Oracle Java licensing is no longer a one-time project to complete and forget. The estate changes constantly, auto-updates quietly shift builds between licence regimes, and the No-Fee Terms and Conditions (NFTC) that make some versions free are time-limited. Managing that requires a dashboard — a small set of metrics, refreshed regularly, that tells leadership where the organisation stands. But a dashboard full of the wrong numbers is worse than none, because it creates false confidence. This article sets out the KPIs a Java compliance dashboard should actually track, and why each one earns its place.
From project to dashboard
A compliance assessment produces a snapshot: here is your Java estate, here is your exposure, today. A dashboard does something different — it keeps that picture alive. The reason this matters is that the things driving Oracle Java risk are all moving: new deployments add Java, version upgrades change licence status, auto-updates change builds underneath you, and NFTC windows expire on a calendar. A number that was green last quarter can be red this quarter without anyone making a decision.
The right KPIs make those movements visible early, while they are cheap to fix. The wrong KPIs — vanity metrics like "number of scans run" — measure activity instead of risk. The test for every metric below is simple: would Oracle's auditors care about this number? If yes, it belongs on the dashboard.
A Java compliance dashboard should measure the things that determine an audit outcome — estate coverage, where Oracle Java is, how much it would cost, and whether that is trending toward zero.
KPI 1 — Estate discovery coverage
The first and most important KPI is how much of the estate you have actually inventoried. Every other metric is only as trustworthy as this one. Track the percentage of in-scope hosts, container images, and cloud workloads that have been successfully scanned and classified, against the total known estate. A dashboard reporting "0% Oracle Java" means nothing if discovery coverage is 60% — the risk could all be in the unscanned 40%. Coverage should trend toward, and stay near, 100%. When it drops — because new infrastructure appeared — that drop is itself the alert.
KPI 2 — Free Java vs Oracle JDK ratio
Of the JDKs you have discovered, what proportion are free distributions (OpenJDK builds such as Temurin, Corretto and Zulu, plus Oracle JDK builds still within their free NFTC window) versus chargeable Oracle JDK? This ratio is the headline health indicator. An estate that is 100% free Java carries no Oracle Java subscription exposure; one with chargeable Oracle JDK present is in scope. Tracking the ratio over time shows whether the organisation is drifting toward risk or migrating away from it.
KPI 3 — Chargeable Oracle Java instances
The ratio tells you the proportion; this KPI tells you the absolute, actionable number — the count of installs that genuinely require a paid Java SE Subscription. Crucially, this should be reported with a breakdown by owner and application, because that is what makes it a work queue rather than a statistic. "47 chargeable Oracle JDK installs across 9 application teams" is something a programme can act on. The target for this KPI is zero, and progress toward zero is the clearest possible signal that the compliance effort is working.
Why "count" still matters under the employee metric
The employee metric means cost does not scale with instance count — one chargeable install scopes the whole organisation. But the instance count is still the right operational KPI, because it is the remediation workload. The dashboard needs both: a binary "are we in scope?" indicator, and the instance count that tells teams how much work remains to get out of scope.
KPI 4 — NFTC window countdown
Oracle JDK builds released under NFTC are free for production use only for a defined period per version. After that window, continuing to run those specific builds requires a subscription. This makes time itself a risk factor. The dashboard should track, for every NFTC-based Oracle JDK in the estate, how long remains before that version's free window closes — and flag any version approaching expiry. An organisation relying on NFTC builds without watching this countdown can move from compliant to non-compliant on a date, having changed nothing. This is one of the few KPIs that gets worse purely with the passage of time.
KPI 5 — Migration progress
Where an organisation has decided to move off Oracle Java, the dashboard should track that programme's progress: percentage of chargeable installs migrated to free distributions, by team and by environment. This turns the migration from an open-ended intention into a measured burndown. Pairing migration progress with the chargeable-instance count gives leadership a single, honest view: how much exposure is left, and how fast it is being eliminated. Our Oracle-to-OpenJDK migration guide covers the underlying programme.
KPI 6 — Quantified exposure
Technical KPIs tell IT what to do; a financial KPI tells leadership why it matters. The dashboard should carry an estimate of current exposure — the cost the organisation would face if it had to license its Oracle Java today, based on the employee count and Oracle's pricing. This number does the political work: it justifies the migration budget, frames the risk for the board, and gives the audit committee something concrete. It should be presented as a range with stated assumptions, not false precision. Across our 340+ Java licensing engagements, a credible exposure figure on a dashboard is consistently what moves a remediation programme from "someday" to "funded".
KPI 7 — Inventory freshness and drift
The final KPI guards all the others: how recently was the data refreshed, and what changed since last time? Track the age of the most recent full scan, and the count of new Java installs detected in the latest cycle that were not present before. A rising drift count is an early warning that Java is entering the estate faster than governance is catching it — often through new container images or auto-update. Freshness keeps the dashboard honest; drift keeps it predictive.
Putting it together
Seven KPIs is enough — a dashboard with thirty metrics is a report nobody reads. The set above answers, at a glance, the four questions leadership actually has: do we know our whole estate (coverage, freshness), where is the Oracle Java (ratio, chargeable count), what would it cost (exposure), and are we fixing it (migration progress, NFTC countdown). Each needs a named owner, a refresh cadence, and a target. The dashboard should be reviewed on a regular governance cycle, not pulled together reactively when an Oracle letter arrives.
| KPI | Healthy direction |
|---|---|
| Estate discovery coverage | At or near 100% |
| Free Java vs Oracle JDK ratio | Trending toward 100% free |
| Chargeable Oracle Java instances | Trending toward zero |
| NFTC window countdown | No version near expiry unmanaged |
| Migration progress | Steady burndown to complete |
| Quantified exposure | Falling toward zero |
| Inventory freshness / drift | Recent scan, low drift |
Conclusion
A Java compliance dashboard earns its place only if it measures what an audit would. Estate coverage and freshness tell you whether the picture is complete; the free-versus-Oracle ratio and chargeable-instance count tell you where the risk is; the NFTC countdown warns you of risk that arrives on a calendar; quantified exposure justifies the budget; and migration progress proves the effort is working. Seven KPIs, refreshed on a cadence, with owners and targets — that is the difference between governing Oracle Java risk and being surprised by it.
Our continuous Java management service runs exactly this kind of live dashboard for clients, refreshing the estate picture and tracking every KPI above. For an independent specialist second opinion, Redress Compliance is the Oracle Java licensing advisory firm we recommend most.