OpenSource Risk Experts
Map your blast radius

CASE STUDY / ANONYMISED COMPOSITE

Manufacturer quantifies AGPL exposure before a deal

In this case study, an industrial manufacturer preparing for acquisition needed to quantify its AGPL exposure before a deal could close on confident terms. We mapped where GNU AGPL-licensed components ran across its product software and connected services, sized the copyleft obligations, and gave both sides a number they could price. The account below is an anonymised composite.

Situation

The company was a mid-sized industrial manufacturer in Europe with a growing software side. Its machines shipped with embedded control software, and a newer line of connected services let customers monitor equipment over the internet. A strategic acquirer had entered exclusive talks. As diligence began, the acquirer's technical team asked a question the manufacturer could not answer with confidence: what open source licenses governed the software being acquired, and did any of them carry obligations that would survive the deal?

The exposure that triggered the work

The concern centered on the GNU AGPL, a strong copyleft license. Unlike most licenses, the AGPL extends its source disclosure condition to software made available over a network, not only to software that is distributed. The manufacturer's connected services offered functionality to customers over the internet. If an AGPL-licensed component sat inside that path, the obligation to make corresponding source available could attach, and an acquirer inheriting the software would inherit the obligation. No one had mapped whether that was the case. Undisclosed, the exposure could surface after closing, when remediation is most expensive and least welcome.

Approach

We ran a focused exposure review under tight diligence timelines. First, we built a complete dependency tree across the embedded software and the connected services, direct and transitive, and recorded the license state of each node. Second, we isolated every GNU AGPL-licensed component and traced exactly how it was used: linked into a product, called as a separate service, or sitting unused in a repository. The distinction matters, because how a component is deployed shapes whether the network provision applies. Third, for each component that sat in or near the network path, we sized two numbers the parties needed: the cost of compliance if the obligation applied, and the cost to remove or replace the component. We worked from the buyer side and kept the findings confidential to the manufacturer and its counsel.
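The first two steps of this review, as an added sketch that is not the firm's own tooling: it walks a dependency graph from each deployable root, records how every AGPL component is reached, and buckets it by where it runs. All component names, licenses, deployments and bucket labels are constructed assumptions, and the buckets mark what to review, not whether an obligation applies.

```python
from collections import deque

# Constructed inventory: component -> SPDX license id (all names hypothetical).
LICENSES = {
    "monitor-api": "Proprietary", "firmware": "Proprietary",
    "build-dash": "Proprietary", "http-kit": "MIT", "crc-lib": "BSD-3-Clause",
    "report-gen": "AGPL-3.0-only", "tsdb": "AGPL-3.0-or-later",
    "ci-viewer": "AGPL-3.0-only", "old-poc": "AGPL-3.0-only",
}
# Edges: parent -> [(child, how the parent uses the child)].
DEPS = {
    "monitor-api": [("http-kit", "linked"), ("tsdb", "service")],
    "http-kit": [("report-gen", "linked")],
    "firmware": [("crc-lib", "linked")],
    "build-dash": [("ci-viewer", "linked")],
}
# Deployable roots and where each one runs.
ROOTS = {"monitor-api": "network", "firmware": "embedded", "build-dash": "internal"}
# Review priority when a component is reachable from several roots.
PRIORITY = ["network", "embedded", "internal"]

def trace(root):
    """Breadth-first walk yielding (component, usage, path) per dependency."""
    seen, queue = {root}, deque([(root, [root])])
    while queue:
        node, path = queue.popleft()
        for child, usage in DEPS.get(node, []):
            if child not in seen:
                seen.add(child)
                yield child, usage, path + [child]
                queue.append((child, path + [child]))

def agpl_map():
    """For every AGPL component, list each root that reaches it and how."""
    findings = {c: [] for c, lic in LICENSES.items() if lic.startswith("AGPL-")}
    for root, deployment in ROOTS.items():
        for comp, usage, path in trace(root):
            if comp in findings:
                findings[comp].append({"deployment": deployment,
                                       "usage": usage, "path": " > ".join(path)})
    return findings

def triage(findings):
    """Bucket each AGPL component by its most exposed deployment."""
    buckets = {}
    for comp, hits in findings.items():
        seen = {h["deployment"] for h in hits}
        buckets[comp] = next((d for d in PRIORITY if d in seen), "unused")
    return buckets

if __name__ == "__main__":
    for comp, bucket in triage(agpl_map()).items():
        print(f"{comp:12} {bucket}")
```

The recorded path is what makes a transitive hit actionable: it names the direct dependency that pulls the AGPL component in, which is where a replacement or removal would be scoped.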

Outcome

The review found that most of the AGPL usage was confined to internal tooling that never touched the customer-facing network path, which sharply narrowed the real exposure. Two components, however, did sit in the connected services path and needed attention. For one, a permissively licensed replacement existed and the migration was scoped at a modest engineering cost. For the other, the manufacturer chose to keep the component and prepare a compliant source offer with its counsel. With the exposure mapped and quantified, the manufacturer entered the rest of diligence with a defensible position rather than an open question. The acquirer priced the contained risk into the deal rather than discounting against an unknown, and the transaction proceeded without the open source issue becoming a late-stage obstacle. The exposure that the parties had feared might be large turned out, once quantified, to be bounded and addressable.

Lessons for buyers

Three lessons carry beyond this engagement. The first is that AGPL exposure is about deployment, not just presence. The same component can be harmless in internal tooling and material in a network-facing service, so the map has to capture how each piece is used. The second is that quantifying exposure beats discovering it. A bounded number lets a deal price the risk, while an unknown invites a worst-case discount or a stalled negotiation. The third is timing. The cheapest moment to find AGPL exposure is during diligence, while there is still room to remediate, replace, or price. The most expensive moment is after closing. For more on this pattern, see our pillar on relicensing exposure and our piece on what a source available license means.

CONTAINMENT

Facing a deal with open source in the stack?

A confidential open source license risk assessment maps and sizes your exposure before it reaches the negotiating table. Independent, buyer side, paid only by you. See our open source license risk services or talk to us directly.

COMMON QUESTIONS

Questions buyers ask.

What did this AGPL exposure case study involve?

An industrial manufacturer preparing for acquisition needed to quantify its AGPL exposure before a deal. We mapped where GNU AGPL-licensed components ran across its product software and connected services, then sized the copyleft obligations so the parties could price the risk.

Why is the AGPL a concern in an acquisition?

The GNU AGPL is a strong copyleft license. Its network use provision can trigger source disclosure obligations when software is offered over a network, not only when it is distributed. In a deal, undisclosed AGPL use can change valuation, so a buyer wants it surfaced and quantified during diligence.

Is this a real named company?

No. This is an anonymised composite drawn from common engagement patterns. It uses an industry, a scale, and a specific exposure to illustrate the work, with no named parties or logos.

Is this legal advice?

No. This is commercial and licensing risk advisory, not legal advice. For interpretation of AGPL obligations and compliance, engage your own counsel.