The appeal of self-hosted open source software is straightforward. A business pays for its own hosting infrastructure, deploys software that carries no per-seat or per-user licence fee, and retains control over its data and configuration. Compared to SaaS subscriptions that compound annually and scale with headcount, the economics appear compelling.
What a growing number of UK businesses are discovering — often at the worst possible moment — is that open source does not mean free of commercial obligation. The licensing frameworks governing many of the most widely deployed open source applications contain provisions that create genuine legal liability for organisations that exceed certain usage thresholds, modify source code, or deploy software in ways the licence does not permit. And the hosting choices made when deploying these applications can be the precise trigger that pushes a business from compliance into violation.
The Licensing Landscape Most Businesses Have Not Read
Open source software is not governed by a single unified licence. It is governed by a diverse and sometimes contradictory ecosystem of licence frameworks, each with its own specific obligations and commercial implications. Understanding the distinctions between them is not merely an academic exercise — it is a practical compliance requirement.
The GNU Affero General Public Licence (AGPL) is among the most significant for businesses deploying web applications. Unlike the more familiar GPL licence, the AGPL extends its copyleft requirements to cover software accessed over a network. In practical terms, this means that if a business modifies AGPL-licensed software and makes it available to users — even over an internal network — it may be legally required to publish the source code of those modifications. For businesses that have customised an AGPL application to integrate with proprietary systems or to implement bespoke business logic, this obligation can be deeply uncomfortable. Many organisations are unaware that their customisations fall within scope.
The Business Source Licence (BSL or BUSL) has gained considerable traction in recent years as commercial software companies seek to protect revenue streams from large-scale competitive use. BSL-licensed software is typically available for free use below a defined threshold — often expressed in terms of user numbers, revenue, or production deployment scale — and converts to a more permissive licence after a specified period, commonly four years. The critical point for UK businesses is that the threshold at which commercial licensing becomes required is often lower than organisations assume, and crossing it without a commercial agreement in place constitutes a licensing violation.
Commons Clause is an addendum applied to otherwise permissive licences such as MIT or Apache that restricts the sale of the software or services substantially derived from it. Businesses that have built commercial services on top of Commons Clause-licensed software — including internal services delivered to clients — may find that their commercial model conflicts with the licence terms in ways that were not apparent at the time of adoption.
How Hosting Decisions Trigger Licensing Liability
The relationship between hosting environment choices and licence compliance is not always intuitive, but it is direct and consequential.
Consider a UK business that deploys an AGPL-licensed analytics platform on its own infrastructure and makes modifications to the codebase to accommodate its specific reporting requirements. If that platform is accessed by users — whether internal staff or external customers — over a network connection, the AGPL's network use provision is engaged. The business may be obligated to make its modified source code available. If it has not done so, it is in breach of the licence terms, regardless of whether the software was ever distributed externally in the traditional sense.
The scale of the hosting environment can similarly determine whether a BSL threshold has been crossed. A business that begins with a modest internal deployment and gradually expands user access — adding teams, departments, or client-facing functionality — may cross a usage threshold without any single deliberate decision triggering the transition. The licence violation emerges incrementally, through ordinary business growth, rather than through any identifiable moment of non-compliance.
Cloud infrastructure choices introduce additional complexity. Some BSL licences specifically restrict use by cloud service providers or businesses offering managed services. A UK managed service provider that deploys BSL-licensed software as part of its client service delivery may find that its entire service model falls outside the permitted use cases of the licence, irrespective of the scale of any individual deployment.
The Compliance Risk That Follows
Open source licence enforcement has historically been inconsistent, and many UK businesses have operated on the implicit assumption that violations are unlikely to attract attention. This assumption is becoming less reliable.
Several of the software companies that have adopted BSL and similar commercial licensing frameworks have done so precisely because they intend to enforce those licences against commercial users who exceed permitted thresholds. Enforcement activity — through legal correspondence, formal demands, and in some cases litigation — has increased in frequency across European jurisdictions. UK businesses are not immune.
The consequences of a licence violation can extend beyond the immediate remediation cost. A business found to be operating outside its licence terms may be required to cease use of the software immediately, which — if the application in question is embedded in core operations — creates an acute business continuity problem. Alternatively, it may face demands for retrospective commercial licence fees calculated from the point at which the threshold was first exceeded, which can represent a significant and unanticipated financial liability.
Practical Steps for UK Businesses
The starting point for any business currently running self-hosted open source applications is a structured licence audit. This means identifying every open source component in the application stack — not merely the headline application, but its dependencies and libraries — and reviewing the licence terms applicable to each.
For applications licensed under AGPL, BSL, or Commons Clause variants, the audit should assess whether current deployment and usage patterns fall within permitted use cases, and whether any modifications to the codebase create disclosure obligations. Where uncertainty exists, legal advice from a solicitor with software licensing expertise is warranted.
For businesses that find themselves in violation — or approaching a threshold that would create a violation — the options typically include obtaining a commercial licence from the software vendor, restructuring the deployment to fall within permitted use cases, or migrating to an alternative application with more permissive licensing terms. None of these options is without cost or disruption, but all are preferable to the alternative of continuing in non-compliance.
Hosting providers with experience supporting business-critical applications can play a meaningful role in this process. The architecture of your hosting environment — how users access the application, how the deployment is structured, and how usage is monitored — directly affects your compliance position. Engaging infrastructure expertise early, rather than after a licence dispute has already begun, is the more prudent approach.
The economics of self-hosted open source software remain genuinely attractive for many UK businesses. However, those economics only hold if the licensing obligations are understood and managed. The cost of non-compliance has a habit of exceeding the subscription fees that self-hosting was intended to avoid.
