Most compliance regulations require organizations to be running supported versions of an operating system. If you are running Server 2003 without a support agreement from Microsoft, that means you are in breach of those regulations.
What breaching compliance regulations means depends on your jurisdiction and the type of data with which your organization works. It could be that your organization gets a fine. It could mean that your organization is blocked from doing business with financial institutions such as banks or payment card providers.
Many sysadmins and managers treat compliance regulations as a bit of a joke. It’s not as though they’ve ever heard of anyone having the Compliance Police turn up with their flashing chartreuse sirens and their solar-powered compliance pursuit vehicles.
Sysadmins who work for government organizations are a little more wary of compliance regulations. That’s because working in government can be a lot more like being a character in Terry Gilliam’s Brazil, and the bureaucrats in those sorts of dystopias are always on the lookout for rules that are being broken and coming up with interesting ways of punishing the rule breakers.
As there are so many organizations that are non-compliant in terms of running Server 2003, and the deadline for support passed so recently, many compliance auditors today are turning a blind eye or are giving organizations a slap on the wrist if they are caught running Server 2003. At some point in the not too distant future, when running into a computer running Server 2003 is a surprise rather than par for the course, these auditors are likely to come down a lot harder on this violation of the rules.