THE POLICY EDGE

The OECD case study "Due Diligence Essentials for Responsible Software" outlines a framework for applying risk-based due diligence to the software sector, as digital systems become central to economic and social infrastructure.

With global software spending estimated at $675 billion, the report highlights a shift from innovation-led growth to managing environmental, social, and governance (ESG) risks embedded across the software lifecycle.

A key concern is the resource intensity of AI and cloud computing, with data centres projected to consume up to 945 TWh of electricity by 2030. To improve accountability, the OECD emphasises tools such as the Software Bill of Materials (SBOM), which enables firms to track software components and identify potential security, compliance, and sourcing risks.

The report also underlines that risks in the software ecosystem extend beyond technology to include labour conditions in data annotation, algorithmic bias, cybersecurity vulnerabilities, and intellectual property challenges.


Key Impacts: Environmental, Social, and Governance (ESG)

  • Environmental (The Energy Surge): Software isn't "weightless." Data centers already use 1.5% of global electricity, and AI models require massive cooling and power. The OECD predicts demand will hit 945 TWh by 2030, making "Green Coding" (writing efficient code that uses less power) a necessity.

  • Social (Human Rights & Labour): The industry relies on a "hidden" workforce in lower-income countries for data enrichment and content moderation. These workers often face low wages and trauma from viewing harmful content. Additionally, AI bias can lead to unfairness in hiring, while mass surveillance software threatens individual privacy.

  • Governance (Market Power & IP): A few "Big Tech" firms dominate the market, often creating monopolies that stifle smaller startups. Furthermore, Generative AI has created a "Copyright Crisis," as models "scrape" data from creators without permission or payment.


The Challenges

  • Regulatory Lag: Innovation moves at lightning speed, while laws move slowly. This creates "governance gaps" where new AI tools are used before safety rules are even written.

  • Fragmented Rules: Different countries have different digital laws, making it difficult for Indian software exporters to stay compliant across the US, Europe, and Asia.

  • Accountability: In a complex cloud ecosystem, it’s often hard to pin down who is responsible when a third-party software component fails or leaks data.


The Opportunities

  • International Convergence: Countries are finally agreeing on "due diligence" rules, meaning a company that follows OECD standards will find it easier to do business globally.

  • Control Points: By focusing on "choke points" like data centers and semiconductor makers, regulators can efficiently monitor the entire software industry.

  • Traceability via SBOM: Using a Software Bill of Materials allows companies to quickly locate affected components and fix security holes, building substantial trust with their customers.
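The traceability that the report attributes to an SBOM comes down to one operation: joining the list of components a product ships against a list of known advisories. The following is an added illustration, not code from the OECD report or from this publication. It uses a hand-built, CycloneDX-style SBOM dictionary and a constructed advisory list with placeholder identifiers (EXAMPLE-ADV-000x); the component names, versions and advisories are all invented for the example, and version comparison is a simplified numeric dotted scheme rather than a full semver implementation.

```python
"""Toy SBOM-driven vulnerability check (added example; constructed data).

The SBOM below mimics the CycloneDX JSON layout (bomFormat, specVersion,
components with name/version/purl).  The advisory list is invented and
uses placeholder ids; a real check would pull advisories from a
vulnerability database keyed on the same package identifiers.
"""
from __future__ import annotations

# Constructed SBOM: what one hypothetical release actually ships.
SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"name": "libexample-json", "version": "2.4.1",
         "purl": "pkg:generic/libexample-json@2.4.1"},
        {"name": "fastlog", "version": "1.0.7",
         "purl": "pkg:generic/fastlog@1.0.7"},
        {"name": "imageutil", "version": "3.2.0",
         "purl": "pkg:generic/imageutil@3.2.0"},
        # A component with no recorded version: an SBOM quality problem
        # that the checker must surface rather than silently skip.
        {"name": "legacy-widget", "purl": "pkg:generic/legacy-widget"},
    ],
}

# Constructed advisories with placeholder ids (not real CVEs).
# "affected_below" means every version strictly older than it is affected.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "package": "fastlog",
     "affected_below": "1.1.0", "fixed_in": "1.1.0"},
    {"id": "EXAMPLE-ADV-0002", "package": "imageutil",
     "affected_below": "3.1.0", "fixed_in": "3.1.0"},
    {"id": "EXAMPLE-ADV-0003", "package": "libexample-json",
     "affected_below": "2.5.0", "fixed_in": "2.5.0"},
    {"id": "EXAMPLE-ADV-0004", "package": "legacy-widget",
     "affected_below": "9.9.9", "fixed_in": "9.9.9"},
]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '2.4.1' into (2, 4, 1) so tuples compare numerically.

    Simplified: handles dotted integers only, not pre-release tags.
    """
    return tuple(int(part) for part in text.strip().split("."))


def find_affected(sbom: dict, advisories: list[dict]) -> dict:
    """Join SBOM components against advisories.

    Returns {"hits": [...], "unversioned": [...]}: hits are components
    whose shipped version is older than the advisory's fix; unversioned
    are components the SBOM lists without a version, which cannot be
    assessed and should be treated as an SBOM defect to fix.
    """
    by_name = {c["name"]: c for c in sbom.get("components", [])}
    hits, unversioned = [], []
    for adv in advisories:
        comp = by_name.get(adv["package"])
        if comp is None:
            continue  # package not shipped, advisory irrelevant
        if "version" not in comp:
            unversioned.append(comp["name"])
            continue
        if parse_version(comp["version"]) < parse_version(adv["affected_below"]):
            hits.append({
                "component": comp["name"],
                "shipped": comp["version"],
                "advisory": adv["id"],
                "fixed_in": adv["fixed_in"],
            })
    return {"hits": hits, "unversioned": sorted(set(unversioned))}


if __name__ == "__main__":
    report = find_affected(SBOM, ADVISORIES)
    for hit in report["hits"]:
        print(f"{hit['component']} {hit['shipped']}: {hit['advisory']} "
              f"(upgrade to {hit['fixed_in']})")
    for name in report["unversioned"]:
        print(f"{name}: no version recorded in SBOM, cannot assess")
```

Running it against the constructed data flags fastlog and libexample-json as shipping affected versions, leaves imageutil alone because 3.2.0 already carries the fix, and reports legacy-widget as unassessable. That last category is the practical point of the report's traceability argument: an SBOM is only as useful as the completeness of its version data, so a due-diligence process has to check SBOM quality, not just run the join.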


What is "Risk-Based Due Diligence"?

Risk-Based Due Diligence is the process of finding and fixing the negative impacts a company might have on people or the planet. It acts as a catalyst for Corporate Trust because it shifts a company from "fixing mistakes after they happen" to "preventing them during the design phase."

In practice this means moving from "growth at any cost" to "growth with a conscience": a developer checks for AI bias or high energy use before launching an app, rather than after. For the Indian tech sector, this is a primary lever for establishing global leadership in ethical software development.


Policy Relevance: Positioning India in Global Software Governance

  • Aligns with emerging global standards: Adoption of due diligence frameworks can support Indian firms in meeting compliance expectations in major markets such as the EU and US, particularly for software exports.

  • Addresses regulatory gaps through industry practice: In the absence of fully developed domestic regulation, such frameworks can provide interim guidance for risk management in areas like AI, data use, and software supply chains.

  • Supports responsible AI development: Tools such as software traceability (SBOM) can help developers assess risks related to data quality, bias, and security vulnerabilities across AI systems.

  • Strengthens digital infrastructure security: Greater visibility into software components can improve risk detection in critical systems, including digital public infrastructure such as UPI and health platforms.


Read the full report here: OECD, "Due Diligence Essentials for Responsible Software" (official spotlight).
