
Critical Infrastructure: The Danger of Technological Obsolescence

Julia Maria Gomez de Avila Segade | 09/10/2025

All over the world, the foundations that sustain daily life still rely on technologies that are decades old. Some facilities have not advanced or been updated at the pace of societal development, and this poses a genuine risk to collective security.

While digital threats—and the solutions to counter them—evolve at high speed, much of our basic infrastructure continues to depend on unsupported software, outdated systems, or industrial components never intended to be connected to the internet. The risk is no longer theoretical; it has become an operational problem that can lead to serious incidents.

This growing gap threatens security, resilience to failure, and the continuity of essential services. If the equipment or protocols that support energy, water, transportation, communications, or healthcare networks no longer receive vendor support, spare parts, or updates, their reliability is compromised—even if they appear to keep working.

 

Main causes

The reasons behind technological obsolescence are varied, but two stand out: the age of the systems and their life cycle. Many were originally designed to last for decades, but over time manufacturers stop producing spare parts or updating firmware. For many operators, extending the life of this equipment is seen as a way to reduce costs. However, this approach carries significant risks, as highlighted in studies such as Risk Management and Enforcement on Ageing Hazardous Sites, published by the European Commission’s Joint Research Centre. The report warns of the need to address obsolescence in order to mitigate the associated dangers.

Another key challenge is technological dependence and what is known as “technical debt.” Over the years, ad hoc integrations and “patches on top of patches” create systems so heterogeneous that they become difficult to maintain. At the same time, there is a shortage of specialized personnel able to manage this obsolescence, which further aggravates the risk. ENISA, the European Union Agency for Cybersecurity, has identified the skills gap and the persistence of unpatched systems as major threats looking ahead to 2030.

Compatibility is yet another issue. Many legacy systems were never designed to integrate with modern technologies. This means they lack modern security protocols, such as encryption or advanced authentication, making upgrades even more complex. This is especially critical in sectors such as energy, water, or communications, where any infrastructure failure can have severe consequences.

Finally, economic and regulatory factors also play a role. Investments tend to focus on expansion or short-term priorities, delaying renewal, while outdated regulations and unclear responsibilities further weaken long-term planning. For this reason, several years ago the EU concluded that a change was needed in the way critical infrastructure is managed and maintained.

 

Europe in pursuit of resilience

In 2022, two EU directives came into force with a clear goal: to reduce risks and strengthen the resilience of both critical and digital infrastructure against threats, both cyber and physical. The scope is broad, covering public health, natural disasters, cyberattacks, and other risks. The two directives are:

1. Critical Entities Resilience Directive (CER). This replaces the 2008 European Critical Infrastructure Directive. Its objective is to reinforce resilience against a variety of threats, and it applies to entities in sectors such as energy, transport, banking, financial markets, healthcare, water (drinking and wastewater), digital infrastructure, public administration, and food.

EU member states must adapt by conducting a risk assessment at least once every four years to identify critical entities providing essential services. These entities must then adopt appropriate measures and report incidents, while each country must also develop a national strategy.

 

2. Directive on measures for a high common level of cybersecurity across the European Union (NIS 2). This directive strengthens Europe’s cybersecurity by broadening the sectors and types of critical entities under its scope. It also raises the risk management requirements that companies are legally required to meet, while streamlining incident-reporting obligations.

Key sectors include network providers, public communications services, data centers, waste and wastewater management, basic goods manufacturing, postal and courier services, public administrations, and healthcare. Since its adoption, it has stood as the first EU-wide legislation on cybersecurity.

 

Impact by sector

ENERGY

The world depends on energy, which is essential for virtually every activity. Today’s power grids combine legacy equipment with new smart nodes. Their obsolescence can trigger both local disruptions and large-scale failures. Studies on smart grids—electricity distribution systems that integrate digital and communication technologies to optimize supply—show that exposure increases when older components are not updated.

WATER

Another critical infrastructure is water. Treatment plants and distribution networks often rely on PLCs (Programmable Logic Controllers) and SCADA (Supervisory Control and Data Acquisition) systems with outdated interfaces. As a result, unpatched failures or vulnerabilities can compromise water quality or service availability, with direct consequences for public health.

TRANSPORTATION

The railway system is among the most obsolete, though far from the only one. Railway signaling, air traffic control, and road traffic management all rely on legacy controllers and protocols. Updating these systems is complex due to strict certification and functional safety requirements, which often leads to extending the life of archaic systems—and to higher operational risk.

TELECOMMUNICATIONS

Although the sector is highly dynamic, parts of the passive infrastructure—such as backhaul networks, operations or business support systems, and local operator equipment—can still become obsolete. Moreover, the reliance on specific hardware and the lack of support create potential points of failure and new vulnerabilities.

 

Operators and regulators in action

The main responsibility for preventing technological obsolescence from becoming a threat to critical sectors lies with operators and regulators. According to various agencies, some practical solutions include:

  • Developing an inventory and life-cycle management analysis
  • Creating segmentation and applying compensatory controls where immediate replacement is not possible
  • Committing to progressive modernization, with phased migrations to minimize disruption
  • Reducing redundancy and promoting resilient design
  • Establishing extended maintenance and support policies
  • Investing in workforce training and talent retention
  • Conducting frequent evaluations and stress tests

In Spain, the National Center for the Protection of Critical Infrastructure, through its Specific Protection Plan, develops a framework that prioritizes actions based on risk, structures security measures according to their nature, assigns responsibilities for their implementation, establishes a comprehensive and detailed plan, and finally sets up a monitoring mechanism with metrics to track the progress of these actions.

In conclusion, obsolescence in critical infrastructure is not merely a maintenance issue but an organizational, economic, and regulatory challenge. The good news is that the European framework provides a clear roadmap—yet time pressure remains a critical factor. The most effective strategy will be one that combines planned modernization with strict regulatory compliance. The real challenge lies in achieving effective coordination among governments, regulators, operators, and suppliers to ensure that essential infrastructure does not become a vulnerability because of outdated technology.
