diff --git a/pkg/controller/operatingsystemconfig/actuator.go b/pkg/controller/operatingsystemconfig/actuator.go
index d0776c01..0155f1ec 100644
--- a/pkg/controller/operatingsystemconfig/actuator.go
+++ b/pkg/controller/operatingsystemconfig/actuator.go
@@ -98,9 +98,12 @@ if [ ! -s /etc/containerd/config.toml ]; then
 fi
 mkdir -p /etc/systemd/system/containerd.service.d
 cat <<EOF > /etc/systemd/system/containerd.service.d/11-exec_config.conf
+# TODO(MichaelEischer): remove this file once all flatcar versions that use torcx,
+# that is before 3815.2.0, have run out of support
 [Service]
 ExecStart=
-ExecStart=/bin/bash -c 'PATH="/run/torcx/unpack/docker/bin:$PATH" /run/torcx/unpack/docker/bin/containerd --config /etc/containerd/config.toml'
+# try to use containerd provided via torcx, but also falls back to /usr/bin/containerd provided via systemd-sysext
+ExecStart=/bin/bash -c 'PATH="/run/torcx/unpack/docker/bin:$PATH" containerd --config /etc/containerd/config.toml'
 EOF
 chmod 0644 /etc/systemd/system/containerd.service.d/11-exec_config.conf
 ` + writeFilesToDiskScript + `
diff --git a/pkg/controller/operatingsystemconfig/actuator_test.go b/pkg/controller/operatingsystemconfig/actuator_test.go
index 9c308eae..c8660cff 100644
--- a/pkg/controller/operatingsystemconfig/actuator_test.go
+++ b/pkg/controller/operatingsystemconfig/actuator_test.go
@@ -65,9 +65,12 @@ if [ ! -s /etc/containerd/config.toml ]; then
 fi
 mkdir -p /etc/systemd/system/containerd.service.d
 cat <<EOF > /etc/systemd/system/containerd.service.d/11-exec_config.conf
+# TODO(MichaelEischer): remove this file once all flatcar versions that use torcx,
+# that is before 3815.2.0, have run out of support
 [Service]
 ExecStart=
-ExecStart=/bin/bash -c 'PATH="/run/torcx/unpack/docker/bin:$PATH" /run/torcx/unpack/docker/bin/containerd --config /etc/containerd/config.toml'
+# try to use containerd provided via torcx, but also falls back to /usr/bin/containerd provided via systemd-sysext
+ExecStart=/bin/bash -c 'PATH="/run/torcx/unpack/docker/bin:$PATH" containerd --config /etc/containerd/config.toml'
 EOF
 chmod 0644 /etc/systemd/system/containerd.service.d/11-exec_config.conf
 
@@ -87,10 +90,18 @@ CONTAINERD_CONFIG=/etc/containerd/config.toml
 
 ALTERNATE_LOGROTATE_PATH="/usr/bin/logrotate"
 
+# prefer containerd from torcx
+# TODO(MichaelEischer): remove this special case once all flatcar versions that use torcx,
+# that is before 3815.2.0, have run out of support
+CONTAINERD="/usr/bin/containerd"
+if [ -x /run/torcx/unpack/docker/bin/containerd ]; then
+    CONTAINERD="/run/torcx/unpack/docker/bin/containerd"
+fi
+
 # initialize default containerd config if does not exist
 if [ ! -s "$CONTAINERD_CONFIG" ]; then
-    mkdir -p /etc/containerd/
-    /run/torcx/unpack/docker/bin/containerd config default > "$CONTAINERD_CONFIG"
+    mkdir -p "$(dirname "$CONTAINERD_CONFIG")"
+    ${CONTAINERD} config default > "$CONTAINERD_CONFIG"
     chmod 0644 "$CONTAINERD_CONFIG"
 fi
 
@@ -99,6 +110,8 @@ if [[ -e /sys/fs/cgroup/cgroup.controllers ]]; then
     sed -i "s/SystemdCgroup *= *false/SystemdCgroup = true/" "$CONTAINERD_CONFIG"
 fi
 
+# TODO(MichaelEischer): remove this block once all flatcar versions that use torcx,
+# that is before 3815.2.0, have run out of support
 # provide kubelet with access to the containerd binaries in /run/torcx/unpack/docker/bin
 if [ ! -s /etc/systemd/system/kubelet.service.d/environment.conf ]; then
     mkdir -p /etc/systemd/system/kubelet.service.d/
diff --git a/pkg/controller/operatingsystemconfig/coreos_reconcile.go b/pkg/controller/operatingsystemconfig/coreos_reconcile.go
index 19c3b125..05b10862 100644
--- a/pkg/controller/operatingsystemconfig/coreos_reconcile.go
+++ b/pkg/controller/operatingsystemconfig/coreos_reconcile.go
@@ -161,10 +161,13 @@ WantedBy=containerd.service kubelet.service
 			coreos.File{
 				Path:               "/etc/systemd/system/containerd.service.d/11-exec_config.conf",
 				RawFilePermissions: "0644",
-				Content: `[Service]
+				Content: `# TODO(MichaelEischer): remove this file once all flatcar versions that use torcx,
+# that is before 3815.2.0, have run out of support
+[Service]
 SyslogIdentifier=containerd
 ExecStart=
-ExecStart=/bin/bash -c 'PATH="/run/torcx/unpack/docker/bin:$PATH" /run/torcx/unpack/docker/bin/containerd --config /etc/containerd/config.toml'
+# try to use containerd provided via torcx, but also falls back to /usr/bin/containerd provided via systemd-sysext
+ExecStart=/bin/bash -c 'PATH="/run/torcx/unpack/docker/bin:$PATH" containerd --config /etc/containerd/config.toml'
 `,
 			},
 			coreos.File{
diff --git a/pkg/controller/operatingsystemconfig/coreos_reconcile_test.go b/pkg/controller/operatingsystemconfig/coreos_reconcile_test.go
index 0f58ff71..d1551877 100644
--- a/pkg/controller/operatingsystemconfig/coreos_reconcile_test.go
+++ b/pkg/controller/operatingsystemconfig/coreos_reconcile_test.go
@@ -127,10 +127,13 @@ var _ = Describe("CloudConfig", func() {
 
 			expectedFiles := `write_files:
 - content: |
+    # TODO(MichaelEischer): remove this file once all flatcar versions that use torcx,
+    # that is before 3815.2.0, have run out of support
     [Service]
     SyslogIdentifier=containerd
     ExecStart=
-    ExecStart=/bin/bash -c 'PATH="/run/torcx/unpack/docker/bin:$PATH" /run/torcx/unpack/docker/bin/containerd --config /etc/containerd/config.toml'
+    # try to use containerd provided via torcx, but also falls back to /usr/bin/containerd provided via systemd-sysext
+    ExecStart=/bin/bash -c 'PATH="/run/torcx/unpack/docker/bin:$PATH" containerd --config /etc/containerd/config.toml'
   path: /etc/systemd/system/containerd.service.d/11-exec_config.conf
   permissions: "0644"
 - content: |
@@ -140,10 +143,18 @@ var _ = Describe("CloudConfig", func() {
 
     ALTERNATE_LOGROTATE_PATH="/usr/bin/logrotate"
 
+    # prefer containerd from torcx
+    # TODO(MichaelEischer): remove this special case once all flatcar versions that use torcx,
+    # that is before 3815.2.0, have run out of support
+    CONTAINERD="/usr/bin/containerd"
+    if [ -x /run/torcx/unpack/docker/bin/containerd ]; then
+        CONTAINERD="/run/torcx/unpack/docker/bin/containerd"
+    fi
+
     # initialize default containerd config if does not exist
     if [ ! -s "$CONTAINERD_CONFIG" ]; then
-        mkdir -p /etc/containerd/
-        /run/torcx/unpack/docker/bin/containerd config default > "$CONTAINERD_CONFIG"
+        mkdir -p "$(dirname "$CONTAINERD_CONFIG")"
+        ${CONTAINERD} config default > "$CONTAINERD_CONFIG"
         chmod 0644 "$CONTAINERD_CONFIG"
     fi
 
@@ -152,6 +163,8 @@ var _ = Describe("CloudConfig", func() {
         sed -i "s/SystemdCgroup *= *false/SystemdCgroup = true/" "$CONTAINERD_CONFIG"
     fi
 
+    # TODO(MichaelEischer): remove this block once all flatcar versions that use torcx,
+    # that is before 3815.2.0, have run out of support
     # provide kubelet with access to the containerd binaries in /run/torcx/unpack/docker/bin
     if [ ! -s /etc/systemd/system/kubelet.service.d/environment.conf ]; then
         mkdir -p /etc/systemd/system/kubelet.service.d/
diff --git a/pkg/controller/operatingsystemconfig/templates/containerd/run-command.sh.tpl b/pkg/controller/operatingsystemconfig/templates/containerd/run-command.sh.tpl
index 374b1435..ada39af4 100644
--- a/pkg/controller/operatingsystemconfig/templates/containerd/run-command.sh.tpl
+++ b/pkg/controller/operatingsystemconfig/templates/containerd/run-command.sh.tpl
@@ -4,10 +4,18 @@ CONTAINERD_CONFIG=/etc/containerd/config.toml
 
 ALTERNATE_LOGROTATE_PATH="/usr/bin/logrotate"
 
+# prefer containerd from torcx
+# TODO(MichaelEischer): remove this special case once all flatcar versions that use torcx,
+# that is before 3815.2.0, have run out of support
+CONTAINERD="/usr/bin/containerd"
+if [ -x /run/torcx/unpack/docker/bin/containerd ]; then
+    CONTAINERD="/run/torcx/unpack/docker/bin/containerd"
+fi
+
 # initialize default containerd config if does not exist
 if [ ! -s "$CONTAINERD_CONFIG" ]; then
-    mkdir -p /etc/containerd/
-    /run/torcx/unpack/docker/bin/containerd config default > "$CONTAINERD_CONFIG"
+    mkdir -p "$(dirname "$CONTAINERD_CONFIG")"
+    ${CONTAINERD} config default > "$CONTAINERD_CONFIG"
     chmod 0644 "$CONTAINERD_CONFIG"
 fi
 
@@ -16,6 +24,8 @@ if [[ -e /sys/fs/cgroup/cgroup.controllers ]]; then
     sed -i "s/SystemdCgroup *= *false/SystemdCgroup = true/" "$CONTAINERD_CONFIG"
 fi
 
+# TODO(MichaelEischer): remove this block once all flatcar versions that use torcx,
+# that is before 3815.2.0, have run out of support
 # provide kubelet with access to the containerd binaries in /run/torcx/unpack/docker/bin
 if [ ! -s /etc/systemd/system/kubelet.service.d/environment.conf ]; then
     mkdir -p /etc/systemd/system/kubelet.service.d/