Early July is the natural time for the mid-year view: what did we get done in H1 2026, what is firmly coming in H2, and where is it worth reserving budget now? This article is a pragmatic stocktake from DATAZONE consulting practice — not a trend report, but a list of concrete dates and topics that will really occupy the second half.
EOL dates in view
Software and hardware EOLs are the most unyielding component of an IT roadmap — the dates stand, handling them is a matter of planning.
Exchange 2019 — already EOL
Important to repeat: Exchange Server 2019 reached the end of mainstream and extended support on 14 October 2025. Anyone still running Exchange 2019 on-prem (and in our consulting practice surprisingly many SMBs do) has been running without security updates for almost nine months. That is not “we will migrate when we can” — that is acute action required.
Options, ordered by frequency in our consulting practice:
- Migrate to Microsoft 365 — the classic Microsoft path. Calculate licence costs, clarify data sovereignty.
- Migrate to Exchange Server SE (Subscription Edition) — stays on-prem but subscription model with ongoing updates.
- Migrate to alternative mail platforms like mailcow, Kopano, Stalwart — open-source paths with notable cost reduction but migration effort.
Anyone who has not acted yet: our Exchange replacement article with ROI calculation is the starting point.
Windows Server 2016 — EOL October 2027
Windows Server 2016 (mainstream and extended) reaches the end of extended support on 12 January 2027. We have a dedicated migration article. That gives about 18 months — sounds like a lot, but with running hardware life cycles, app migrations and Proxmox/Hyper-V evaluations it is a tight deadline.
H2 2026 is the natural time for:
- Inventory: which workloads still run on 2016?
- Target platform decision: 2022, 2025 or Linux/containers?
- Hardware refresh planning if the 2016 hosts go EOL at the same time
- Pilot migration of a non-critical workload in Q3 2026, main migration in Q4 or H1 2027
CentOS Stream 9 — May 2027
CentOS Stream 9 reaches end of builds in May 2027. Anyone still running CentOS Stream 9 as a server base should make the target platform decision in 2026: RHEL, AlmaLinux, Rocky Linux, Oracle Linux or Debian/Ubuntu LTS. Migration tools are available; the strategic decision is the more relevant question.
Hardware EOL waves 2026
On the hardware side we see in consulting practice:
- Server generations 2018–2020 are entering the typical 5–7 year refresh window
- UPS batteries from 2019–2020 need a second battery replacement round in 2026
- Switches with 1 GbE backplane are increasingly the bottleneck — 100 GbE is the new 10 GbE is moving from data centre into SMB
- TrueNAS Mini X (old variant) is EOL, R30/R40 too — adjust hardware plans
NIS2 — transposition deadlines
NIS2 has to be implemented — the German NIS2UmsuCG entered into force in early 2026. Most mid-market companies are now in the concrete phase:
- Self-classification (essential or important entity?) should have been done by mid-2026
- Risk management process documented and operational
- Incident reporting process (24h early warning, 72h notification, 1 month final report) established
- Supplier security documented and in contracts
- Management training documented — the personal liability of management is new
- First audits are due in some sectors already in H2 2026
Anyone who has not started in H1 should now do the self-classification and start documentation. A full NIS2 implementation in three months is not realistic — but a documented plan with milestones is defensible.
CER Directive — coming now
The CER Directive (Critical Entities Resilience) is the physical resilience component alongside the cyber-focused NIS2. The German CER Transposition Act is in the legislative process as of July 2026; commencement is expected during H2 2026.
We have a dedicated article — in short: anyone operating in one of the eleven CER sectors (energy, transport, banking, financial market, health, drinking water, wastewater, digital infrastructure, public administration, space, food) and not very small should expect a classification as a critical entity.
H2 2026 preparation:
- Sectoral self-assessment
- All-hazards risk assessment (not only cyber)
- Document resilience plan
- Review backup power, water and supply-chain resilience
TrueNAS 26 GA — Q3 or Q4 2026
TrueNAS 26 Halfmoon is in Beta 2 as of July 2026 (17 June 2026). With the typical iX cadence we expect the GA release in late summer or early autumn, the Enterprise variant a few weeks later.
For H2 2026 this means:
- New installations in the first weeks of H2 start with TrueNAS 25.10 Goldeye, in-place update to 26 later
- Existing Enterprise installations wait for 26 Enterprise, no beta pressure
- Hardware refresh orders time-align with the GA window — the configurator will adjust as soon as iX release the final spec
Proxmox VE 9.x roadmap
Proxmox VE 9.0 has been in production since 2025. For H2 2026 we expect:
- Proxmox VE 9.2 or 9.3 as maintenance release
- Proxmox Backup Server 4.1 or higher (as of H1 2026 4.0/4.1 is released)
- Live migration and cluster features get incrementally better in every minor release
Anyone still on Proxmox VE 7.x or 8.x should plan migration to 9.x in H2 2026 — the 8.x line is in extended support, but 9.x gets the new features.
IT budget 2027 — plan now
An honestly strategic reality: budgets for 2027 are locked in many SMBs in Q3 2026. Anyone still negotiating big items in Q4 has poor cards.
Topics that must be evaluable for the 2027 budget planning now:
- Hardware refresh for the 2018–2020 server generation
- Licence waves: VMware vSphere renewal or migration to Proxmox; Microsoft 365 vs. on-prem; Exchange SE or alternative
- Backup infrastructure: do we need more capacity, a second offsite target, immutable layer?
- NIS2/CER compliance: how much external consulting, how much internal training?
- Cyber insurance: premiums keep rising, requirements on security level too
- Cloud vs. on-prem evaluation — see cloud repatriation
Summer patch waves
July and August Patch Tuesdays are historically often large — the combination of “remainder before summer break” and “fast-flowing CVE fixes” produces big update packages. Expected:
- Microsoft Patch Tuesdays July/August: typically 50–100 CVEs
- Linux kernel LTS updates with collected security fixes
- OPNsense summer release (typically July with OPNsense 26.7 or similar)
- Browser updates with zero-day fixes
Patch strategy for H2 2026: do not freeze, but prioritise. High-CVSS security patches go in, feature patches are delayed.
GDPR state of the art — periodic review
“State of the art” is not a state but a moving line. What was state of the art in 2023 is not automatically sufficient in 2026. Concretely for H2 2026:
- Password policy: are passkeys or MFA everywhere they make sense?
- Encryption at rest: are critical datasets encrypted with key management?
- Logging and monitoring: who did what when — auditable?
- Backup resilience: immutable layer active? Test restore documented?
- Supplier assessment: are the sub-processors current?
The annual GDPR state-of-the-art review is a routine item often hidden behind compliance duties — but in incidents it is exactly this documentation that the supervisory authority wants to see.
H2 2026 checklist
A 12-point take-away checklist:
- Exchange 2019 migration plan updated or executed
- Windows Server 2016 inventory completed, migration plan documented
- CentOS Stream 9 target platform decision made
- NIS2 self-classification done and documented
- NIS2 incident reporting process practised (at least tabletop)
- CER sector assessment done (if relevant)
- TrueNAS upgrade path to 26 aligned with hardware refresh
- Proxmox 9.x migration plan for older hosts
- IT budget 2027 — hardware, licences, compliance, cyber insurance
- Backup test in the last quarter current and successful
- GDPR state-of-the-art review current
- Patch Tuesday routine for H2 defined
DATAZONE recommendation
H2 2026 will not be a quiet half-year — the combination of compliance waves, EOL dates and real hardware refresh load creates many parallel topics. Anyone who builds a sorted H2 roadmap now goes through more relaxed.
Three pragmatic priorities we recommend from consulting practice:
- Close the Exchange 2019 risk — anyone who has not migrated has acute action to take
- Bring NIS2 documentation up to date — audits are coming, documentation must be defensible
- Coordinate hardware refresh and TrueNAS 26 GA window — time orders now so both fit
We at DATAZONE offer H2 strategy workshops — one day internal, stocktake, prioritisation, documented plan. Anyone who wants to push through the half-year without emergency brakes profits more from this than from another tool.
Sources and further reading
- NIS2 obligations for SMB
- CER Directive resilience for SMB
- Windows Server 2016 end of life migration
- TrueNAS 26 Beta 2 status
- Cloud repatriation for SMB
Anyone preparing the H2 strategy talk: please book a meeting — we bring the checklist.
More articles
TrueNAS HA: When Is the Dual Controller Worth It?
Dual-controller high availability on TrueNAS is non-trivial — neither in price nor in concept. When HA really pays off, what it does not solve, and when two single-controller systems are the better choice.
Cyber Insurance 2026: What Insurers Demand from SMBs
Insurers in 2026 demand increasingly detailed minimum standards — MFA everywhere, documented patch management, EDR, immutable backups, training, incident response plan, segmentation. What is on the pre-contract questionnaire and what gets checked in a claim.
Backup Encryption: Key Management Done Right
Encrypted backups are useless if key management is sloppy. Symmetric vs. asymmetric, vault options, rotation, recovery scenarios and the tool-level practice for PBS, Restic and TrueNAS.