Mitigating Open-Source Software Risks in National Grid Infrastructure Projects: Foreign Contractor Licensing and Liability in Philippine Government Contracts

Introduction: why open-source choices can become a legal and contracting problem

Foreign contractors delivering software to the Philippine government—especially in power transmission and other national grid-related projects—often embed open-source components into proprietary systems (e.g., SCADA add-ons, asset management tools, cybersecurity monitoring, analytics modules). This is common and frequently technically sound.

However, in the Philippines, open-source use can create corporate licensing exposure and contract and dispute exposure when (a) the foreign entity is unlicensed but is considered “doing business” locally, (b) the deliverable is sold/implemented under government procurement or PPP arrangements, (c) the software distribution model conflicts with open-source license obligations, and (d) liability and warranty terms are tested by critical infrastructure incidents.

1) Governing Philippine legal sources that matter for foreign software contractors

Foreign corporation licensing / “doing business” risk. Philippine regulators treat participation in government bidding and project implementation as potentially constituting “doing business,” which can require a Philippine license for a foreign corporation. This is discussed in SEC-OGC Opinion No. 14-21 (2014), which warns that even a single government bidding and contract implementation may be treated as “doing business” depending on the circumstances.

PPP confidentiality and regulated disclosure. For PPP-type arrangements (including certain interconnection/interface situations), confidential business information submitted under the PPP Code is protected, but confidentiality yields when disclosure is mandated by law or by a valid court/regulatory order. This is recognized in the Public-Private Partnership (PPP) Code of the Philippines, Republic Act No. 11966 (2023), particularly on confidentiality of information and interface risks (e.g., MOAs for interconnection/interface plans).

National grid context and risk allocation. Where a project is tied to the national transmission system, risk allocation is influenced by the statutory role of NGCP and the public-interest nature of grid operations. Republic Act No. 9511 (2008) includes an express clause requiring the grantee to hold governments harmless for claims arising from accidents or injuries caused by construction/installation/operation/maintenance of the transmission system and grid (a policy signal that grid-related activities are treated as high-consequence public infrastructure).

Construction/infrastructure disputes and arbitration exposure. Grid infrastructure projects often bundle software with construction/installation. The Supreme Court has held that even non-parties to a construction contract’s arbitration clause may be bound where they are significantly and substantially connected—such as assignees or those who assumed rights/obligations under the contract. This is discussed in Hyundai Engineering Co., Ltd., et al. v. National Grid Corporation of the Philippines, et al. (G.R. Nos. 214743 & 248753, 2023), which also recognizes CIAC jurisdiction for construction disputes where the arbitration agreement binds the disputants directly or by reference.

2) The central warning: open-source compliance can be a licensing and liability multiplier

Open-source itself is not prohibited. The risk is that open-source obligations (such as source-code disclosure, copyright notices, attribution, redistribution terms, and copyleft conditions) can collide with a contractor’s representation that it is delivering fully proprietary software, or with government contract terms that expect unrestricted use, modification, escrow arrangements, or broad warranty/indemnity coverage.

When that collision happens in a government setting, the exposure is amplified: audits, cybersecurity incident investigations, COA/regulatory inquiries, and disputes may demand disclosure of code provenance and licensing records. Under Republic Act No. 11966 (2023), confidentiality protection is not absolute and can yield to a valid court or regulatory order.

3) “Doing business” in the Philippines: why a software delivery to government can require a license

Foreign contractors sometimes assume that a single contract, offshore development, or “project-based” work is exempt from Philippine licensing. SEC-OGC Opinion No. 14-21 (2014) cautions otherwise: participation in government bidding and subsequent project implementation may be treated as “doing business”, which typically requires a license to do business in the Philippines.

In software terms, risk factors often include sustained onshore presence, local project teams, acceptance testing, deployment, maintenance, patching, or operating infrastructure (e.g., servers or devices) in-country. The more the foreign corporation’s activities resemble continuing commercial dealings rather than isolated sales, the greater the exposure to a “doing business” finding.

4) Typical open-source risk scenarios in national grid or similar critical infrastructure IT

The following scenarios commonly create contractual breach or regulatory friction:

  • Copyleft components embedded in proprietary deliverables. A contractor includes GPL/LGPL-like components in a way that may require disclosure of certain source code or modifications, conflicting with the contractor’s proprietary positioning or the government’s expected rights.
  • Missing attribution/notice obligations. The contractor fails to deliver license texts, copyright notices, and attribution files required by permissive licenses (e.g., MIT/BSD/Apache-style patterns).
  • Unclear third-party IP warranties. The contract promises broad non-infringement warranties and indemnities without properly carving out open-source, leading to unpriced and uncontrolled exposure.
  • Security patching duties collide with version pinning. The government requires rapid patching for vulnerabilities, but the contractor’s open-source dependency chain is undocumented or unmaintained, increasing operational risk.
  • Audit or dispute requires provenance proof. In investigations or arbitration, the contractor cannot show a software bill of materials (SBOM), license inventory, or approval trail, weakening defenses and increasing settlement pressure.

5) Contracting and dispute implications: why arbitration and “assumption of obligations” matter

Even when the IT vendor is not the original signatory to a construction contract, it may still be drawn into arbitration if it is substantially connected to the contract or has assumed obligations. Hyundai Engineering Co., Ltd., et al. v. National Grid Corporation of the Philippines, et al. (G.R. Nos. 214743 & 248753, 2023) teaches that parties beyond the original signatories may be bound by arbitration clauses when their relationship to the contract is significant (e.g., assignment or assumption of rights and obligations).

For foreign IT contractors, this means open-source compliance issues can become arbitration issues in a broader grid project dispute—especially where software performance, cybersecurity, system availability, or integration is treated as part of the project’s deliverables.

6) A compliance-first checklist for foreign contractors selling software to the Philippine government

Below is a compliance checklist that aligns open-source governance with Philippine licensing and government-contract realities:

| Risk area | What to do before bidding | What to do before delivery/acceptance |
|---|---|---|
| Foreign corporation licensing | Assess whether the bid + implementation constitutes “doing business” and whether a Philippine license is needed; plan the contracting structure accordingly (SEC-OGC Opinion No. 14-21, 2014). | Confirm the licensed entity is the one performing and invoicing; ensure project activities match the approved scope and documentation. |
| Open-source license compliance | Create an SBOM and license inventory; flag copyleft risks early; decide what can/cannot be used in deliverables marketed as proprietary. | Deliver required notices/attributions and license texts; document source availability obligations (if any); keep reproducible build records. |
| Warranties and indemnities | Draft realistic IP warranties; avoid absolute statements inconsistent with open-source use; price residual risk. | Provide a third-party software schedule; align warranty language with actual OSS components and compliance steps. |
| Confidentiality vs. compelled disclosure | Assume code provenance may be reviewed in audits or proceedings; prepare a disclosure protocol. | Maintain a “ready-to-produce” compliance packet; remember confidentiality may yield to lawful court/regulatory orders (RA 11966, 2023). |
| Dispute readiness | Map which contracts contain arbitration clauses and who may be treated as bound/connected. | Preserve compliance evidence for arbitration or CIAC-type dispute settings (Hyundai Engineering v. NGCP, 2023). |
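The scenarios in section 4 (copyleft in a proprietary deliverable, missing attribution, no provenance) and the SBOM/license-inventory row above can be checked mechanically before acceptance. The following is an added illustration, not code from the article or from any contractor: it reads a constructed CycloneDX-style SBOM and classifies each component against an assumed proprietary-deliverable policy; the component names, versions and the policy buckets are assumptions, not a legal determination for any actual license.

```python
import json

# Constructed sample SBOM in CycloneDX-style JSON; the component names and
# versions are invented for illustration, not taken from any real project.
SAMPLE_SBOM = json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
    {"name": "modbus-shim", "version": "3.1.6", "licenses": [{"license": {"id": "LGPL-2.1-only"}}]},
    {"name": "plot-engine", "version": "2.0.0", "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    {"name": "jsonparse", "version": "1.4.2", "licenses": [{"license": {"id": "MIT"}}]},
    {"name": "netutil", "version": "0.9.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"name": "legacy-driver", "version": "1.0.0"},  # no license declared at all
]})

# Policy buckets keyed by SPDX identifier (assumed policy, not a legal determination).
COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only", "GPL-3.0-or-later", "AGPL-3.0-only"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-2.1-or-later", "LGPL-3.0-only", "MPL-2.0"}
PERMISSIVE = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}

def component_licenses(comp):
    """Return declared SPDX ids for a component, or ['UNKNOWN'] if none."""
    ids = [e.get("license", {}).get("id") or e.get("license", {}).get("name")
           for e in comp.get("licenses", [])]
    return [i for i in ids if i] or ["UNKNOWN"]

def review_sbom(sbom_json, notices_delivered):
    """Classify each component for a deliverable positioned as proprietary.
    notices_delivered: names of components whose license text and attribution
    are included in the notice package handed over at acceptance."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        name = comp["name"]
        for lic in component_licenses(comp):
            if lic in COPYLEFT:
                status, why = "BLOCK", "strong copyleft: source-disclosure terms conflict with proprietary positioning"
            elif lic in WEAK_COPYLEFT:
                status, why = "REVIEW", "weak copyleft: confirm linking model and whether modifications must be disclosed"
            elif lic in PERMISSIVE:
                status, why = ("OK", "attribution delivered") if name in notices_delivered \
                    else ("FIX", "permissive license but notice/attribution missing from delivery")
            else:
                status, why = "BLOCK", "no recognised license: provenance cannot be proven"
            findings.append((name, lic, status, why))
    return findings

def acceptance_ready(findings):
    """True when nothing is blocked and no notice is missing; REVIEW items still need a recorded decision."""
    return all(status in ("OK", "REVIEW") for _, _, status, _ in findings)

if __name__ == "__main__":
    for name, lic, status, why in review_sbom(SAMPLE_SBOM, {"jsonparse"}):
        print(f"{status:6} {name:14} {lic:14} {why}")
```

The findings list is the kind of license inventory an auditor or arbitral tribunal would ask to see; keeping it with the build records gives the provenance trail section 4 says contractors usually lack.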

7) Risk allocation in grid projects: why consequences are higher

National grid projects are treated as public-interest infrastructure. This affects how parties view diligence, safety, continuity, and accountability. Republic Act No. 9511 (2008) requires the grantee to hold national and local governments harmless from claims arising from accidents or injuries caused by construction/installation/operation/maintenance of the transmission system and grid. While this clause directly binds the franchise grantee, it illustrates the policy context: grid incidents produce public harm, and risk allocation tends to be scrutinized.

For foreign contractors, this translates into higher expectations on software integrity (including third-party code governance), cybersecurity maintenance, and documentary readiness.

8) Recommendations for foreign contractors: what to implement immediately

  • Conduct a Philippine “doing business” assessment before bidding or signing, and align the delivery model with licensing requirements (SEC-OGC Opinion No. 14-21, 2014).
  • Adopt an SBOM and open-source approval workflow tied to release management, so open-source components are never “accidentally shipped.”
  • Align contract language with OSS reality: third-party software schedules, notice delivery, limited IP warranties consistent with open-source use, and clear maintenance/security patch obligations.
  • Build a disclosure-ready compliance file because confidentiality in PPP or government settings may yield to lawful orders (Republic Act No. 11966, 2023).
  • Plan for arbitration exposure where software is embedded in construction/integration deliverables, and where assumption/assignment theories may bind related parties (Hyundai Engineering v. NGCP, G.R. Nos. 214743 & 248753, 2023).

Conclusion

Open-source components can be used responsibly in proprietary systems sold to the Philippine government, but only with disciplined compliance and a contracting posture that matches the real licensing and operational model. For foreign contractors in national grid-related projects, the biggest recurring problems are not technical—they are documentary (SBOM, notices, provenance), structural (foreign licensing/“doing business”), and contractual (warranties, disclosure, dispute pathways). Address these before bidding, and treat open-source governance as part of deliverable acceptance, not as an afterthought.

About Nicolas and De Vega Law Offices

Nicolas and de Vega Law Offices is a full-service law firm in the Philippines. You may visit us at the 16th Flr., Suite 1607 AIC Burgundy Empire Tower, ADB Ave., Ortigas Center, 1605 Pasig City, Metro Manila, Philippines. You may also call us at +632 84706126, +632 84706130, +632 84016392 or e-mail us at [email protected]. Visit our website https://ndvlaw.com.