Contributed By Greenberg Traurig, LLP
The key market developments in IT outsourcing are:
The key market developments in BPO are:
A development that may potentially prove relevant is the ongoing high labour shortage in the Netherlands. To the extent the Dutch economy continues to experience this shortage, companies may elect to start outsourcing business processes that can effectively no longer be staffed in the Netherlands. In any case, this trend is likely to be relevant in the mid-to-long term as the Dutch population ages.
The impact of new technology on the outsourcing market is as follows.
The most commonly outsourced services in the Netherlands are:
Rules and restrictions on outsourcing apply only in some regulated markets – primarily, the financial, insurance, asset management and pensions industries. In other markets, freedom of contract rules.
As regards technology transactions, the Dutch government has been implementing policies and laws aimed at reducing strategic dependence on foreign powers for vital technologies and knowledge, as well as preventing the acquisition of specific technologies, companies, infrastructure or know-how that are considered vital to the security of the Netherlands. Investment screening and approval is currently required for acquisitions in the power and telecommunications industries and a similar sectoral law is being crafted for the defence industry. Such screenings are conducted by the Dutch Investment Screening Bureau (Bureau Toetsing investeringen, BTI). In the next year, the Dutch foreign direct investment (FDI) screening will expand as new technologies and vital processes are brought into its scope. For example, in February 2024, a motion was passed by the Dutch Parliament calling for the government to included vegetable and seed breeding companies in the scope of the Investments, Mergers and Acquisitions (Security Screening) Act, (Wet veiligheidstoets investeringen, fusies en overnames, Vifo Act).
The Dutch government is currently seeking to expand its ability to screen foreign takeovers of tech companies for national security risks, particularly by adding more sensitive technologies under the Vifo Act.
Act Implementing the EU FDI Screening Regulation
A non-sector-specific piece of legislation, which will apply where no sector-specific act exists, was also adopted to implement the EU FDI Screening Regulation. This “act on investment screening in respect of national security risks” entered into force at the end of 2023. Under this act, any transaction (broadly defined) – whether initiated by a foreign or Dutch person – that poses a risk to Dutch national security interests will be subject to screening and approval by the Dutch Ministry of Economic Affairs and Climate Policy. Such a risk may be deemed to exist where the transaction could:
Note that, in most cases, control is not a requirement for a transaction to be deemed relevant (eg, obtaining just 10% of the votes in a general meeting or the ability to appoint a director may also trigger the requirement for investment screening). If the transaction is deemed to pose a risk to Dutch national security, conditions may be applied to the transaction or the transaction may be prohibited.
Note also that the act will have retrospective effect, starting from 1 March 2020. In other words, a transaction performed prior to the law’s enactment but after 1 March 2020 may still be reviewed, so companies need to take this into consideration.
With regard to technology transactions, approvals are currently required for acquisitions in the power and telecommunications industries and a similar sectoral act is being crafted for the defence industry, with a consultation on this act, which ended on 1 September 2024.
From a compliance perspective, other than in respect of data protection regulation, industry-specific restrictions mainly exist in the financial, insurance, asset management and pensions industries and the regulations are mostly based on EU legislation. The regulations concerned include the Dutch Financial Supervision Act (FSA) (and a number of directives and resolutions under that act), the Solvency II Directive and the Solvency II Regulations, the Alternative Investment Fund Managers Directive 2011 (AIFMD), the Pension Act, the Dutch Central Bank’s (De Nederlandsche Bank, or DNB) good practices for insurers and separate guidelines for other sectors, and the European Banking Authority (EBA) guidelines on outsourcing to cloud service providers. The main principles of these regulations boil down to the following:
DORA
The Digital Operational Resilience Act (DORA) defines binding standards for financial institutions aimed to ensure operational security when outsourcing to third-party service providers. These standards impose binding requirements with regard to governance mechanisms, security reviews and resilience testing, incident reporting, and the contract language used with third parties – with the aim of ensuring that the client remains fully in control of, and accountable for, IT security and risk management.
From a content perspective, many of the requirements set out in DORA are already part of the EBA and European Insurance and Occupational Pensions Authority (EIOPA) guidelines relating to ICT security and risk management. Nonetheless, some requirements have become stricter or more specific, and a full review of existing practices, processes and contract language is advisable to ensure full compliance.
A highly significant change for service providers is that DORA brings them under the direct supervision of the relevant European Supervisory Authorities. Supervisory authorities will be able to assess compliance, require changes to non-compliant practices, and penalise service providers for non-compliance.
DORA came into effect on 14 December 2022 – following which, in-scope companies will now have two years to become compliant (ie, all outsourcing agreements being negotiated at this time should already take DORA into consideration).
The restrictions on data processing and data security are based on the EU General Data Protection Regulation (GDPR). The GDPR restricts cross-border personal data flows to countries that do not offer an adequate level of protection (most countries do, with only a few exceptions). Standard contractual clauses (SCCs) and binding corporate rules continue to be the data transfer mechanisms that are generally most relied upon by organisations when transferring personal data.
The Dutch Government’s Cloud Policy
From the perspective of data protection, the Dutch government is highly pragmatic and – compared to other European countries – quite progressive in its embrace of the cloud, as evidenced in the landmark agreement between the Dutch State and Microsoft in 2019, its agreement with Google in 2022, and the most recent framework agreement with Amazon Web Services in 2023. This stance was also demonstrated by the risk-based assessment of data transfers adopted by the Dutch Ministry of Justice and Security (“the Ministry”) in the Data Protection Impact Assessment (DPIA) on Microsoft Teams.
In February 2022, the Ministry published a DPIA on Microsoft Teams, OneDrive and SharePoint. As part of this DPIA, the Ministry also published a data transfer impact assessment (DTIA), based on the Rosenthal format for DTIAs. The outcome of the DTIA was, in summary, that it is extremely unlikely that personal data from Dutch government customers is unlawfully accessed by US authorities or by authorities in other countries where Microsoft uses sub-processors. Therefore, the risk was assessed as low and the use of Microsoft Teams could continue.
In Austria and Germany, some decisions have been made that point in the direction of rejecting the risk-based approach, so it remains to be seen what (if anything) the European Data Protection Board (EDPB) and the local supervisory authorities will say about this. The Dutch government’s new cloud policy states that most classified government data may be stored in the cloud, as long as certain requirements are met.
Schrems II Ruling and EDPB Guidance
The Schrems II ruling and the guidance provided by the EDPB continue to keep data controllers who use SCCs busy because, under this ruling, controllers must assess whether – given their use of SCCs – there is an adequate level of protection in the third country. That is, data controllers cannot simply assume this to be the case, as SCC may not be effectively enforceable in said country. Although the EDPB provides six-step recommendations on measures that data controllers and processors can take to simplify the task of enabling compliant data transfers through SCCs, the task at hand is not that simple. Specifically, Step 3 – the rule of law test – is complex to perform.
Particularly notable for outsourcings involving Indian vendors is the new India Digital Personal Data Protection Act (DPDA). The DPDA offers a lower degree of data protection to non-Indian personal data when such personal data is processed in connection with an outsourcing agreement. This will likely influence the assessment of whether any additional measures are necessary to enable compliant data transfers to India through SCCs.
Note that the EC has recently adopted an adequacy decision for the EU–US Data Privacy Framework (EU–US DPF), which is the successor of the Privacy Shield. This will (again) allow for data transfers between organisations in EU and those located in the USA who have self-certified against the principles of the EU–US DPF. As its predecessors (the “Safe Harbour” agreement and the Privacy Shield) were ultimately invalidated by the ECJ, it remains to seen whether the EU–US DPF will be upheld. Binding corporate rules provide multinational companies with a framework for international data transfers; however, it should be noted that the Dutch Data Protection Authority has a significant backlog on approving binding corporate rules.
The NIS and NIS2 Directives
Data security is currently mainly governed by the law on the security of network and information systems (the “Cybersecurity Act”), which implements the EU Directive on the security of network and information systems (the “NIS Directive”) and consolidates other relevant legislation into one act. The Cybersecurity Act establishes a certification framework for IT digital products, services and processes. The NIS Directive identifies sectors that are vital for the aspects of economy and society that rely heavily on IT (eg, energy, transport, banking and healthcare). These sectors have to take appropriate security measures and ensure swift notification of any incidents to the relevant authorities.
Additionally, in keeping with the NIS Directive, the Cybersecurity Act also obliges providers of digital services (other than small enterprises) under Dutch jurisdiction to notify material data breaches in respect of their services to the National Computer Security Incident Response Team and the Minister of Economic and Environmental Affairs.
A variety of sector-specific laws directly or indirectly govern cybersecurity relating to, among other things, energy production and distribution, water, telecommunications, seaports, airports, rail, financial services, healthcare, government bodies and other critical infrastructure.
A key development that is starting to become relevant is the progress on NIS2, which will replace the NIS Directive. The NIS2 Directive came into force in 2023, and EU member states must implement the directive into national legislation by 17 October 2024. The NIS2 Directive will have significantly broader scope than NIS. The NIS2 Directive will cover all medium-to-large enterprises and public organisations that perform important functions for the economy or society as a whole. By way of an example, the new directive will also cover social media service providers and the public administration. The NIS2 Directive should also increase the level of harmonisation across member states in respect of scope, security and incident reporting, national supervision and enforcement powers and sanctions, as well as improve the pan-European collaboration of competent authorities.
Although NIS2 is not yet in force, clients and service providers entering into long-term agreements should take stock of the requirements imposed by NIS2 to ensure future compliance. In this respect, the Dutch National Cyber Security Centre (NCSC) is a government resource that publishes useful information.
There is no standard outsourcing agreement in the Netherlands.
The association of IT service providers, NL Digital, has standard terms but these do not generally apply to outsourcing. Sourcing Netherlands, the association for outsourcing, has developed a fairly balanced standard form for an outsourcing agreement, which is sometimes implemented. Sophisticated customers will contract on the basis of their own tailored agreement. These agreements are similar to the market standard agreements in the UK and USA. They are very detailed and contain approximately 20 schedules.
The usual model consists of an asset transfer agreement and a separate services agreement. For large cross-border projects, a framework structure is used – comprising a framework asset transfer agreement and a separate framework services agreement – under which local-to-local asset transfer agreements and services agreements are concluded.
Although alternative models are sometimes used, 95% of outsourcing will be contracted one-to-one, with an asset transfer agreement and a separate services agreement. Multi-vendor agreements (between the customer and a number of service providers) are also common. Joint ventures (JVs) are rare, mainly because a JV structure is rather complicated and expensive. This will only be used where the customer and service providers wish jointly to set up a new business.
One new development, which is currently underway, is a shift towards contracting based on customer experience, business outcomes and value creation – rather than contracting only or primarily on a fixed cost, fixed service-level basis.
Digital transformations have not, as yet, led to significant changes in contract models for sophisticated customers with sufficient clout. Some smaller changes that have been noted are as follows.
The main customer protections are:
By the Customer
The customer can terminate the contract for cause. Significant breaches of service levels and serious regulatory compliance or data security and privacy incidents are often specifically mentioned as providing cause for termination. Sometimes, outsourcing or services agreements provide a termination right to the customer where there has been a change of control in the service provider, especially in contracts relating to mission-critical services or services provided to regulated financial institutions.
Customers can also, almost always, terminate for convenience. In the case of termination for convenience, the customer must pay termination compensation. There is no fixed formula for calculating this compensation, as this is a matter of freedom of contract. In general, the compensation consists of unrecovered costs and a small lost-margin component. Furthermore, in the financial industry, the customer may terminate the agreement if a regulator requires a termination.
By the Service Provider
The service provider can usually only terminate for material breach (most notably, prolonged non-payment of invoices). It is highly unusual to allow a service provider to terminate for convenience.
Dutch statutory law does not define the difference between direct and indirect loss. Under the influence of Anglo-American contracts and terms, the concept is often used in Dutch law agreements. In such an event, it is wise to precisely define the damages considered direct and those considered indirect. However, it can be hard to reach agreement on these distinctions – given that the customer will try to include as much as possible under the definition of direct damages, whereas the service provider wishes to exclude as much as possible from this definition.
It may, therefore, be better practice to refer to the statutory definition of damages and leave the decision to the courts. This means that damages that are reasonably attributable to the event that caused the damages, and to the party that caused the damages, must be paid. In addition, pure loss of profit and turnover can be excluded.
Dutch statutory law does not define a maximum amount for damages. As a result, it is advisable to cap the liability of both parties. The market standard caps vary between 12 and 36 months of fees.
Dutch law provides for certain implied terms in relation to the quality of goods sold and the provision of services. However, these implied terms are typically not mandatory in B2B contracts and are usually explicitly excluded or superseded by the contents of the contract.
In addition to contractual obligations under Article 28 of the GDPR, contracts commonly include:
Traditionally, performance measurement and management in technology and outsourcing are seen as critical aspects of ensuring efficiency, quality, and accountability in these industries. In technology, key performance indicators (KPIs) and service levels are often meticulously tracked to gauge the effectiveness of software development, system operations, and project management. Metrics such as code quality, system uptime, response times, resolution times and user satisfaction are commonly monitored.
This rigorous approach to performance measurement and management came under fire from scholars and consultants, who point at the watermelon effect (green on the outside, red on the inside) – by which they mean that sometimes all service-level agreement dashboards are on green, while the end user is unhappy. In other words, the wrong metrics are measured. This has led to the use of XLAs, which measure end-user satisfaction, end-to-end performance, and contribution to the success of the business of the customer.
A common point of discussion when negotiating outsourcing or technology agreements governed by Dutch law is whether KPIs or service levels are enforced as a result obligation or a best-efforts obligation. In principle, KPIs and service levels are considered as best-effort obligations under Dutch law. However, best-efforts obligations are notoriously difficult to enforce by the other party. Therefore, parties often decide to agree on a result obligation or to carve out specific penalties for not meeting (certain) KPIs or service levels.
Should the technology or outsourcing be cloud-based, the contract terms will basically remain the same, as the terms are generally drafted in a technology-agnostic manner. However, there may be additional detail in respect of data security and the processing location, depending on the jurisdictions involved. In other words, specific requirements in relation to encryption may be included for some types of data.
The rules governing employee transfers in outsourcing are based on the ARD. Under the ARD, employees who are predominantly working on the activities that are to be transferred will – where the ARD (as implemented in the Netherlands) applies and the activities are continued on an “as is” basis – transfer to the service provider by operation of law, together with their applicable employment terms and conditions. In general, the ARD will apply if significant assets are to be transferred to continue the economic activity or – in the case of labour-intensive activities – the majority of the employees (considering number and expertise) will be offered employment by the new service provider. EU and Dutch case law on ARD/Transfer of Undertakings Protection of Employment (TUPE) is numerous and granular but, in essence, is based on ever-increasing protection of employment/employees. This should ensure that employees are protected from redundancy situations and “follow their work”.
Market practice on employee transfers in the Netherlands is:
Works council consultation (ie, the right to advice prior to implementing the proposed decision) is almost always required (under Article 25 of the Dutch Works Councils Act).
Trade union consultation is required for companies or groups of companies employing more than 50 employees in the Netherlands who fall in scope of a generally binding collective labour agreement applicable to an entire industry if control in (part of) the “undertaking” is transferred or if this requirement follows from the applicable collective labour agreement. The requirement also applies to legal entities that have concluded a company-specific collective labour agreement.
Trade union consultation is also required where it is anticipated that 20 or more employees will be made redundant within a timeframe of three months.
There has not been much change in the frequency of (or customer preference for) onshore, offshore or nearshore resources when it comes to outsourcing transactions in the Netherlands yet. However, research by the Dutch sourcing platform shows that companies expect an increase in nearshoring in the EU or just outside the EU, whereas traditional offshoring is expected to decline. It remains to be seen whether this will materialise. In practice, major global players mostly appear to be combining nearshoring and offshoring because cost advantages – as well as certain skill sets and processes – are more effectively captured through the use of at least one centralised offshore location.
Where remote work is still performed in the Netherlands, requirements in respect of worker safety will also apply to the remote work location.
Where remote work is performed outside the European Economic Area (EEA), the GDPR’s restrictions on the transfer of personal data will come into play to the extent that EU personal data is used by the remote worker. This is because the EU personal data will then automatically have been processed outside the EEA by being transmitted to the remote location.
Beethovenstraat 545
1083 HK Amsterdam
The Netherlands
+31 651 289 224
+31 20 301 7350
Herald.Jongen@gtlaw.com www.gtlaw.com