How much does legacy software really cost: the hidden costs nobody calculates and how to build the modernization business case

The CFO of a manufacturing company asks the CTO for a cost estimate for the following year's IT budget. The CTO replies: "The management software we have been using since 2005 costs us 200,000 euros a year in maintenance." The CFO writes down the number, compares it with the cost of a new system (estimated at 400,000 euros), and concludes: "Better to keep what we have, it is already amortized." Two years later, the same system suffers a ransomware attack that exploits an unpatachable vulnerability. The cost of the incident: 380,000 euros in remediation, production downtime and consultants. Plus the 400,000 of those two years of maintenance that continued in the meantime.

This story, with variations, repeats itself every year in dozens of companies across Europe. Not for lack of intelligence or attention: for lack of a method to calculate the real cost of legacy software. What the CFO sees in the budget is only the tip of the iceberg. The true cost, made up of hidden costs and unquantified risks, is submerged.

This article is built for those who need to make the decision or justify it to the board: CFOs, CEOs, CTOs who have a legacy system and need to understand exactly how much it costs to keep it, what risk the company carries if nothing is done, and how to build the business case to convince management that modernizing costs less than waiting.

The cost of legacy software is not the "IT maintenance" line item in the budget. It is the sum of maintenance, inefficiencies, missed opportunities, security and compliance risks, and turnover cost. Calculated together, they return a number that changes the conversation.

A company spending 200,000 euros a year on 2005 software: the real case

To make the following framework concrete, let us start with a real anonymized case. A manufacturing company, 180 employees, 35 million euro turnover, custom-built management system developed in 2005 with ASP.NET WebForms technology and SQL Server 2008. The system handles orders, production, warehouse and invoicing. There is no alternative ERP: it is the business operating system.

The IT budget declares 200,000 euros in annual maintenance. The CTO and technical team know the reality is more complex, but have never done a systematic calculation. When we do it together, the picture changes dramatically.

Verified direct costs: software maintenance staff 145,000 euros, SQL Server and Windows Server licenses 28,000 euros, on-premises server hardware (amortized but with management costs) 15,000 euros, backup and disaster recovery (dated solution, not systematically tested) 12,000 euros. Total direct costs: 200,000 euros.

Indirect costs, never calculated before: each system user loses an average of 45 minutes per day on workarounds for software limitations (manual Excel exports, double data entry, waits for slow processing). With 40 users at an average company cost of 30 euros/hour, the annual cost of these inefficiencies is 40 x 0.75 hours x 230 working days x 30 euros = 207,000 euros. This single element alone exceeds the declared IT budget.

Uncaptured opportunities: the system does not integrate with the e-commerce platform the sales team has requested for three years, cannot interface with the supplier portal requested by the purchasing director, cannot feed real-time BI required by management. The estimated value of these blocked growth opportunities: conservatively 80,000-120,000 euros in uncaptured incremental revenue annually.

The real annual cost of that 2005 management system is not 200,000 euros. It is 200,000 (direct) + 207,000 (inefficiencies) + 100,000 (estimated opportunities) = approximately 507,000 euros. By comparison, the modernization cost evaluated at 400,000 euros pays for itself in less than a year.

The visible costs of legacy software: what appears in the IT budget

Before digging into hidden costs, it is useful to have a precise picture of what normally appears in IT budgets as legacy software cost. Often even these visible costs are underestimated because they are distributed across different budget lines.

Corrective and evolutionary maintenance

The main item is the cost of the team maintaining the system: internal developers, external consultants or both. This cost tends to grow over time for two reasons. First: the system becomes increasingly complex and difficult to modify as it accumulates years of patches, workarounds and undocumented "quick fixes." What in 2015 was a 3-day modification now takes 2 weeks for the same type of intervention. Second: developers with system experience cost more because they become rare on the market. A developer who knows 2005 WebForms well is not available at the same cost as a modern .NET developer.

Gartner research estimates that organizations spend an average of 60% to 75% of the total IT budget on maintaining existing systems, leaving only 25-40% for innovation and new development. For companies with very old systems, this proportion is often worse.

Software licenses and infrastructure

Legacy systems are typically anchored to dated technology stacks requiring specific licenses: Windows Server 2012 or 2016 (newer versions may not be compatible), SQL Server in obsolete versions, third-party commercial components that continue to require annual renewal despite vendor abandonment. These license costs are real and often increase rather than decrease, because vendors maintaining legacy products raise prices knowing the customer is locked in.

Hardware and physical infrastructure

Legacy systems often require specific hardware: on-premises servers with particular characteristics, hardware controllers, dedicated backup systems. This hardware has management costs (space, energy, cooling, physical maintenance) that rarely appear in the "legacy software" line item of the IT budget but are part of the total cost. And when this hardware reaches end of life, the replacement cost can be significant to keep running the legacy software versions that do not run on modern hardware.

Support and training

Supporting users of a legacy system is more expensive than supporting a modern system, for two reasons: the system is less intuitive (it was designed to 15-year-old UX standards), and documentation is often incomplete or obsolete. The cost of internal help desk support and new user training is often overlooked but consistent: for systems with 50+ users, it can reach 20,000-40,000 euros annually.

The invisible costs nobody calculates: the real weight of legacy software

Visible costs are the emerged part of the iceberg. The submerged part, the one that sinks companies, is made of costs that do not appear in any budget line because they are never systematically measured.

The cost of user time lost

This is almost always the largest hidden cost and the most surprising for management when calculated for the first time. Legacy software is slow, unintuitive and forces users into workarounds that a modern system would resolve automatically. Consider these scenarios: a salesperson who must export CRM data to Excel for an analysis the system does not support natively, a warehouse manager who enters the same data into two different systems because there is no integration, a controller who waits 20 minutes to generate a report that in a modern system would take 30 seconds.

The method for calculating this cost: have the ten most intensive system users do a week of time tracking, asking them to note every workaround, every wait, every manual process the system does not automate. Multiply the average daily time lost by the total number of users, by the average company hourly rate, by annual working days. The result almost always surprises.

The cost of uncaptured business opportunities

Every business request that the legacy system cannot support is an opportunity cost. This cost is harder to quantify precisely, but can be estimated by identifying the features or integrations the business has requested that were not implemented due to legacy system limitations.

Concrete examples: inability to integrate with modern e-commerce platforms (lost digital channel revenue), inability to provide real-time data to customers (loss of contracts with supply chain visibility requirements), inability to scale operations during seasonal peaks (lost revenue in high-demand periods), inability to integrate advanced analytics tools (management decisions based on incomplete data).

The cost of technical team turnover

Developers do not want to work on legacy systems. This is not caprice: it is rational. A developer working on 2005 WebForms is not building marketable skills. The result is higher than normal turnover, and every developer who leaves takes with them system knowledge documented nowhere.

The cost of replacing an experienced developer (recruiting, onboarding, time to reach productivity) is estimated between 30,000 and 60,000 euros per position. If the team maintaining the legacy system loses 2 developers per year on a team of 5, the annual turnover cost is 60,000-120,000 euros, without counting the risk of not finding replacements with the necessary expertise.

The cost of accumulated technical debt

Technical debt has an interest cost, exactly like financial debt. Every workaround, every undocumented quick fix, every unupdated component increases system complexity and reduces the speed at which the team can make future changes. This effect is exponential over time: a system with average technical debt requires twice the time for changes compared to a modern equivalent system; a system with high technical debt requires three times or more. This overhead has a direct cost on team productivity and on the time-to-market for new features.

How to calculate the real cost of your legacy software: the practical formula

Moving from theory to practice. Here is the formula for calculating the total cost of legacy software in your specific case, with the questions you need to ask your team to gather the necessary data.

Component 1: Annual direct costs (DC)

Sum of: cost of personnel dedicated to maintenance (annual hours x hourly rate, including external consultants), annual license costs (all software required for system operation), infrastructure costs (hardware, hosting, energy, backup), vendor support cost where applicable.

Data source: IT accounting, license contracts, consulting invoices. This should be the easiest data to gather.

Component 2: User inefficiency cost (IC)

Formula: IC = N_users x Hours_lost_per_day x Working_days x Average_hourly_rate.

To gather the "hours lost per day" data, the most reliable method is a structured survey of users, asking them to estimate the time devoted each day to: manual workarounds (things done by hand because the system does not do them), waits for slow processing, manual reconciliations between data from different systems, manual formatting of system output to make it usable. Honest user estimates typically reveal between 30 minutes and 2 hours per day of inefficiencies on dated legacy systems.

Component 3: Cost of uncaptured opportunities (OC)

This is the hardest data to quantify precisely, but also the one with the greatest impact. The method: have management list the top three things the business has requested in the past two years that the legacy system has not been able to support. For each, estimate the potential business value (additional revenue, operational cost reduction, customer churn reduction). Take the conservative value as the estimate.

Component 4: Risk cost (RC)

Formula: RC = (Annual_incident_probability x Average_incident_cost) + (Compliance_penalty_probability x Expected_average_penalty).

To estimate the probability of a security incident: consider the age of system dependencies, the presence of known unpatachable CVEs, the frequency of security updates applied in the last 3 years. For systems with pre-2015 unupdated dependencies, the annual probability of a significant incident is estimated at 15-25% (source: Clusit Report 2025).

The total cost and comparison with modernization

Total Annual Cost = DC + IC + OC + RC.

Compare this with the annualized cost of modernization: if modernization costs 300,000 euros over 2 years, the annualized cost is 150,000 euros. If the total legacy cost exceeds 150,000 euros, modernization pays for itself in the first year. If it is lower, modernization still pays for itself in 2-3 years thanks to post-modernization cost reduction.

The risk cost: security, compliance and GDPR

Security and compliance risk is the legacy cost component that management most tends to ignore, because it has not yet materialized. But it is also the component with the highest potential impact.

Unpatachable security vulnerabilities

Legacy systems have software dependencies (libraries, frameworks, commercial components, operating systems) that no longer receive security updates. This means vulnerabilities discovered after support ends remain open permanently, unless the system is migrated. In the CVE (Common Vulnerabilities and Exposures) database, documented vulnerabilities exist for .NET Framework 3.5, SQL Server 2008, Windows Server 2008, IIS 7: all technologies still in use in many legacy systems across Europe.

The consequences of exploiting these vulnerabilities can include: ransomware with complete operational shutdown (the average recovery cost for a medium-sized European company is estimated between 50,000 and 300,000 euros), data exfiltration with mandatory supervisory authority notification and potential GDPR fine, reputational damage with impact on customer and partner relationships. The cost of a serious incident almost always exceeds the cost of modernization.

Specific GDPR risks of legacy software

The GDPR requires specific capabilities that 2008-2012 legacy systems often lack: the right to erasure (ability to delete all data on a data subject upon request, completely and documentably), data portability (standard-format export of a data subject's data upon request), granular consent management (tracking what the data subject consented to, when and with which version of the privacy policy), and a complete audit trail of processing activities (who accessed which data, when and for what purpose).

A legacy system that does not support these functions is not just technically inadequate: it is potentially non-compliant with the GDPR, with the risk of fines that for medium-sized companies can reach hundreds of thousands of euros. European data protection authorities have shown increasing enforcement activity in recent years, with significant fines issued even against SMEs.

NIS2 risks: the directive many companies have not yet considered

The NIS2 directive, which entered into force in 2024, extends cybersecurity requirements to a much larger number of organizations than NIS1, including sectors like manufacturing, food distribution and digital services. Organizations subject to NIS2 must demonstrate they have adequate technical and organizational measures for the security of information systems, including legacy systems. A system with known and unpatachable vulnerabilities is, by definition, non-compliant with NIS2 requirements.

NIS2 sanctions for non-compliance can reach 2% of annual global turnover for "important" entities and 10 million euros in the most serious cases. More relevant for most companies: the directive provides for personal liability of senior executives (CEO, CTO) for documented security deficiencies.

When legacy software blocks company growth

The cost of legacy software is not just a maintenance and risk problem: it is a structural limit on company growth. This is the argument that resonates most with the CEO and board, because it connects an IT problem to a business problem.

The impossible integration trap

The 2026 market is an ecosystem of integrations. A company that wants to sell through marketplaces requires integrating its ERP with marketplace APIs. A company that wants to use advanced analytics tools requires real-time operational data export. A company that wants to implement a self-service customer portal requires APIs that the legacy system does not expose.

Legacy systems built in 2005-2012 were not designed for this integration ecosystem. They expose data via SQL stored procedures, CSV files or proprietary non-standard interfaces. Every integration requires expensive and fragile adaptation work, creating an additional complexity layer that increases the cost of every future integration.

The practical result: while competitors who have modernized can implement a new integration in 2-4 weeks, the company with the legacy system takes 3-6 months and pays 3-5 times more for the same result. Over time, this gap translates into strategic delay that is much harder to recover from than the cost of modernization.

The scalability block

Legacy systems are not designed to scale. When the business grows, transaction volume increases, user numbers increase, process complexity increases: the legacy system reacts by degrading performance. Typical responses are purchasing more powerful hardware (expensive with diminishing returns), database optimization (a workaround that works short-term), reducing active features to lighten the load. None of these responses solves the structural problem: the system is not architecturally scalable.

The cost of slow decision-making

Legacy systems produce data in formats that are difficult to analyze and often with delay. A sales manager who wants to know which customers have reduced orders in the last quarter may wait for someone to export the data, clean it in Excel and build a report: a process requiring hours or days, not seconds. Every management decision that depends on legacy data has a built-in delay. In markets where response speed is competitive, this delay has a real cost.

Modernize or replace: which approach is more cost-effective

Once it is established that the legacy system needs to be addressed, the next strategic question is: modernize the existing system or replace it with a commercial product or new custom solution? There is no universal answer, but there are clear criteria for making the right choice in your case.

When modernization makes more sense

Modernization (preserving business logic, updating the technology) is preferable when the system implements complex and specific business processes that do not exist in standard commercial products. If your system manages production logic, pricing or supply chain management that is unique to your industry or business model, that logic has value worth preserving. Rewriting it from scratch is expensive and risky: you can lose decades of tacit knowledge codified in the system.

Modernization is also preferable when the budget does not allow complete immediate replacement: the incremental approach (strangler fig) allows migrating piece by piece, keeping the system operational during the transition and distributing cost over time.

When replacement makes more sense

Replacement with a commercial product (ERP, CRM, vertical industry platform) makes sense when the legacy system implements standard processes that the commercial product adequately covers, when the accumulated technical debt is so high that modernization is more expensive than replacement, and when the commercial product offers functionality that the legacy system will never have (cloud ecosystem integration, mobile, advanced analytics).

Replacement, however, carries a high risk that is often underestimated: ERP implementation projects go over budget and over schedule in 60-70% of cases (source: Panorama Consulting ERP Report 2025). The cost of adapting business processes to the new product, the cost of data migration and the cost of user training are often higher than initial estimates.

The practical assessment: three questions to decide

Answering these three questions helps orient the choice: First, is the business logic implemented in the system standard or specific? If standard (basic order management, standard accounting, basic HR), a commercial product covers it adequately. If specific, modernization is preferable. Second, what is the actual technical debt? A technical assessment by an external team can quantify technical debt and estimate whether it is cheaper to modernize or start over. Third, does the budget allow complete replacement or require a gradual approach? If the budget is limited, incremental modernization is almost always the most prudent choice.

The business case for management: how to present it

Having the correct data is necessary but not sufficient. To obtain approval for a modernization investment, the business case must be presented in the language management understands: business impact, quantified risks, measurable ROI. Not "we need to update the technology": "the current system costs us X euros per year and this investment pays for itself in Y months."

Structure of a winning business case

Section 1: The current cost of the problem. Present the total legacy cost calculation with the four components (direct, inefficiencies, opportunities, risk). Show how the "IT maintenance" number in the budget represents only a fraction of the real cost. This is the most impactful moment in the presentation: management sees for the first time the total cost, not just the IT line item.

Section 2: The projection without intervention. Show how costs will grow in the next 3-5 years if nothing is done. Maintenance cost grows 5-10% annually (rarer developers, older dependencies, hardware to replace). Security risk increases (more vulnerabilities, fewer updates). Blocked business opportunities multiply. Project the cumulative cost over 5 years: the number becomes very compelling.

Section 3: The cost and modernization plan. Present the modernization cost estimate with clear methodology (where the numbers come from), 20% contingency included explicitly, realistic timeline with milestones, and project risk mitigation plan. Do not present an optimistic estimate: management that is surprised by overruns loses confidence in the project and the IT team.

Section 4: ROI per year. Calculate the return per year in the 5 years following completion: maintenance cost reduction, user inefficiency reduction, unlocked business opportunities, risk reduction (valued as expected avoided cost). Show the payback period: when the investment has paid for itself. For most real cases with dated legacy systems, payback is between 18 and 36 months.

Section 5: The risks of doing nothing. Do not let this section seem alarmist: present it with data. Documented cases of similar companies that suffered incidents on legacy systems (without names if confidential, but with real numbers). Probability estimate of an incident in the next 3 years based on verifiable technical factors. Concrete consequences: estimated operational downtime in hours/days, recovery cost, regulatory sanction risk.

The signals that your legacy software has reached the critical point

The "critical point" is the moment when the cost and risk of the legacy system exceed the threshold that makes intervention urgent. Not all legacy situations are equal: there are dated systems that cost money but are not urgent, and dated systems that represent an existential risk to the business. Identifying where your system stands is essential for calibrating the urgency of intervention.

Signals of urgent risk

The system has dependencies with known and unpatachable CVEs: documented vulnerabilities in the libraries or components used, for which no patch exists because the vendor has abandoned the product. The system is not compliant with current regulatory requirements (GDPR, NIS2): it does not support legally required functionality, and the company is exposed to concrete fines. The system has had at least one security incident in the last 24 months, even minor: this is a predictive signal of future, more serious incidents. The primary vendor or the team that developed the system is no longer available for support.

Signals of operational risk

Annual maintenance cost exceeds 20% of the original development cost. Time-to-market for new features has increased by more than 50% over the last three years. The technical team maintaining the system has experienced turnover exceeding 40% in the last year. The system cannot support the current operational volume satisfactorily (degraded performance, frequent errors, recurring extraordinary maintenance). The business has given up implementing at least 3 features requested in the last 18 months due to system limitations.

Signals of strategic blockage

The company cannot integrate the system with tools or platforms required by the business strategy (e-commerce, mobile, analytics, partner ecosystem). Competitors using modern systems are implementing features or integrations your system cannot support, and the gap is growing. The system cannot scale to support the expected business growth in the next 3 years without disproportionate infrastructure investments.

If your system shows even just two urgent signals or three operational signals, modernization is urgent. For more on the most effective modernization patterns, read also our article on legacy software modernization: approaches and costs and on the Blazor migration path for legacy .NET systems.

How much does modernization really cost (and why it costs less than waiting)

The question management always asks: "how much does modernization cost?" The honest answer is: it depends on system complexity. But there are verified ballpark figures from real projects that allow a reasonable rough estimate.

Ballpark figures for modernization

Small system (20-30 screens, few users, relatively simple logic): 150,000-300,000 euros, 6-12 months. Appropriate for departmental applications or secondary systems.

Medium system (50-100 screens, 30-100 users, moderately complex business logic): 300,000-700,000 euros, 12-24 months. Appropriate for departmental management systems or production applications.

Large system (100+ screens, 100+ users, critical and complex business logic): 700,000-2,000,000+ euros, 24-48 months. For mission-critical systems, custom ERPs or core business platforms.

Always add to these costs: 20% contingency for unforeseen issues, data migration cost (often underestimated, can be 10-20% of total cost on systems with complex historical data), user training cost, cost of the parallel run period (when both systems run simultaneously to validate functional parity).

The comparison that changes the decision

Take a modernization cost of 400,000 euros for a medium system. Amortize it over 5 years: 80,000 euros/year cost of modernization. Compare this with the total legacy cost calculated using the previous formula: if it is 300,000 euros/year (common for medium systems with 50+ users), modernization pays for itself in less than 2 years, and in the following 3 years produces a net saving of 220,000 euros/year. Over a 5-year horizon post-modernization, the net saving is 220,000 x 5 = 1,100,000 euros, against an investment of 400,000 euros.

This is the calculation management needs to see. Not "modernization costs 400,000 euros", but "not modernizing costs 1,100,000 euros more over the next 5 years compared to the cost of modernization."

The real cost of waiting

Every year of delay in modernization has three components of additional cost: the annual operational cost of the legacy (continuation of the current cost), the increase in future modernization cost (the system becomes more difficult and expensive to migrate each passing year), and the increase in incident risk (the probability of a security event grows with system age). For most dated legacy systems, the cost of waiting is higher than the cost of starting modernization immediately.

Conclusion: the legacy software cost you do not see is the one that sinks you

Legacy software has a cost that IT budgets never fully capture. Visible maintenance is real, but it is only the emerged part. The cost of user inefficiencies, blocked business opportunities, security and compliance risk: this is the submerged part that sinks companies when it materializes, often suddenly and expensively.

The framework presented in this article does not require sophisticated tools to apply. It requires discipline in gathering data (a user survey, a license review, a technical assessment of dependencies), honesty in valuing the often-ignored cost components, and the courage to present the complete picture to management without minimizing risks.

Modernizing legacy software is not an IT expense: it is an investment with a measurable ROI that is often higher than most alternative investments available. Management that understands this makes better decisions.

The starting point is always the same question: do you really know how much your legacy software costs you? Not the budget line item: the total cost. If you do not know, the first thing to do is calculate it. Only with that number in hand can the conversation about modernization happen on a real basis, not on perceptions.

Our modernization experts can guide you through a complete assessment of your legacy system cost and the construction of a concrete business case for modernization, with real numbers and a practical roadmap. Not a generic presentation: a specific analysis of your system, your team and your business context.