1. Open source as an opportunity and a hindrance
Open source software (OSS) is an integral part of modern vehicle architectures and a driver of digital transformation, from control unit software and connectivity stacks to AI-supported driver assistance functions. Its use shortens development cycles and reduces costs, but it does not take place in a legal vacuum: open source licences impose legally binding conditions, and failure to comply with them can result in the loss of usage rights, so that continued use constitutes copyright infringement.
In the automotive sector, open source compliance has become a key supply chain requirement: OEMs and system integrators require suppliers to provide comprehensive evidence of legally compliant software governance, with immediate implications for contract awards, contractual penalties and market access.
2. Copyright classification and regulatory differentiation in the automotive context
Open source licences are licence agreements that grant usage rights only if clearly defined conditions are met, typically obligations that attach to distribution, such as delivering the licence text and attribution notices and, under copyleft licences, the corresponding source code. A breach can terminate the licence, so that further use and distribution of the code infringe copyright.
In automotive practice, open source obligations intersect with a dense type approval and safety regime: changes to vehicle software (including OSS components) may affect type approval parameters and are subject to additional procedural requirements under UN Regulation No. 156 on software updates, particularly for over-the-air (OTA) campaigns.
3. Current stumbling blocks: a selection
- (a) Claims due to non-compliance with specific distribution requirements from open source licences
As in other industries, the legal consequences of a licence breach can be significant in the automotive sector. Rights holders in open source code can seek injunctive relief, up to and including a sales ban or a recall of delivered hardware (e.g. vehicles or ECUs with the embedded software).
Whether persons other than the rights holders, in particular customers who buy vehicles and usually 'just drive' them, have claims of their own when licence conditions agreed between rights holders and manufacturers are not met is a separate question. It will likely depend on whether the customer has suffered a specific disadvantage and whether the licence condition in question is intended to protect third parties. The licence obligations may also have to be interpreted in light of the regulatory and safety requirements that apply to automotive manufacturers.
- (b) Claims for disclosure of own code
In addition, the so-called 'copyleft effect' may require the disclosure of proprietary code: strong copyleft licences such as the GPL condition distribution on making the corresponding source code of the whole combined work available, so proprietary algorithms linked with GPL code into one binary can become subject to the disclosure obligation once the ECU is delivered. This affects the core value of the software of OEMs and suppliers as an asset, with significant competitive consequences in SDV platforms, ADAS stacks and infotainment ecosystems. Weak copyleft licences such as the LGPL or MPL limit the obligation to the licensed component itself, which is why the licence category and the way a component is combined with proprietary code (static linking, dynamic linking, separate process) have to be assessed together.
- (c) General governance requirements
In due diligence reviews, unclear open source licensing conditions regularly lead to purchase price reductions, indemnities or transaction cancellations – a key risk given the complex software supply chains in the automotive industry.
Most OEMs require auditable open source governance, including a software bill of materials (SBOM) and verification of update integrity; non-compliance can lead to exclusion from supply chains and tendering procedures or to contractual penalties. Open source compliance is thus a prerequisite for entry into the vehicle supply chain.
4. Conclusion and strategic recommendations for action
Open source compliance is an integral part of corporate risk management in the automotive sector and is directly linked to cybersecurity and update regimes. Our specific recommendations for OEMs and suppliers at all tiers:
- (d) Conduct a baseline audit of your type approval-relevant software products and supply chain artefacts, with a particular focus on:
- (i) Licence analysis and architecture review (permissive vs. weak vs. strong copyleft, and how each component is combined with proprietary code) in SDV, ADAS, infotainment and connectivity platforms, including IP protection and type approval compliance.
- (ii) Design and audit of open source policies and processes in line with the Software Update Management System (SUMS, UN R156) and the Cyber Security Management System (CSMS, UN R155), including RXSWIN (the regulation software identification number that ties an approved software configuration to the type approval) and update documentation for regulatory audits.
- (e) Establish an interdisciplinary governance structure (legal, engineering, procurement, security) and link open source processes to SUMS/CSMS requirements (threat and risk analyses, update validation, RXSWIN management) to secure audits and market access.
- (f) Implement continuous SBOM and configuration control, so that the SBOM is generated from the actual build and re-checked on every change, and ensure the integrity and authenticity of updates in accordance with R156: signed update packages verified on the target ECU before installation, a defined recovery path if an update fails (rollback), and information for the vehicle user.
- (g) Regularly raise awareness and train development teams on licensing obligations and security requirements (security by design, compliance by design), including copyleft risks in embedded systems, where static linking into a single firmware image is the norm.
- (h) Assess conformance with OpenChain (ISO/IEC 5230 for licence compliance, complemented by ISO/IEC 18974 for security assurance) to increase supply chain trust and efficiently support audit and certification processes (R155/R156).
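As an added example (not part of the original article and not legal advice), the following Python script shows how the licence analysis recommended under (i) can be automated over the CycloneDX SBOM that (e) and (f) call for. It classifies each component's SPDX licence expression as permissive, weak copyleft or strong copyleft, resolves dual-licence ("OR") choices, and flags components whose licence is missing or whose copyleft licence conflicts with the way they are combined with proprietary code. The sample SBOM, the category table and the custom `linkage` property are constructed for illustration; the property name is our own convention, not a CycloneDX standard field.

```python
"""Classify licences in a CycloneDX SBOM and flag copyleft exposure.

Added example, not from the original article. Assumptions:
- SBOM is CycloneDX JSON; licences are SPDX ids or flat SPDX expressions.
- How a component is combined with proprietary code is recorded in a custom
  CycloneDX property named "linkage": "static", "dynamic" or "process".
- The licence table is a minimal illustration, not a legal opinion.
"""
import json
import re

# Coarse category per SPDX id: 0 permissive, 1 weak copyleft, 2 strong copyleft.
CATEGORY = {
    "MIT": 0, "Apache-2.0": 0, "BSD-2-Clause": 0, "BSD-3-Clause": 0,
    "LGPL-2.1-only": 1, "LGPL-2.1-or-later": 1, "LGPL-3.0-only": 1, "MPL-2.0": 1,
    "GPL-2.0-only": 2, "GPL-2.0-or-later": 2, "GPL-3.0-only": 2, "AGPL-3.0-only": 2,
}
NAMES = {0: "permissive", 1: "weak-copyleft", 2: "strong-copyleft"}


def expression_category(expr):
    """Category of a flat SPDX expression, or None if any id is unknown.

    'A OR B' is a dual licence: the integrator may choose the least restrictive
    branch. 'A AND B' means both apply: the most restrictive branch governs.
    """
    branch_cats = []
    for branch in re.split(r"\s+OR\s+", expr.strip(), flags=re.IGNORECASE):
        ids = re.split(r"\s+AND\s+", branch.strip(), flags=re.IGNORECASE)
        cats = [CATEGORY.get(i.strip("() ")) for i in ids]
        if any(c is None for c in cats):
            return None  # unrecognised identifier: needs human review
        branch_cats.append(max(cats))
    return min(branch_cats)


def component_category(component):
    """Category of one component; None when a licence is missing or unknown."""
    entries = component.get("licenses") or []
    if not entries:
        return None
    cats = []
    for entry in entries:
        if "expression" in entry:
            cats.append(expression_category(entry["expression"]))
        elif "license" in entry and "id" in entry["license"]:
            cats.append(CATEGORY.get(entry["license"]["id"]))
        else:
            cats.append(None)  # free-text "name" only: cannot classify
    return None if any(c is None for c in cats) else max(cats)


def linkage(component):
    """Read our custom 'linkage' property; 'unknown' if it is absent."""
    for prop in component.get("properties") or []:
        if prop.get("name") == "linkage":
            return prop.get("value")
    return "unknown"


def assess(sbom):
    """Return (component, category name, finding) for every component."""
    findings = []
    for comp in sbom.get("components", []):
        name = f"{comp.get('name')}@{comp.get('version', '?')}"
        cat, link = component_category(comp), linkage(comp)
        if cat is None:
            findings.append((name, "unknown", "licence missing or unrecognised: block release until resolved"))
        elif cat == 2 and link != "process":
            # GPL code linked (statically or dynamically) into the same program
            # is generally treated as one combined work.
            findings.append((name, NAMES[cat], "strong copyleft combined with proprietary code: "
                             "source disclosure of the combined work likely; isolate or replace"))
        elif cat == 2:
            findings.append((name, NAMES[cat], "strong copyleft in separate process: ship corresponding source"))
        elif cat == 1 and link == "static":
            findings.append((name, NAMES[cat], "weak copyleft statically linked: must allow relinking"))
        elif cat == 1:
            findings.append((name, NAMES[cat], "weak copyleft: ship library source and licence text"))
        else:
            findings.append((name, NAMES[cat], "permissive: ship licence text and attributions"))
    return findings


def release_blockers(findings):
    """Names of components that must be resolved before the image ships."""
    return [n for n, cat, msg in findings
            if cat == "unknown" or msg.startswith("strong copyleft combined")]


# Constructed sample SBOM for an ECU firmware image (not a real product).
SAMPLE_SBOM = json.loads("""
{"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1, "components": [
 {"type": "library", "name": "cJSON", "version": "1.7.15",
  "licenses": [{"license": {"id": "MIT"}}],
  "properties": [{"name": "linkage", "value": "static"}]},
 {"type": "library", "name": "glibc", "version": "2.38",
  "licenses": [{"license": {"id": "LGPL-2.1-or-later"}}],
  "properties": [{"name": "linkage", "value": "dynamic"}]},
 {"type": "application", "name": "busybox", "version": "1.36.1",
  "licenses": [{"license": {"id": "GPL-2.0-only"}}],
  "properties": [{"name": "linkage", "value": "process"}]},
 {"type": "library", "name": "libdual", "version": "0.1",
  "licenses": [{"expression": "GPL-2.0-only OR MIT"}],
  "properties": [{"name": "linkage", "value": "static"}]},
 {"type": "library", "name": "libcrypt-gpl", "version": "3.0",
  "licenses": [{"license": {"id": "GPL-3.0-only"}}],
  "properties": [{"name": "linkage", "value": "static"}]},
 {"type": "library", "name": "vendor-blob", "version": "3.0"}
]}
""")

if __name__ == "__main__":
    for name, cat, msg in assess(SAMPLE_SBOM):
        print(f"{name:22} {cat:16} {msg}")
    print("release blockers:", release_blockers(SAMPLE_SBOM and assess(SAMPLE_SBOM)))
```

Running the script prints one line per component; the dual-licensed `libdual` resolves to permissive, while the statically linked GPL library and the component without any licence entry appear as release blockers. In a real pipeline the SBOM would come from the build system rather than an embedded string, and the category table would be replaced by the organisation's reviewed licence policy.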
Open source compliance, cybersecurity and update engineering form a mutually reinforcing governance triad in the automotive industry. We support you with combined expertise in IT law, IP strategy and technical implementation, and with many years of experience in the automotive sector, to make innovations legally compliant and sustainable.