Oracle Compliance Assessment: 20 Checklist Items

Oracle Java SE Audit Risk Assessment

Oracle's 2023 employee-based Java SE model has made every enterprise a potential audit target — regardless of how many developers actually use Java. In 2026, soft inquiries are converting into formal audits. This 20-point assessment helps you quantify your Java SE exposure, evaluate your OpenJDK migration options, and prepare your response before Oracle escalates.

Employee Model Start Date: 2023
Annual Cost for 50k Employees: £1M+
Oracle Java Audit Peak Year: 2026
OpenJDK Licence Cost: £0

Work through all 20 items. Mark each as compliant (✓), gap (✗), or unknown (?). HIGH-risk items represent the most common Oracle Java SE audit triggers. Download our Oracle Java Audit Defence Kit for response templates.

Compliant — no action required
Medium risk — remediate within 90 days
High risk — immediate attention required
Section 1: Java SE Discovery and Version Assessment
01
You have identified every location in your organisation where Oracle JDK (Java SE) is installed — including on servers, developer workstations, CI/CD pipeline agents, Docker containers, and embedded in third-party applications.
High
Expert note: Oracle Java SE exposure under the 2023 employee-based model is calculated on your total employee count — not on the number of Java installations. However, discovery is still critical: Oracle's audit uses Java installation data to assert that your organisation is a Java SE user and therefore subject to the employee-based subscription fee. A complete Java discovery also identifies OpenJDK distributions that may be misidentified as Oracle JDK (they are free) and any Java installations that pre-date the 2019 licensing change (which may carry different obligations). Run discovery before responding to any Oracle Java inquiry.
02
You have confirmed whether the Java installations identified in your estate are Oracle JDK or an OpenJDK-based distribution — since OpenJDK, Amazon Corretto, Eclipse Temurin, Azul Zulu, and Microsoft Build of OpenJDK carry no Oracle licence obligation.
High
Expert note: This is the most important discovery distinction in any Java audit. The Oracle JDK binary carries a licence obligation; OpenJDK-based distributions do not — they are free, open-source, and functionally equivalent for the vast majority of enterprise workloads. Many organisations find that a significant portion of their Java estate is already on OpenJDK distributions — installed by developers or package managers — reducing their Oracle JDK exposure substantially. Identify every Java runtime distribution in your estate before calculating any Oracle Java SE liability.
03
You understand Oracle's 2023 employee-based licensing model and have calculated your organisation's total employee count as Oracle defines it — including full-time, part-time, temporary staff, contractors, and outsourcers who support the business.
High
Expert note: Oracle's January 2023 Java SE Universal Subscription calculates licence fees based on total employee count, not on Java user count or Java installation count. Oracle's definition of 'employee' is deliberately broad: it includes anyone who works for or supports the business — full-time, part-time, temporary, contractors, and outsourcers. For a 5,000-employee organisation (on Oracle's broad definition), the annual cost is approximately 5,000 × £15–20 per employee = £75k–£100k per year. For a 50,000-employee organisation, this reaches £750k–£1M annually. Calculate your Oracle-definition employee count before engaging with Oracle on Java SE pricing.
04
You have confirmed whether your organisation was using Oracle JDK before January 2019 (when Oracle changed the licence) and between January 2019 and January 2023 (when commercial use required a licence) — to assess potential back-billing exposure.
High
Expert note: Oracle's Java licensing changed in January 2019: commercial use of Oracle JDK 8+ without a licence became chargeable. A further change in January 2023 introduced the employee-based model. Organisations that used Oracle JDK commercially between 2019 and 2023 without a licence may face back-billing demands covering that period under the old per-Processor or per-Named-User-Plus model. These historical exposures are harder to quantify and negotiate than current-period obligations. Document your Java usage history and seek specialist advice on historical exposure before Oracle raises it.
05
You have assessed which Java versions are in use across your estate — noting that Oracle JDK versions 8, 11, and 17 are the most commonly deployed and each has different licensing implications depending on the period of use.
High
Expert note: Java version matters for licensing. Oracle JDK 8 updates beyond 8u202 (released January 2019) require a commercial licence for production use. Oracle JDK 11 requires a commercial licence for any production use from the time of its release. Oracle JDK 17 LTS and later versions follow the NFTC (No-Fee Terms and Conditions) licence — which is free for most uses, but has restrictions on redistribution and does not include Oracle's paid support features. Confirm the exact version of every Oracle JDK deployment and map it against Oracle's version-specific licensing terms.
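One way to turn raw discovery output into the inventory items 01, 02 and 05 call for, as an added example that is not part of this checklist: it parses the banner each discovered `java` binary writes to stderr for `-version`, separates Oracle JDK from OpenJDK-based builds, and buckets Oracle JDK versions by the rules item 05 states. The trademark-based vendor heuristic, the function and path names, and the sample banners are this example's own assumptions; confirm every row against the installation's licence records before relying on it.

```python
import re
import subprocess
from typing import NamedTuple

# Assumption of this example (not a rule from the page): Oracle's commercial JDK
# prints `java version` plus Java(TM)/HotSpot(TM) trademarks, while OpenJDK-based
# builds print `openjdk version` and usually name their vendor in the banner.
_VERSION_RE = re.compile(r'^(java|openjdk) version "([^"]+)"', re.MULTILINE)
_VENDORS = ("Temurin", "Corretto", "Zulu", "Microsoft", "Red_Hat", "SapMachine")

class JavaRuntime(NamedTuple):
    distribution: str  # "Oracle JDK" or "OpenJDK (<vendor>)"
    major: int         # 8, 11, 17, ...
    update: int        # 281 for "1.8.0_281"; 2 for "17.0.2"
    oracle_jdk: bool

def parse_version_banner(banner: str) -> JavaRuntime:
    """Parse the banner `java -version` writes to stderr."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("not a java -version banner")
    kind, version = m.groups()
    nums = [int(n) for n in re.findall(r"\d+", version)]
    if nums[0] == 1:  # legacy "1.8.0_281" scheme: major 8, update 281
        major, update = nums[1], (nums[3] if len(nums) > 3 else 0)
    else:             # JEP 223 "17.0.2" scheme: major 17, update 2
        major, update = nums[0], (nums[-1] if len(nums) > 1 else 0)
    oracle = kind == "java" and "Java(TM)" in banner
    vendor = next((v for v in _VENDORS if v in banner), None)
    dist = "Oracle JDK" if oracle else f"OpenJDK ({vendor})" if vendor else "OpenJDK"
    return JavaRuntime(dist, major, update, oracle)

def licence_flag(rt: JavaRuntime) -> str:
    """Bucket a runtime by the version rules stated in checklist item 05."""
    if not rt.oracle_jdk:
        return "no-oracle-obligation"
    if rt.major == 8:
        return "licence-required" if rt.update > 202 else "pre-8u203-review"
    if rt.major >= 17:
        return "nftc-review"  # free for most uses, but confirm the NFTC terms
    return "licence-required" if rt.major >= 11 else "unclassified-review"

def probe(java_exe: str) -> JavaRuntime:
    """Classify a discovered binary by running it (`-version` goes to stderr)."""
    p = subprocess.run([java_exe, "-version"], capture_output=True, text=True, timeout=30)
    return parse_version_banner(p.stderr + p.stdout)

def inventory(banners: dict) -> dict:
    """Path -> (distribution, licence flag) rows for the audit worksheet."""
    return {path: (rt.distribution, licence_flag(rt))
            for path, rt in ((p, parse_version_banner(b)) for p, b in banners.items())}

# Constructed sample banners standing in for discovered installations.
SAMPLE_BANNERS = {
    "/opt/jdk8/bin/java":
        'java version "1.8.0_281"\nJava(TM) SE Runtime Environment (build 1.8.0_281-b09)\n',
    "/opt/jdk8u202/bin/java":
        'java version "1.8.0_202"\nJava(TM) SE Runtime Environment (build 1.8.0_202-b08)\n',
    "/usr/lib/jvm/temurin-17/bin/java":
        'openjdk version "17.0.2" 2022-01-18\nOpenJDK Runtime Environment Temurin-17.0.2+8 (build 17.0.2+8)\n',
}
```

In a real run, feed `probe()` the `java` binaries found by your discovery tooling (package managers, container images, CI agents) and export `inventory()` rows to the worksheet used for item 03's exposure calculation.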

Section 2: Employee Model Exposure and Migration Strategy
06
You have identified all third-party commercial applications in your estate that bundle Oracle JDK internally — since Oracle can claim that these create an indirect Java SE licence obligation even if you never explicitly chose Oracle JDK.
High
Expert note: Many commercial applications — including Oracle's own products, some SAP components, and various enterprise middleware — bundle Oracle JDK internally. Oracle's position is that bundled Oracle JDK constitutes commercial Java SE use and creates a licence obligation for the host organisation under the employee-based model. Inventory all applications to identify those bundling Oracle JDK, and assess whether the application vendor is responsible for the Java SE licence or whether Oracle can assert a claim against you as the end user. This is a disputed area — seek specialist advice.
07
You have assessed your Java SE exposure under the employee model with the most conservative employee count (using Oracle's broad definition) and the most favourable count (using your narrowest defensible definition) — to frame the negotiation range.
Medium
Expert note: The employee count used in Oracle's Java SE calculation is the primary lever in any Java SE negotiation. Oracle will assert the broadest possible count; you should model the narrowest defensible count. The difference can be significant: if Oracle counts your contractors and outsourcers but your legal team argues for employed headcount only, the per-employee fee applies to potentially half as many people. Model both extremes, establish your defensible position on employee definition, and use this range to anchor the negotiation.
08
You have confirmed whether any Java SE licences purchased before 2023 (under the old per-Processor or NUP model) remain active — and whether Oracle is asserting that these must be converted to the new employee-based model.
High
Expert note: Oracle's 2023 licence change introduced the employee-based model as the default for new subscriptions, but the conversion of existing contracts is not automatic in all cases. Some organisations with perpetual Java SE licences or active pre-2023 subscriptions may have legitimate arguments that their existing licences continue under their original terms. Oracle has aggressively sought to convert legacy licence holders to the employee model — which typically increases cost significantly. Challenge Oracle's conversion assertion with legal review of your existing contract terms before agreeing to any licence model change.
09
You have a current-state migration plan for moving Oracle JDK deployments to OpenJDK-based alternatives — with a defined timeline, technical lead, and budget — as leverage in any Oracle Java SE negotiation.
High
Expert note: The most powerful lever in an Oracle Java SE negotiation is a credible, in-progress migration to OpenJDK. Oracle cannot force you to use Oracle JDK; OpenJDK, Amazon Corretto, Eclipse Temurin, Azul Zulu, and Microsoft Build of OpenJDK are all free, production-grade Java runtimes. An organisation with an active migration programme that demonstrates genuine intent to exit Oracle Java SE can negotiate significantly more favourable terms than one with no migration activity. Start the migration even if you intend to reach a negotiated settlement — it is the most valuable commercial lever you have.
10
You have evaluated the total 3-year cost of Oracle Java SE at the employee-based model against the cost of migrating the entire Java estate to OpenJDK — to determine whether negotiation or migration is the optimal strategy.
Medium
Expert note: For most organisations, migration to OpenJDK is the economically optimal long-term strategy. The migration cost — tooling, testing, application validation, and operational transition — is typically a one-time investment of £50k–£200k for a mid-sized estate. The Oracle Java SE subscription cost at the employee-based model is a recurring annual obligation. A 5,000-employee organisation paying £80k per year avoids £240k of subscription cost over 3 years against a £150k migration investment — a payback of less than 24 months. Model this comparison with your actual employee count and current Oracle Java SE pricing before any renewal.
Section 3: Audit Response and Negotiation Preparation
11
You have prepared your response to Oracle's Java audit inquiry — including a designated response owner, a legal hold on Java-related documentation, and a defined process for responding to Oracle's discovery requests without voluntarily providing data beyond what is legally required.
High
Expert note: Oracle Java SE audits frequently begin as 'licence reviews' or 'compliance conversations' rather than formal audit notifications. The initial Oracle contact is designed to gather information informally — before you have had an opportunity to assess your exposure and prepare a response strategy. Designate a response owner, impose a legal hold on Java-related discovery and licence documentation, and do not provide any data to Oracle outside a formal response framework. The data you provide in the first Oracle contact shapes the entire subsequent negotiation.
12
You have assessed whether the Oracle Java SE audit was triggered by a software discovery tool used by Oracle — and whether you have any grounds to challenge the legality or scope of Oracle's data collection methods.
Medium
Expert note: Oracle uses automated tools and software asset management partnerships to identify Java SE deployments without explicit customer consent. Some of these discovery methods — particularly where Oracle's tools are embedded in third-party SAM platforms — raise legitimate questions about the basis for data collection. If Oracle's audit is based on discovery data collected through a third-party tool, investigate the data provenance before accepting Oracle's assertion of your Java SE deployment footprint as accurate.
13
You have explored whether Oracle's equivalent of the Digital Access Adoption Program (DAAP) for Java — or any amnesty programme — applies to your situation, providing historical forgiveness in exchange for a new subscription agreement.
Medium
Expert note: Oracle has not introduced a formal Java SE amnesty programme equivalent to SAP's DAAP, but commercial discussions with Oracle on Java SE have resulted in negotiated settlements that include historical forgiveness in exchange for forward subscription agreements. For organisations with significant historical Java SE exposure (2019–2023 period), a negotiated settlement that includes historical forgiveness may be more cost-effective than paying back-billing demands in full. Explore this option through specialist negotiation support rather than direct Oracle account team discussions.
14
Your technical team has completed a compatibility assessment for the specific OpenJDK distribution most suitable for your environment — confirming that your applications run correctly on the target distribution before committing to migration.
Medium
Expert note: OpenJDK distributions are not always drop-in replacements for Oracle JDK in all application contexts. Some applications use Oracle JDK-specific APIs or JAR files that are not included in OpenJDK distributions. GraalVM native compilation, JavaFX, and Oracle-specific security providers are examples of Oracle JDK features not present in all OpenJDK distributions. Run a compatibility assessment on your target OpenJDK distribution — against your actual application portfolio — before committing to a migration programme.
15
You have confirmed the Java SE licence position for your cloud-based workloads — noting that Oracle charges the employee-based fee regardless of whether Java runs on-premises, in AWS, Azure, or OCI.
High
Expert note: Oracle's 2023 employee-based Java SE model applies universally: it does not matter whether Java runs on-premises, in the cloud, in containers, or in serverless environments. The fee is calculated on your total employee count regardless of deployment model. However, cloud-managed Java runtimes — AWS Lambda's Java runtime, Azure App Service's Java runtime, and similar managed environments — use OpenJDK internally and do not create Oracle JDK obligations. Confirm whether your cloud Java workloads use managed runtimes (OpenJDK, no obligation) or explicitly deployed Oracle JDK BYOL (employee model applies).
Section 4: Governance, Stakeholder Engagement, and Compliance
16
You have briefed your board and CFO on Oracle Java SE risk using financial terms — total annual subscription cost at employee-based pricing, historical back-billing exposure estimate, and migration cost — to secure the budget and mandate for action.
Medium
Expert note: Java SE risk is frequently treated as a technical issue managed by IT. The financial implications — annual subscription costs of £100k–£1M+ for mid-large enterprises, plus potential historical back-billing — require board-level awareness and CFO mandate. Prepare a one-page financial summary: worst-case annual subscription cost, best-case negotiated subscription cost, migration investment, and 3-year cost comparison. Present this to the CFO before Oracle escalates the conversation to an executive level — which Oracle routinely does when initial audit responses are delayed.
17
You have identified and engaged the business owners of every major application that uses Java — to build internal support for an OpenJDK migration programme and to identify any application-specific Java constraints that affect migration planning.
Medium
Expert note: OpenJDK migration success depends on application owner engagement. Database administrators, middleware teams, and application developers all have Java dependencies that must be addressed individually. Application owners who are unaware of the Java SE cost exposure have no incentive to prioritise migration. Communicate the financial impact of Oracle Java SE licensing to each application owner and engage them in migration planning. The migration is technically straightforward for most workloads — but organisationally complex without cross-functional buy-in.
18
You have a defined Java licence governance process — including an approved list of Java distributions, a prohibition on Oracle JDK installation without licence review, and a monitoring mechanism to detect new Oracle JDK deployments.
Medium
Expert note: Without a governance process, Java SE exposure grows organically: developers download Oracle JDK because it is the default result of a Google search, because legacy scripts reference it, or because build tools default to it. A simple policy — approved Java distributions list, prohibiting Oracle JDK without licence review, and an automated ITAM alert when Oracle JDK is installed — prevents new exposure from accumulating. Implement this governance as part of your software procurement and developer onboarding processes.
19
You understand that using Oracle JDK on developer workstations and CI/CD pipeline agents also creates a licence obligation under the employee-based model — not just server-side production deployments.
High
Expert note: Under the 2023 employee-based model, Oracle charges on total employee count regardless of where Java is deployed. Developer workstations, CI/CD pipeline agents, build servers, and test environments all constitute Oracle JDK commercial use. The employee-based fee is not reduced by limiting Oracle JDK to developers only — every employee in the organisation counts regardless of whether they personally use Java. This means that an organisation with 100 Java developers but 10,000 total employees pays based on 10,000 — not 100.
20
You have engaged independent Java SE licensing specialists — with experience in Oracle Java SE audit defence and OpenJDK migration — to validate your exposure assessment and negotiate the most favourable outcome.
High
Expert note: Oracle's Java SE audit team is experienced, well-resourced, and incentivised to maximise licence revenue. Organisations that negotiate Java SE directly with Oracle — without independent specialist support — consistently accept higher fee obligations than those who engage specialist advisers. At Redress, we have defended Java SE audits for clients across financial services, healthcare, retail, and manufacturing — reducing Oracle's initial demands by 40–70% in every case. We operate exclusively on the buyer side and have no commercial relationship with Oracle.
"Oracle's Java SE employee model has turned every enterprise into a potential audit target regardless of how much Java they actually use. We have yet to manage a Java SE engagement where the client's initial self-assessment was accurate — the exposure is almost always either larger or smaller than expected." — Morten Andersen, Redress Compliance

Interpreting Your Assessment Score

Count fully compliant items. Unknown answers should be treated as gaps for scoring purposes.

17–20
Strong Position
Controls mature. Schedule annual review to maintain as your estate evolves.
12–16
Moderate Exposure
Material gaps identified. Prioritise HIGH-risk items immediately and commission an independent review within 90 days.
0–11
High Exposure
Significant risk present. Do not engage Oracle commercially until independent specialists have assessed your position. Contact Redress immediately.

Oracle Java SE in 2026: The Audit Peak Has Arrived

Oracle's January 2023 shift to the employee-based Java SE model was designed to maximise revenue from organisations that had historically used Java under loose or no licence terms. Three years later, 2026 is the year when Oracle's 'soft inquiries' — letters asking you to confirm your Java SE licence position — are converting into formal audits with specific financial demands. Every organisation using Oracle JDK anywhere in its estate is a potential audit target, regardless of scale or industry.

The good news is that the alternatives are compelling. Amazon Corretto, Eclipse Temurin, Azul Zulu, and Microsoft Build of OpenJDK are all production-grade, enterprise-supported Java runtimes that carry no Oracle licence obligation. For most enterprise workloads, migration is technically straightforward. The complexity is organisational: identifying every Java deployment, engaging application owners, and completing the transition before Oracle escalates the audit.

Redress Compliance operates exclusively on the buyer side. We have advised on Java SE licensing compliance, audit defence, and OpenJDK migration across over 100 engagements since 2019. Contact us to begin an independent Java SE risk assessment.