| Aspect | Self-Assessed Dependencies | Verified Dependencies | Verified Software Licence | Software Licence Assurance | 
|---|---|---|---|---|
| Purpose | Entry-level self-assessment of direct dependencies | External verification of all dependencies, without requiring a licence | Confirms appropriate licence choice and full compliance | Mature, ongoing governance of licences and dependencies | 
| Suitable For / Scope | Early-stage projects, internal tools, initial governance | Projects nearing release without a licence; internal tools | Software ready for public release, distributed or externally available | Actively governed OSS projects committed to compliance | 
| Validation | Developer self-assessment; no external validation | Verified by Licence Management Team using SCA or equivalent | Reviewed by Licence Management Team via SLA service or structured process | Licence Management Team review following internal audit; ongoing monitoring | 
| Effort Level | Low – basic analysis documenting direct dependencies | Medium – full external dependency verification | High – detailed analysis and artefact creation | Very high – continuous governance and validation | 
| Licence Declaration | Not required | Not required | Required | Required, with full compliance framework | 
| Dependency Coverage | Direct only; transitive optional | All, including transitive; mutually compatible licences | All verified, compliant and compatible with chosen licence | All validated through CI/CD integration |
| Requirements | Listed in Software Catalogue; identify direct dependencies; mutually compatible licences; no critical vulnerabilities or licence violations | As for the previous level, extended to all dependencies | As for the previous level, plus GÉANT-approved licence; correct artefacts; licence in documentation, Software Catalogue, repository metadata, and website | As for the previous level, plus designated compliance officer; CI/CD-integrated SCA tools; licence monitoring; contributor onboarding; tool maintenance; audits; documented processes |
| Artefacts | Internal list of direct dependencies and licences; optional NOTICE or README | SCA report listing licences and vulnerabilities | As for the previous level, plus LICENSE, COPYRIGHT, README, NOTICE, CHANGELOG, CONTRIBUTING | As for the previous level, plus compliance records; suggested SBOM |
| Certification Process | Submit notification | Submit dependency report | Submit after SLA review and artefact finalisation | Provide repository access, documents, and audit evidence | 
| Governance & Maintenance | Maintained by developers; occasional checks possible | Maintained by developers; reviewed by Licence Management Team; occasional checks | Maintained by developers; reviewed at certification; occasional checks | Continuous maintenance; designated compliance officer; biennial audits; occasional checks | 
| Validity Period | 5 years (renewable) | 5 years (renewable) | Indefinite (unless revoked) | Indefinite (with biennial audits) | 
| Revocation Triggers | Missing dependencies; licence conflicts; critical vulnerabilities; unresolved complaints; non-responsiveness | As for the previous level, for all dependencies | As for the previous level, plus unapproved licence changes; incorrect artefacts; non-compliance; distribution violations | As for the previous level, plus outdated tools/processes/documents; ignored errors; failed audits; unmaintained practices; misrepresentation of compliance |
| Limitations | Self-assessment only; not validated; no distribution permission; no licence selection | No distribution permission; no licence selection | Not a legal audit; excludes patents, export controls, and data protection | Not a legal or security audit; unsuitable for prototypes; requires sustained adherence and collaboration | 