EOL Hardware and Compliance
What the regulations actually say. Clause numbers included.
Multiple regulatory frameworks and cybersecurity directives explicitly reference end-of-support or end-of-life hardware as a control point. Running unsupported gear is not just a security risk — it can make specific compliance requirements structurally impossible to satisfy. No compensating control fixes "the vendor does not issue patches for this device."
PCI-DSS
Requirement 12.3.4 (effective 2025-03-31): requires an annual review of all hardware and software technologies, including those at vendor end-of-support, with a plan to remediate. Separate from Requirement 6.3.3, which mandates timely patching — a requirement you cannot meet if the vendor has stopped issuing patches.
See the full breakdown with verbatim PCI SSC text: PCI-DSS 12.3.4.
CISA BOD 26-02
Binding Operational Directive 26-02 (issued 2026-02-05): requires federal civilian agencies to inventory and decommission end-of-support edge devices — routers, firewalls, VPN gateways, load balancers. Inventory deadline was 2026-05-05, with decommissioning waves through 2028. CISA, FBI, and NCSC explicitly recommend all organizations follow the same guidance.
Full directive coverage: CISA BOD 26-02.
NY DFS §500.13
23 NYCRR §500.13(a)(1)(iv) (effective 2025-11-01): requires covered financial-services entities to include "support expiration date" as a mandatory field in their asset inventory. If you can't populate that field, you can't demonstrate compliance with the inventory requirement.
Regulation text and analysis: NY DFS §500.13.
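The three requirements above converge on the same artifact: an asset inventory that carries a vendor support-expiration date per device and is reviewed against it. The script below is an added example, not code from this page or from any of the regulators cited; it assumes a simple CSV inventory (the hostnames, vendors and dates are constructed) and shows the output such a review produces: devices already past support, devices approaching it, and devices whose support-expiration field is blank and therefore cannot demonstrate compliance with the inventory requirement at all. The date thresholds and field names are assumptions, not prescribed by any of the frameworks.

```python
"""Added example: review an asset inventory for end-of-support hardware.

Not part of the original page. Assumes a CSV inventory with a
``support_expiration`` column (constructed schema) and a fixed review date so
the result is reproducible.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample inventory; names, vendors and dates are illustrative only.
SAMPLE_INVENTORY = """\
hostname,role,vendor,support_expiration
fw-edge-01,firewall,ExampleVendor,2024-06-30
vpn-gw-02,vpn-gateway,ExampleVendor,2026-09-30
lb-core-01,load-balancer,OtherVendor,2030-01-31
rtr-branch-07,router,OtherVendor,
"""


@dataclass(frozen=True)
class Finding:
    hostname: str
    role: str
    status: str  # "unsupported", "unknown", "expiring" or "supported"
    support_expiration: date | None


def classify(asset: dict, today: date, warn_days: int) -> Finding:
    """Map one inventory row to a finding.

    A blank date is reported as "unknown" rather than treated as supported:
    an inventory field that cannot be populated is itself a compliance gap.
    """
    raw = (asset.get("support_expiration") or "").strip()
    if not raw:
        return Finding(asset["hostname"], asset["role"], "unknown", None)
    exp = date.fromisoformat(raw)
    if exp < today:
        status = "unsupported"
    elif exp - today <= timedelta(days=warn_days):
        status = "expiring"
    else:
        status = "supported"
    return Finding(asset["hostname"], asset["role"], status, exp)


def review_inventory(csv_text: str, today_iso: str, warn_days: int = 365) -> list[Finding]:
    """Run the review over the inventory; items needing action sort first."""
    today = date.fromisoformat(today_iso)
    order = {"unsupported": 0, "unknown": 1, "expiring": 2, "supported": 3}
    rows = csv.DictReader(io.StringIO(csv_text))
    findings = [classify(row, today, warn_days) for row in rows]
    return sorted(findings, key=lambda f: (order[f.status], f.hostname))


def remediation_plan(findings: list[Finding]) -> dict[str, list[str]]:
    """Group hostnames by the action the annual review should record."""
    plan: dict[str, list[str]] = {
        "decommission_or_replace": [],  # already unsupported: no patches exist
        "populate_support_date": [],    # inventory field blank: cannot attest
        "schedule_replacement": [],     # support ends within the warning window
    }
    for f in findings:
        if f.status == "unsupported":
            plan["decommission_or_replace"].append(f.hostname)
        elif f.status == "unknown":
            plan["populate_support_date"].append(f.hostname)
        elif f.status == "expiring":
            plan["schedule_replacement"].append(f.hostname)
    return plan


if __name__ == "__main__":
    review_date = "2026-03-01"  # fixed so the sample output is reproducible
    findings = review_inventory(SAMPLE_INVENTORY, review_date)
    for f in findings:
        print(f"{f.status:<12} {f.hostname:<14} {f.role:<14} {f.support_expiration}")
    print(remediation_plan(findings))
```

The "unknown" bucket is the one most reviews miss: a device with no recorded support date is indistinguishable, for audit purposes, from one that is already unsupported, and the review output should say so rather than silently passing it.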
HIPAA and NIST
HIPAA §164.308(a)(5) and NIST SP 800-53 SA-22 both address the use of unsupported system components. Neither uses the exact phrase "end of life," but the intent is clear: if the vendor no longer provides security updates, the device is a non-compliant component absent a documented risk acceptance and compensating controls.
Clause-level details: Compliance and Insurance Impact.