For three years, we have been writing about Oracle’s Java licensing enforcement as a slow-motion campaign — one that began with “friendly” compliance emails, continued through a series of escalating sales-team overtures, and rarely produced a formal audit letter. That campaign is now changing character. In 2026, the soft outreach is giving way to formal audit notices issued under Oracle’s license management function — what used to be called LMS, and is now branded Global Licensing and Advisory Services, or GLAS. The letters are arriving. They look and feel different from what Oracle Java customers have seen for the last several years. And the pattern of who is getting them is not random.
Our view, which we have previewed in earlier posts, is that this moment has been structurally inevitable since early 2023 — the year Oracle replaced its prior Java SE subscription with the Java SE Universal Subscription, a per-employee model that made Java dramatically more expensive for most enterprises and fundamentally changed Oracle’s enforcement economics. This post explains why the formal audits are finally here, what they actually look like, and what Oracle Java customers should be doing before — or, if the letter has already arrived, during — the audit.
How We Got Here
The current story starts with Oracle’s decision, announced in January 2023, to move Java SE off a per-user and per-processor model and onto a per-employee model covering every employee, contractor, and agent of a subscribing entity — whether or not they actually use Java. We wrote about the immediate commercial effect in Oracle Changes Java SE Licensing Rules and Prices Explode, and the practical upshot has not changed: for most enterprises the cost of Oracle Java increased dramatically, in many cases by a multiple of what the prior subscription had charged. Many companies concluded, reasonably, that the new model was not for them. They began evaluating OpenJDK, Amazon Corretto, Azul Zulu, and other supported alternatives. Some migrated. Some did not.
What happened next was not a quiet period. It was a campaign. As we described in Oracle Java Licensing Enforcement: How “Friendly Outreach” Is Driving Significant Compliance Risk, Oracle’s sales and compliance teams began contacting organizations with pointed but informal questions about their Java deployments. Those inquiries were frequently positioned as helpful — an offer to “clarify” licensing status, or a suggestion that the company might qualify for a “special transition” subscription. In Warning to Oracle Customers: Don’t Be Fooled By Oracle’s Java Playbook, we explained why that framing was — and is — dangerous. The calls and emails were not customer service. They were pre-litigation intake.
Why the Formal Audits Are Finally Coming
Three things have changed in 2025 and 2026 that are now driving formal audit letters in volume.
First, Oracle has had three years to gather data. As we discussed in How Oracle Uses Online Agreements for “Free Software” to Trap Companies, Oracle tracks downloads of Java binaries in detail — IP addresses, corporate domain associations, download timestamps, and whatever account information was used at download. It also logs the automatic update check-ins made by every installed copy of Oracle Java that has not been affirmatively disconnected from Oracle’s servers. Three years of that telemetry, cross-referenced against whatever the friendly outreach emails extracted from the company directly, is now a usable audit foundation. The companies Oracle is sending formal letters to in 2026 are not being chosen at random.
Second, the soft-outreach stonewall has produced a target list. Companies that responded to the friendly outreach by buying the subscription on Oracle’s terms were never going to receive a formal audit letter — they were already paying. Companies that simply did not respond, or that responded with a polite “we use non-Oracle Java,” were implicitly telling Oracle that the only way to convert them was through the audit clause in their existing Oracle agreements or through the click-wrap terms they accepted when they downloaded Oracle Java. Three years later, that target list is mature.
Third, Oracle has business reasons to push harder now. As we wrote in our recent coverage of the Rimini Street settlement, Oracle’s financial story has pivoted to a cloud and AI infrastructure business whose margins are widely understood to be thinner than its legacy support business. The support and subscription revenue line — the line that includes the Java SE Universal Subscription — has become more, not less, critical to Oracle’s investor narrative. Converting long-resistant Java customers into subscription customers, via audit, is directly aligned with that strategy.
There is a fourth factor worth naming separately. We have seen an emerging pattern — which we flagged earlier and which the trade press has since confirmed — of Oracle declining to sell Java subscriptions to certain customers unless those customers first disclose detailed usage and employee-count information. In some instances, companies that tried to buy their way into compliance have been told, in effect, that compliance is not available to them without first producing the data that typically comes out of an audit. That is not a sales process. It is a structure for manufacturing non-compliance, and in-house counsel should treat it as such.
What a Formal Java Audit Letter Looks Like
The formal audit letters arriving in 2026 look meaningfully different from the outreach emails that preceded them. They are typically addressed to a named C-suite executive — CIO, CFO, or General Counsel — and signed by an Oracle GLAS representative rather than a salesperson. They cite an audit clause either in the company’s existing Oracle Master Agreement (if the company holds other Oracle products) or in the Oracle Technology Network License Agreement that governed the original Java download. They name an audit window — commonly forty-five days — and specify whether the review will be conducted directly by GLAS or through a designated third-party auditor. And they set an expansive scope: global employee counts, deployments by version, installation inventories, virtualization and cloud environments, and anything Oracle believes relates to its employee-metric calculation. For readers who want a deeper walk through how Oracle conducts these engagements generally, our earlier post Oracle Knows More About You Than You Think: Lessons from Oracle v. Kelkar remains directly on point.
What Oracle Java Customers Should Be Doing Now
Whether or not a formal letter has already arrived, a few things are worth doing now.
Inventory your own Java deployments before Oracle tells you what they are. The most damaging audit outcomes we see are the ones where the company learns the size of its Java footprint from Oracle — usually at a moment when the company has lost most of its negotiating leverage. Counsel-led internal discovery, done under privilege, almost always produces a more favorable result.
Understand which license terms actually govern your Java usage. Not every Java installation is governed by the same agreement. Versions and licenses have changed several times since 2019, and what you downloaded in 2018 is almost certainly not what you downloaded in 2024. Older, more permissive license grants still exist in many environments. Identifying them is often the single most important step in a Java audit defense.
Do not respond to “friendly outreach” without counsel. The consistent pattern we see is that informal responses to Oracle’s pre-audit inquiries become the foundation of the formal audit that follows. If an email from an Oracle Java team member has landed in your inbox and you have not yet responded, treat it the way you would treat a preservation letter.
If the formal audit letter has arrived, assert the procedural protections you are entitled to. Oracle audit clauses are negotiable in practice, even if they look one-sided on the page. Scope, timeline, choice of auditor, and handling of proprietary data are all areas where experienced counsel can substantially change the trajectory of an audit.
Closing Thought
None of this was unpredictable. We wrote, in Java Audits Likely Will Increase as Oracle Seeks to Move Java Users onto its Total Employee Metric, that the shift to the employee metric would eventually produce a wave of formal audits, and that the quiet soft-outreach period was not a feature of Oracle’s enforcement posture but a phase of it. That phase is now closing. The companies that treated the last three years as a chance to prepare — to inventory, to analyze their contracts, and to reduce their dependence on Oracle Java where alternatives exist — are in a materially stronger position than those that assumed the outreach would simply go away. It did not. It never does.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.