Open-Source Software in M&A Transactions
Key takeaways
- Open-source software is indispensable in many companies today, but can lead to various legal risks in commercial distribution or M&A transactions.
- Copyleft clauses can restrict the proprietary use of software and jeopardise its commercial usability.
- A thorough review of open-source software licences is essential to avoid infringements and financial risks.
- Finally, providers of high-risk AI systems (among others) must include the use of open-source software in their risk management processes if their products fall within the scope of the new EU regulation on artificial intelligence.
Introduction
Open-source software (hereinafter referred to as “OSS”) is software whose source code is public and can be viewed, modified and used by third parties (the technical term “open source” indicates an “open” or “public” source). The origins of OSS date back to the 1960s and 1970s. Today, OSS is an indispensable part of business processes. According to the 2024 State of Open Source Report, 95% of participants stated that they continue to use OSS or even use it to an increased extent. OSS is not only used in companies that work with software, but also in companies that develop software and make use of OSS modules and libraries that are distributed under OSS licences. This not only allows the inclusion of innovative solutions, but also leads to faster and more cost-efficient development and can reduce errors at the same time.
One characteristic of OSS is that it may be used and distributed free of charge subject to compliance with the licence conditions. This means that users of OSS are well advised to carefully examine the relevant licence conditions from a legal perspective and to establish appropriate internal company rules for programming and use (OSS governance). For developers who wish to resell their software, the question of whether the licence terms impose legal obligations for the further distribution of the software (known as “copyleft clauses”) is particularly relevant. In the context of an M&A transaction, this can even affect the value of the company (particularly in the case of a software company). Without a thorough review and in-depth understanding of OSS use, M&A deals can pose significant risks with long-term consequences for the acquirer. Effective preparation for these challenges is therefore essential to avoid legal and financial pitfalls.
This article aims to shed light on the most important legal and contractual issues in connection with the use of OSS in M&A transactions.
What is open-source software?
Characterisation
As mentioned in the introduction, OSS stands for software whose source code is public and can be viewed, modified and used by third parties. This means that users are not only able to use the software, but also view and modify the underlying program code and adapt it to their own needs. This enables the user to adapt, further develop and integrate the software, as well as maintain and further develop the OSS independently in order to reduce dependency on a specific software provider, for example.
This is a crucial difference compared to proprietary software, where the source code is protected and cannot be viewed by third parties. Source code is a human-readable text that programmers write in a programming language. The source code is then translated or compiled into machine language. It is the compiled text, known as object code, that gives the computer precise instructions and thus forms the basis for programs and websites.
OSS is published under special licences that specify the conditions which users must comply with if they wish to use the OSS as a component for their own software development or use it directly as a finished program for their business processes. These licences generally allow the software not only to be used free of charge, but also to be modified and redistributed, often under the condition that changes must also be made publicly available (such as under “copyleft conditions”). The best-known OSS projects include the Linux operating system, the Firefox web browser and the LibreOffice office program.
OSS is a key factor for companies whose core business is based on the development and distribution of software products. For the further distribution of software developed with the aid of OSS, the limits of the relevant licence conditions must be observed.
Technical and economic importance
OSS offers significant advantages such as cost savings, flexibility and the ability to draw on broad developer knowledge. At the same time, the use of OSS requires careful compliance with licence conditions, which can be of varying importance depending on the use of the software and business model. For example, OSS plays a decisive role in the introduction of cloud technologies such as Kubernetes and Docker, which are now standards in software development. Companies that use these technologies benefit from increased scalability and agility, but also face new challenges in terms of licensing and compliance with OSS licences.
Companies such as Google, Amazon and Meta (aka Facebook/Instagram) not only contribute to the development of OSS, but also integrate OSS into their core products. Google, for example, has developed its own programming language called Go or Golang, which is now used around the world for a wide variety of applications. In M&A transactions, it is therefore essential to assess the extent to which the target company depends on the OSS solutions of these tech giants.
Modern AI and machine learning frameworks such as TensorFlow and PyTorch are based entirely on OSS. Companies involved in M&A transactions must carefully check whether these frameworks are correctly licensed, as they often form the core of the software applications.
The ever-increasing threat posed by security vulnerabilities in OSS (such as the Log4Shell exploit) underlines the need to integrate tools such as Dependabot or OSS Review Toolkit into the compliance process. These help companies to proactively identify and eliminate security risks.
Finally, the importance of OSS is also increasing in terms of compliance with ESG criteria. OSS promotes sustainability by facilitating the reuse of software in line with the circular economy and supporting innovations that are less resource intensive.
Legal basis of OSS and OSS licences
Copyright
Computer programs are protected by copyright if they have an individual character and thus qualify as a work in the sense of copyright law (Art. 2 para. 3 of the Copyright Act). In this respect, OSS is no different from proprietary software.
OSS is typically licensed under conditions that grant users extensive rights, including the right to modify and redistribute the software. However, these rights are associated with certain obligations, in particular regarding copyleft clauses, which stipulate the redistribution of modified software under the same licence conditions.
Copyleft clauses
The key distinguishing criterion of OSS licences is whether they contain a copyleft clause and, if so, how restrictive this is. The scope of copyleft clauses is often subject to interpretation, and not all questions have been satisfactorily clarified. This applies in particular to what triggers the copyleft effect: usually at least the transfer of a program copy to a third party is required to trigger it, but in some cases, making the software available as a network application (as a SaaS service, for example) may already be sufficient. The material scope of the copyleft effect also varies and is often not clearly defined. In the case of certain licences, the copyleft effect may already apply if a correspondingly licensed program is combined with a proprietary program. Other licences, namely those with a limited or weak copyleft clause, are less strict and allow, for example, the interaction with and integration of program libraries without the copyleft effect taking effect (such as LGPLv3). OSS licences without a copyleft clause give the licensee extensive freedom.
OSS in the AI Act
Regulation (EU) 2024/1689 on Artificial Intelligence (known as the AI Act) is the world’s first statutory legal act that establishes comprehensive legal rules for the development and use of artificial intelligence (AI) systems. It expressly does not apply to AI systems that are provided under “free and open-source licences” (i.e. OSS licences), unless they are placed on the market or put into operation as “high-risk AI systems” (such as in the HR sector) or as an AI system to which special transparency rules apply (for example, because they serve direct interaction between humans and machines) (Art. 2 para. 12).
In order to know whether a software development company can benefit from this OSS exemption, it must know exactly for what purposes its customers use its software. Conversely, a provider of high-risk AI systems must carefully examine the liability issues it faces when using OSS components for its own product compliance. This is because OSS providers usually exclude liability for malfunctions, among other things, in their licence conditions.
Drafting contracts in the M&A context
When drafting contracts in M&A transactions, particular attention should be paid to the terms of OSS licences. Contracts should contain clear provisions on the use of OSS, including the rights and obligations of the acquirer in relation to the further use and exploitation of the software.
Another important point is the transferability of OSS licences as part of share deals or asset deals. It is important to ensure that the licences can be transferred properly without restricting the use of the software.
Risks associated with the use of OSS and OSS licences
The use of OSS by the target company harbours risks that must be carefully examined by the buyer in an M&A transaction. In the worst case, the use of OSS may result in the target company being obliged to disclose the source code of its own proprietary software to third parties or to license it under strict OSS licensing conditions. Legal OSS due diligence must aim to identify and assess these risks so that the buyer can take the necessary contractual precautions such as warranties.
In particular, the following risks must be considered when using OSS:
- Copyleft effect: The copyleft effect obliges companies to pass on changes to the OSS under the same licence conditions, which may restrict proprietary use or commercial distribution.
- Termination of the right of use in the event of breach of contract: If the licence conditions are breached, the right of use expires, which may have legal consequences.
- Cost of achieving compliance: Compliance with licence conditions may result in unexpected costs, especially if additional technical and legal reviews are required.
- Liability risks due to warranty exclusions: OSS is often provided without warranty, which means that the company is not entitled to support or compensation in the event of problems.
- Liability risks due to breaches of contract: Failure to comply with licence conditions may lead to significant legal disputes and claims for damages. In view of the increasing use of AI, the new requirements of the EU AI Act may need to be considered here.
- Incompatibilities between different OSS licences: Different OSS licences may be mutually exclusive, which can lead to legal problems when integrating multiple OSS components.
- Transferability in the context of a transfer of assets: According to Art. 71 para. 1 lit. b and Art. 37 lit. b of the Merger Act, intangible assets such as software licences must be listed individually in the transfer agreement, which is often difficult in practice, especially in the case of extensive software with numerous OSS components.
A clear overview of these risks and a careful licence check are crucial to avoid legal and financial consequences.
Conclusion
The use of OSS is widespread in modern companies, but can lead to significant legal and commercial risks. Copyleft clauses and the complex transferability of OSS licences can have a significant impact on the exploitation of software and the value of a company. Thorough OSS compliance, which closely examines all OSS licences and ensures that licence conditions are correctly adhered to, is therefore essential. For companies, it is worth taking measures at an early stage to minimise potential liability risks and ensure the viability of their business models.
In the M&A context, thorough OSS due diligence is essential to ensure that the target company does not use any OSS whose licences could entail risks. The breadth and depth of OSS due diligence always depends on the specific transaction, with the transaction volume, the specific negotiating situation (and power of the parties) and the anticipated risks playing a key role. A careful examination of the licences used can help to identify risks and take appropriate measures.
Next steps
As a next step, companies should carry out a detailed review of all OSS licences used to ensure compliance and identify potential risks at an early stage. It is advisable to establish internal processes for licence monitoring and implement a clear OSS strategy. It should also be examined whether contractual protection mechanisms can be built into potential future M&A transactions to minimise legal and financial risks.
Authors: Markus Winkler (Counsel), Xenia Pisarewski (Associate, Banking & Finance), Dario Gomringer (Associate, Corporate / M&A), Andrew Galantay (Junior Associate, Corporate / M&A), Armina Burkic (IT Consultant)
No legal or tax advice
This Legal Update provides a general overview of the legal situation in Switzerland and does not claim to be exhaustive. It does not constitute legal or tax advice. If you have any questions about this Legal Update or require legal advice regarding your situation, please get in touch with your contact person at Pestalozzi Attorneys at Law Ltd. or one of the contact persons mentioned in this Legal Update.
© 2025 Pestalozzi Attorneys at Law Ltd. all rights reserved.