SovereigntyGap.

Conduct an internal audit of our exposure to single-vendor technology dependencies

Systematically examine your technologies to identify those whose trajectory depends on a single publisher.
Estimated read: ~3 minutes. Commitment sheet published in the manifesto’s positive program, declarable from the Sovereignty Profile.

What this is, concretely

This commitment consists of systematically examining the technologies you use in order to identify those whose trajectory depends on a single publisher — what the manifesto calls single-vendor projects. These projects are under the exclusive control of a company that can, at any time, change the licence, restrict the conditions of use, or dismantle the free edition, as Redis Inc. did in March 2024, HashiCorp in August 2023, Elastic in 2021, MongoDB in 2018, or MinIO between 2025 and 2026.

The audit is not meant to produce an exhaustive report on your whole stack — it specifically targets the components that are strategic for your operations. The usual method is as follows: list the components whose failure would block your activity, identify for each the publisher or foundation that controls its governance, and qualify the nature of that governance (neutral multi-vendor foundation, single-vendor project with a commercial enterprise edition, closed proprietary, etc.).

The result is a map that makes the zones of concentrated risk visible. This map then serves as the basis for operational decisions — for example, prioritising migration to an alternative for a component whose flip risk has become a concern.

Why this commitment matters

Many organisations discover their exposure at the moment it materialises through a flip. That is too late. The migration cost is then at its peak — time pressure, unplanned resources, untrained teams, unqualified alternatives. Conversely, an organisation that has carried out the audit in calm waters can plan its response calmly: it has identified the alternatives, costed the effort, perhaps even tested a proof of concept.

At the collective level, the aggregation of these audits — when they are published — feeds the manifesto’s gap observatory (/dossier). If several hundred European organisations all observe that they depend heavily on the same US registry or the same single-vendor component, that concentration becomes a signal for public investment and IPCEI-CIS programmes.

A concrete example

A French regional administration with about 200 staff and a typical IT stack runs the audit as follows. The IT team inventories the strategic components starting from three broad categories: infrastructure (hypervisor, container orchestrator, storage), critical business applications (ERP, document management, HR management), and digital services to citizens (portal, online forms, integrated third-party services). For each component, the team documents the publisher, the jurisdiction, and the governance model.

The audit identifies four zones of concentration on US single-vendor or proprietary components: the collaboration suite (Microsoft 365), the antivirus (CrowdStrike), part of document management (a proprietary solution whose cloud edition is hosted in the United States), and the leave-management system (a US SaaS). For each, the team identifies a credible alternative — Nextcloud + Collabora for collaboration, an open source EDR for antivirus, a Cegid solution for document management, a French solution for leave management. No migration is started immediately, but the map serves to inform future procurement cycles and to prepare a multi-year plan to reduce exposure.
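As an added illustration (not part of the manifesto's sheet), the following Python sketch encodes the method described above: an inventory of strategic components with publisher, jurisdiction and governance model, grouped into a concentration map and then filtered to the zones worth a migration study. The inventory entries, the publisher names marked hypothetical, and the flip-risk weights are constructed assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Governance models named in the sheet, with an illustrative flip-risk weight
# (an assumption of this example): a single-vendor project can relicense at
# any time, a closed proprietary product is already locked in, a neutral
# multi-vendor foundation cannot relicense unilaterally.
FLIP_RISK = {"neutral-foundation": 0, "closed-proprietary": 1, "single-vendor": 2}

@dataclass
class Component:
    name: str
    publisher: str      # entity controlling the governance
    jurisdiction: str   # country code of that entity
    governance: str     # one of the FLIP_RISK keys
    blocking: bool      # would its failure block operations?

def build_map(inventory, home=("FR", "EU")):
    """Group the strategic (blocking) components by controlling publisher.
    The result is the map of concentration zones the audit should produce."""
    zones = defaultdict(list)
    for c in inventory:
        if c.blocking:
            zones[(c.publisher, c.jurisdiction, c.governance)].append(c.name)
    zone_map = [
        {"publisher": pub, "jurisdiction": jur, "governance": gov,
         "components": sorted(names), "flip_risk": FLIP_RISK[gov],
         "foreign": jur not in home}
        for (pub, jur, gov), names in zones.items()
    ]
    # Most concentrated first: number of components, then flip-risk weight.
    zone_map.sort(key=lambda z: (-len(z["components"]), -z["flip_risk"]))
    return zone_map

def priority_zones(zone_map):
    """Zones to study first: foreign control that can change terms unilaterally."""
    return [z for z in zone_map if z["foreign"] and z["flip_risk"] > 0]

# Constructed inventory loosely modelled on the regional-administration example.
INVENTORY = [
    Component("collaboration suite (Microsoft 365)", "Microsoft", "US", "closed-proprietary", True),
    Component("identity directory", "Microsoft", "US", "closed-proprietary", True),
    Component("endpoint protection (CrowdStrike)", "CrowdStrike", "US", "closed-proprietary", True),
    Component("leave management SaaS", "LeaveCo (hypothetical)", "US", "closed-proprietary", True),
    Component("in-memory cache", "CacheCorp (hypothetical)", "US", "single-vendor", True),
    Component("container orchestrator", "CNCF", "US", "neutral-foundation", True),
    Component("citizen portal CMS", "Assoc. CMS (hypothetical)", "FR", "neutral-foundation", True),
    Component("internal wiki", "WikiVendor (hypothetical)", "US", "single-vendor", False),
]
```

Note that the foundation-governed orchestrator is not flagged even though its foundation sits in the US: the point of the audit is the governance model, not only the country of the publisher.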

The administration publishes a public summary of the audit (without sensitive details) on its website, which becomes a signal for alternative providers and feedback for other administrations.

Anti-pattern to avoid

An audit that merely lists publishers without examining the nature of governance, or that aggregates “everything is open source so all is well” without distinguishing neutral foundation from single-vendor, misses the goal. Likewise, a confidential, unpublished audit does not feed the commons and benefits only the organisation that conducted it.

The audit is not a tool for retrospective blame either. Many choices were made years ago in a different context. The aim is to produce a clear-eyed picture to guide future decisions, not to judge past ones.

Success indicators

By the horizon you set (typically 12 months), you can reasonably consider this commitment fulfilled if you have: a written map of strategic components with their governance jurisdiction, a qualification of the governance model for each component, identification of at least one alternative for the highest-risk components, and publication or internal sharing of the result.

The commitment does not require that you have acted on the risk zones — the audit is the knowledge step, action comes next (and is the subject of other possible commitments, such as user-004-study-migration-single-vendor).

→ Documented in the dossier

JSON schema category: audit. Default horizon: 12 months. Applicable to: businesses, public administrations, associations, foundations, research institutions.


Commitments library: user-001-audit-dependencies. Licence: CC BY-SA 4.0.