Technology & Outsourcing 2024 Comparisons

IT outsourcing is still on the rise in Belgium. This is partly owing to a shortage of available technology professionals, which makes insourcing increasingly difficult. IT outsourcing is often driven by the need for trained, affordable and flexible manpower. Consequently, there is an increase in outsourcing outside the EEA to more economically favourable regions and countries (eg, North Africa and India). 

COVID-19 had a lasting impact on the use of technology in business. Virtual meetings have become the default mode of communication and collaboration, not only within companies but also among companies exploring or doing business. There is also a rise in availability on the market of virtual collaboration tools (such as project management tools). These tools give an answer to one of the biggest challenges of outsourcing (in particular, when this takes place abroad to countries in another continent). These tools allow businesses to keep a finger on the pulse – namely, to better train staff abroad and ensure an almost simultaneous follow-up, which benefits the quality of the outsourced work and facilitates swift intervention if there is an issue. 

The outsourcing of cloud computing remains very popular since the cloud offers a plethora of opportunities. Other key market trends include:

• automation;
• big data analysis;
• cybersecurity;
• AI;
• sustainability; and
• green IT (prompted to some extent by ESG requirements).

As a result of the COVID-19 pandemic, companies have increasingly turned towards outsourcing their non-core and administrative functions, which has resulted in an increase in BPO. Over the course of the last few years, the reliance on BPO has seen continuous and significant growth, which is expected to continue. 

Other key market trends include the following.

• Automation and intelligent process automation (IPA): the further development of technologies such as AI, machine learning and robotic process automation have increased automation in BPO. The automation of repetitive tasks improves efficiency, reduces costs and speeds up processing times.
• Knowledge process outsourcing (KPO): there has been a shift from the BPO of repetitive tasks to more knowledge-based processes. KPO services include training, consultancy and research, such as intellectual property research or business and market research, as well as R&D. They offer customers the opportunity to benefit from the knowledge of experienced individuals and companies, without having to integrate them into their internal business structures.

New technologies (such as AI, chatbots, machine learning, robotics and robotic process automation, blockchain, cryptocurrency, NFTs, fintech and smart contracts) bring numerous opportunities for companies but go hand in hand with specific challenges, requiring far-reaching expertise in these fields that is often missing in-house. For instance: 

• AI and machine learning enable the development of intelligent automation tools, allowing the streamlining and optimisation of various IT processes;
• increasing the use of AI techniques for text and data mining and analysis (also given the text and data mining exception in the DSM Directive (Directive (EU) 2019/790)), which can nevertheless be limited by technical restrictions (eg, captchas);
• chatbots and robotic process automation allow for the automation of repetitive tasks, enhancing customer support and improving overall productivity; and 
• fintech and smart contracts impact on financial transactions and contract management processes. 

Overall, these new technologies have extensively transformed the market for numerous companies, offering them the opportunity to innovate, improve efficiency and enhance service offerings. To keep up with this ever-changing technological landscape, companies are increasingly turning to IT outsourcing.

The most commonly outsourced IT services in Belgium are:

• web development;
• hosting;
• software and application development and maintenance;
• helpdesk and technical support;
• database development and maintenance; and
• IT consulting and infrastructure. 

There is no specific regulatory framework for outsourcing transactions. However, the sector-specific rules that apply to a company may also apply to its suppliers.

Outsourcing is restricted in some sectors, such as the following. 

Public Sector

Certain outsourcing transactions in the public sector may be subject to the principles and rules of public procurement pursuant to the Belgian Public Procurement Law of 17 June 2016. This Act includes extensive obligations that should be adhered to in the context of a public procurement tender procedure and any subsequent negotiation process. The applicability of these obligations depends on the value and characteristics of the outsourcing. 

Banking and Investment Sector

Outsourcing in the financial sector is extensively regulated. The main legal instruments are:

• the Law of 25 April 2014 on the legal status and supervision of credit institutions;
• the Law of 20 July 2022 on the legal status and supervision of stockbroking firms and containing various provisions;
• National Bank of Belgium (NBB) Circular 2021_21, Circular 2021_28, Circular 2020_23, Circular 2019_19, Circular 2019_09, Circular 2018_20, and Circular 2009_17;
• Circular PPB 2005/2 on sound management practices with regard to outsourcing by financial institutions;
• the Financial Services and Markets Authority (FSMA) Practical guide to outsourcing 2023_24, of 12 October 2023;
• FSMA Communication 2022_19 of 8 June 2022, relating to the ESMA guidelines on outsourcing to cloud service providers;
• FSMA Circular 2019_23 of 5 August 2019;
• the European Banking Authority (EBA) Guidelines EBA/GL/2019/02 of 25 February 2019 on outsourcing arrangements; and
• EBA Recommendations EBA/REC/2017/03 of 20 December 2017 on outsourcing to cloud service providers.

Financial institutions must limit the operational risks of outsourcing and remain fully responsible when outsourcing functions, activities and operational tasks. Additionally, outsourcing may not lead to an impairment of the quality of the professional service or of the organisation and, in particular, of the quality of the internal control (such as an undue increase in operational risk or an impairment of the supervisory authority’s ability to monitor the institution’s compliance with its obligations). 

Additional requirements apply when outsourcing operational tasks of critical importance. Such outsourcing must be preceded by a notification to the NBB or the FSMA, depending on the supervisory authority. This notification must include the details of the planned outsourcing. Existing outsourcing contracts undergoing material changes, or events inducing such changes, are subject to a similar obligation.

Please note that, depending on the financial institution, slightly different requirements may apply in relation to outsourcing. It shall therefore be important to correctly identify the legal provisions applicable to specific entities. For instance, with respect to financial credit institutions, the following specific legal instruments apply:

• the EBA Guidelines on outsourcing of credit institutions’ business activities; and
• the NBB Guidelines applicable to less significant institutions.

Therefore, a case-by-case analysis shall always take place with respect to the functions and/or services to be outsourced as well as the regulatory status of the entity planning the outsourcing.

Insurance Sector

Outsourcing in the insurance sector is extensively regulated. The main legal instruments are:

• the Law of 13 March 2016 regarding the statute and supervision of insurance and reinsurance companies;
• Delegated Regulation 2015/35 (Solvency II);
• Circular NBB_2020_18 on the recommendations of the NBB in relation to cloud outsourcing; and
• the EIOPA Guidelines on outsourcing to cloud service providers.

An insurer who subcontracts operational activities must ensure that this shall not lead to:

• seriously compromising the quality of the insurer’s governance;
• unduly increased operational risk;
• compromising the ability of the NBB to monitor the company’s compliance with its legal and regulatory obligations; and
• undermining the continuous and satisfactory service to policyholders, insured persons and beneficiaries of insurance contracts or persons concerned by the execution of reinsurance contracts.

Insurers must inform the NBB promptly before outsourcing critical or important functions, or activities or independent control functions, of:

• their intention to do so; and
• later important developments as regards these functions or activities (including the decision to end the outsourcing of a function or activity).

Specifically, the NBB asks insurance companies to provide information within a reasonable period of time (in principle, at the latest six weeks before the outsourcing enters into force, barring any duly justified specific derogation) with a file in accordance with the standard notification form.

When an insurer plans to outsource critical or important functions or activities, the supplier must, in principle, be located in Belgium or in another member state of the European Economic Area (EEA). 

A critical function or activity may only be outsourced to a service provider located in a country outside the EEA if the following conditions are met:

• there is an appropriate co-operation agreement between the NBB and the prudential supervisory authority in the supplier’s country or, if the service provider is part of a group that is subject to supervision at group level, there is a co-ordination agreement for a college of supervision to which the NBB and the prudential supervisory authority of the third country are a member; and
• said agreement guarantees that the NBB has the ability to acquire, upon request, the essential information for executing its tasks, as well as to obtain suitable access to any relevant data, documents, premises or staff in the third country for the exercise of its supervisory powers.

Where the supplier of outsourced services is located in a country outside the EEA, the insurer must also be able to guarantee:

• that itself, its accredited statutory auditor and the NBB will be able to exercise and enforce their right of access and review; and
• that it has the capacity to restructure and liquidate in Belgium (the information needed for this purpose should be accessible at all times in Belgium).

The NBB has also published additional recommendations for the specific case of outsourcing by insurers to cloud service providers, among others:

• in the case of outsourcing to cloud service providers of critical or important operational functions or activities, the insurer (where appropriate) should reflect the changes in its risk profile owing to its cloud outsourcing arrangements in its own risk and solvency assessment; and
• in its selection and assessment process, the insurer should ensure that the cloud service provider is suitable for providing the relevant services according to the criteria defined by its written outsourcing policy (due diligence process).

DORA

In addition to the foregoing, it is worth mentioning the EU Regulation on digital operational resilience for the financial sector (Regulation (EU) 2022/2554; DORA), which entered into force on 17 January 2023 and will apply as of 17 January 2025.

DORA targets Belgian entities providing financial and insurance services, as well as the Belgian branches of these entities.

Among others, DORA provides uniform requirements for the security of the networks and information systems of financial institutions, as well as critical third-party providers that provide them with information and communication technology (ICT) services, such as cloud computing platforms (PaaS) or data analysis services.

In addition, DORA lays down requirements relating to:

• ICT risk management;
• reporting major ICT-related incidents and notification of significant cyberthreats to the competent authorities; and
• reporting operational or security payment-related incidents to the competent authorities by certain financial institutions.

In February 2024, the FSMA conducted a survey on financial institutions subject to its supervision, to carry out an initial self-assessment of their level of preparedness for the requirements of DORA. The FSMA concluded, among other things, that:

• the majority of the financial entities report having a framework for managing ICT risks, including a continuity policy in this area;
• the supervised entities should enhance their management of risks associated with external ICT service providers;
• a comprehensive digital operational resilience testing programme should be implemented; and
• financial entities should improve their incident response capabilities related to ICT.

The FSMA will rely on these initial findings to guide its future supervisory actions, and will also conduct more detailed investigations to deepen its assessment of the entities’ compliance with the requirements of DORA.

The Proposed PSD3, the Payment Services Regulation (PSR) and the Regulation on a Framework for Financial Data Access (FIDA)

The proposed PSD3 and PSR require existing payment and electronic money institutions to reapply for their licence within 24 months of the PSR coming into force, in order for them to rely on grandfathering provisions that allow prior licences to be valid for 30 months after PSD3 enters into force. In the context of the reapplication of the licence, the payment institutions must demonstrate compliance with new requirements relating to (among others) the continuity of any critical activities by outsourced service providers, agents or distributors.

The proposed FIDA includes a licensing requirement for financial information service providers. A licence will only be provided if it is satisfied that any outsourcing arrangements will not render the financial information service provider a letterbox entity. When relying on a third party for the performance of functions that are critical for the provision of continuous and satisfactory service to customers, and for the performance of activities on a continuous and satisfactory basis, it must take reasonable steps to avoid undue additional operational risk. Outsourcing of important operational functions may not be undertaken in such a way as to materially impair the quality of its internal control and the ability of the supervisor to monitor the financial information service provider’s compliance with all obligations.

With the PSR, the European Commission (EC) has focused on strengthening anti-fraud measures. One of the proposed measures includes the requirement for payment service providers to conclude outsourcing agreements with technical service providers, when the latter provide and verify the elements of strong customer authentication for the account of the payment service provider.

Finally, to ensure effective powers of the supervisory authorities, additional investigative powers have been considered in relation to the supervision of technical service providers, operators of payment schemes and outsourcing companies used by the companies that are subject to the proposed PSR.

Cross-Border Data Flows

The processing of personal data, including cross-border data flows within the EEA and from the EEA to non-EEA countries, is subject to the provisions of the GDPR. 

The GDPR restricts cross-border data flows to non-EEA countries that have not obtained an adequacy decision. Hence, this is especially important for international outsourcing where the supplier and/or its subcontractors are based outside the EEA in a country without an adequacy decision, since additional requirements might apply. In such event, the data exporter must ensure that the data importer outside the EEA offers an equal level of protection to the level of protection under the GDPR, which can be realised by (for example) concluding standard contractual clauses (SCCs) or setting up binding corporate rules (BCRs) combined with additional technical measures (eg, encryption of the data with the key held by an independent party).

There has also been an increase in risk assessments in the context of data transfers outside the EEA, as companies undertake more data protection impact assessments (in this context, also referred to as “data transfer impact assessments”). 

Following the Schrems II decision of the European Court of Justice (ECJ), and the guidance of the European Data Protection Board (EDPB) and the Belgian Data Protection Authority (BDPA) in this regard, companies are obliged to assess whether the conclusion of SCCs with a recipient in a third country (without an adequacy decision) will provide for an adequate level of protection of the personal data transferred. Hence, one cannot assume this is the case by merely concluding the SCCs, as such clauses may (for example) not be effectively enforceable in the third country. Depending on the outcome of such an assessment, companies wishing to set-up cross-border data flows to third countries could be required to undertake additional measures (eg, extensive pseudonymisation). 

In July 2023, the EC published an adequacy decision for the new EU-US Data Privacy Framework, considering personal data flows between the EU and the USA organised under this framework as providing for an adequate level of protection. 

In January 2024, the EC concluded its review of 11 of the 16 existing adequacy decisions, and has confirmed that personal data transferred from the EU to Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay continues to benefit from adequate data protection safeguards.

The NIS and NIS2 Directives

Cybersecurity in Belgium is mainly governed by the Law of 7 April 2019 establishing a framework for the security of network and information systems of public safety interest (the “NIS Law”), implementing the NIS Directive (Directive (EU) 2016/1148). The NIS Law holds various minimum cybersecurity and incident-reporting requirements for operators of essential services (eg, in the energy or transport sector) and relevant digital service suppliers.

In January 2023, the NIS2 Directive (Directive (EU) 2022/2555) was adopted with the aim of:

• expanding the scope of application to more sectors and entities;
• harmonising the rules for identifying these entities (using a size limit as an automatic and uniform criterion);
• expanding security requirements;
• increasing the involvement and responsibility of executives and boards of directors;
• harmonising and strengthening the sanctions and supervisory powers of competent authorities;
• clarifying incident-reporting obligations (eg, deadlines, information to be included); and
• strengthening supply chain security.

The NIS2 Directive repeals the NIS Directive with effect from 18 October 2024.

The NIS2 Directive has been transposed into Belgian law by the Act of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public security (the “NIS2 Act”). The NIS2 Act will apply as of 18 October 2024.

Guidelines

Both the Belgian Centre for Cybersecurity and the European Union Agency for Cybersecurity (ENISA) have published several guidelines, good practices and tools for companies to use to enhance their internal cybersecurity levels, which could also be useful in the context of companies’ collaboration with (IT) suppliers and partners.

Belgium has no standard contract model for outsourcing transactions. Outsourcing contracts are deemed contracts for “rent of work” (Article 1710, (old) Civil Code) and are, like any other contracts, governed by the provisions of the Belgian Civil Code regulating (among others) the formation and legality of contracts as well as certain warranties and liabilities. Parties thus have an extensive contractual freedom and can, in principle, agree on anything that does not conflict with mandatory law, public order or morality. 

The most traditional form of IT outsourcing is direct outsourcing. The customer and one main supplier contract directly, and the main supplier delivers “end-to-end” IT services to the customer. Unless otherwise agreed upon, this structure does not, in principle, preclude subcontractors of the supplier, who evidently remains responsible for their work. Although this structure reduces the complexity of the outsourcing transaction for the customer, it may lead to “supplier lock-in” (ie, high dependency on one main supplier) and unknown subcontractors may lead to uncertainties. 

The customer can also decide to contract with multiple suppliers (multi-sourcing), which implies the conclusion of multiple separate contracts with different suppliers of (parts of) services or one multi-vendor agreement. The contracts generally oblige the different suppliers to co-operate. Although this model offers more flexibility, it also complexifies the outsourcing for the customer, who will need to manage the different outsourced projects (and, for example, set up a solid governance system).

The customer may also contract with a supplier that subcontracts the services in its entirety to one or more third-party suppliers (indirect outsourcing), often nearshore or offshore third parties. Contrary to multi-sourcing, this places the burden of the operational management on the supplier instead of the customer.

Finally, a far-reaching outsourcing partnership may be organised as a joint venture (JV), requiring a complex contractual structure (and, therefore, being a rather time-consuming and costly solution). Setting up a JV is rather rare and is mainly used when the customer and supplier wish to jointly set up a new business. Where a JV falls within the scope of European or Belgian competition law, additional aspects should be taken into account (eg, prior notification to the Belgian or European competition authorities may be required).

Where digital transformation is part of the services provided, the contract’s terms are often adjusted accordingly with, for instance:

• specific/complex (technical) schedules describing such digital transformation tools;
• procedures to be used;
• expected results; and
• governance mechanisms.

Where required – for instance, in a multi-sourcing environment – specific attention should be paid to the liability clause and clauses related to cybersecurity and data processing; see also 4.7 Digital Transformation. 

Where AI and machine learning are involved (which require large-scale data processing), parties tend to pay more attention to specific terms related to:

• data protection;
• transparency of algorithms;
• active information obligations;
• intellectual property;
• contractual milestones;
• logging;
• data governance; and
• in some cases, formal AI principles and requirements related to the ethical use of AI.

Protection Stemming From the Law

In certain areas, a customer is protected by legal obligations imposed on the supplier, regardless of whether a contractual clause is included in this regard – for example, personal data protection legislation and cybersecurity legislation (see also 2.2 Industry-Specific Restrictions, 2.3 Restrictions on Data Processing or Data Security and 4.4 Implied Terms).

In addition, pursuant to Articles VI.91/3 et seq of the Belgian Code of Economic Law, certain clauses in business-to-business (B2B) contracts are deemed abusive and therefore null and void. Some types of clauses are always considered abusive, without any possibility to refute the qualification (eg, causing the other party to waive any remedy against the company in the event of a dispute). Other clauses are presumed to be abusive until proven otherwise (eg, granting the company the right to unilaterally modify the price, characteristics or conditions of the contract without a valid reason). 

Additionally, clauses that create a manifest imbalance between the rights and obligations of the parties to a B2B contract are also prohibited and can be declared void when used. Whether a clause is deemed imbalanced shall depend on the circumstances of the contract (conclusion) and the collaboration in practice between the parties.

Contractual/Technical Protection Mechanisms

The following mechanisms are often used in IT contracts to protect the customer (non-exhaustive):

• non-disclosure agreements or confidentiality clauses;
• extensive service-level agreements (SLAs), both in terms of availability and maintenance, including a penalty mechanism;
• appropriate change-request procedure;
• no exclusivity for the supplier;
• no contractual termination rights for the supplier;
• no volume commitment for the customer;
• audit right;
• benchmarking provisions;
• escrow arrangements; 
• pseudonymisation; and
• appropriate exit clauses to govern the collaboration after contract termination.

Remedies

Contractual remedies often consist of compensation (in kind or in cash), termination rights and step-in rights. Non-contractual remedies (among others) have recourse to the Belgian Data Protection Authority (in the case of a data protection violation) or the Belgian Centre for Cybersecurity (in the case of a cybersecurity incident), or to obtaining (provisional) measures via summary proceedings.

Termination Foreseen by Law

Unless otherwise agreed upon, the following will apply.

A contract with an indefinite term can be terminated by either party giving a reasonable notice period (Article 5.75, Civil Code). What is deemed reasonable will depend on the circumstances (eg, intensity and duration of the existing collaboration, dependency on services). In such event, in principle, no damages will be due.

For convenience, the customer can always unilaterally terminate the outsourcing contract of a clearly defined work, such as the installation of an IT system or an outsourcing contract with a fixed duration (Article 1794, (old) Civil Code). Consequently, the customer will have to reimburse the supplier for all their expenses, work and everything they could have gained from the outsourcing contract.

Either party can dissolute the contract for cause, in the case of a severe contractual breach by the other party (subject to post factum judicial control) (Article 5.90, Civil Code). When an outsourcing contract is dissolved, in principle this only applies to the future (ex nunc), since it is often impossible to return the services that have already been performed. The party in breach will, in principle, have to reimburse the other party’s damage (eg, costs of finding and onboarding another supplier, costs of any interim solution), subject to any contractual liability terms, as the case may be (eg, liability cap).

Contractual Termination

Outsourcing contracts may be terminated according to the contractual terms agreed upon by the parties. Parties can agree on situations in which the customer may terminate the contract – for instance, in the case of:

• significant breaches of service levels;
• serious regulatory compliance or data security and privacy breaches; or
• insolvency.

The contract may provide for the procedure to follow in such events (eg, formal notice, remediation term) and the damages due.

It is uncommon to contractually grant the supplier extensive termination rights. This is usually granted in the case of prolonged non-payment of invoices by the customer.

Basic Principle for Recoverable Losses

When a contract party is in breach of contract and causes damage, the injured party is entitled to integral recovery of the damage suffered as a consequence of the contractual breach, in kind or in cash (Article 5.86 and 5.87, Civil Code). In principle, all damage that is reasonably foreseeable by the parties at the time of the forming of the contract should be remedied. However, limitations and exclusions are regularly stipulated by the parties in the contract to limit their liability.

In principle, the recovery of damages caused by the non-performance of a contractual obligation was exclusively governed by the rules of contract law. Therefore, the concurrence prohibition existed, which meant that the contracting parties did not have the choice between a contractual or a non-contractual liability claim, even if the faults were extra-contractual. It also followed that the principal injured party could not sue the auxiliary person (eg, subcontractor) directly on a non-contractual basis, but could only make a claim to the main contractor. This is called the quasi-immunity of the performing agent. Under these principles, the defaulting party or auxiliary person could only be held non-contractually liable in two situations, namely:

• when the contractual breach of contract also constitutes a crime; and
• when the fault is mixed (ie, contractual and non-contractual) and the damage is purely extra-contractual.

With the introduction of the new Book 6 of the Civil Code (which comes into force on 1 January 2025 and will apply to an ongoing contract), these principles will be abolished, and the principal injured party does have the choice of bringing both a contractual and an extra-contractual claim against their contracting party or directly against the auxiliary agent (Article 6.3, Civil Code).

The abolition of these core principles raises fundamental issues that are also essential to outsourcing, and that should be taken into account when carefully drafting agreements. The law prescribes double protection for the auxiliary person (except in cases of impairment of physical or psychological integrity caused by fault, or in cases of wilful misconduct), who can raise defences from both the principal agreement and the sub-agreement against the claimant principal.

Distinction Between Direct and Indirect Loss

While not expressly provided for in Belgian law, it is common in contracts to make a distinction between “direct” and “indirect” damage, and to exclude liability for the latter. In such event – given the lack of any legal definition in this regard and the fact that, in Belgium, by default any damage caused by a breach should be compensated – it is recommended to define what is understood under “indirect” damages to avoid the potentially unpredictable interpretation of a judge. Parties typically include (among others):

• loss of profits;
• loss of business (opportunities);
• loss of time;
• loss of revenue; and
• loss of data.

In principle, such exclusion of liability is accepted, in so far as this does not erode the agreement.

Categories of Losses That Are Not Subject to Any Limitation of Liability

In principle, contractual clauses that exclude/limit liability are valid and parties have extensive contractual freedom in this regard – except if, contrary to mandatory law (Article 5.89, Civil Code), they:

• exonerate or limit the liability in the event of wilful misconduct or fraud; 
• exonerate or limit the liability for faults damaging the physical integrity of a person; or
• erode the contract (eg, when liability for loss of data is excluded even though the storage of data, data maintenance and back-ups of data are essential elements of the contract).

Specifically in B2B commercial relationships, contractual clauses that exonerate the liability for gross negligence are presumed to be unlawful, unless proven otherwise (Article VI.91/5, 6° Belgian Code of Economic Law). 

Further, a limitation of liability may not lead to a manifest imbalance in the relationship between the parties (see 4.1 Customer Protections).

Certain obligations are mandatory by law, regardless of whether any contractual term is included in the contract in this regard. Examples of such legal obligations are the protection and processing of personal data governed by the GDPR, as well as specific security obligations applying to certain sectors, such as the financial sector (see 2.2 Industry-Specific Restrictions and 2.3 Restrictions on Data Processing or Data Security). 

The parties’ contractual obligations extend to the consequences conferred on them by law, good faith or customs, according to the contract’s nature and scope, thus potentially going beyond what the parties explicitly agreed upon (Article 5.71, Civil Code). Contractual terms are interpreted by the judge in a dispute and can be mitigated (to reflect the parties’ initial intention). 

Good faith requires the parties to work together in a loyal way, including during the pre-contractual phase, to ensure the proper negotiation, conclusion and execution of the contract. This could imply co-operation obligations, the precontractual disclosure of certain information or the obligation to consider the other party’s interests.

Customs are highly dependent on the sector.

The most common cybersecurity protections and security measures required by customers in technology transactions or outsourcing in Belgium are:

• adherence to the technical and organisational measures as required under the GDPR, including continuous testing, improvement and updating;
• requirements in terms of collaboration and responsibilities in the case of a personal data or cybersecurity breach (eg, joint response, notification obligations, address data subject requests);
• compliance with the customer’s cybersecurity guidelines and policies;
• adherence/obtainment of certain certifications (eg, ISO norms);
• restrictions on the use of subcontractors and, where allowed, the obligation to conclude back-to-back contractual terms;
• requirement to demonstrate/obtain appropriate cybersecurity insurance;
• step-in right for the customer; and
• audit right for the customer (or any third-party expert it may appoint in this regard).

Business continuity is often guaranteed by appropriate back-up systems, redundancy and disaster recovery plans.

The most common mechanism is the use of SLAs, both in terms of availability (for example, in the case of a SaaS or NaaS agreement where this is expressed as a percentage, such as monthly availability of 98%), and in terms of support and maintenance, providing for response and solution times depending on the criticality of the encountered problem. Typically, such SLAs include penalties – often in the form of service credits – for not complying with the agreed-upon service levels. 

An audit right for the client is a common mechanism used to allow the customer to – either itself or through appointment of an independent third party – control the correct implementation and performance of the contract. 

In general, the contractual terms remain unchanged to a large extent if the technology or outsourcing is cloud-based. Nevertheless, in such event specific attention is mostly given to provisions related to data protection, often including more extensive language regarding data security (eg, encryption) and the processing of personal data (particularly if the server location is outside the EEA). Attention is also given to an active information obligation (among others) regarding any centrally governed updates and upgrades that may affect the functioning of the software within the larger IT infrastructure of the customer (eg, links/interaction with other software programs used).

Governing Rules and Conditions

The rules governing employee transfers in outsourcing are based on the Acquired Rights Directive (Council Directive 2001/23/EC) (ARD). The ARD is implemented into Belgian national law through Collective Bargaining Agreement No 32bis (CBA No 32bis).

Three cumulative conditions must be met in order (for an outsourcing operation) to qualify as a transfer of undertaking under CBA No 32bis:

• a change of employer;
• the transfer is the result of a legal transfer of assets or merger; and
• a transfer of a (part of a) business through an asset transfer as a “going concern” – ie, an economic entity maintaining its identity, that has similar company facilities, staff, company equipment, commercial contracts, clientele base, etc.

The main consequences of the applicability of CBA No 32bis can be summarised as follows.

Automatic transfer of employment

The employment agreements (including all rights and obligations) primarily pertaining to the “going concern” existing at the time of the transfer are automatically transferred from the company – along with the assets – to the new service provider. Certain exceptions do apply with respect to the continuation of certain supplementary social benefit schemes.

Protection against dismissal

The transferring employees may not be dismissed by the company or by the new service provider on the ground of a TUPE transfer – ie, the Transfer of Undertakings (Protection of Employment) mechanism was introduced to regulate the transfer of a (part of a) business to a new employer and to protect employee rights during this process. As an exception, dismissal may be permitted, though only for gross misconduct or for economic, technical or organisational reasons. 

Joint liability

The company and the new service provider are jointly and severally liable for the payment of debts (eg, salary arrears and bonuses) existing at the date of the TUPE transfer, with the exception of debts in respect of certain supplementary social benefit schemes. This means that the employee may collect full compensation from any party. 

Information and consultation requirements

The company and the new service provider must inform and consult their employee’s representatives in the works council (or, in the absence thereof, the trade union delegation or the relevant committee for prevention and protection at work) before any decision on the TUPE transfer is taken and, in any event, before any public disclosure. In the absence of any employee representative bodies, the individual employees must be informed (but need not be consulted).

If an outsourcing operation does not qualify as a transfer of undertaking under CBA No 32bis, no automatic transfer of employment applies. The employees may still be transferred to the new service provider, but the consent of the company that outsources the activity, of the new service provider and of the employees would be required.

If an outsourcing operation qualifies as a transfer of undertaking under CBA No 32bis, the information and consultation requirements laid down in this CBA apply (please refer to 5.1 Employee Transfers).

If the outsourcing operation is not subject to CBA No 32bis, similar information and consultation requirements may apply if (among others) the outsourcing operation qualifies as an “important structural change”, which will often be the case in practice. However, no information or consultation of individual employees will be required in the absence of employee representative bodies.

In the authors’ experience, offshore outsourcing to more economically favourable regions and countries (eg, North Africa, India) has grown more popular owing to recent developments in cloud services and the increase in remote work options (see 1.1 IT Outsourcing). On the other hand, increasingly strict environmental, social and governance (ESG) obligations in the supply chain might be a deterrent for offshore outsourcing in certain cases. Although companies consider ESG, in practice a direct impact of this on decision-making regarding outsourcing has not (yet) been seen.

Belgian law distinguishes between two types of remote working, both with their own framework.

• Structural remote work (CBA No 85) is defined as a way of organising and/or executing the work, with the use of information and communication technology, as part of an employment agreement, where tasks that could also be executed at the company’s premises are executed outside the company’s premises. Moreover, structural telework requires that employees perform telework on a regular and permanent basis (ie, at least one day per week).
• Occasional remote work (Article 22-28, Law of 5 March 2017 on workable and agile work) provides a framework enabling employees to work remotely in the event of force majeure (such as unforeseen weather conditions) or for personal reasons (such as a medical appointment).

Employees working remotely are entitled to the same employment terms and conditions as comparable employees working at the company premises. 

The primary business considerations raised by employers when considering whether to allow remote working include:

• employee retention;
• less need for office space; and
• a larger talent pool for recruitment.

When allowing employees to work remotely abroad (for the long-term), employers should consider the risk that the applicability of local labour laws and social security regimes may be triggered. Another consideration is that the employees who are working remotely abroad may not always be covered by work accidents insurance coverage in the event of work accidents abroad.