Does current EU IT security regulation provide a death blow to perpetual licenses?

Regulators rarely set out to reshape software business models—but that may be exactly what EU cybersecurity law is doing.

Many customers traditionally preferred to own their software in order to keep software providers at arm's length. A perpetual license avoided price increases and gave CFOs predictability. On-premises provision provided control. In a sense, perpetual licenses were a statement of independence.

That preference began to erode well before any regulator got involved. The rise of software delivered from centralised data centres (the so-called "cloud") made the subscription model not just commercially attractive for vendors but regularly the only viable option—you cannot buy a perpetual license or any other form of ownership of something that runs entirely on someone else's infrastructure. Even so, a meaningful market for perpetual licenses persisted, particularly in enterprise on-premises deployments. The question now is whether a new wave of IT security regulation will finish what the cloud started.

Regulation is raising the stakes for software makers

As cybersecurity threats have grown in sophistication and scale, EU regulators have moved to impose more demanding obligations on software and technology vendors. They have come to think of software both as a product and as part of important societal infrastructure. Most notably, regulation now expressly does not stop at the software sale. Obligations extend well beyond the moment a product is placed on the market.

Under the Cyber Resilience Act, vendors are required to monitor their products for security vulnerabilities on an ongoing basis (cf. Art. 13 para. 8 CRA), to remediate those vulnerabilities and to provide fixes to customers for the expected lifetime of the product (with a minimum of five years). Furthermore, the Act introduces an obligation to report actively exploited vulnerabilities to the authorities (cf. Art. 14 CRA). These are not one-off compliance exercises. They are continuous operational obligations that generate recurring workload — and, consequently, recurring cost — for software producers, in the case of perpetual licenses long after a customer has paid their license fee.

While market demand and brand and reputation management already drove software producers to update their software, the CRA creates broader obligations that were previously only part of (recurring-fee) software maintenance packages. One might even consider it a fundamental shift in approach. Where parts of security were once still considered reactive—fix it if something breaks—the current situation clearly requires a proactive approach. A vendor selling a perpetual license without maintenance will in future, in effect, be signing up for an open-ended support and monitoring commitment with no guaranteed future revenue stream to fund it. That is a difficult business case to sustain.

The commercial logic favours subscriptions

It does not take long to see where this leads. If a software producer faces ongoing regulatory obligations tied to products in active use, they have a strong incentive to ensure that active use generates active revenue. That's where subscription models come in: the customer pays as long as they use the product, and the vendor has the financial basis to meet their compliance obligations throughout that period.

There are carve-outs in most regulatory frameworks: open source software in non-commercial contexts, military applications, and certain products subject to specific regimes, for example, are typically treated differently. But these exceptions affect the margins of the market, not its centre of gravity. For the broad commercial software market, the direction of travel is clear.

The practical consequence is that vendors will increasingly look to hand off ongoing responsibilities to customers. Or, more precisely, to price those responsibilities into recurring contracts. I expect that perpetual licenses, with their implicit promise of indefinite use for a fixed fee, will become harder to offer profitably.

What this means for customers

Buyers of software will need to adjust their expectations. The case for perpetual licenses was always partly about cost control and partly about independence. For the software developer, both seem untenable in an environment of ongoing maintenance and support. For the customer, both arguments weaken in an environment of ever-increasing cyber threats. Software can no longer be maintenance-free.

On the cost side, subscription models do offer one genuine advantage: they defer expenditure and smooth it over time, which has real cash flow benefits. For finance teams managing liquidity and optimising expenditure, that is significant. The likely trade-off, however, is that total cost of ownership over a multi-year period will increase. Vendors will price regulatory compliance into their recurring fees, and customers will pay for it—just in instalments rather than upfront.

To the customer, the regulation brings some benefit. IT security requirements are no longer merely a matter of contract; the customer can now point to legal requirements. Where software is licensed rather than procured "as a service", customers should still identify their procedural and security needs and include them in their contract. Regulation provides an argument that vendors will find difficult to reject.

On the independence side, the picture is more sobering. Tighter ongoing relationships with vendors, driven by security and compliance obligations, mean deeper dependencies. Note that compliance requirements also abound on the customer side. The EU NIS2 directive and its national implementations subject many industries to registration and cybersecurity obligations, including critical infrastructure but also many manufacturing sectors. The customer who once valued a perpetual license precisely because it reduced vendor lock-in may find that the regulatory environment has made lock-in, in some form, almost unavoidable.

Takeaway

The shift toward subscription-based software licensing has been underway for years, driven first by commercial innovation and then by the economics of cloud delivery. Regulation is now adding structural momentum to that trend. As the obligations placed on software vendors extend further into the product lifecycle, the business case for perpetual licensing erodes—not because vendors are necessarily being opportunistic, but because the economics of continuous compliance do not fit a one-time payment model.

As a software producer, you should consider moving to subscription models if you have not done so yet. I expect that more and more of the industry will shift the revenue model that way in the coming years, with regulation serving both as an accelerant and as a ready-made argument to present to customers still hesitant about the transition. Plan for a phase of selling perpetual licenses and subscriptions in parallel. Create a transition package for customers that helps them understand both their compliance requirements (e.g. under NIS2, GDPR or contractual obligations) and how your subscription approach and corresponding services help them meet these challenges.

As a customer, if you have until now relied on perpetual licenses, you should brace for change. Plan for higher overall expenditure and a closer, increasingly unavoidable dependency on your software provider. On the upside, you may benefit from smoother payment schedules. Internally, regulation increases the burden of demonstrating solid IT security, so you should allocate a clear budget and incorporate security requirements into your purchasing process. If you have already done so, it may be wise to revisit those requirements to establish whether any changes are needed in view of recent regulatory developments. Overall, regulatory changes and their effect on vendors will provide valuable input to your own security measures.

If your organisation both produces and procures software—as many technology-driven businesses do—the considerations above apply in parallel, and the regulatory pressure is even stronger.