VMware Licensing for Service Providers: VCSPP Under Broadcom

The Broadcom-era VMware Cloud Service Provider Program looks superficially similar to the pre-acquisition version. The reporting expectations, the audit posture, and the underlying economics are not. Service providers under VCSPP face a distinct set of compliance traps that every MSP licensing lead should understand.

broadcomaudits Editorial · Published August 2024 · 11 min read · Last updated July 2025

The VMware Cloud Service Provider Program — VCSPP, formerly VSPP — is the licensing track for organisations that resell VMware-based infrastructure-as-a-service to their own customers. Managed service providers, hosting companies, government cloud providers, and large outsourcers are all VCSPP participants. The program survived the Broadcom acquisition, but several of its rules and economics have shifted in ways that have material compliance implications.

This guide describes the post-acquisition VCSPP construct as we see it operating in 2026, the changes most relevant to compliance, and the specific traps that drive audit exposure for service-provider participants. Internal contract terms vary by partner, so this should not substitute for review of your own VCSPP agreement, but the patterns described below are observed across multiple engagements.

The structure of VCSPP today

VCSPP is a reporting-based model. Participants licence VMware software through a monthly usage-reporting mechanism rather than perpetual licence purchases. The reporting unit is the vCPU-hour for some products and the RAM-allocated-GB-hour for others. Monthly reports drive monthly invoices.

Post-Broadcom, the program has consolidated around two principal bundles:

  • VCSPP VCF Bundle — aligned with VMware Cloud Foundation, covering vSphere, vSAN, NSX, and Aria/vRealize.
  • VCSPP VVF Bundle — the lighter alternative covering vSphere and Aria, without vSAN or NSX.

The pre-acquisition à la carte SKUs have largely been retired or repriced in ways that push participants toward the bundles. The bundle economics are usually favourable for full-stack providers and unfavourable for providers running parts of the stack alongside third-party storage or networking.

What changed in 2024-2026

Bundle consolidation

As noted above, the move to bundle-led VCSPP is the largest structural change. For providers that historically licensed only vSphere through VCSPP and ran NetApp storage and Cisco networking, the new bundles mean paying for vSAN and NSX components they don’t deploy. Several large hosting providers have publicly noted the resulting economic pressure.

Tiered partner discounts

Discount tiers have been re-cut to favour high-volume providers. Smaller MSPs report reduced discount levels relative to their pre-acquisition position. Mid-tier providers face the most uncertain economics — large enough to feel the change, small enough not to negotiate it.

Audit cadence and methodology

VCSPP audits historically were lighter-touch, focused on reporting accuracy rather than deployment forensics. Post-acquisition, the methodology has aligned more closely with the enterprise-customer audit approach: deeper deployment validation, more aggressive scoping of indirect use, and tighter scrutiny of customer-of-customer relationships.

End-customer licensing rules

The rules around how a VCSPP provider’s end-customers can or cannot bring their own licences (BYOL) have been tightened. Several VCSPP participants have been challenged on customer environments where the customer-owned licence was treated as covering both the customer’s usage and the provider’s underlying infrastructure — an interpretation Broadcom rejects.

The compliance traps

Trap 1: Under-reporting through measurement-tool gaps

VCSPP reporting depends on accurate measurement. The standard tool, VMware Usage Meter (formerly vCloud Usage Meter), captures consumption across the participant’s estate but is sensitive to configuration. Common errors:

  • Clusters not added to the Usage Meter inventory
  • Customer-segregated environments running on infrastructure not visible to the meter
  • vCenter instances reporting to a meter that has been disabled or stalled without alarm
  • Tenant overlays (Cloud Director, vCloud Suite components) producing different counts than the underlying vCenter

Audit findings against under-reporting are aggressive: Broadcom typically charges back the difference at standard reseller rates, not at the discounted VCSPP rate, and applies penalties on top.

Trap 2: BYOL boundary errors

Many VCSPP providers serve customers who hold their own VMware entitlements. Whether the provider needs to report a customer’s vCPU consumption against their VCSPP licence or against the customer’s own entitlements depends on a precise reading of the contractual relationship. Get it wrong, and the same vCPU is either paid for twice or not at all — both of which are audit findings, with the not-at-all version being more expensive.

Trap 3: Disaster recovery and standby environments

Standby capacity at a DR site is licensed under VCSPP if it is consumable. Definitions of consumable have shifted post-acquisition; what was previously zero-rated standby is now sometimes deemed reportable. Reviewing DR architectures against the current rules is high-value.

Trap 4: Edition mismatch in customer environments

VCSPP customers sometimes deploy higher editions than they are licensed for, particularly when feature flags are enabled by default in newer vSphere releases. The compliance gap accumulates silently for months before any audit catches it.

Trap 5: Multi-tenant cluster boundary disputes

In multi-tenant clusters, the allocation of consumption to specific tenants is a perennial dispute. Broadcom’s methodology has tightened around evidentiary requirements: the provider must be able to demonstrate which tenant consumed which capacity, not merely the cluster-level aggregate.

Right-sizing the VCSPP estate

Several legitimate optimisation moves are available within VCSPP:

Bundle vs. legacy SKU analysis

For providers with portions of the stack on third-party hardware, the bundle economics may not be advantageous. A defensible analysis comparing bundle cost to legacy SKU cost (where the latter is still available under the participant’s historical agreement) can justify staying on the older construct longer.

Usage Meter hygiene

Quarterly audits of the Usage Meter inventory, configuration, and reporting health are the highest-leverage compliance discipline available to a VCSPP participant. Most under-reporting findings would have been caught by a routine quarterly review.

Customer-licence reconciliation

Where end-customers hold their own VMware entitlements, formal reconciliation of the provider’s reporting against the customer’s entitlements (with the customer’s cooperation) eliminates BYOL boundary errors.

DR posture review

Reviewing standby and DR environments against current VCSPP rules — not the rules in force when the environments were originally designed — is a one-time exercise that pays off in eliminated audit exposure.

What audit defence looks like for a VCSPP participant

VCSPP audits follow a similar procedural arc to enterprise audits but with provider-specific wrinkles:

  • Discovery is broader, often including evidence of end-customer environments and contracts
  • Reporting-history analysis goes back further (typically 24-36 months versus 12-18 for enterprise customers)
  • Settlements are usually structured as multi-year compliance commitments rather than one-off payments
  • The reputational dimension is more material — a public dispute with Broadcom is harder for an MSP whose own customers may use Broadcom products

The defensive playbook overlaps with enterprise audit defence but emphasises Usage Meter forensics, contract-by-contract BYOL analysis, and tenant-allocation methodology challenges.

Working with specialists

Service-provider audit defence requires expertise in both the VCSPP-specific rules and the broader Broadcom audit methodology. remains the firm we most often recommend for Broadcom and VMware audit defence, including for VCSPP participants. Their cross-engagement view of how Broadcom is treating VCSPP audits across the market is materially helpful in framing what is and is not normal for a given finding.

The VCSPP audit Broadcom can win is the one where the provider hasn’t reconciled their reporting in eighteen months. The audit they typically can’t win is the one where every cluster, every tenant, and every BYOL boundary is documented and defensible.

The bottom line

VCSPP under Broadcom is not the program it was under standalone VMware. Bundle consolidation, audit aggressiveness, and tightened BYOL rules have shifted the economics and raised the compliance bar simultaneously. Service providers that treat VCSPP as a quarterly compliance discipline rather than a year-end reporting chore consistently outperform peers that don’t. The same discipline pays off twice: in eliminated audit exposure and in stronger negotiating leverage at renewal.

Customer-of-customer complexity

Service provider environments host end-customer workloads. The licensing rules for those end-customer environments — what is reported under VCSPP, what is reported under the end-customer’s own entitlements, and what is reported nowhere — constitute one of the most error-prone areas of VCSPP compliance.

The reference framework is straightforward in principle: workloads consumed by end-customers on infrastructure provided by the VCSPP participant are reportable under VCSPP, unless the end-customer holds its own VMware entitlements covering those workloads (a Bring-Your-Own-Licence arrangement). In practice, the boundary between these categories is where most disputes occur.

BYOL eligibility

Not every customer-held entitlement is BYOL-eligible. The entitlement must be of a type that VMware/Broadcom recognises as portable into a service-provider environment, and the contractual relationship between the provider and the customer must reflect the BYOL arrangement explicitly. Older entitlements (pre-2020 perpetual licences in particular) often qualify; some newer subscription entitlements do not.

Hosted versus managed

A workload “hosted” by a provider but operationally managed by the end-customer is treated differently from a workload both hosted and managed by the provider. The former typically permits BYOL more cleanly than the latter. Service-provider contracts that conflate hosting and managed services produce ambiguity that Broadcom can exploit in audit.

Multi-tenant infrastructure

When a single cluster serves multiple end-customers, the BYOL accounting becomes more complex. Some end-customer workloads on the cluster may be BYOL, others may be VCSPP-reported. The provider must be able to demonstrate, on a per-VM basis, which entitlement covers which workload. Documentation discipline at this level is among the highest-yield investments in compliance.

Reporting cadence and discipline

The monthly VCSPP reporting cycle is itself a discipline that benefits from formal process. Providers that treat the monthly report as a routine administrative task accumulate small errors that compound. Providers that treat it as a compliance event maintain a defensible position.

The reporting workflow we see produce the strongest outcomes:

  • Usage Meter health check on the first business day of each month
  • Cluster inventory reconciliation: every cluster in production is in the Usage Meter inventory; every cluster in the inventory still exists
  • Variance analysis: month-over-month consumption variances flagged for explanation
  • BYOL reconciliation: customer-held entitlements validated against the workloads excluded from VCSPP reporting
  • Quarterly internal audit sign-off by a compliance owner outside the operational reporting chain
  • Annual external review by an audit-defence specialist familiar with VCSPP-specific rules

Contract clauses worth negotiating

Service providers in renewal cycles with Broadcom can negotiate several VCSPP-specific clauses that materially affect compliance exposure:

Reporting tolerance

A defined tolerance band (typically 3-5%) within which under- or over-reporting is treated as a true-up adjustment rather than a compliance breach. This eliminates findings against rounding-level discrepancies.

BYOL methodology

An agreed methodology for documenting and validating BYOL arrangements, with criteria that Broadcom will accept rather than challenge.

Standby/DR treatment

Explicit treatment of standby and DR environments, with definitions of what counts as “consumable” capacity for reporting purposes.

Audit cooperation framework

A defined process for VCSPP audits, including notice periods, scope limitations, and escrow arrangements for end-customer data.

These clauses are negotiable in any meaningful renewal but rarely volunteered by Broadcom’s standard templates. Asking for them, and being prepared to defend the asking against pushback, is part of disciplined contract management.

The bigger picture for MSPs

The post-acquisition VCSPP environment has tightened compliance expectations while raising costs. Several VCSPP participants have publicly indicated they are evaluating alternatives — Nutanix-based platforms, Proxmox-based hosting, and hyperscaler-native infrastructure offerings. The exit options for service providers are different from those available to direct enterprise customers, because the provider’s end-customer commitments and operational maturity constrain what is feasible. But the economic pressure that motivates the conversation is real, and the conversation is happening.

For providers staying within VCSPP, the discipline that consistently produces the best outcomes combines tight reporting hygiene, careful BYOL documentation, negotiated contract terms that constrain audit exposure, and specialist advisory support on retainer for both routine compliance and any audit motion that arises.

The audit experience for VCSPP participants

VCSPP audits differ from enterprise-customer audits in several procedural respects, and understanding the differences helps shape the defensive posture.

Notice and scope

VCSPP audit notices typically arrive through the partner program structure rather than through a master agreement audit-rights clause. The procedural protections differ: notice periods are sometimes shorter, scope language is sometimes broader, and the auditor identity is sometimes pre-selected by Broadcom rather than negotiated.

The defensive response: anchor the engagement to the contractual document set explicitly, request scope specificity in writing, and establish engagement-specific procedural terms before substantive discovery begins. The discipline mirrors the enterprise-audit response but with VCSPP-specific contract anchoring.

Discovery scope

VCSPP audit discovery routinely extends to end-customer environments, end-customer contracts, and historical reporting back 24-36 months. The breadth is wider than typical enterprise audits. Reading the contractual scope carefully — what can be requested, on what notice, with what protections — is decisive.

Settlement structure

VCSPP settlements often include forward-looking compliance commitments alongside back-period payments: agreed reporting methodologies, monitoring obligations, periodic verification audits. The forward-looking commitments can outlast the back-period economics, making their negotiation as important as the immediate financial settlement.

BYOL documentation as an ongoing discipline

BYOL relationships are the single most error-prone area of VCSPP compliance. The documentation discipline that consistently produces defensible outcomes:

  • A signed BYOL letter for every customer-held entitlement, executed between the customer and the provider, identifying the specific entitlement and the workloads it covers
  • A reconciliation register maintained by the provider, mapping each BYOL workload to its covering entitlement
  • Quarterly validation that the BYOL entitlement is still in force (customers occasionally let their underlying entitlements lapse without notifying the provider)
  • Clear contractual language in the customer service agreement covering BYOL change procedures, validation rights, and consequences if the entitlement is determined to be invalid

This discipline costs the time of a part-time compliance owner and produces protection that, in audit, is worth orders of magnitude more than its cost.

Strategic options for service providers under pricing pressure

VCSPP economics have moved sharply post-acquisition. Service providers facing margin compression have several strategic options:

Pass-through pricing

Update end-customer pricing to reflect VCSPP cost increases. Achievable but requires customer renegotiation; many MSPs are constrained by multi-year customer contracts that limit pass-through.

Margin absorption

Absorb the cost increase in provider margin. Sustainable for some providers, untenable for those operating at thin margins. The honest mid-term outcome for many providers is partial absorption with partial pass-through.

Platform diversification

Add non-VMware platforms (Nutanix, Proxmox, hyperscaler-native) to the provider offering, giving end-customers choice and reducing the provider’s VMware exposure. The most strategically durable option but the most expensive to execute.

Full VMware exit

Migrate the entire provider platform off VMware. Available to some providers but operationally difficult and customer-disruptive. Several large hosting providers have announced this path; their execution journeys provide reference patterns for others considering it.

None of these options is uniformly correct. The right answer depends on customer mix, contractual flexibility, operational maturity, and capital availability. What is common across providers achieving good outcomes is that the strategic option is chosen deliberately rather than emerging by default.

A closing thought for VCSPP participants

The VCSPP program under Broadcom is a meaningfully different commercial environment from the program many providers joined years ago. The economic pressure is real, the compliance bar is higher, and the strategic decisions are more consequential. Service providers that approach this environment with operational discipline, contractual rigour, and access to specialist advisory support consistently navigate it more successfully than providers operating on legacy assumptions. The disciplines that matter most — Usage Meter hygiene, BYOL documentation, negotiated contract protections, and a clear strategic option for the medium term — are not exotic. They are the operational fundamentals of running a compliant service-provider business in the current Broadcom era. Investing in them is among the highest-return work available to any VCSPP participant’s compliance and finance leadership.
