A technical debt compendium

Or, everything you need to understand why most infrastructure is one unpatched Windows 7 box away from catastrophe

This page collects resources for understanding technical security debt, with the weight on Europe and the wider world rather than the usual view from Washington.

The scale of the problem

Why Legacy Systems Are Breaking Down in the UK and Europe, Stromasys, 2026. A survey of European and British organisations finds ageing infrastructure increasingly unable to meet regulatory, security, and availability expectations. The recurring pattern is the same across the continent: systems that were merely old in 2015 are now actively obstructing the regulatory obligations placed on them by NIS2, DORA, and the Cyber Resilience Act, all of which assume a level of maintainability that legacy estates do not possess.

Technical Debt’s £45 Billion Toll for the UK Public Service, Cognizant, 2025. Legacy systems cost the UK public sector an estimated £45 billion in lost productivity every year. The UK government allocates close to half its annual technology budget, roughly £2.3 billion, simply to keep outdated systems running, and critical public sector systems are estimated to cost £3,000 per minute in downtime. This is what deferred maintenance looks like once it has compounded for a couple of decades.

2025 Cost of a Data Breach Report, IBM, July 2025. The global average cost of a data breach fell to 4.44 million dollars, but the European picture is uneven: the average cost in Germany dropped to 3.87 million euros, down from 4.9 million euros the year before, while the UK average sat at £3.29 million. Breaches involving legacy systems and unpatched vulnerabilities consistently exceeded the average, and legacy environments frequently lack the integration points required to deploy the security automation that drove the headline reduction.

Technical Debt and Its Impact on IT Budgets, Software Improvement Group, February 2025. The Amsterdam-based code-quality firm, drawing on McKinsey research, finds that around 40 per cent of an IT budget is spent simply dealing with the fallout of technical debt, that between 10 and 20 per cent of budgets earmarked for new product development are instead redirected to servicing it, and that the average technology stack contains 20 to 40 per cent pure technical debt. The money is not so much spent as quietly absorbed.

Government and critical infrastructure

UK Government Admits Over 25 per cent of Its Digital Systems Are Outdated, Tech Monitor, 2025. As of 2025, 28 per cent of central government IT systems are formally classified as legacy, up from 26 per cent in 2023, and the rate of deterioration is accelerating rather than improving. The NHS is the most visible casualty: Windows 7 remains in use across parts of the estate years after it stopped receiving security updates, legacy system rates within individual trusts range from 10 to 50 per cent, and NHS England recorded 123 major system failures in 2024 that disrupted patient care and forced staff back to paper.

Legacy IT Debt Slowing AI Adoption in UK Public Sector, February 2026. 84 per cent of UK government organisations carry Windows technical debt. Three in five say legacy systems are already blocking AI adoption, and 45 per cent report diverting innovation budgets to maintain ageing infrastructure. The money meant to build the future is being spent keeping the past alive, which is the defining mechanic of technical debt at national scale.

ENISA Threat Landscape 2025, ENISA, October 2025. The EU cybersecurity agency analysed 4,875 incidents between July 2024 and June 2025. DDoS attacks dominated at 77 per cent of reported incidents, driven largely by hacktivist activity, while ransomware accounted for 81.1 per cent of cybercrime incidents targeting EU organisations and remained the most financially damaging threat. State-aligned groups demonstrated supply chain compromise and abuse of signed drivers against telecommunications, logistics, and manufacturing across the Union.

Die Lage der IT-Sicherheit in Deutschland 2025, BSI, November 2025. Germany’s federal cybersecurity authority records an average of 119 new vulnerabilities reported daily during the period, roughly 24 per cent more than the year before. The report names the cause directly: systems that have grown over years without unified security concepts, now comprising outdated software, poorly configured services, and unnecessarily exposed components. It calls these technical debts a central cause of rising vulnerability, and notes that known weaknesses in perimeter systems are too often patched late or not at all.

NIS2 Directive, European Commission. 2026 is the year the first enforcement actions under NIS2 begin, covering energy, transport, healthcare, finance, water, digital infrastructure, public administration, and the space sector. Member states had until October 2024 to transpose the directive, yet only 23 had fully done so, and in January 2026 the Commission proposed amendments to simplify application and improve coordination with related regulation. The directive obliges entities to classify systems by risk and apply stricter controls to the most critical, which is precisely where legacy estates are the least able to comply.

Identity and access management debt

Machine Identities Outnumber Humans by More Than 80 to 1, CyberArk, 2025. Drawing on respondents across France, Germany, Italy, the Netherlands, Spain, the UK, and beyond, the report finds non-human identities (service accounts, API keys, and AI agents) outnumber human users by an average of 45 to 1, rising to 144 to 1 in cloud-native environments. Legacy IAM systems were designed around human users and cannot govern this scale, leaving the fastest-growing population of credentials largely ungoverned.

The State of Secrets Sprawl 2026, GitGuardian, March 2026. 28.65 million new hardcoded secrets were added to public GitHub commits during 2025, a 34 per cent year-on-year increase and the largest single-year jump on record. 96 per cent of organisations store secrets outside dedicated secrets managers, in code, config files, and CI/CD tools. Roughly 64 per cent of credentials confirmed valid in 2022 were still valid when retested in January 2026, and AI-assisted commits leak secrets at around twice the baseline rate. The remediation gap is not narrowing.

The Non-Human Identity Crisis: Why Your Machine Identities Are Your Biggest Governance Gap, The Hacker News, May 2026. As organisations layer AI agents and automation onto identity infrastructure built for a smaller, human-shaped world, the governance vacuum widens. The non-human identity population grew 44 per cent between 2024 and 2025, and nearly half of these identities hold sensitive or privileged access that no lifecycle process is reliably retiring.

Cloud misconfiguration: the epidemic nobody seems to want to discuss

Resources examining how cloud adoption created a new category of technical debt through misconfiguration and complexity.

The misconfiguration crisis

Tenable Cloud Security Risk Report 2025, Tenable, June 2025. Analysis of real-world cloud environments identifies the toxic cloud trilogy (workloads that are simultaneously publicly exposed, critically vulnerable, and highly privileged) as present in 29 per cent of organisations. 54 per cent of organisations using AWS ECS have at least one task definition with an embedded secret, and 9 per cent of publicly accessible cloud storage contains sensitive data directly exposed to the internet. The report frames these as compounding security debt created by rapid cloud adoption outpacing governance.
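The trilogy is a risk intersection rather than a single finding, which is what makes it useful for prioritising a sprawling estate. As an added example (not Tenable's tooling or the report's method), the following Python triages a constructed inventory for the three conditions and, for the embedded-secret finding, flags ECS task definitions whose environment variables carry credential material inline; the inventory fields, privilege markers and CVSS threshold are assumptions.

```python
"""Triage a constructed cloud inventory for the 'toxic cloud trilogy'
(publicly exposed, critically vulnerable and highly privileged at once) and
flag ECS task definitions that carry a secret inline rather than referencing
a secrets manager. Inventory fields are constructed; the task definition
follows the ECS containerDefinitions shape."""
import re

CRITICAL_CVSS = 9.0  # lower bound of the CVSS v3 "Critical" band
HIGH_PRIVILEGE = {"AdministratorAccess", "*", "iam:*"}  # assumed markers of broad privilege

# Constructed inventory: one record per workload, as a scanner might summarise it.
WORKLOADS = [
    {"id": "web-01",   "public": True,  "max_cvss": 9.8, "privileges": ["AdministratorAccess"]},
    {"id": "batch-02", "public": False, "max_cvss": 9.8, "privileges": ["AdministratorAccess"]},
    {"id": "api-03",   "public": True,  "max_cvss": 6.5, "privileges": ["s3:GetObject"]},
    {"id": "etl-04",   "public": True,  "max_cvss": 9.1, "privileges": ["*"]},
]

def is_highly_privileged(privileges):
    return any(p in HIGH_PRIVILEGE for p in privileges)

def toxic_trilogy(workloads, threshold=CRITICAL_CVSS):
    """Ids of workloads meeting all three conditions. Each condition alone is
    common across an estate; the intersection is where remediation starts."""
    return [w["id"] for w in workloads
            if w["public"] and w["max_cvss"] >= threshold
            and is_highly_privileged(w["privileges"])]

# Variable names that suggest credential material.
SECRET_NAME = re.compile(r"(?i)(secret|passw(or)?d|token|api[_-]?key|private[_-]?key)")

def embedded_secrets(task_def):
    """(container, variable) pairs where a secret-looking name carries a literal
    value under 'environment'. Entries under 'secrets' use valueFrom to pull the
    value from Secrets Manager or SSM at start-up, which is the intended pattern."""
    findings = []
    for container in task_def.get("containerDefinitions", []):
        for env in container.get("environment", []):
            if SECRET_NAME.search(env["name"]) and env.get("value"):
                findings.append((container["name"], env["name"]))
    return findings

# Constructed task definition: one inline secret, one proper reference.
TASK_DEF = {"family": "checkout", "containerDefinitions": [{
    "name": "app",
    "environment": [{"name": "DB_PASSWORD", "value": "constructed-plaintext"},
                    {"name": "LOG_LEVEL", "value": "info"}],
    "secrets": [{"name": "PAYMENT_API_KEY",
                 "valueFrom": "arn:aws:secretsmanager:REGION:ACCOUNT:secret:payment-key"}],
}]}
```

The name-based heuristic in `embedded_secrets` will miss secrets under innocuous names and flag some non-secrets; it complements, rather than replaces, entropy-based scanning of the values themselves.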

Wiz Cloud Data Security Snapshot 2025, Wiz, May 2025. Analysis of hundreds of thousands of real-world cloud accounts found that 54 per cent of cloud environments have exposed virtual machines and serverless instances containing sensitive information including PII or payment data, and 72 per cent have publicly exposed PaaS databases lacking access controls. 12 per cent have containers that are both publicly exposed and exploitable via known vulnerabilities. These are not edge cases.

Major breach case studies

Case Study: Inadequate Configuration and Change Control, Cloud Security Alliance, June 2025. The 2024 Football Australia breach resulted from developers misconfiguring AWS S3 buckets. Publicly available search tools such as Shodan, BinaryEdge, and Grayhat Warfare make it relatively straightforward to find unprotected data repositories, which means the question is not whether someone will look but when.
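What a misconfigured bucket means in practice is a policy or ACL that grants anonymous principals access. As an added example, not code from the CSA case study, this Python checks a constructed bucket policy and ACL for such grants; the bucket name, role ARN and VPC endpoint id are placeholders.

```python
"""Check an S3 bucket policy and ACL for anonymous access, the class of
misconfiguration behind the Football Australia breach described above. The
policy and ACL are constructed, in the shape AWS uses for those documents."""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

def principal_is_anyone(principal):
    """Principal is the literal "*" or {"AWS": "*"} / {"AWS": [..., "*"]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_json):
    """(Sid, has_condition) for Allow statements open to any principal. A
    Condition such as aws:SourceVpce may narrow the grant, so it is reported
    for review rather than silently accepted."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement need not be a list
        statements = [statements]
    return [(s.get("Sid", f"statement-{i}"), "Condition" in s)
            for i, s in enumerate(statements)
            if s.get("Effect") == "Allow" and principal_is_anyone(s.get("Principal"))]

def public_acl_grants(acl):
    """(group URI, permission) for grants to the anonymous or any-AWS-user groups."""
    return [(g["Grantee"]["URI"], g["Permission"]) for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in (ALL_USERS, AUTH_USERS)]

# Constructed policy: unconditional public read, VPC-endpoint-scoped read, role grant.
POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpceRead", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}},
    {"Sid": "TeamAccess", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::ACCOUNT:role/data-team"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
]})
# Constructed ACL: owner has full control, anonymous users may list the bucket.
ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
```

Account-level S3 Block Public Access, where enabled, overrides both mechanisms, so a finding here is a policy defect to fix even where that guardrail currently masks it.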

Detecting and Remediating Misconfigurations in Cloud Environments, Cyber Security News, May 2025. Misconfigurations account for around 23 per cent of cloud security incidents and 81 per cent of cloud-related breaches. Cloud Security Alliance research found 82 per cent of enterprises have experienced security incidents stemming from misconfigurations. The problem has long since moved past the point where it can be described as emerging.

Software supply chain: dependency hell and cascading failures

Resources examining vulnerabilities in software dependencies and supply chain attacks.

The supply chain crisis

2026 State of the Software Supply Chain, Sonatype, January 2026. Open source malware grew 75 per cent year-on-year to 1.233 million malicious packages tracked since 2019, with 454,648 new malicious packages discovered in the past year alone. Annual open source downloads reached 9.8 trillion across the four largest registries, a 67 per cent increase. Despite patches having been available for years, Log4Shell was still downloaded 42 million times in 2025. 65 per cent of open source CVEs lack an NVD-assigned CVSS score.

Black Duck 2026 Open Source Security and Risk Analysis, Black Duck, February 2026. Analysis of 947 codebases across 17 industries found mean vulnerabilities per codebase jumped 107 per cent in a single year, driven partly by AI-accelerated code generation introducing components without adequate review. Open source appears in 98 per cent of audited codebases; two-thirds contain licence conflicts. 65 per cent of surveyed organisations experienced a supply chain attack in the past year, and only 24 per cent perform comprehensive security evaluations of AI-generated code.

ENISA Threat Landscape 2025: Supply Chain Findings, 2025. ENISA records supply chain pathways as among the fastest-growing classes of initial access against EU organisations, second only to stolen credentials. State-aligned groups used compromise of managed services, SaaS, and shared infrastructure to reach targets they could not breach directly, confirming that the dependency graph is now the attack surface.

European regulatory response

Cyber Resilience Act, European Commission, in force December 2024. The CRA is the EU’s first horizontal law imposing mandatory cybersecurity requirements on any product with digital elements placed on the European market, regardless of where its maker is based. It demands secure-by-design engineering, vulnerability handling, post-market monitoring, and a Software Bill of Materials. Reporting obligations for actively exploited vulnerabilities (an initial report within 24 hours) apply from September 2026, with the main obligations from December 2027. It is, in effect, a legal attempt to make supply chain debt someone’s accountable responsibility.

European Vulnerability Database, ENISA, launched 2025. Mandated by NIS2 and supported by the CRA, the EUVD is Europe’s counterpart to the US National Vulnerability Database, enriching CVE records with CVSS scores and CWE classifications and offering dedicated views for critical, actively exploited, and EU-coordinated vulnerabilities. It arrived as the US NVD struggled with backlog and funding pressure, a reminder that the infrastructure for tracking vulnerabilities is itself something Europe decided it could no longer afford to outsource.

OWASP Top 10:2025, A03 Software Supply Chain Failures, OWASP, 2025. Top-ranked in the Top 10 community survey, with exactly 50 per cent of respondents ranking it number one. Since appearing in 2013 as “Using Components with Known Vulnerabilities,” the risk has grown to encompass all supply chain failures, and now carries the highest average incidence rate at 5.19 per cent when tested.

Financial sector resilience and the weight of the core

Digital Operational Resilience Act (DORA), EIOPA, in application since January 2025. DORA requires banks, insurers, investment firms, and their critical ICT third parties to withstand, respond to, and recover from ICT disruption. The friction is structural: operational resilience monitoring, reporting, and testing must be wired into legacy ICT systems that were never designed to expose it, and many third-party contracts had to be renegotiated to add audit rights, exit support, and incident commitments the original terms never contemplated.

The True Cost of Legacy Systems: Banking IT Modernisation, Digital Bank Expert, August 2025. The majority of banks still run core platforms designed decades ago, some up to 40 years old, on mainframe hardware coded in COBOL and Assembler. McKinsey research cited here finds around 70 per cent of banks reviewing their core platforms, yet progress is slow and the talent that understands these systems is leaving: close to a third of COBOL programmers are expected to retire by 2030. The systems holding European savings are maintained by an ageing and shrinking group of specialists, which is its own kind of debt.

The systems are fragile. The infrastructure is ageing. A lot of configurations are wrong.

Technical debt is not a temporary problem that organisations will eventually fix. It is a structural feature of how systems are built, maintained, and evolved. Quick decisions create long-term consequences. Deferred maintenance compounds exponentially. Legacy systems persist because replacing them is harder than keeping them alive. Cloud adoption creates new categories of misconfiguration faster than security teams can address old ones. Software dependencies multiply vulnerabilities whilst appearing to simplify development. Europe has now written much of this into law, which makes the debt visible and overdue, but does not, by itself, pay it down.