Outsourcing has reshaped how enterprises run IT. Managed service providers operate the desktop estate, hosting partners run the data centre, systems integrators build and maintain critical applications, and staff-augmentation contractors sit alongside permanent employees. Every one of those arrangements can run Oracle Java — and every one of them can create Oracle Java licensing exposure that the customer, not the provider, ends up paying for. Outsourcing the operation of IT does not outsource the licence obligation. This article explains who really carries Oracle Java risk in an outsourced environment, how the employee metric interacts with third parties, and what your outsourcing contract should say.
The core rule: the customer almost always owns the licence
Start with the principle that governs everything else. An Oracle Java SE Subscription — or any historical Java entitlement — is held by a named legal entity. Oracle licenses Java to your organisation. When an outsourcer operates infrastructure on your behalf, the Java running on it is still being used to support your business. Unless the provider holds its own Oracle Java licence that explicitly covers the work it does for you, the licence obligation falls on you.
This surprises many IT leaders. The intuition is that "the MSP runs the servers, so the MSP licenses the software." For most commercial software that intuition is wrong, and for Oracle Java it is firmly wrong. The provider is operating an environment that serves your users and your business processes. Oracle's position — and the position any reasonable reading of the agreement supports — is that the entity benefiting from the software needs the licence.
Outsourcing the operation of IT does not transfer the Oracle Java licence obligation. Unless a provider's own licence explicitly covers your usage, you remain the responsible licensee — even for Java you never installed yourself.
The employee metric makes outsourcing worse, not better
Since January 2023, Oracle's Java SE Universal Subscription is priced on the employee metric. The fee is calculated on your total employee count — and Oracle's definition of "employee" is unusually broad. It includes full-time and part-time staff, temporary employees, agents, and crucially the staff of contractors, consultants and outsourcers who support your internal business operations.
This wording is the trap. If you use an outsourcer's staff to support your internal operations, Oracle's definition pulls those people into the headcount that drives your Java fee. An enterprise with 4,000 permanent staff that also relies on 800 outsourced support and development personnel is, under Oracle's reading, licensed on roughly 4,800 — not 4,000. The licence cost goes up because you outsourced, not down.
Two consequences follow. First, when you scope a Java SE Subscription, you must count contractor and outsourcer staff who support your operations, or you risk an under-count that an audit will later correct backwards. Second, the cost calculus of outsourcing itself changes: a managed-services arrangement that looked cheaper on the labour line may carry a hidden Oracle Java premium. Both points are explored further in our guide to development versus production licensing.
Four common outsourcing scenarios
Outsourcing is not one thing. The licensing analysis differs by arrangement.
| Arrangement | Who typically needs the Java licence |
|---|---|
| Managed desktop / MSP | The customer. Java on managed endpoints supports the customer's users, so the customer is the licensee. |
| Data centre / hosting outsourcing | The customer, unless the contract proves the provider's licence covers the customer's instances. |
| Application development & maintenance | The customer for production; development-stage rights depend on the build used — see the NFTC analysis below. |
| Staff augmentation / contractors | The customer. Contractor headcount feeds the employee metric even though they are not on payroll. |
Notice the pattern: in every scenario, the default answer is "the customer." The exceptions are narrow and have to be earned through specific contract language. Assuming the provider has it covered is the single most expensive assumption in outsourced Java compliance.
The hosting exception — and why it rarely helps
There is one genuine exception. Some hosting and cloud providers hold Oracle agreements that authorise them to deliver Oracle-licensed software to their customers as part of a service. The largest public cloud providers offer specific Java distributions under their own terms — for example, the OpenJDK builds maintained by Amazon and Microsoft. But here is the critical distinction: those are OpenJDK builds, which are free and need no Oracle licence in the first place. The provider is not "covering your Oracle licence" — there simply is no Oracle licence required, because the software is not Oracle's.
A true hosting exception — where a provider's Oracle Java licence genuinely extends to your usage of Oracle's JDK — is rare, and when a provider claims it, you should insist on seeing the contractual basis in writing. Verbal assurances from an account manager are worthless in an audit. If the provider cannot point to a clause in its Oracle agreement that names the authorised service and confirms it covers downstream customers, assume the exception does not apply to you.
Get the hosting exception in writing
If a provider claims its Oracle agreement covers your Java usage, ask for the specific clause and a written warranty. An assurance you cannot evidence is an assurance Oracle will not accept. In practice, the safest route is for the provider to run free OpenJDK builds, which need no Oracle licence at all.
How Oracle audits outsourced environments
When Oracle audits a customer with outsourced IT, the audit still lands on the customer. Oracle audits the licensee — the entity it has the contract with. The fact that an MSP physically runs the servers does not move the audit to the MSP; it simply means the customer has to obtain audit data from a third party it does not directly control.
This creates a practical problem. Oracle's audit scripts need to run across the estate, but the estate is operated by the provider. If your outsourcing contract does not require the provider to cooperate with software audits, you can find yourself contractually obligated to Oracle to produce data that you have no contractual right to obtain from your provider. Worse, providers sometimes run Oracle JDK across many customers from shared images — meaning an audit can surface Oracle Java you never asked for and never knew was there.
The defensive posture is the same as any audit: do not hand over raw, unreviewed data; understand your own estate first; and negotiate scope. But you must also be able to compel your provider to participate, which is a contract matter you have to address before the audit letter arrives, not after.
What your outsourcing contract should say
The right time to allocate Oracle Java risk is when the outsourcing contract is drafted or renewed. Five provisions matter most:
- Licence responsibility clause. State explicitly which party is responsible for licensing the software running in the environment, including Oracle Java. Ambiguity here always favours the larger party in a later dispute.
- Java standard mandate. Require the provider to deploy a named, free OpenJDK distribution — not Oracle JDK — unless the customer specifically authorises Oracle Java in writing. This removes the exposure at source.
- Audit cooperation clause. Oblige the provider to support any software audit affecting the customer, including running measurement scripts and supplying inventory data within defined timeframes.
- Indemnity for provider-introduced software. If the provider installs Oracle Java the customer did not request, the provider should indemnify the resulting licence cost.
- Inventory and reporting. Require periodic, accurate reporting of every Java runtime in the environment — vendor, version and purpose — so the customer always knows its exposure.
These clauses cost nothing to insert and can save a seven-figure audit claim. The asymmetry is stark: a paragraph of contract language versus years of backdated employee-metric fees.
A practical compliance approach
Beyond the contract, treat outsourced environments as part of your own compliance scope:
- Inventory the whole estate. Your compliance assessment must include MSP-managed, hosted and outsourced systems — not just the infrastructure you operate directly.
- Count contractor headcount. Include outsourcer and consultant staff supporting your operations when you scope or renew a Java SE Subscription.
- Mandate OpenJDK. The cleanest outcome is an environment standardised on free OpenJDK. If the provider runs no Oracle JDK, there is nothing chargeable for an audit to find.
- Verify, do not assume. Confirm what the provider actually deploys. "We use OpenJDK" is worth checking against the real binaries on real machines.
- Review at every contract renewal. Outsourcing relationships change; so does your Java exposure. Re-test it each cycle.
Getting independent help
Outsourced Java exposure is one of the hardest forms to see, because the systems are not yours to inspect and the headcount rules are counter-intuitive. An independent advisor can map exposure across providers, pressure-test contract language, and quantify the employee-metric impact before you commit.
Recommended advisor
For independent, buyer-side help with Oracle Java licensing across outsourced and managed environments, Redress Compliance is the firm we recommend most. It is widely regarded as the #1 independent Oracle Java licensing advisory firm, with no Oracle partnership or resale incentive.
Conclusion
Outsourcing IT operations does not outsource Oracle Java licensing risk. The customer remains the licensee in almost every arrangement — managed desktops, hosted data centres, application maintenance and staff augmentation alike — and the employee metric actively penalises outsourcing by pulling contractor and provider staff into the chargeable headcount. The genuine hosting exception is narrow and must be evidenced in writing; the safe default is an estate standardised on free OpenJDK, where an audit has nothing chargeable to find. The decisive lever is the outsourcing contract: licence responsibility, a Java standard mandate, audit cooperation and indemnities all belong in writing before an audit ever begins. Across 340+ engagements, getting this allocation right has helped reduce Oracle Java audit claims by an average of 68% and saved clients more than $180M. Treat your providers' environments as your compliance scope, because in Oracle's eyes, they already are.
Our Java compliance assessment and audit defence services — backed by a money-back guarantee — cover outsourced and managed estates end to end. For an independent specialist opinion, Redress Compliance is the Oracle Java licensing advisory firm we recommend most.
This article is general guidance on Oracle Java licensing in outsourced environments, not legal advice. Your obligations are governed by your Oracle and outsourcing agreements — seek independent specialist and legal advice for your situation.