End of support for Microsoft Exchange Server 2016 and 2019: How businesses can take sovereign action now

Two businessmen brainstorm over an iPad

What do the end of support for Microsoft Exchange Server 2016 and 2019 and the Hafnium hack of 2021 have in common? Both dramatically demonstrate how crucial security updates are for business communications. When the hacker group known as "Hafnium" exploited critical security vulnerabilities in Exchange servers in March 2021, IT departments worldwide went on high alert. The attackers were able to read e-mails, install malware, and establish themselves in their victims' networks. Even the German Federal Office for Information Security (BSI) raised the alarm: more than 20,000 servers in Germany alone were affected. The only salvation: an emergency security update provided by Microsoft.

This dramatic episode illustrates the vital importance of regular updates for business-critical systems. Yet these essential updates will soon be discontinued for many businesses.

Microsoft pushing for cloud migration

On 14th October 2025, Microsoft will end support for Exchange Server 2016 and 2019. This means the end of security updates, bug fixes, and technical support for these widely used e-mail server solutions, which will result in e-mail blocking for numerous businesses. This development is part of Microsoft's long-term strategy to move customers to the cloud. For many businesses, this means a critical decision between various migration options – and potentially even against their data sovereignty.

Why businesses still rely on Microsoft Exchange 2016/2019

Microsoft Exchange Server is an on-premises solution for e-mail, calendar, and collaboration that serves as a central communication platform in businesses and is independent of the cloud. Versions 2016 and 2019 follow Microsoft's "Fixed Lifecycle Policy", with a support period of 10 years, comprising 5 years of mainstream support and 5 years of extended support.

Despite the trend towards cloud solutions, numerous businesses still use the on-premises versions. The reasons for this are diverse: data sovereignty and compliance play a central role, particularly in regions with strict data protection laws such as the EU, where businesses are legally obliged to ensure complete control over their data. From an economic perspective, maintaining existing on-premises systems can be more cost-effective than migrating to subscription-based cloud services, especially when investments have already been made in hardware running the service.

E-mail blocking and other critical consequences

With the end of support for Exchange Server 2016 and 2019, businesses face several challenges: Particularly critical is the announced e-mail blocking by Exchange Online. After the deadline, Microsoft will block e-mails from unsupported Exchange versions. This means that affected businesses will no longer be able to send e-mails to partners using newer Exchange Online services – regardless of their own server configuration. The communication capability of many businesses is thus fundamentally at risk.

At the same time, security risks increase due to missing updates, making Exchange servers attractive targets for attacks. On the other hand, migration to the Microsoft Cloud creates significant GDPR compliance risks: business data stored on Microsoft servers is subject to the US CLOUD Act. This directly conflicts with European data protection requirements and could also be overturned by the European Court of Justice in the near future.

Three paths, one sovereign choice

Businesses essentially have three options to respond to the end of support:

  • Migration to Exchange Online (Microsoft 365): Offers continuous updates and integration with other Microsoft 365 services, but comes with limited control over data.
  • Upgrade to Exchange Server Subscription Edition (SE): Available from Q3 2025, allows maintaining the on-premises infrastructure with relatively simple upgrades for Exchange 2019 users, but may lead to vendor lock-in.
  • Switch to a data sovereign alternative such as mailbox.org: Ensures complete data sovereignty and GDPR compliance without dependence on the Microsoft ecosystem, with free migration of existing data and complete independence in the choice of IT solutions.

Why choose an independent e-mail provider?

In times of growing concerns regarding data protection and digital sovereignty, independent e-mail providers like mailbox.org offer decisive advantages over remaining in the Microsoft ecosystem.

Unlike Microsoft Exchange Online, where data can be stored in global data centres, mailbox.org guarantees data storage in Germany under the strict data protection standards of the EU and German law – a crucial advantage for businesses with sensitive information or special compliance requirements. While Microsoft, as a US company, is subject to the CLOUD Act, which can allow US authorities access to data, mailbox.org exclusively follows European data protection standards with encryption of data as a central element of its business model.

Looming vendor lock-in: The alternative

The transition to Microsoft Exchange Online or the new Exchange Server Subscription Edition (SE) leads to increasing dependence on the Microsoft platform. With the progressive integration of all Microsoft services, it becomes increasingly difficult for businesses to replace individual components or to flexibly design their IT infrastructure – a classic vendor lock-in threatens.

A switch to mailbox.org, on the other hand, offers genuine independence in the choice of IT solutions. The open standards and interfaces allow connection to or switching to other systems at any time. Business customers also receive personal and competent support that caters to their individual needs and assists with the free migration.

Conclusion and outlook

The end of support for Exchange Server 2016 and 2019 marks a turning point in business communication and represents a strategic moment for IT decisions. While Microsoft is forcing cloud migration, a window of opportunity for fundamental reorientations is simultaneously opening. The future should increasingly belong to decentralised, data sovereign IT solutions that guarantee both security and independence.

Businesses that now rely on platforms like mailbox.org are positioning themselves not only for short-term security against the looming e-mail blockade but also for the long term in a world where data protection and digital self-determination are becoming increasingly important.

About Microsoft Exchange

Microsoft Exchange has been the backbone of business communication worldwide since the 1990s. As a central platform for e-mail, calendar, and collaboration, it enables the management of communication across various devices. Microsoft Exchange Server is the classic, locally (on-premises) installed software that is operated in one's own IT infrastructure. Businesses that use Exchange Server manage the hardware, updates, and security themselves.

Microsoft's strategy has fundamentally changed: the focus today is on the cloud-based Exchange Online version as part of Microsoft 365 and a subscription business model. The Exchange Server Subscription Edition, releasing in 2025, serves as an intermediate step for businesses that do not yet want to fully switch to the cloud. This development is part of a larger trend at Microsoft to offer all services as Software-as-a-Service – a challenge for businesses with special requirements for data sovereignty.

Businessman working on a laptop in front of the European Commission building with several EU flags in the background

Digital sovereignty in uncertain times

European companies must act now!

Learn more about the US CLOUD Act in our blog

 

 

  • zurück
  • nach Oben