Open a source code audit right to clients whose contract justifies it — sensitive public bodies, critical infrastructures, strong sovereign requirements — under non-disclosure agreement
What this is, concretely
This commitment does not consist of publishing the source code — the publisher remains owner and retains all rights — but of recognising for certain clients a right of verification by independent eyes. The distinction is essential: an audit right opened under non-disclosure agreement preserves intellectual property and trade secrets while answering a legitimate need for verification on matters that cannot be verified by certificates. The clients concerned are typically sensitive administrations, operators of vital importance (OIVs) and operators of essential services (OESs) within the meaning of NIS2, certain ministries, and actors of critical infrastructure (energy, transport, health, finance) whose contract carries strong sovereign requirements.
The audit right, formally written into the contract, specifies several parameters: (a) the scope of the audit — components covered, type of review (review of supply-chain practices, review of declared third-party components, search for backdoors, cryptography review, secrets-management review); (b) the material conditions — access in a controlled environment (dedicated room, hardened workstations), capped duration, authorised persons (the client’s internal auditors, ANSSI or its European equivalent, an independent audit firm chosen by the client from an agreed list); (c) the confidentiality regime — non-disclosure agreement (NDA), restitution limited to a conclusions report shareable with a defined number of named persons; (d) the frequency — typically once a year, or on a triggering event. This commitment directly informs domain 7 of the Sovereignty Profile (transparency and auditability).
Why this commitment matters
Thesis 13 of the manifesto grounds this commitment: “Technological sovereignty is not an end in itself. It is the condition under which an organisation — a business, an administration, an individual — can continue to operate its data and conduct its operations, whatever happens: provider failure, geopolitical conflict, sanctions, hostile takeover, unilateral flip by a publisher. It is a right, not a comfort.” For critical operators, operating one’s data and conducting one’s operations “whatever happens” presupposes the ability to verify what runs in the chain of trust, and not simply to rely on a publisher’s declaration. The audit right is the instrument that makes this verification possible without requiring full code opening.
This commitment forms part of the new section “Conditions of equivalence for the proprietary publisher” of the About page. The “source code audit right” condition is the seventh and the most directly oriented towards sensitive actors. It complements pub-005-establish-software-escrow (escrow, which concerns the moment when the publisher disappears) by allowing during the life of the contract a verification equivalent to what open source publishers offer their users by default. Without this commitment, the gap between an open source publisher and a proprietary publisher remains maximal for clients for whom verification is non-negotiable. With this commitment well framed, a proprietary publisher can serve markets that public-procurement doctrine would otherwise reserve for open source.
A concrete example
A French publisher of an EDR (endpoint detection and response) solution for administrations and critical operators, around 70 employees, takes this commitment in May 2026 with a 12-month horizon. The trajectory goes through several stages. First quarter: drafting of an audit procedure in collaboration with an accredited cybersecurity firm (PASSI), definition of an isolated audit environment (dedicated workstation, code unpacked on an encrypted volume, full logging of consultations). Second quarter: drafting of a standard clause integrated into the framework contract for OIV/OES clients and for ministerial public-procurement contracts, validated by the publisher’s legal services and by a pilot client.
Third and fourth quarters: conduct of a first audit with a pilot client (a ministry), covering the conformity of the declared supply chain, the cryptographic review, and the search for backdoors. The report, delivered under NDA, concludes without major reservation. By the 12-month horizon, the clause is integrated into all new contracts with qualified clients and the procedure is publicly documented (without sensitive technical detail) in the Sovereignty Profile. Several responses to ministerial tenders explicitly mention the audit right as a differentiator, and the publisher observes an acceleration of consultations on markets reserved for this level of requirement.
Anti-pattern to avoid
An audit right that is theoretical but surrounded by conditions so restrictive as to be inoperable in practice (only on the publisher’s premises, on site, without tools, with very long notice, on a trivial scope) empties the clause of all content. An audit limited to auditors chosen and paid by the publisher itself brings no independence. Restitution so constrained by confidentiality that the client cannot even share the conclusions with their own security leadership runs counter to the spirit of the commitment. Conversely, an audit right opened to all clients without qualification puts intellectual property and the security of the product itself at risk — the commitment must remain targeted at clients whose contract justifies it.
Success indicators
By the 12-month horizon, you can reasonably consider this commitment fulfilled if the audit clause is integrated into the standard contract for qualified clients, if the audit procedure is documented and validated by an accredited firm, if at least one audit has been conducted with a pilot client and its report delivered under the agreed conditions, and if mention of this commitment appears in the Sovereignty Profile.
Documented in the dossier
JSON schema category: audit. Default horizon: 12 months. Applicable to: businesses.