BSI Warns of GDPR Violations Due to Outdated Exchange Servers in Germany's Public Sector
German cybersecurity agency BSI warns that thousands of outdated Exchange servers pose GDPR compliance risks, affecting public institutions such as hospitals and schools.
- Outdated Exchange servers in Germany violate GDPR because they process personal data.
- Thousands of public and private organizations, including hospitals and schools, are affected.
- Microsoft offers ESU security updates until April 2026, which require extra funding.
- BSI calls for urgent upgrades or migrations to secure data and comply with regulations.
Key details
The German Federal Office for Information Security (BSI) has issued a warning about the significant cybersecurity risks posed by thousands of outdated Microsoft Exchange servers still in operation across Germany. These aging servers process personal data, thereby violating the European Union's General Data Protection Regulation (GDPR). The problem is widespread, not only affecting numerous companies but also critical public sector organizations such as hospitals, medical practices, schools, universities, municipal utilities, and local governments.
Microsoft is providing potential security updates for these vulnerable systems through its Extended Security Update (ESU) program until April 14, 2026. However, continued use under this program demands additional financial resources, which has slowed necessary upgrades or migrations to more secure platforms and heightens risks to data security.
The BSI’s warning highlights the urgent need for public institutions to modernize their IT infrastructures to safeguard sensitive data against cyber threats and ensure compliance with data privacy laws. Failure to address these vulnerabilities not only imperils operational stability but also risks sanctions due to GDPR infringements.
This alert comes amidst ongoing challenges in Germany's IT landscape, emphasizing the critical intersection of technology, security, and regulatory compliance for both private and public sectors.