weeks
The Underestimated Risk of “Data Liability”
Outdated server systems such as SQL, SharePoint, or Exchange servers are prime targets for data exfiltration. Since no security updates are provided, the risk of attackers being detected decreases – while the attack surface of the company grows to its maximum.
The result:
A security incident becomes not only more likely, but also far more problematic from a legal perspective.
Legal Risks: GDPR, Liability, and Cyber Insurance
In 2026, IT security is no longer a purely technical issue – it is a matter for top management.
GDPR and the “State of the Art”
Article 32 of the GDPR requires companies to implement appropriate technical and organizational measures. Using software without security updates clearly contradicts the recognized “state of the art”.
If an incident occurs, companies may face:
- mandatory reporting of data breaches (72-hour deadline)
- fines
- significant reputational damage
In addition, audits or inquiries by authorities become much harder to handle if known risks were ignored, making it difficult to meet the accountability requirement under Article 5(2) GDPR.
Cyber Insurance
Many cyber insurance policies include clauses that limit or completely exclude coverage if:
- outdated software is used
- security updates were negligently neglected
In a worst-case scenario, this can mean: damage yes – reimbursement no.
E-Invoicing Obligations & Regulatory Side Effects
New legal requirements for digital invoicing and standardized formats may be incompatible with outdated Office or server systems. The result is not only security issues, but also operational disruptions.
SME Checklist: How to Manage a Timely Transition
A structured transition significantly reduces risks and costs.
Key steps:
- Inventory
  Document all versions of Office, Windows Server, and connected systems currently in use.
- Define a migration path
  - Microsoft 365: High security standards, automatic updates, no fixed end-of-support date
  - Office LTSC / on-premises: Only suitable for clearly justified special cases (e.g. isolated systems)
- Check hardware
  Not every existing infrastructure meets the requirements of modern operating systems (e.g. Windows 11).
- Plan the budget early
  Licensing, migration, and training costs should be firmly included in the 2026 budget – not treated as emergency expenses.
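The inventory step above can be started on each Windows machine with a small script. The following PowerShell example is added here and is not part of the article; it assumes a local administrator session on PowerShell 5.1 or later, reads installed products from the registry and WMI, and flags the products the article names against its 13 October 2026 date (the name patterns are illustrative and should be checked against Microsoft's lifecycle pages).

```powershell
# Added example: one-machine inventory of Office / Windows Server versions,
# flagged against the end-of-support date given in the article.
# Assumption: run elevated; product-name patterns below are illustrative.

$EndOfSupport = Get-Date '2026-10-13'
$AffectedPatterns = @('*Office*2021*', '*2021Retail*', '*2021Volume*', '*Windows Server 2012*')
$findings = @()

# Operating system (catches Windows Server 2012 / 2012 R2 by caption)
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$findings += [pscustomobject]@{ Component = 'OS'; Name = $os.Caption; Version = $os.Version }

# Classic MSI-based installs, 64-bit and 32-bit uninstall hives
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
foreach ($app in Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue) {
    if ($app.DisplayName -match 'Office|Exchange|SharePoint|SQL Server') {
        $findings += [pscustomobject]@{ Component = 'App'; Name = $app.DisplayName; Version = $app.DisplayVersion }
    }
}

# Click-to-Run Office (Office 2021, LTSC 2021 and Microsoft 365 Apps register here)
$c2r = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
if ($c2r) {
    $findings += [pscustomobject]@{ Component = 'Office C2R'; Name = $c2r.ProductReleaseIds; Version = $c2r.VersionToReport }
}

# Mark everything that matches an affected product and show the remaining days
$daysLeft = ($EndOfSupport - (Get-Date)).Days
$report = foreach ($f in $findings) {
    $hit = $false
    foreach ($p in $AffectedPatterns) { if ($f.Name -like $p) { $hit = $true } }
    $days = if ($hit) { $daysLeft } else { $null }
    [pscustomobject]@{
        Component       = $f.Component
        Name            = $f.Name
        Version         = $f.Version
        EndsOctober2026 = $hit
        DaysUntilEOS    = $days
    }
}
$report | Format-Table -AutoSize
```

Run it on each server and client (or push it through your management tooling) and merge the outputs into the inventory document; rows with EndsOctober2026 set to True are the ones that need a migration path.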
Summary and Outlook
The Microsoft support end in 2026 marks the final end of the “install and forget” mentality. Cybersecurity is no longer a one-time project, but an ongoing process.
Conclusion:
The era of grace periods is over. Those who plan now not only protect their data, but also avoid stress, downtime, and unnecessary costs. Those who wait will migrate later under time pressure – and that usually comes at a high price.
FAQ: Deep Dive into Microsoft End of Support
Can I simply continue using Office 2021 after October 2026?
Technically yes – but in practice it is highly risky. Without security updates, every newly discovered vulnerability becomes a permanent entry point for malware.
Is there a support extension for Office 2021?
For standard perpetual licenses (Home/Business), Microsoft generally does not offer paid support extensions. Switching to a current version is effectively unavoidable.
What is the safest option for SMEs?
From a security perspective, Microsoft 365 is the most robust solution: automatic updates, continuous development, and no fixed end-of-support date that suddenly turns into a risk.
Important: The content of this article is for informational purposes only and does not constitute legal advice. The information provided here is no substitute for personalized legal advice from a data protection officer or an attorney. We do not guarantee that the information provided is up to date, complete, or accurate. Any actions taken on the basis of the information contained in this article are at your own risk. We recommend that you always consult a data protection officer or an attorney with any legal questions or problems.