End-of-Life Devices: The Silent Risk to Your Cyber Essentials Certification

Outdated, end-of-life hardware could be putting your Cyber Essentials certification at risk. Find out how unsupported devices can jeopardise compliance—and what you can do about it.

Cyber Essentials has become a baseline requirement for organisations across the UK, especially those working with public sector contracts or handling sensitive data. It’s designed to help businesses defend against common cyber threats—but achieving (and maintaining) certification means more than just ticking boxes.

One often-overlooked risk? End-of-life (EoL) hardware.

In this blog, we’ll explain what EoL means, why it matters for your Cyber Essentials compliance, and what steps your organisation should take to stay secure and certified.

What Does “End-of-Life” Hardware Actually Mean?

When a manufacturer declares a product as “end-of-life,” it means the device:

  • No longer receives software or security updates
  • Is no longer supported by the vendor
  • Will not be patched for newly discovered vulnerabilities
  • May not work reliably with modern systems

This includes things like:

  • Outdated desk phones
  • Legacy routers, switches, and firewalls
  • Unsupported operating systems (e.g. Windows 7 or Server 2012)
  • Older mobile devices or IP handsets

Why Is EoL Hardware a Problem for Cyber Essentials?

Cyber Essentials requires that all devices within scope are secure and up to date. If you’re running unsupported equipment, you’re immediately at risk of non-compliance—even if the rest of your environment is fully protected.

Key Risks EoL Devices Pose:

  • Unpatched vulnerabilities – No security updates means attackers can exploit known issues.
  • No vendor support – If something goes wrong, there’s no fix or workaround.
  • Limited compatibility – Older devices may not support modern encryption or authentication standards.
  • Increased attack surface – Cybercriminals often target outdated hardware because they know it’s unlikely to be secured.

Important: During a Cyber Essentials assessment or audit, if any EoL device is found in scope, even if it’s not actively in use, you could fail certification.

What Does the Cyber Essentials Scheme Say?

The National Cyber Security Centre (NCSC) is clear: devices must be supported to be compliant.

“Operating systems and software that are no longer supported must be removed from scope or segregated from the rest of the network.” — NCSC Cyber Essentials Technical Requirements

That means:

  • No unsupported operating systems or firmware
  • No networked legacy equipment without justification and segmentation
  • No excuses — EoL means out of scope, or out of compliance

Taking corrective action — such as replacing outdated devices — can restore compliance, but not without consequences. In many cases, delays in addressing unsupported technology can disrupt operations, create unnecessary risk, and stall critical business activities.

What You Should Do Now

If you’re preparing for Cyber Essentials—or simply want to protect your business—it’s essential to identify and phase out EoL hardware before it becomes a liability.

Action Plan:

  1. Audit all connected devices – Phones, routers, switches, PCs, mobile devices.
  2. Check support status – Look up firmware and OS support from the manufacturer.
  3. Document everything – Prove that each device is supported and up to date.
  4. Replace where needed – Prioritise phones, firewalls, and networking gear.
  5. Isolate if you can’t replace – If a device must remain, segment it from the rest of your network.
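
The action plan above can be run as a repeatable check over a device inventory. The following is an added example, not part of the original article: the CSV column names, the sample devices and dates, and the 180-day warning window are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory: names, dates and flags are illustrative only.
SAMPLE_INVENTORY = """\
name,type,support_ends,in_scope,segmented
reception-phone,ip-handset,2019-06-30,yes,no
edge-fw-01,firewall,2031-12-31,yes,no
lab-pc-07,workstation,2020-01-14,yes,yes
store-switch,switch,,yes,no
spare-router,router,2018-03-01,no,no
hr-laptop-12,laptop,2026-02-15,yes,no
"""
WARN_DAYS = 180  # assumption: lead time wanted for planning a replacement


def classify(row, today):
    """Return the action for one inventory row."""
    if row["in_scope"].strip().lower() != "yes":
        return "out-of-scope"
    raw = row["support_ends"].strip()
    if not raw:
        return "unknown-check-vendor"  # no evidence of support (steps 2 and 3)
    ends = date.fromisoformat(raw)
    if ends < today:  # unsupported: replace (step 4) or isolate (step 5)
        isolated = row["segmented"].strip().lower() == "yes"
        return "eol-isolated" if isolated else "eol-replace"
    if (ends - today).days <= WARN_DAYS:
        return "supported-expiring"
    return "supported"


def triage(csv_text, today):
    """Map device name -> action for every row of the inventory CSV."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {row["name"]: classify(row, today) for row in rows}


def blockers(results):
    """Devices that still need work before an assessment."""
    return sorted(n for n, a in results.items()
                  if a in ("eol-replace", "unknown-check-vendor"))


if __name__ == "__main__":
    report = triage(SAMPLE_INVENTORY, date(2025, 9, 1))
    for name, action in report.items():
        print(f"{name:16} {action}")
    print("Blockers:", ", ".join(blockers(report)))
```

A device with no recorded support end date is treated as a blocker, because step 3 asks you to prove that each device is supported.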

Don’t Let Old Devices Undermine Your Compliance

Cyber Essentials is a powerful safeguard, but it’s only as effective as your most neglected asset. That overlooked device in the corner could be the reason you fail certification, expose customer data, or lose out on critical contracts.


You can find out more about Cyber Essentials and why it’s vital for all businesses here.


Call us now or book a free consultation to protect your business and keep compliance on track.
