Cloud com­pu­ting: are open source licen­ses a source of risk?

Many com­mon open source licen­ses were draf­ted as far back as the 1990’s. The net­work infra­struc­tu­re at that time was not yet strong enough for busi­ness models such as “soft­ware as a ser­vice” (SaaS). As a result, most open source licen­ses do not con­tain express pro­vi­si­ons rela­ting to use in the Cloud, so that use of open source soft­ware (OSS) in Cloud ser­vices may invol­ve licen­se risks for both pro­vi­ders and for users.

Legal risks for pro­vi­ders of Cloud services

The­re is a wide ran­ge of OSS for Cloud ser­vices. As a result, depen­ding on the type of ser­vice, ser­vice pro­vi­ders may have to con­sider many dif­fe­rent licen­ses and com­ply with their terms. SaaS pro­vi­ders requi­re licen­ses in order to pro­vi­de ser­vices to cus­to­mers for use. Whe­ther a repro­duc­tion licen­se is requi­red is dis­pu­ted. Accor­ding to the pre­vai­ling view, such a licen­se is not requi­red becau­se cus­to­mers do not recei­ve a copy of the soft­ware. But the modi­fi­ca­ti­on of OSS, e.g. by embed­ding OSS com­pon­ents into inde­pendent­ly deve­lo­ped Cloud ser­vices, invol­ves addi­tio­nal obli­ga­ti­ons. Even more recent licen­ses, such as AfferoGPLv3 , requi­re pro­vi­ders to dis­c­lo­se the source code and include a copy­left clau­se. In the worst case, vio­la­ting the terms of a licen­se may force a pro­vi­der to dis­con­ti­nue Cloud ope­ra­ti­on becau­se no licen­ses exist. It is the­r­e­fo­re indis­pensable for pro­vi­ders of Cloud ser­vices to know and com­ply with the licen­ses of the OSS they use in order to avo­id legal risks. Tech­ni­cal aids such as Black Duck and other soft­ware com­po­si­ti­on ana­ly­sis (SCA) tools may also be used for this purpose.

Legal risks for users of Cloud services

Mere­ly using a work is not typi­cal­ly sub­ject to spe­ci­fic licen­sing requi­re­ments, even for OSS. But the ques­ti­on as to whe­ther use of OSS in the Cloud qua­li­fies as “dis­tri­bu­ti­on” in terms of the OSS licen­se is of gre­at importance for users. This is typi­cal­ly not the case if the soft­ware is being used intern­al­ly, sin­ce the use or con­vey­an­ce is taking place within the same legal enti­ty. Howe­ver, dis­se­mi­na­ti­on of the soft­ware bet­ween dif­fe­rent affi­lia­tes of the same cor­po­ra­te group, or dis­se­mi­na­ti­on to a third par­ty, may qua­li­fy as dis­tri­bu­ti­on and could the­r­e­fo­re invol­ve licen­se obli­ga­ti­ons. As a result, even users of Cloud ser­vices should take mea­su­res to ensu­re com­pli­ance with OSS licenses.


The use of OSS in the Cloud may invol­ve licen­se risks for both pro­vi­ders and users. In order to mini­mi­ze the­se risks, it is important to pre­cis­e­ly under­stand the licen­se terms of the OSS in use. Asi­de from a detail­ed legal assess­ment, the use of tech­ni­cal aids may be neces­sa­ry in order to mini­mi­ze the risk of vio­la­ti­ons. More infor­ma­ti­on can be found in our one-pager on open source soft­ware: how com­pa­nies can avo­id licen­se risks.


Stay up-to-date

We use your email address exclusively for sending our newsletter. You have the right to revoke your consent at any time with effect for the future. For further information, please refer to our privacy policy.