Software Licensing in M&A Due Diligence: Risks, Checklist, and Integration Strategy

Why Software Licensing Is the M&A Due Diligence Blind Spot

In most M&A transactions, technology due diligence focuses on infrastructure quality, technical debt, cybersecurity posture, and integration complexity. Software licensing typically receives a fraction of the attention given to those areas — despite consistently producing some of the largest post-close financial surprises. A 2025 Nixon Peabody analysis documented multiple cases where acquirers discovered seven-figure licensing exposures only after transaction close, exposures that were directly attributable to licence terms that a thorough pre-close review would have caught.

The reasons for this gap are structural. Software licences sit at the intersection of legal, IT, finance, and procurement — no single M&A workstream owns them. Legal teams review contracts for change-of-control provisions but often lack the technical depth to assess deployment compliance. IT teams understand what software is deployed but rarely have access to the licence agreements governing that deployment. The result is a gap that vendors — particularly Oracle, SAP, IBM, and Microsoft — are experienced at identifying and exploiting at the moment of maximum leverage: immediately following deal announcement or close.

The Three Categories of M&A Licensing Risk

1. Change-of-Control and Non-Transferability Clauses

The majority of enterprise software licence agreements — particularly older on-premises agreements — contain change-of-control or anti-assignment provisions that restrict or prohibit the transfer of the licence to a new entity. These clauses take several forms. Some require vendor consent before the licence can be transferred to an acquirer. Others allow the vendor to terminate the agreement and demand renegotiation under new commercial terms if a change of control occurs. The most aggressive versions — found in some Oracle and SAP agreements — treat a change of control as a new deployment event, potentially requiring the acquirer to purchase additional licences at current list prices to cover the combined entity's use.

These clauses are not hypothetical risks. They represent a documented pattern of vendor behaviour in M&A contexts. Oracle, in particular, has a well-established practice of triggering licence reviews immediately following deal announcements, leveraging the acquirer's eagerness to close integration to extract commercial concessions that would be much harder to achieve in an arms-length renewal negotiation. The acquirer who has not reviewed the target's Oracle agreements before close is negotiating from weakness on day one of integration.

2. Compliance Gaps in the Target's Licence Estate

Targets in acquisition processes rarely conduct thorough internal licence compliance reviews. Licence drift — the gradual divergence between contractual entitlements and actual deployments — accumulates over time, particularly in growing organisations where IT infrastructure scales faster than the licence management programme that is supposed to track it. When an acquirer takes on a target, it also takes on the target's accumulated licence compliance exposure. A target that has been deploying Oracle Database in a VMware environment without properly accounting for processor coverage, or running IBM middleware without correctly configuring ILMT for sub-capacity licensing, is transferring that exposure to the acquirer along with the rest of its software estate.

For IBM specifically: sub-capacity licensing — which allows companies to license IBM software based on the capacity of the virtual machine rather than the physical server — is only valid if ILMT (IBM License Metric Tool) is correctly configured and reporting. Many organisations running IBM software on virtualised infrastructure have not properly deployed ILMT, which means their sub-capacity claims are invalid. In an audit following an M&A event, IBM would be entitled to calculate licence requirements based on full processor capacity — potentially generating an exposure several times larger than what the target believed it owed.

3. Post-Merger Integration Licence Costs

Even where the target's licence estate is fully compliant and cleanly transferable, the act of integrating two technology estates typically creates licence events that neither the acquirer nor the target anticipated. Combining user populations under a single Microsoft 365 or Salesforce tenant can trigger tier changes that increase per-seat pricing. Migrating the target's Oracle or SAP workloads onto the acquirer's infrastructure may require additional processor or named user licences if the integration involves new deployment environments. SAP indirect access — the licensing requirement triggered when non-SAP applications query SAP data through APIs — is a particular risk in integration scenarios where the acquirer's application portfolio begins interacting with the target's SAP systems before the licence implications have been assessed.

The M&A Licensing Due Diligence Checklist

A thorough software licensing due diligence review for an M&A transaction should cover the following areas. This is not an exhaustive legal review — it is a risk-identification exercise designed to surface the exposures with the greatest financial significance before close, so that they can be reflected in the deal price, indemnified in the transaction documentation, or remediated before integration begins.

Contract Review

Obtain copies of all active licence agreements for the target's top-20 software vendors by spend and by deployment criticality. Review each agreement for change-of-control provisions, assignment restrictions, audit rights, and any specific terms triggered by a corporate restructuring event. Pay particular attention to agreements with Oracle, SAP, IBM, Microsoft, and Salesforce — these five vendors account for the majority of M&A licensing disputes and have the most aggressive change-of-control enforcement track records. Flag any agreement where the vendor's consent is required for transfer, and assess the commercial risk of triggering that provision given the vendor's known behaviour in similar transactions.

Entitlement and Deployment Reconciliation

Request an entitlement report from the target's IT or SAM team showing all software purchases and their contractual terms. Cross-reference this against a discovery of the target's actual software deployments — either through the target's own SAM tools or through an independent discovery exercise. The gap between entitlements and deployment is your compliance exposure map. Prioritise reconciliation for the vendors with the highest audit risk and the most aggressive licence metrics: Oracle processor metrics in virtualised environments, IBM PVU or VPC calculations with ILMT coverage gaps, SAP named user licence requirements in hybrid landscapes, and Microsoft licensing in Azure-connected on-premises environments.

Open Source Audit

For technology companies or targets with significant in-house software development, an open source licence audit is essential. Open source components used in proprietary software carry licence obligations — including copyleft requirements that can, in some circumstances, affect the acquirer's ability to exploit the target's proprietary software assets commercially. Tools such as Black Duck or FOSSA provide automated open source discovery and licence compliance assessment, and their use in M&A contexts is increasingly standard practice for technology acquirers.

SaaS Agreement Review

SaaS agreements typically contain specific provisions governing change of control, data portability, and subscriber assignment. Review the target's major SaaS agreements — typically including Salesforce, ServiceNow, Workday, and the SaaS applications used by the target's business units — for any provisions that would require vendor consent, impose price renegotiation, or limit data portability at close. SaaS agreements negotiated by smaller targets are frequently less favourable than the terms an acquirer could negotiate independently, and integration may provide an opportunity to consolidate onto more advantageous commercial terms.

Structuring the Deal to Manage Licensing Risk

Once the due diligence review has identified the material licensing exposures, there are several mechanisms available to reflect or manage that risk in the deal structure. A price adjustment is the most direct approach: where the due diligence has identified a quantifiable compliance exposure — for example, a validated IBM ILMT gap that would support a specific audit claim — that exposure should be reflected in the purchase price. Specific indemnities in the transaction documentation provide targeted protection for identified licensing risks that cannot be resolved before close, requiring the seller to compensate the acquirer if identified exposures materialise post-close. Escrow arrangements — where a portion of the transaction proceeds is held pending resolution of licence reviews or vendor audits — provide a mechanism for managing exposures that are identified but cannot be precisely quantified at close. Representations and warranties insurance can cover residual licensing risks that are not specifically indemnified in the transaction documentation, though coverage terms vary and exclusions for known issues are typical.

Post-Merger Integration: Licensing Strategy

The 90 days following deal close are the highest-risk period from a licensing perspective. Vendors are most likely to trigger licence reviews or change-of-control discussions during this window, and the integration team's primary focus on operational continuity creates internal pressure to resolve vendor demands quickly — typically at an unfavourable price. The organisation that enters this period with a clear licensing strategy is significantly better positioned than one that is reacting to vendor approaches without preparation.

Prioritise vendor communication before close for any agreement where the change-of-control provision requires vendor consent. Approach these vendors proactively — ideally before deal announcement — to begin the consent and renegotiation conversation on terms that the acquirer controls. This approach is counterintuitive but consistently produces better commercial outcomes than waiting for the vendor to initiate contact after close. Vendors who are approached proactively by a well-prepared acquirer are less able to exploit the integration urgency that post-close vendor contacts typically leverage.

For the combined entity's major vendor relationships — Oracle, SAP, IBM, Microsoft, and Salesforce — use the integration event as an opportunity to consolidate licences, renegotiate commercial terms, and establish enterprise agreements that reflect the combined entity's scale. A combined organisation is typically a larger customer than either predecessor — and larger customers have more negotiating leverage, including the ability to negotiate volume discounts, multi-year price stability, and more favourable audit provisions. Integration is not merely a licensing risk event; managed properly, it is a commercial opportunity.