Legacy systems: Outdated IT as a strategic risk

Today, 62% of companies classify parts of their business-critical applications as outdated because they no longer meet current requirements and require urgent modernisation. This is according to the Lünendonk study, ‘IT Modernisation between Legacy, Cloud and AI’ (2025).¹
What appears to run reliably today often proves, on closer inspection, to be a cost trap, a security vulnerability and a brake on innovation. Proprietary in-house developments, a lack of maintenance, and outdated interfaces make it difficult to integrate modern technologies such as the cloud, automation, and AI. At the same time, regulatory requirements are increasing, for example through the Digital Operational Resilience Act (DORA) and stricter data protection regulations.
This article explains why companies should no longer ignore their legacy IT, and how a structured approach to modernisation can lead to success.
What are legacy systems?
Legacy systems are IT applications or infrastructures which, despite their age, continue to perform business-critical tasks but are difficult to adapt to new requirements. They have evolved over many years or decades, with corresponding consequences.
Characteristics of legacy systems
- Outdated technologies and languages
Legacy systems are based on outdated programming languages or platforms that are rarely mastered by young professionals.
- No updates
Vendor support and security patches have been discontinued. Consequently, known vulnerabilities remain unresolved and provide a welcome target for attackers.
- Proprietary silo solutions
These are heavily customised or in-house developed systems whose further development is extremely costly and risky, or no longer feasible.
- Monolithic architecture
Large, inflexible system blocks that can hardly be extended or integrated in a modular way.
- Lack of documentation
Knowledge of internal system structures often resides in the minds of only a limited number of experts. When they leave the company, that know-how is lost.
In short, legacy systems are technical burdens that may work in day-to-day business but make any innovation difficult and pose a considerable risk.
Where legacy systems are particularly problematic
Mainframe systems in banking and insurance companies
Even in 2025, around 70% of banks worldwide still rely on legacy mainframes.² Although these systems reliably process millions of transactions every day, they are incompatible with modern interfaces and incur significant operating costs. Maintaining these systems alone consumes up to 75% of the IT budget in financial institutions, which severely slows down innovation.³ Moreover, many core banking systems still rely on COBOL code from the 1960s, a technological anachronism that restricts flexibility and speed in digital finance.²
Old ERP or CRM systems in industry and the mid-market
Many manufacturing companies still use ERP and CRM solutions that date back to the 1990s or early 2000s and have been repeatedly customised over time. This has resulted in highly complex structures that hinder modern digitalisation initiatives. Around 74% of industrial and engineering companies use legacy software or spreadsheets for core processes, which makes introducing new technologies such as AI services or cloud platforms almost impossible.
In-house developments without documentation
Applications that have grown ‘organically’ over the years often result from countless extensions implemented by different development teams. Up-to-date documentation is often lacking, meaning that only a few employees, if anyone, still understand how the system works. In many companies, only one or two individuals fully understand each legacy application.³ This bottleneck of knowledge is risky: if one of these experts leaves, the organisation is left with a poorly maintainable black box system.
Why do legacy systems become a risk?
Security and compliance issues
Outdated IT systems pose a significant risk of cyber attacks. Since legacy software is generally no longer provided with current security updates, known vulnerabilities remain permanently in place and can be exploited by attackers at any time. Studies show that almost half of actively exploited vulnerabilities in organisations stem from unsupported legacy software.⁵ According to an IBM study, the average cost of a data breach now exceeds USD 4.4 million, and outdated infrastructure demonstrably increases these costs.⁶
Compliance also suffers. Systems that are no longer maintained quickly violate current data protection or industry standards. According to analyses, companies with legacy IT are 40% more likely to be affected by compliance violations.³ This is particularly critical in the highly regulated financial sector, where the Digital Operational Resilience Act (DORA) has been in force since January 2025. DORA explicitly defines legacy systems as ICT systems at the end of their lifecycle that can no longer be updated but still perform critical functions. Financial institutions must identify each of these systems and regularly subject them to ICT risk assessments to evaluate and remediate vulnerabilities. Those who fail to do so risk severe penalties.⁷
Shadow IT
Because legacy applications are rigid, specialist departments are tempted to introduce their own software solutions, such as cloud storage or self-procured SaaS tools, without the knowledge of the IT department. This circumvention of official IT structures leads to uncontrolled growth that is neither centrally managed nor secured. According to estimates, such unauthorised solutions already account for 30–40% of IT expenditure in large companies.⁸ The consequences include an increased risk of data loss, security breaches, and undetected compliance violations, as systems are operating outside the IT department’s purview.
High operating costs and dependencies
Legacy systems generate significant ongoing costs that are not always immediately apparent. These costs can be driven up by factors such as increased maintenance effort, the need for expensive specialists or external service providers, premium support contracts after standard support has expired, and inefficient processes due to a lack of automation. Many companies underestimate these costs. A recent survey shows that almost two-thirds of companies spend more than two million US dollars annually on maintenance and updates for their legacy systems alone.⁹
In three out of four companies, IT teams spend between five and 25 hours each week installing patches and updates for legacy systems.¹⁰ This ties up valuable human resources. At the same time, dangerous vendor lock-in can arise. Companies become dependent on individual vendors or the last remaining internal experts. If this support is lost, there is a risk of significant downtime. These dependencies make companies inflexible, as necessary changes or upgrades become risky because a small team has to keep the entire operation ‘running’.
Barrier to innovation and integration
Perhaps the most serious issue is that an outdated IT landscape restricts a company’s ability to innovate. Legacy architectures are generally incompatible with modern technologies. It is difficult, if not impossible, to integrate cloud services, open APIs, automation tools or AI applications. According to a recent survey, 41% of IT professionals cited lack of compatibility with modern tools as one of the biggest legacy challenges.¹¹ Consequently, valuable data remains trapped in isolated systems, unable to be leveraged for big data analytics or AI.
The consequence is clear: while competitors are rapidly launching new digital products, mobile apps and AI-supported services, the company is struggling with technical integration issues. Innovation projects are either delayed or fail because the legacy IT system does not support them. Over time, the organisation loses ground; a risk that, while difficult to quantify, is very real in terms of market share and growth.
This situation slows innovation and strains finances. Currently, 60–80% of IT budgets are spent on maintaining outdated systems.³ Consequently, companies must address the strategic question of how to redirect these resources towards innovation and growth.
Why do companies still hold on to legacy systems?
Despite obvious weaknesses, many organisations hesitate to replace their legacy IT systems. The mindset is often: ‘Never change a running system.’ A recent survey confirms this: for 50% of IT teams, the main reason for postponing modernisation is that the existing system still works.¹¹ Short-term convenience and fear of the effort involved override the long-term pressure to act. But why is this attitude deceptive? Two key thinking traps are holding many decision-makers back.
The complexity trap
Legacy systems that have evolved over many years are often seen as impenetrable entities. It is impossible to fully assess the hidden dependencies and functions they contain. Therefore, replacement appears risky, as any change might ‘break something that still works’. Suitable test environments are often lacking, making safe experimentation difficult. The risk of potential outages deters IT decision-makers from embarking on modernisation. While this caution is understandable, it is dangerous in the long term. The risks of maintaining the status quo increase annually and will eventually exceed the effort required for migration.
The cost argument – a dangerous fallacy
At first glance, the investment costs of a modernisation project may seem too high to many decision-makers, particularly when budgets are tight: a major legacy upgrade can cost around USD 2.7 million on average.¹⁰ This argument falls short, though. The ongoing operating costs of legacy systems add up year after year and often exceed the one-time migration costs within a few years.³ Many of these costs are hidden, such as losses due to unplanned downtime, inefficiencies in day-to-day business or the high error rate of outdated processes.
On top of this, there is the growing mountain of technical debt. Experts estimate that non-modernised legacy systems cause around 20% ‘debt’ annually.³ The cost of modernisation therefore increases significantly with each year of delay. While waiting, the company loses potential revenue due to delayed innovation projects, which is not directly visible. Conclusion: Those who only consider the short-term costs (“We’re saving the migration budget today”) risk significantly higher expenses and damages in the long term.
Opportunities of legacy modernisation
Although replacing historically grown IT systems can be challenging, the opportunities for strategic modernisation are equally significant. Renewing the IT landscape can deliver tangible benefits in a number of areas. In fact, more than 95% of companies report being satisfied or very satisfied with the outcomes of their modernisation projects.¹²
Technical advantages
Migrating modernised applications to high-performance cloud environments increases scalability and enables location-independent access, while reducing infrastructure costs. Monolithic legacy systems can be transformed into modular microservices. Individual functions can then be flexibly extended or replaced without endangering the entire system.
Modern, API-enabled architectures also provide the foundation for automation and AI integration. Routine tasks can be automated efficiently and data from formerly isolated systems can be analysed centrally. Overall, IT becomes more agile and innovative.
Economic advantages
Replacing outdated structures significantly reduces ongoing maintenance and operating costs, freeing up resources for future innovation. New digital products or features can be developed and deployed much faster on a modern platform. This shortens time to market and creates a competitive advantage.
Industry benchmarks show that modernisation projects in banking can reduce IT operating costs by 30–40% and bring new digital offerings to market 50% faster.² At the same time, human resources are freed up. Instead of constantly managing legacy issues, IT teams can focus on strategic initiatives.
Strategic advantages
Companies that update their systems to current standards have a stable and scalable foundation for growth. They can also comply with new regulatory requirements, such as DORA or GDPR updates, more easily and securely.
Furthermore, the technology base impacts employer branding. Outdated systems deter IT professionals, whereas modern cloud, data, and AI projects attract talent. In fact, 58% of developers have considered leaving their employer because of outdated technology stacks.² Therefore, a modern IT environment improves a company’s ability to attract and retain key expertise.
Above all, modern systems enable better data availability and analytics. Real-time reporting, AI-supported analysis and meaningful dashboards become possible once data is no longer trapped in legacy silos. Executive management can then make faster and more robust decisions based on IT-driven corporate governance.
Legacy modernisation begins with a decision
Many organisations still have legacy systems that conceal invisible risks. Although they appear stable and familiar, they are actually costly, insecure and hostile to innovation.
- They increase the risk of security incidents and compliance violations.
- They tie up resources needed for digital innovation.
- They reduce agility by blocking future-ready IT strategies.
The longer companies wait, the greater the gap with more agile competitors becomes. Modernising legacy systems is an essential strategic transformation process for sustainable development. It begins with responsible leaders making a deliberate decision to address the issue proactively, combined with a systematic assessment of the IT landscape. Those who set the course today will be ahead tomorrow. Companies that modernise their legacy systems earlier will benefit sooner from reduced costs, faster digitalisation, greater talent attraction and improved decision-making data.
References
- Lünendonk-Studie: IT-Modernisierung zwischen Legacy, Cloud und KI, https://www.luenendonk.de/produkt/luenendonk-studie-it-modernisierung-zwischen-legacy-cloud-und-ki/, 13.11.2025
- 2025 Legacy Code Stats: Costs, Risks & Modernization, https://www.pragmaticcoders.com/resources/legacy-code-stats#:~:text=Legacy%20technology%20remains%20deeply%20entrenched,developed%20in%20the%20late%201950s, 13.11.2025
- The True Cost of Maintaining Legacy Applications: An Industry Analysis, https://www.profoundlogic.com/true-cost-maintaining-legacy-applications-industry-analysis/#:~:text=The%20true%20cost%20of%20legacy,using%20legacy%20systems%20are%2040, 17.11.2025
- 74 % of manufacturers held back by disconnected data, https://www.themanufacturer.com/articles/74-of-manufacturers-held-back-by-disconnected-data/, 18.11.2025
- How Outdated Systems and Legacy Software Are Fueling Modern Cyber Attacks, https://www.herodevs.com/blog-posts/how-outdated-systems-and-legacy-software-are-fueling-modern-cyber-attacks#:~:text=Out,priority%20target%20for%20cyber%20adversarie, 18.11.2025
- Cost of a Data Breach Report 2025, https://www.ibm.com/de-de/reports/data-breach, 18.11.2025
- VERORDNUNG (EU) 2022/2554 DES EUROPÄISCHEN PARLAMENTS UND DES RATES vom 14. Dezember 2022 über die digitale operationale Resilienz im Finanzsektor und zur Änderung der Verordnungen (EG) Nr. 1060/2009, (EU) Nr. 648/2012, (EU) Nr. 600/2014, (EU) Nr. 909/2014 und (EU) 2016/1011, https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32022R2554, 18.11.2025
- 50 Essential Shadow IT Statistics for 2024, https://www.auvik.com/franklyit/blog/shadow-it-stats/#:~:text=30%20to%2040,spending%20is%20shadow%20IT, 24.11.2025
- Aiming for GenAI Success? Pay Your Technical Debts First, Shows New SnapLogic Research, https://www.snaplogic.com/company/newsroom/press-releases/snaplogic-research-genai-success-technical-debt, 24.11.2025
- The Code to Unlock GenAI, https://www.snaplogic.com/resources/research/the-code-to-unlock-genai, 27.11.2025
- Legacy Software Modernization in 2025: Survey of 500+ U.S. IT Pros, https://www.saritasa.com/insights/legacy-software-modernization-in-2025-survey-of-500-u-s-it-pros#:~:text=%2A%20Security%20vulnerabilities%20%2843,32, 27.11.2025
- Studie Legacy-Modernisierung 2024, https://digital-workplace.team/wp-content/uploads/2025/03/25-01-Foundry-legacyModernisierung-Whitepaper-Hyland.pdf, 06.11.2025