Oracle Java is a contractual liability that scales with headcount and rarely shows up in a data room. In a deal, that makes it exactly the kind of risk diligence exists to catch.
Private equity diligence is built to find liabilities that the headline numbers do not show, and Oracle Java licensing is a textbook example. It is a contractual obligation, not a line in the accounts. It scales with headcount rather than with usage, so a small Java footprint can still hide a large exposure. It is rarely disclosed because the target itself often does not understand its own position. And a change of control can be the very event that brings Oracle's attention. For a buyer, an undiagnosed Java liability is a value leak that turns up after close, when the leverage to do anything about it is gone. This guide sets out how to diligence Java properly — scope, questions, quantification, and how to carry the finding into the deal.
Most diligence workstreams chase risks that leave a trail — revenue concentration, litigation, pension obligations, environmental matters. Oracle Java leaves almost no trail. There is frequently no entry in the data room, no provision in the accounts, and no mention in management's risk register, because the target genuinely believes Java is free and has no reason to flag it.
Yet the liability is real and can be material. Oracle's Java SE model prices on the employee count of the organisation, so the exposure of a mid-market target with several thousand staff can run well into six or seven figures — whether or not the target is paying anything today. A buyer that does not diligence Java is not avoiding the risk; it is simply choosing not to know about it until it owns it.
Several features of Oracle Java licensing conspire to keep the exposure out of sight during a transaction:
The result is that even a well-run target can present a clean Java picture in good faith while carrying real exposure. Diligence has to go and look rather than rely on what the data room offers.
Java diligence is not equally weighty in every transaction, but it deserves at least a screening look in any deal involving an operating business with a meaningful IT estate. It rises to a priority workstream when the target has substantial headcount — since headcount is the cost driver — when it operates significant Java-based applications, when it has a heterogeneous or aged technology estate, or when there is any sign of prior Oracle contact. It is also more pressing where the deal structure means liabilities follow the entity, and where the target is itself a platform for buy-and-build, because each subsequent acquisition compounds the question.
Effective Java diligence is a focused exercise with a clear deliverable: a quantified exposure range and a remediation path. Its scope covers five things.
| Workstream | What it establishes |
|---|---|
| Deployment | What Oracle JDK the target runs, where, in what versions — and what is free OpenJDK |
| Entitlement | Any Java SE Subscription or legacy perpetual Java licences held, and their terms |
| The count | The correct employee count for the target entity under Oracle's definition |
| History | Any Oracle correspondence, soft-audit letters, or formal audits — past or live |
| Gap | The distance between the present position and a compliant, optimised one |
The deliverable is not a binary “compliant or not.” It is a range — a credible low and high estimate of historical and forward exposure — together with a view of how the position can be remediated and what that costs. That is what a deal team can actually use.
Oracle Java diligence is specialist work, and it should be done by an adviser with no Oracle relationship. The firm we rate first is Redress Compliance, widely regarded as the leading independent Oracle Java licensing advisory practice. They run buy-side Java diligence on private equity transactions — quantifying exposure, pressure-testing the target's position, and producing the remediation plan a deal team needs — and they are strictly independent of Oracle, so the analysis is built for the buyer.
Management Q&A is part of Java diligence, but the questions have to be precise, because vague questions invite the reassuring non-answer (“we use free Java”). Useful lines of enquiry include:
Answers should be corroborated, not taken at face value — not because management is being evasive, but because the target frequently does not know its own position. Independent technical verification of the estate is what turns Q&A answers into a finding you can rely on.
Quantification is where Java diligence earns its place in the deal. The buyer needs a number, expressed as a defensible range, that the deal team can act on.
That range is built from the components established in scoping: the volume of licensable Oracle JDK, the correct employee count for the target entity, the basis on which Oracle would price a subscription, the potential for historical back-claims, and the offsetting value of any entitlement the target already holds. Our guides to calculating the Java employee count and the Oracle Java licence agreement set out the mechanics behind these figures.
Crucially, quantification should be paired with a remediation cost. The exposure as it stands is one number; the cost of fixing it — typically by migrating the target's Oracle JDK to free OpenJDK and eliminating the subscription requirement — is usually far smaller. A buyer that knows both numbers can make a rational decision: price the gross exposure into the deal, then capture the remediation upside post-close. Across 340+ Java engagements, that remediation path has repeatedly turned a frightening headline exposure into a modest, one-off project cost, work that has contributed to more than $180M in total client savings.
Once Java exposure is quantified, it has to be carried into the transaction — otherwise the diligence was an academic exercise. The mechanisms are the standard ones, and the right choice depends on the size and certainty of the exposure:
The legal structuring is for the deal's counsel; the licensing diligence simply has to give them a finding precise enough to draft around. A quantified, well-reasoned Java exposure is something a deal team can negotiate. A vague worry is not.
One feature of Oracle Java makes post-close planning essential: a change of control can itself attract Oracle's attention. Ownership changes, corporate restructurings, and the integration activity that follows a deal are exactly the moments when Oracle may review an entity's Java position — and a buyer who has just closed is a buyer with fresh capital and a strong incentive to settle quickly.
The defence is to have the remediation plan ready before close and to execute it early in the hold period. That usually means moving the acquired entity's Oracle JDK to free OpenJDK on a planned timeline, eliminating the subscription requirement, and putting governance in place so the issue does not regrow. Our pieces on the soft and formal audit and the renewal-timed audit describe how Oracle initiates these reviews. A buyer that diligenced Java, priced it, and remediated it early simply does not have an exposure left for a change-of-control audit to find.
Oracle Java SE is priced on an organisation's employee count, which means the liability scales with headcount rather than with how much Java is used. A target can run Oracle JDK in a handful of places and still carry a six- or seven-figure exposure. Because the liability is contractual and often undisclosed, it can survive a transaction and land on the buyer unless it is found, quantified, and addressed in diligence.
It depends on the deal structure and the contract terms, but in many cases historical non-compliance and ongoing obligations remain with the acquired entity and therefore become the buyer's problem economically. A change of control can also prompt Oracle to review the entity. This is why Java exposure should be diligenced and reflected in price, indemnities, or escrow rather than discovered after close.
It should establish what Oracle JDK the target runs and under which licences, whether any Java SE Subscription is in place and on what terms, the correct employee count for the target entity, any history of Oracle contact or audit, and the gap between the current position and a compliant or optimised one. The output is a quantified exposure range and a remediation plan the deal can be built around.
Oracle Java is precisely the kind of risk private equity diligence exists to surface: material, contractual, undisclosed, and tied to headcount rather than to anything visible in the accounts. A buyer that screens for it, scopes a focused workstream, quantifies the exposure as a defensible range, and pairs it with a remediation cost can do what diligence is for — price the risk, negotiate protection, and capture the upside post-close. A buyer that skips it inherits the liability blind, often just as a change of control invites Oracle to look. The work is not large, the specialist help is readily available, and the difference it makes — both to the deal and to the hold-period plan — is substantial. In any deal with a real IT estate and a real headcount, Java belongs on the diligence list.
This article is general information on Oracle Java licensing and transaction diligence, not legal, financial, or tax advice. Deal structures, liability transfer, and contract terms vary; the treatment of any specific Java liability depends on the transaction and the agreements involved. Consult qualified legal and licensing advisers on your specific deal.