Key Takeaways:

  • After 31 December 2026, Kentico 13 receives no security patches. Any vulnerability found from 2027 stays unpatched permanently.
  • A single security incident on an unpatched CMS can cost significantly more than a planned migration.
  • Cyber insurance providers increasingly exclude EOL software from coverage. Check your policy now.
  • Regulatory requirements for Australian organisations holding customer data may create additional exposure for sites running unsupported software.

When organisations delay a CMS migration past a vendor's end-of-life date, the reasoning is usually financial: avoid the cost of a migration project this year. It is a reasonable instinct. But it rests on an assumption that running EOL software is a neutral decision, a deferral with no cost attached. It is not.

The security cost: unpatched vulnerabilities

From 1 January 2027, every new vulnerability discovered in Kentico 13 will be unpatched. Kentico will not issue a fix. Your development team cannot patch what the vendor no longer patches. The vulnerability inventory grows permanently.

This is exactly what the Australian Cyber Security Centre's advisory describes. Attackers scan for EOL software with known, unpatched vulnerabilities. Organisations on EOL platforms become easier targets not because they are being singled out, but because their vulnerabilities are documented and unfixed

K13-end-of-support.jpg

The insurance cost: EOL exclusions

Cyber insurance policies are increasingly specific about software support status. Many include exclusions for incidents that occur on unsupported or end-of-life software. If your organisation experiences a breach on a Kentico 13 site after 31 December 2026 and your policy includes an EOL exclusion, the insurer may decline the claim. Review your current cyber insurance policy and ask your broker specifically about EOL software provisions before the end of 2026.

The compliance cost: data obligations

Australian organisations that collect and hold customer data have obligations under the Privacy Act 1988 and, in some sectors, additional regulatory requirements around data security. Running a website on unsupported software that processes or transmits personal information creates a compliance exposure. The question is not just whether a breach occurs, but whether the organisation took reasonable steps to prevent one. Running EOL software makes that answer harder to defend.

The operational cost: incompatibility over time

Beyond security, EOL software becomes incompatible with the ecosystem around it. Browser updates, operating system changes, third-party plugin updates, and integration API changes happen on a schedule that does not account for your CMS being unsupported.

Every month on Kentico 13 past its EOL date is a month where a third-party integration might fail, a browser security update might break a form or checkout flow, or a hosting dependency might require an update the unsupported CMS cannot accommodate.

The calculation most organisations are not doing

A planned Kentico migration to Xperience by Kentico is a known cost, scoped in advance, managed over a fixed period. A security incident, an insurance claim denial, a compliance investigation, or a period of site downtime is an unknown cost that can exceed the migration cost many times over. The decision to delay is not a decision to avoid cost. It is a decision to trade a known, manageable cost for an uncertain, potentially much larger one

Hidden_Costs_Iceberg.jpg

Author
Phil Allen
Founder & Chief Strategist
Get in touch

We transform

Discover More insights.

One thing we won't apologise for? Our passion for the digital world.