JDI-UK

Windows 10 officially reached its end of life - or has it?

End of official support and updates

Microsoft ended all free support for Windows 10 on 14th October 2025. This means no more security patches, bug fixes, or feature updates unless users enrol in the Extended Security Updates (ESU) program.

Microsoft is offering 12 months of ESU for Windows 10 free to users in the European Economic Area.

🇪🇺 Why Is ESU Free in the EEA?

  • Regulatory pressure: Microsoft reversed its initial paid ESU policy after advocacy groups argued that requiring payment or cloud backup violated the EU’s Digital Markets Act (DMA).
  • Consumer protection: The free ESU period gives users more time to upgrade without compromising security or facing financial penalties.
  • Initial 12 months only: The free ESU will only cover the initial period from October 2025 to October 2026.

Increased cybersecurity risks

Without ongoing security updates, Windows 10 systems are now more vulnerable to malware, ransomware, and other cyber threats. 


Experts warn that hackers are likely to exploit known vulnerabilities, putting millions of users, especially those in small and micro businesses, at risk.

Upgrade pressure and hardware limitations

While Microsoft encourages users to upgrade to Windows 11, many older devices don't meet its new system requirements. This leaves users with tough choices:

  • Pay for extended support
  • Risk running an unsupported OS
  • Bypass Microsoft checking and go to Windows 11
  • Invest in new hardware.  

🛡️ Key GDPR Regulation Impacted

Please reach us at GDPR@jdi-uk.com if you cannot find an answer to your question.

Article 32 of the GDPR requires data controllers and processors to implement “appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”


  • Using an unsupported OS like Windows 10 increases vulnerability to malware and breaches.
  • Failure to patch known security flaws could be seen as negligence, especially if personal data is compromised.


  • Non-compliance penalties: If a data breach occurs due to outdated software, regulators may impose fines of up to €10 million or 2% of global annual turnover, depending on severity and negligence. 
  • Accountability failures: Organisations must demonstrate proactive risk management. Continuing with Windows 10 without Extended Security Updates (ESU) may be interpreted as failing to uphold GDPR’s accountability principle.
  • Audit and enforcement risk: Supervisory authorities may scrutinise IT infrastructure during audits or investigations, and unsupported systems could trigger enforcement actions.


  • Article 32 – Security of Processing: Requires “appropriate technical and organisational measures” to protect personal data. 
  • TPM 1.2 lacks modern cryptographic support: It only supports SHA-1, which is deprecated due to known vulnerabilities.
  • Regulatory exposure: If a breach occurs and TPM 1.2 is deemed insufficient, regulators may view it as a failure to meet GDPR’s security obligations.
  • TPM 2.0: meets Article 32 expectations.


  • Upgrade to Windows 11 or ensure ESU coverage is in place for Windows 10. 
  • Document risk assessments and mitigation strategies if continuing to use Windows 10 temporarily.
  • Review contracts and vendor obligations to ensure third-party processors also comply with Article 32.


Cyber Essentials Certification

Remaining on Windows 10 after its end of support on October 14, 2025 can jeopardize your Cyber Essentials certification, which requires that all operating systems in scope be fully supported by the vendor. This applies to both your corporate and user-owned devices (BYOD).

  • Non-compliance with baseline requirements: Cyber Essentials mandates that all software, including operating systems, must be supported and receive security updates. Unsupported Windows 10 violates this requirement, potentially invalidating your certification. 
  • Increased audit risk: During assessments, certification bodies may flag unsupported systems as critical vulnerabilities. This could lead to failed audits or revocation of certification.
  • Insurance and liability exposure: Many cyber insurance policies and contractual obligations rely on Cyber Essentials compliance. Running unsupported systems could affect coverage or breach terms.



  • Upgrade to a supported OS: Move to Windows 11 or another supported operating system that receives regular security updates.
  • Use Extended Security Updates (ESU): If upgrading isn’t immediately feasible, enroll in Microsoft’s ESU program for Windows 10. This ensures continued patching and maintains compliance under Cyber Essentials.
  • Restrict unsupported systems: If legacy systems must remain, isolate them from the internet and sensitive data environments. They must be out of scope for certification.
  • Document your mitigation strategy: Keep records of your upgrade plans, ESU enrolment, and risk assessments to demonstrate proactive compliance during audits.


  • Extended Security Update schemes: For any end-of-life operating system that has an extended security update program, you must maintain the required subscription.
  • If you are using Windows 10 beyond the 14th October 2025 you must be signed up to the Microsoft Extended Security Update program in order to remain compliant.


Further guidance:

  • Operating System Support
  • Guidance to BYOD


What are my Windows 10 options and their implications?

Please reach us at IT-Support@jdi-uk.com if you cannot find an answer to your question.

Microsoft is offering the first 12 months of ESU for Windows 10 free to users in the European Economic Area (EEA), including the UK, until October 14, 2026.



🛡️ What’s Included in the Free ESU?

  • Security-only updates: No feature enhancements or bug fixes—just critical patches to keep systems protected.
  • Eligibility: Applies to Windows 10 version 22H2. Users must enrol via Windows Update using a Microsoft account.
  • No cloud backup required: Microsoft removed the previous condition that required syncing with its cloud services.

    

If you’re in the EEA and still on Windows 10, you can enrol now through Settings > Windows Update > Enroll Now. Let me know if you’d like help checking your eligibility or planning your upgrade.


Link: https://windowsforum.com/threads/microsoft-extends-free-windows-10-esu-in-the-eea-through-oct-2026.382447/


For business customers purchasing Windows 10 Extended Security Updates (ESU) through volume licensing, Microsoft requires a minimum of 5 devices per order.


Timeline:

Year           Business Cost (per device)    Consumer Cost (per device)
2025 - 2026    $61*                          $30
2026 - 2027    $122                          $60
2027 - 2028    $244                          $120

* Free of charge within the EEA


🧾 Minimum ESU Purchase Requirement

  • Applies to businesses using Microsoft’s Volume Licensing Service Center (VLSC).
  • Minimum order: 5 licenses per ESU year (e.g., Year 1: 5 devices × $61 = $305 minimum).
  • Purpose: This threshold ensures ESU is used primarily by organisations rather than individuals.

🏠 What About Individual Users?

  • No minimum for consumers or small businesses using the Windows Update wizard.
  • You can enroll just one device if needed, and pay annually via Microsoft account.
  • This route is ideal for freelancers, home users, or microbusinesses.


Running Windows 10 without updates after its end of support on October 14, 2025 affects three critical areas—each with serious implications for security, compliance, and operational integrity:


🔐 1. Cybersecurity Vulnerabilities

  • Unsupported systems no longer receive security patches, leaving them exposed to malware, ransomware, and zero-day exploits.
  • Attackers often target known vulnerabilities in outdated software, making these systems high-risk entry points into networks.


📉 2. Operational Reliability and Compatibility

  • New applications, drivers, and hardware may not be compatible with Windows 10, leading to performance issues or system failures.
  • Lack of updates can cause instability, software crashes, and reduced productivity, especially in business-critical environments.


⚖️ 3. Legal and Regulatory Compliance (GDPR Article 32)

  • GDPR requires organisations to implement “appropriate technical and organisational measures” to secure personal data.
  • Using an unsupported OS violates this principle, as it fails to provide adequate protection against data breaches.
  • If personal data is compromised due to outdated systems, organisations may face fines, audits, and reputational damage.



Businesses can bypass the Windows 11 compatibility checker using registry edits or custom install tools, but TPM 2.0 is still strongly recommended due to security and support implications. TPM 1.2 is technically usable but lacks key protections.


🛠️ How to Bypass the Windows 11 Compatibility Checker

Registry Edit Method

Custom USB Installer (e.g., Rufus)

Clean Install with ISO


⚠️ Microsoft warns that bypassing requirements may lead to instability, lack of updates, or unsupported configurations.


🔐 TPM 1.2 vs TPM 2.0: Security and Compliance Implications

      

  • TPM 2.0 is required for full Windows 11 support and security features like BitLocker, Secure Boot, and Credential Guard.
  • TPM 1.2 lacks modern cryptographic capabilities, making it unsuitable for high-security environments.
  • Cyber Essentials and GDPR compliance may be compromised if TPM 1.2 is used, especially in regulated sectors.


Feature                                      TPM 1.2                     TPM 2.0
Encryption Algorithms                        Limited (SHA-1 only)        Advanced (SHA-256, ECC, RSA)
Secure Boot Support                          Partial                     Full
Windows 11 Requirement                       Not officially supported    Required for full support
Compliance (e.g., GDPR, Cyber Essentials)    Risk of non-compliance      Meets modern standards


✅ Recommendations for Businesses

  • Upgrade hardware to support TPM 2.0 if possible.
  • If using TPM 1.2:
    • Document the risk and mitigation strategy.
    • Isolate legacy systems from sensitive data environments.
    • Consider ESU for Windows 10 if upgrade isn’t feasible.


  • Future-proofing: New devices will support updates and features for years, reducing the need for frequent upgrades. 
  • Employee productivity: Faster, more reliable systems improve user experience and reduce support tickets.
  • Audit readiness: Demonstrates proactive risk management and compliance with Cyber Essentials and GDPR.
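
The two facts the options above turn on, the Windows 10 release (the free ESU applies to version 22H2) and the TPM specification version (1.2 vs 2.0), can be read from each device and kept as audit evidence. This is an added example, not code from JDI-UK or Microsoft; the function name and the output path are assumptions.

```powershell
# Added example (not JDI-UK or Microsoft code). Run in an elevated session on a
# Windows 10/11 client; it only reads local state and changes nothing.
function Get-Win10ExitReadiness {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    # Build 22000 and later is Windows 11; Windows 10 version 22H2 is build 19045.
    $isWin11 = $build -ge 22000

    # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38"; the first field is the family.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm -and $tpm.SpecVersion) {
        ($tpm.SpecVersion -split ',')[0].Trim()
    } else { 'none detected' }

    # Confirm-SecureBootUEFI throws on legacy BIOS systems, so treat that as "off".
    $secureBoot = try { [bool](Confirm-SecureBootUEFI) } catch { $false }

    $finding = if ($isWin11) {
        'Vendor-supported OS'
    } elseif ($cv.DisplayVersion -eq '22H2') {
        'Windows 10 22H2: ESU enrolment needed to keep receiving security updates'
    } else {
        'Windows 10 below 22H2: not the version the ESU programme applies to'
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        CheckedOn      = (Get-Date).ToString('yyyy-MM-dd')
        OS             = if ($isWin11) { 'Windows 11' } else { 'Windows 10' }
        DisplayVersion = $cv.DisplayVersion
        Build          = $build
        TpmSpec        = $tpmSpec
        Tpm20          = $tpmSpec -eq '2.0'
        SecureBoot     = $secureBoot
        Finding        = $finding
    }
}

# ESU enrolment itself is not detected here; record it separately.
# The output path is an assumption; point it at your evidence share.
Get-Win10ExitReadiness |
    Export-Csv -Path "$env:TEMP\win10-readiness-$env:COMPUTERNAME.csv" -NoTypeInformation
```

Collecting one CSV row per device gives a dated record of which machines are on Windows 10, which are on 22H2, and which still rely on TPM 1.2, to sit alongside the documented risk assessment.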



Copyright © 2025 JDI-UK - All Rights Reserved.
