OpenSource Risk Experts
Map your blast radius


Open source in M&A and compliance FAQ.

This open source in M&A and compliance FAQ gives plain answers to the questions deal teams ask most: what open source risk in a transaction is, when diligence should happen, how a relicense changes valuation, and how copyleft obligations carry across a sale. Read it as an orientation, then follow the links into the detail.

Open source in M&A and compliance sits at the meeting point of two disciplines. The deal team wants to know what it is buying and what the exposure is worth. The compliance function wants to know whether the obligations attached to the software are being met. Both questions run through the same dependency tree. This FAQ answers the questions that come up first when a buyer or counsel scopes the work, with each answer pointing to where the detail lives. The thread running through all of them is timing. The open source exposure in a target is far cheaper to handle before the price is set than after the warranties are tested.

What open source risk in M&A actually is

Open source risk in M&A is the exposure carried by the open source inside a target's software. A target may depend on components that have moved, or could move, to source available terms, or that carry copyleft obligations the seller has not satisfied. If that exposure is not found during diligence, it transfers to the buyer at closing, where it changes the real cost of the deal long after the price was set. The relicensing wave made this concrete. A target built on Elasticsearch, which moved to the Server Side Public License in 2021, on Redis, which moved to a source available model as of March 2024, or on Terraform, which moved to the Business Source License as of August 2023, can carry a commercial license demand or a forced migration that the model never accounted for. The structure for finding it is the open source due diligence checklist.
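One way to map the dependency tree that both questions run through, as an added example that is not the firm's own tooling: it walks a constructed tree, flags components on the source available and copyleft terms named above, and marks the three relicensed projects for version review. The component names, licence strings and tree shape are constructed assumptions; a real run would read them from the target's SBOM.

```python
"""Walk a target's dependency tree and flag source available or copyleft components.
Added example, not the article's tooling; the tree and licence strings are constructed."""
from collections import deque

# Relicensed projects named in the article and when their terms moved. Any hit is
# flagged for version review: the SBOM's declared licence may be from either side.
RELICENSED = {
    "elasticsearch": ("SSPL-1.0", "2021"),
    "redis": ("source available terms", "March 2024"),
    "terraform": ("BUSL-1.1", "August 2023"),
}
SOURCE_AVAILABLE = {"SSPL-1.0", "BUSL-1.1"}           # not OSI approved
STRONG_COPYLEFT = ("AGPL-3.0", "GPL-3.0", "GPL-2.0")  # SPDX id prefixes

TARGET_TREE = {  # constructed: component -> (declared licence, direct dependencies)
    "target-app": ("Proprietary", ["web-api", "search-service", "infra-tooling"]),
    "web-api": ("MIT", ["redis"]),
    "search-service": ("Apache-2.0", ["elasticsearch", "pdf-render"]),
    "infra-tooling": ("MPL-2.0", ["terraform"]),
    "redis": ("BSD-3-Clause", []),  # declared licence predates the change
    "elasticsearch": ("SSPL-1.0", []),
    "pdf-render": ("AGPL-3.0-only", []),
    "terraform": ("BUSL-1.1", []),
}

def classify(name, licence):
    """Diligence notes a component earns; an empty list means no exposure found."""
    notes = []
    if licence == "NOASSERTION":
        notes.append("unknown licence: resolve before pricing")
    if licence in SOURCE_AVAILABLE:
        notes.append("source available: price commercial terms or a migration")
    if licence.startswith(STRONG_COPYLEFT):
        notes.append("copyleft: distribution may trigger source disclosure, route to counsel")
    if name in RELICENSED:
        terms, when = RELICENSED[name]
        notes.append(f"relicensed to {terms} as of {when}: confirm which side this version is on")
    return notes

def map_exposure(tree, root):
    """Breadth-first walk from the product root, recording the path to every hit."""
    seen, findings, queue = {root}, [], deque([(root, [root])])
    while queue:
        name, path = queue.popleft()
        licence, deps = tree.get(name, ("NOASSERTION", []))  # absent from SBOM: unknown
        for note in classify(name, licence):
            findings.append({"component": name, "licence": licence, "path": " > ".join(path), "note": note})
        for dep in deps:
            if dep not in seen:  # each component is visited once, so cycles terminate
                seen.add(dep)
                queue.append((dep, path + [dep]))
    return findings
```

Each finding carries the path from the product root, which is what turns a transitive hit into a remediation line the model can price.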

When diligence happens and how it shapes the price

The value of open source diligence is the option it preserves. Run early, before the price is fixed, a finding becomes a line in the model: a source available dependency priced in, a remediation reserve set, or a term renegotiated. Run late, the same finding becomes a dispute under the warranties, where the cap and the survival period decide how much the buyer actually recovers. The way to turn a finding into a number is set out in quantifying open source risk for a deal, and the specific case of a relicensed component in a target is covered in relicensing exposure in an acquisition target. The contract side, where what diligence could not eliminate gets allocated, is addressed in open source indemnities and warranties.

Compliance obligations and the counsel line

Compliance risk runs alongside deal risk and often becomes part of it. When a buyer acquires software that includes copyleft licensed components, it acquires the obligations attached to them, including any source disclosure duties triggered by how the software is distributed. An obligation the seller failed to meet does not vanish at closing. The mechanics of those duties are explained in copyleft distribution obligations explained. Source available is not open source, and licenses such as the Business Source License and the Server Side Public License are not approved by the Open Source Initiative, which is part of why their obligations surprise teams that assumed an open license. Our role is to map and price the exposure on the buyer side and to flag the obligations that need legal review. Whether a specific obligation applies to a specific use is a question for your own counsel. The full frame sits in our pillar on open source in M and A and compliance.

COMMON QUESTIONS

Questions buyers ask.

What is open source risk in M&A?

Open source risk in M&A is the exposure carried by the open source inside a target's software. A target may depend on components that have moved, or could move, to source available terms, or that carry copyleft obligations the seller has not satisfied. If that exposure is not found during diligence, it transfers to the buyer at closing, where it can change the real cost of the deal long after the price was set.

When should open source diligence happen in a deal?

As early as practical, ideally before the price is fixed. The value of finding a source available dependency or a copyleft obligation is the ability to price it in or negotiate around it while there is still room. A finding made after signing becomes a dispute under the warranties rather than a line in the model. The earlier the dependency tree is mapped, the more options the buyer keeps.

How does a relicense in a target affect valuation?

A relicensed component can carry a commercial license demand, a forced migration cost, or a competitive use restriction that limits how the target's product can be sold. Each has a number, and that number reduces the value the buyer should pay or raises the remediation reserve. A target built on Elasticsearch, Redis, or Terraform after their moves to source available licenses can carry exposure that materially changes the model.

What is the difference between M&A risk and compliance risk?

M&A risk is about what you inherit when you buy, found through diligence and allocated through the contract. Compliance risk is about meeting the obligations of the licenses you already use, such as the distribution and source disclosure duties under copyleft licenses like the GNU AGPL. The two overlap, because a target's unmet compliance obligation becomes the buyer's problem, but they are managed with different tools.

Do copyleft obligations transfer in an acquisition?

In substance, yes. When a buyer acquires software that includes copyleft licensed components, it acquires the obligations attached to them, including any source disclosure duties triggered by how the software is distributed. An obligation the seller failed to meet does not disappear at closing. Whether a specific obligation applies to a specific use is a question for your own counsel, which is why diligence flags it for legal review.

Is open source M&A and compliance advice legal advice?

No. This is commercial and licensing risk advisory, not legal advice. We map and price the open source exposure in a target on the buyer side and flag the obligations that need legal review. The interpretation of license terms, copyleft obligations, and contract clauses is a question for your own counsel.

DUE DILIGENCE

Find the open source exposure before you close.

Our M and A due diligence maps and prices the open source risk in a target. Independent, buyer side, paid only by you.

Not ready to talk? Read the free open source license risk guides first.

Explore M and A due diligence