Author: Thierry Julien, CEO, TJC Group
A recent €1.7 million fine by the French data protection authority serves as a stark reminder: software maintenance is no longer optional. Organisations that neglect proactive security measures, especially on legacy systems, face significant regulatory, financial, and reputational consequences. It is therefore imperative for organisations to ensure that all of their systems, legacy or not, are maintained regularly. That said, one of the best ways to avoid the cost of maintaining legacy systems is to decommission them. Read on to know more!
Introduction
In today’s regulatory landscape, software maintenance has evolved from a purely technical concern into a critical compliance obligation. Organisations can no longer treat security updates as optional tasks to be addressed when convenient. The consequences of neglecting maintenance are becoming increasingly severe. Regulators across Europe are taking a harder stance, and recent enforcement actions demonstrate that excuses, whether related to resource constraints or system age, will not shield organisations from accountability. This shift demands a fundamental change in how businesses approach their entire software estate, including the legacy systems that often slip through the cracks of modern security practices.
The wake-up call: CNIL’s €1.7 million fine
On 22 December 2025, the French data protection authority (CNIL) issued a significant fine of €1.7 million against an IT company for failing to implement appropriate security measures. The application in question, a PCRM system used by public social services, had been handling sensitive personal data without adequate protection. But what led to a fine of this size?
The root causes were persistent security vulnerabilities, known gaps against state-of-the-art security standards, and significant delays in implementing corrective actions. Most critically, audits had identified these issues well before any data exposures occurred. What is most striking is that the organisation knew about the problems but failed to act decisively.
Consequently, this sends a clear message to all organisations that awareness without action is no defence. Regulators will scrutinise not just whether you identified vulnerabilities, but how quickly and effectively you addressed them.
Why software maintenance is a compliance imperative
Security maintenance must be proactive, not reactive
Waiting for incidents or complaints before taking action is never a sound strategy. Article 32 of the GDPR, the EU’s data privacy law, requires organisations to implement appropriate technical and organisational measures that reflect current threats and technology baselines. This obligation is a non-negotiable, ongoing process, not a one-time checkbox exercise. As threats evolve and new vulnerabilities emerge, your security measures must adapt accordingly. Reactive approaches leave dangerous windows of exposure that can be exploited easily.
Regular patching and updates are core compliance tasks
Software maintenance extends far beyond system stability. It is fundamentally a compliance activity, essential to protecting personal data and limiting risk from known exploits. When patches are available for known vulnerabilities, delays in deployment become increasingly difficult to justify. Each day a known vulnerability remains unaddressed, the riskier your IT landscape gets – a concern that regulators will scrutinise if a breach occurs.
Audits alone are not sufficient
Many organisations invest significantly in security audits, believing this demonstrates due diligence. While audits are important, identifying vulnerabilities is merely the first step. Regulatory scrutiny focuses on what happens after audit findings are delivered: how quickly were fixes deployed, were resources allocated appropriately, and so on. These questions will determine whether an organisation is deemed compliant or negligent.
Legacy systems: A weak link targeted by regulators
Outdated systems present elevated risks
Legacy systems frequently lack vendor support, modern security controls, and integration capabilities with contemporary security tools. They are regularly highlighted in breach reports and regulatory findings as high-risk environments. These systems were often designed in an era when cybersecurity threats were less sophisticated. Their architecture may not support modern encryption standards, access controls, or monitoring capabilities, which makes them easy targets for attackers and concerning priorities for regulators.
Regulators expect mitigation, not excuses
Whether software is new, old, custom-built, or off-the-shelf, the obligation to ensure adequate security remains constant. CNIL guidance on maintenance and control of third-party interventions reinforces this lifecycle responsibility. As a matter of fact, the age of a system does not diminish an organisation’s duty of care. If anything, older systems require more attention precisely because they lack built-in protections that modern platforms provide. Regulators understand these challenges but expect organisations to implement compensating controls or make difficult decisions about system retirement.
Risk profiles are cumulative
Legacy platforms typically house sensitive historical data and are integrated into broader business processes. Their compromise can cascade into wider systems, creating ripple effects across the organisation. This interconnected risk means that a breach in a seemingly isolated legacy system can expose current operations, customer data, and business continuity. Decommissioning legacy systems should therefore be viewed not as an optional modernisation project, but as a critical cybersecurity imperative.
Actionable steps for organisations
Build a maintenance policy that explicitly includes legacy applications
It is extremely important to ensure that your maintenance policy leaves no system behind. The policy must define clear triggers for refresh cycles, patch deployment, and strategic decisions on decommissioning legacy systems. Align these policies with the documentation requirements of the CNIL (the GDPR supervisory authority in France), of the GDPR as enforced by any other local supervisory authority, or of the data privacy laws of your region, so that you can demonstrate compliance during audits.
Conduct risk-based reviews regularly
Prioritise systems handling sensitive data for more frequent security updates and reviews. In fact, obsolete systems must be included in vulnerability management programs, not exempted due to their age or perceived isolation.
Track maintenance as evidence of compliance
Records of interventions, fixes, and decisions become key artefacts in audits and internal governance. Maintain comprehensive documentation that demonstrates your organisation’s commitment to ongoing security maintenance.
Consider decommissioning where appropriate
For legacy systems that cannot be adequately secured, decommissioning may be the safest path forward. Modern decommissioning platforms enable organisations to retire outdated systems whilst maintaining access to historical data for compliance purposes. This approach eliminates the security risks of maintaining vulnerable systems without sacrificing data accessibility.
Conclusion
The CNIL’s €1.7 million fine represents a significant moment for software maintenance obligations. Regulators have become more stringent in their compliance checks and expect organisations to implement security practices across their full software and IT landscapes.
Legacy systems, often overlooked in modernisation efforts, are precisely where regulatory attention will focus. Failure to enforce robust maintenance at scale leads to meaningful sanctions and lasting reputational damage.
For organisations grappling with legacy systems that pose ongoing security risks, decommissioning offers a strategic solution. TJC Group’s Enterprise Legacy System Application (ELSA) provides a safe, compliant path forward. This SAP-certified solution enables organisations to decommission 100% of their legacy systems, from a single ERP to hundreds of applications, while maintaining easy access to historical data whenever needed.
Through the ELSA gateway, businesses can quickly retrieve any legacy data, reports, and documents required for regulatory compliance, without the risk and expense of maintaining outdated systems. ELSA also maintains traceability logs to ensure ongoing compliance with tax requirements and data privacy laws such as GDPR.
Contact us today to discover how ELSA can help you reduce compliance risk and strengthen your security posture.