IT outsourcing covers several different aspects of services, such as digital workspace (eg, end user services), data centre services (eg, application operation or IT infrastructure services), application management, application development and maintenance, SIAM services and network services.
For the majority of these services, there has been no major development, and services are provided more or less as they have been over the last ten years.
The real development is within IT infrastructure and SIAM services.
IT infrastructure or data centre services are being revolutionised and commoditised through the use of cloud services from MS Azure, AWS, and Google. This means that the number of servers in vendor-specific data centres is rapidly decreasing and that the well-known data centre outsourcing model is being replaced. Today, a data centre provider will mostly serve as a “cloud broker” or as manager/enabler of a public cloud environment, instead of providing infrastructure services itself.
In many agreements, the complex and risky part is the transition and transformation to a public cloud environment and securing the expected savings rather than the daily delivery of data centre services.
For some years now, SIAM has been heavily hyped, but most companies have preferred to keep service integration in-house. SIAM is now becoming a service that is available through most leading global providers and which is contracted for as part of IT infrastructure outsourcing arrangements.
Business process outsourcing (BPO) is starting to become more common in the Danish market, particularly for Danish companies with a global footprint. However, the majority of Danish outsourcing cases still fall within IT outsourcing.
New technology is changing how outsourced services are being provided and sold, and the underlying costs of producing said services.
Many outsourcing providers market AI- or data-driven services as separately payable, value-adding services. Mostly, such additional services require upfront investments and implementation activities. So far, the results of such initiatives in the realm of IT infrastructure outsourcing seem to be meagre.
Dealing with robotics remains a question of strategy. Should the customer licence or control the robotics itself, and thereby be able to change the operating service providers flexibly, or use the robotics offerings provided on an as-a-service basis by BPO providers, but then suffer from the associated technological lock-in? The choice of strategy will decide issues such as:
There are no general legal or regulatory restrictions on outsourcing under Danish law that separately regulate outsourcing transactions. However, specific outsourcing regulatory restrictions exist for companies in certain industries. These impose limitations and additional requirements on outsourcing transactions.
Danish financial undertakings are subject to the Danish Financial Business Act, Consolidated Act No 1146 of 11 September 2020 (Financial Business Act), as well as Danish Executive Order No 877 of 12 June 2020 (the "Outsourcing Order") issued under this legislation. The Financial Business Act imposes restrictions on the outsourcing of certain types of financial services by a financial institution (known as a "financial undertaking" under the Financial Business Act). Further, some restrictions on outsourcing follow from the general duties imposed on financial undertakings by the Financial Business Act. In 2020, the new Outsourcing Order was issued, replacing the previous outsourcing order.
A prevailing principle of the Financial Business Act is that responsibility for compliance with the Financial Business Act remains with the financial undertaking even after any functions have been outsourced to a third party. An outsourcing contract must include adequate provisions to ensure that the financial undertaking is at all times able to monitor and audit the activities of the supplier.
When a financial undertaking decides to outsource, the financial undertaking in question must comply with the Outsourcing Order. The new Outsourcing Order implements the European Banking Association (EBA) revised "guidelines on outsourcing arrangements" issued on 25 February 2019.
A wider definition of outsourcing
The EBA guidelines and the Outsourcing Order impose a wider definition of "outsourcing", entailing a more comprehensive regulation of financial undertakings that intend to outsource areas of activity within their business. In addition, the new legislation imposes extended requirements on outsourcing arrangements that are deemed critical or important to the financial institution. This means that prior to any outsourcing, financial institutions must conduct an assessment of the criticality and importance of the outsourced business process to identify which of the requirements under the new legislation must be met in order to ensure compliance.
The EBA Guidelines and the Outsourcing Order implement a variety of new requirements, eg, on governance structure, notice obligations and contractual requirements. An important new governance-related requirement is a list of specific overarching responsibilities that cannot be delegated from the institution’s management to an outsourcing supplier. Another element is the required mitigating measures relating to conflict of interest, internal audit and the mandatory implementation of an outsourcing policy and register. Further, the FSA is provided with significant rights to get insight into financial institutions’ outsourcing arrangements.
The Outsourcing Order requires all outsourcing relationships to be governed by a written outsourcing agreement that allocates a long list of specific rights and obligations between the financial institution and the supplier. Many of these rights and obligations are already common market practice for large IT outsourcing agreements, such as service levels, reporting requirements and frequency, and information on service delivery locations. However, the extended audit and inspection rights for the financial institution and public authorities towards suppliers and sub-suppliers go beyond market practice.
The new contractual requirements are mandatory legal requirements and must be implemented into all new outsourcing agreements after 1 July 2020 and into existing outsourcing agreements no later than 31 December 2022.
Specific Restrictions Applicable to Investment Management Companies' Outsourcing
Sections 102 to 105 of the Financial Business Act impose specific restrictions regarding outsourcing by Danish investment management companies. According to these provisions, an investment management company's outsourcing of administrative functions to a third party requires a board decision. An investment management company cannot outsource its investment decisions or other core activities to a third party.
To the extent that an investment management company can outsource administrative functions, it must ensure that the relevant third party is duly qualified and capable of handling the tasks outsourced. The third party will always be subject to instructions from the investment management company.
An investment management company is required to inform the Danish Financial Supervisory Authority of the content of its outsourcing agreements.
Specific Restrictions Applicable to Securities Dealers' Outsourcing
Executive Order No 921 of 26 June 2017 on the Organisational Requirements Applicable to Securities Dealers imposes specific restrictions on securities dealers' outsourcing of essential operational functions, investment services or investment activities. The requirements are similar to the requirements under the Outsourcing Order for financial undertakings when they outsource significant areas of activity.
A securities dealer is therefore required to make sure that the supplier has the ability to manage the outsourced functions. This also entails a requirement to make sure the supplier holds the relevant permits to perform the outsourced functions. The securities dealer must conduct continuous testing of the supplier to make sure the supplier lives up to the requirements of the outsourcing contract and relevant legislation.
To the extent that a securities dealer outsources portfolio management for a retail client to a supplier established outside the EEA, the securities dealer will be required to check that:
The European Insurance and Occupational Pension Authority (EIOPA) issued a consultation paper on 1 July 2019 on the draft guidelines for outsourcing to cloud service providers (the "EIOPA Guidelines"). On 6 February 2020, the EIOPA issued the final report on the guidelines ("EIOPA-BoS-20-002").
The EIOPA Guidelines apply to competent authorities and to insurers and reinsurers (undertakings) and are intended to clarify how the outsourcing provisions in Directive 2009/138/EC on the taking-up and pursuit of the business of insurance and reinsurance (the "Solvency II Directive") and the Commission Delegated Regulation (EU) 2015/35 supplementing the Solvency II Directive (the "Delegated Regulation") need to be applied in case of outsourcing to cloud service providers.
In addition, to avoid regulatory fragmentation, the EIOPA Guidelines are intended to mirror and take account of the EBA guidelines on outsourcing arrangements EBA/GL/2019/02 (EBA Guidelines) and the GDPR, which may also apply to such undertakings.
The guidelines apply from 1 January 2021, and undertakings should review and amend accordingly existing cloud outsourcing arrangements to ensure compliance with the guidelines by 31 December 2022.
The EIOPA Guidelines will not be implemented into the Danish legislative framework, as Delegated Regulation Article 274 regulates outsourcing for insurance and reinsurance undertakings at an EU-level.
Energy and Utilities
Denmark has implemented Directive (EU) 2016/1148 on measures for a high common level of security of network and information systems across the Union (the "Network and Information Security Directive" or NISD) with Danish Act No 436 of 8 May 2018 (the "NIS Act"), which imposes extended legal IT security requirements on some businesses dealing in energy (for example, oil and gas) infrastructure. Businesses subject to the NIS Act are publicly identified by the public authority in charge of the respective sectors as operators of essential services.
Outsourcing of activities covers an extremely broad range of sectors, many of which are subject to sector-specific regulation, such as requirements for licences or authorisations. Therefore, it is not possible to give a brief but comprehensive overview of the regulatory requirements.
Data Protection and Data Security
The GDPR was adopted in May 2016 and applied directly in all EU member states without the need for transposition from 25 May 2018. The GDPR applies directly in Denmark and is supplemented by the Danish Data Protection Act (DDPA). Both a customer and a supplier will have to comply with the GDPR and the DDPA, which sets out different responsibilities for controllers and processors.
Initial Risk Assessment and Due Diligence
A customer can only use a supplier who can provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subjects. Thus, the customer must conduct an initial risk assessment of the supplier to establish whether the supplier can guarantee compliance with the requirements of the GDPR.
The War Rule for the Public Sector
Denmark has adopted a special rule known as the "war rule", according to which the Danish Minister of Justice, in consultation with the relevant minister, is authorised to lay down rules to the effect that personal data processed in specified IT systems on behalf of public administrative bodies must be stored, in full or in part, exclusively in Denmark.
On 30 June 2020, the Danish Minister of Justice issued Danish Executive Order No 1104 of 30 June 2020, which states that the following IT systems are covered by the war rule:
Transfer of Personal Data to Third Countries
Provided the war rule does not apply, personal data can be transferred to a service provider outside the EU if the transfer is to a jurisdiction recognised by the European Commission as offering an adequate level of protection, or if the transfer is otherwise subject to adequate safeguards recognised by the European Commission (for example, if the transfer is based on the EU model clauses). In accordance with the new Standard Contractual Clauses released by the European Commission on 4 June 2021 and the guidance of the European Data Protection Board, organisations must perform a transfer impact assessment to determine whether the personal data will be adequately protected. The practice follows EU rules and guidance and is similar to that of other EU member states.
The customer and supplier must adhere to the security requirements set out in Article 32 of the GDPR with respect to personal data. According to Article 32, the customer and the supplier must, among other things, implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk and must ensure compliance with those measures on an ongoing basis.
In Denmark, ISO 27001 has been chosen as the official information security standard applicable to all government authorities. ISO 27001 has mandatorily applied to all government authorities since January 2014. All other public authorities must comply with the principles set out in the standard.
Banking secrecy is regulated in Chapter 9 of the Financial Business Act applicable to certain financial undertakings. Any person who receives confidential information during the performance of their duties for a financial undertaking is subject to a general duty of confidentiality.
With Denmark being a member of the EU, the FSA will follow international standards issued by the European Supervisory Authorities with respect to banking secrecy and international standards implemented through EU legislation.
Sanctions for Non-compliance Regarding Data Protection and Data Security
Failure to comply with the data protection legislation in Denmark may result in fines set under the GDPR. There are two tiers of administrative fine for non-compliance with the GDPR, depending on the type and scope of the infringement:
Sanctions for Non-compliance Regarding Banking Secrecy
Breaches of the banking secrecy legislation are punishable with fines and, in more serious cases, by imprisonment for up to four months. More severe penalties can also be imposed under other legislation such as the Danish Criminal Code. When determining the level of the fine, the severity of the violation and the size of the financial undertaking in breach will be taken into account.
A data processing agreement complying with the requirements set out in the GDPR needs to be in place when processing personal data. Further, standard contractual clauses will have to be executed for transfers out of the EU/EEA to countries without an adequacy decision.
In recent years, IT security has become more of a focus point for companies, and stricter IT security requirements are being written into outsourcing contracts applying throughout the information supply chain. Any potential weakness in a supplier's or sub-contractor's systems can expose the outsourcing customer to security and/or data breaches. IT security compliance is commonly addressed through the security standard ISO 27001, but higher levels of security standards can be introduced in more complex projects such as outsourcing by financial institutions. Further, annual standard audit reports carried out by independent third parties, such as ISAE 3402 and ISAE 3000 reports, are often seen as a standard requirement in outsourcing contracts.
In Denmark, there are only agreed documents (or quasi-agreed standards) for public procurement contracts. In August 2020, a new data centre contract, referred to as “K04”, was released. This contract is used by public authorities.
From time to time, there have been various initiatives to establish a standard data centre contract using a template. However, this template is not widely used and is rarely used for large-scale business-critical outsourcing.
When major companies outsource large and complex IT or BPO services, the contract bundle itself is almost always provided by external law firms, while service descriptions, service levels and price books are provided by consultancies.
The most normal sourcing model is still single sourcing contracts, in which a customer outsources, eg, all its IT infrastructure services to a single service provider. The contracts will typically include transfer of various assets and employees.
If the proposed supplier is not the main trading entity within its group, or does not have sufficient assets to meet its potential contractual liabilities, the customer will usually require the supplier's parent company to issue a parent company guarantee in the customer's favour.
During the last ten years, there has been a trend towards shorter contract terms. Normally, contract terms would be around five to eight years with an opportunity to extend for another 12–24 months. Now, it is more common to see a contract term of three to five years (or even shorter), though an opportunity to extend for 12–24 months remains.
Indirect outsourcing is similar to a direct outsourcing, except that the customer appoints a supplier that immediately subcontracts to a different supplier. Often, the second supplier is located outside Denmark, and the first supplier is based in Denmark. This structure is used to some extent in Denmark.
The most normal commercial models are still a combination of fixed fees (for one-time services such as, eg, the transition services) and a base charge model combining fixed charge elements (for, eg, cross-functional services) and unit prices for all consumption-based services. It is normal to see ARC/RRC models with pre-agreed discount levels.
In respect of termination service charges, we have experienced a shift from trying to include such charges in the base charges (and thereby reduce the cost as much as possible during a tender process) to a model where most of the termination services are based on a time and material fee model. This shift is likely triggered by the customer’s acknowledgement of the fact that the supplier should be kept incentivised to perform such termination services once the agreement has been terminated or has expired.
Multi-sourcing, where the customer enters into contracts with different suppliers for separate elements of its requirements, is sometimes used. The number of multi-sourcing arrangements is increasing due to the higher level of expertise required by the customer, leading them to receive the services from different high-level suppliers. In such arrangements, the customer must ensure that interfaces and service integration between the different services are carefully managed to enable the seamless provision of an overall service. This will usually involve requiring suppliers to participate in a joint governance process.
The customer may also wish to impose contractual obligations on suppliers to co-operate with one another without the involvement of the customer. This structure is used to some extent in Denmark, but requires a mature customer and mature suppliers.
Joint Venture or Partnership
Under the joint venture model the customer will transfer assets, employees and the service provision to a special purpose vehicle jointly owned by the customer and the supplier. This is not a commonly used structure in Denmark.
Build Operate Transfer (BOT)
The BOT structure is similar to the captive entity structure, but where the process of building and stabilising the running of the entity is outsourced to a supplier, after which the entity is transferred to the company. This structure is used to some extent in Denmark.
Captives have dominated BPO for the last 20 years in Denmark, and Danish companies have built a large presence in Poland, other parts of Eastern Europe, and India. Today, there is a slight tendency for companies to closely evaluate hybrid or Global Business Services options before enlarging current operations or establishing new captives. Divestment of shared service centre operations has occurred, but has yet to become a market trend.
Most outsourcing contracts will grant a customer remedies in addition to those provided by law, but will also limit the remedies for breach available to a customer under the law. Customer protections typically include the following.
Termination for convenience or specific cause is as negotiated between the contracting parties. Under the general principles of Danish law, a contracting party can terminate for material breach. Material breach generally occurs either in case of a very significant breach or in case of a series of recurring breaches adding up to constitute a material breach.
While breaches of outsourcing agreements frequently occur, it will require significant events to take place before a material breach is deemed to occur under the general principles of Danish law. A material breach is therefore a rare occurrence. In outsourcing agreements, the contracting parties often specify a number of events that constitute a material breach, including for example continuous non-performance of key service levels for a certain period of time.
Termination for Convenience
It is market standard to include termination for convenience provisions in the agreements for the customers, with specified notice periods depending on the size and criticality of the services provided. Whether the supplier has the right to terminate an outsourcing agreement for convenience also depends on how business-crucial the outsourced services are to the customer. If the services are important for the customer's daily business, the supplier will not have a right to terminate for convenience.
In the rare case that the supplier is granted a right to terminate for convenience, the notice period is customarily 12 months to ensure that the customer has sufficient time to make necessary changes within its organisation and find a replacement supplier.
The default position under Danish law is that a party can claim full coverage of its losses (direct and indirect) provided that:
The vast majority of outsourcing agreements will be subject to limitation of liability provisions, setting out a total cap of damages and excluding certain types of losses, eg, indirect losses.
Although there is a distinction under Danish law between direct and indirect losses, there is no precise definition of indirect losses versus direct losses, and the definition of indirect losses is often subject to intense discussion, especially when a party has suffered a loss. For example, it has been subject to ongoing discussion whether internal administrative costs are to be considered a direct or an indirect loss. Sometimes, parties try to pre-define types of losses as direct losses.
Loss of profit, loss of business, and loss of goodwill are typically types of indirect losses. In general, costs directly relating to remedy of the breach itself or to purchase a substitute service will normally be considered as a direct loss.
The vast majority of outsourcing agreements also include a liability cap, which is limited either to a percentage of the total charges paid or payable during a period of, eg, the 12 months preceding the default, or to the total charges paid or payable under the service order in question.
There are, however, certain situations where it will often not be possible to limit a party’s losses, eg, in terms of death or physical injury or in cases of gross negligence or wilful misconduct. Such situations will often be excluded from the limitation of liability provisions.
In addition, the parties (often the customer) will normally try to exclude certain other types of losses from the limitation of liability provisions. These are normally losses based on third-party infringement claims and losses due to breach of the confidentiality obligations.
Duty of Loyalty
There is a general duty of loyalty between contracting parties, which entails that each contracting party must care for the other party’s interests. This is recognised as an unwritten principle of Danish law. Similarly, Danish law recognises a principle prohibiting the abuse of rights.
Quality of Services and Goods
A number of statutory and case law implied terms apply to the quality of goods and services provided under an outsourcing agreement. This includes that the services and goods must be of a satisfactory quality (meet the customer’s reasonable expectations) and be fit for purpose. However, as outsourcing contracts often contain detailed service descriptions, the implied quality terms are usually only used in the interpretation of the service descriptions when the contract is unclear or silent on certain matters.
The Danish Act on Transfers of Undertakings (the “Transfer Act”) incorporating EC Directive 2001/23, provides for certain protection of the employees in relation to transfers of undertakings.
If the initial outsourcing constitutes a transfer of business or part of a business, employees will be transferred by operation of Danish law.
When determining whether an initial outsourcing constitutes a transfer of business under the Transfer Act, EU case law is relevant. Pursuant to EU case law, the relevant criteria are:
Change of Supplier
If the criteria above in relation to the transfer of a business are fulfilled, a change of supplier might constitute a business transfer.
According to Danish law, such transfer will generally be considered to be two business transfers (from the current supplier back to the transferor and then from the transferor to the supplier).
Termination (or Expiry)
Termination of an outsourcing arrangement (irrespective of the cause) might also be considered a transfer of business in accordance with the Transfer Act if the above criteria are fulfilled. In such case, employees will be transferred back to the transferor.
If a transfer of undertaking takes place, the rights and obligations of the employees along with their individual employment terms and any collective bargaining agreements will be transferred to the transferee. As a general rule, following and as a consequence of such transfer, the transferee becomes solely liable towards the employees for any financial obligations arising from the employment before the transfer.
As a consequence of a business transfer being subject to the Transfer Act, it is not a requirement to obtain the affected employees' consent to the transfer, as they will be transferred “automatically”.
The automatic transfer by operation of law does not apply in relation to employees' rights to old age, invalidity or survivor's benefits. This exception is, however, very limited since the transferee will enter into the obligation to pay pension contributions but not into the obligation to pay pension benefits. In Denmark it is rarely seen that the employer has an obligation to pay such benefits. Generally, employees in Denmark are governed by pension schemes with defined contributions and not a defined benefit and an employer's obligation is usually fulfilled by paying the pension contributions in question.
Collective Bargaining Agreements
If the relevant employees employed by the transferor are covered by a collective bargaining agreement, the transferee will, as a starting point, automatically adopt the collective agreement and become party to such agreement.
However, the transferee may give notice to the unions within a certain time limit following the transfer date, stating that the transferee does not want to adopt the collective bargaining agreement(s) to which the transferor was a party. If the transferee gives such notice, the transferee does not become a party to the collective agreement. However, the transferee is still obliged to fulfil other employees' rights following from the waived collective agreement, such as the employees' right to payment for extra hours, pension contributions, protection against unfair dismissal, until the ordinary expiry of the collective agreement.
According to the Transfer Act, the transferor must in due time before the transfer inform the employees’ representatives of:
In addition, employers with at least 35 employees are in certain cases (including in case of a transfer of undertaking) obliged to inform and consult the employees before a final decision is made. The obligation to inform and consult is set forth in the Danish Act on Information and Consultation of Employees and/or applicable collective bargaining agreements. In either case, the duty to inform and consult is substantially similar.
The purpose of the act is to ensure that the employees are informed at an appropriate point in time of issues which are of importance to the employment, and that the employees are consulted on the basis of this information.
Special rules will apply in case of collective dismissals (including collective dismissals as a result of constructive dismissals).
In outsourcing situations, employees are generally outsourced based on the Transfer Act as described above. There is furthermore a tradition of involving unions and employee representatives throughout the process.
It is customary that the customer and the supplier agree to share the relevant information either party needs in order to comply with the Transfer Act. Further, it is also market practice that the parties agree on indemnity clauses holding the other party harmless from claims and liabilities relating to the period during which the employee was employed by the indemnifying party.
The terms applicable to asset transfer in outsourcing arrangements vary depending on the assets in question.
Transfer of contracts to a new debtor generally requires consent from the creditor, except where the parties have agreed otherwise.
With respect to intellectual property rights under a software licence agreement, the general rule is that these are not assignable unless the licensor has granted such a right to the licensee. The mere operation of software in infrastructure outsourcing generally requires consent from the licensor. For a company seeking to outsource, this means that the company must obtain consent from all licensors of software that a potential supplier will use to provide services to the company.
Trade Marks, Designs, Copyrights, Etc
Transfer of EU trade marks and EU designs is subject to registration with EUIPO to have effect against a third party. This means that registration of a transfer is not a condition for the validity of the transfer, but if a transfer is not registered by the relevant authority, the successor may not invoke the rights arising from the trade mark or design registration. The same is the case with Danish trade mark and design registrations, which may be recorded with the Danish Patent and Trademark Office.
Transfers of other intellectual property rights such as copyrights, non-EU trade marks, patents, utility models and non-EU designs do not require any registration to have effect against a third party. It is generally recommended that the parties enter into an asset transfer agreement and undertake the relevant registration with the relevant authorities with respect to all registered rights.
Movable property is transferable without being subject to any formalities; however, motor vehicles must be registered with the Danish Motor Vehicle Agency. For transfer of real estate, a deed of conveyance must be completed for registration with the Danish Land Registration Court.
Business Continuity and Cybersecurity
The COVID-19 pandemic has had a direct impact on the priorities of outsourcing deals. When the COVID-19 pandemic initially hit Denmark in early 2020, many companies put planned or upcoming outsourcing projects on hold to deal with the implications of the COVID crisis. Now companies are commencing the renegotiation of existing outsourcing projects and the sourcing of new ones, but this time with an increased focus on business continuity planning and digitalisation. In addition, the Danish market has in recent years been hit by a number of high-profile cyber-attacks against large companies; combined with the generally increased worldwide cybersecurity threat and stricter regulatory requirements, this means that information security is becoming a key element of outsourcing deals.
Business Continuity Planning
Business continuity management is nothing new in outsourcing deals, but for most companies the COVID-19 situation has been the greatest test of their business continuity plans yet. COVID-19 affected the entire global economy and caused issues with supply chains. In Denmark, companies have for many years outsourced a number of core IT, business process, and support functions to India and other offshore countries. With the lockdowns in India and other major offshore outsourcing countries, it became apparent that existing business continuity plans were in many cases not sufficient to manage a global crisis.
The focus in business continuity plans has often been on multiple physical backup sites to which the outsourcing provider, in case of an incident, should be able to quickly redeploy its resources and from which it can resume delivering services. However, in practice such rapid redeployment is not without its own risks and challenges, and the plans are often not designed for country-wide or global lockdowns such as those in 2020 and 2021.
Business continuity plans will today have to include provisions for remote working, which puts a stronger emphasis on logical security measures and employee policies. Home connections and home physical environments are less secure than customary corporate settings, and outsourcing providers will have to consider how sufficient security measures can be implemented in a home environment.
Further, business continuity plans must address how confidentiality is secured when employees can access business-critical information from anywhere via diverse devices. Human error is one of the main causes of security breaches and is difficult to control when the workforce is working from home.
Devices used for remote working may be used at locations where other people are present, or the device may be used by other members of the household. This means that the outsourcing provider must have strict, GDPR-compliant policies in place on how to secure the confidentiality of customer data when working remotely, agreed with the customer and included in the outsourcing agreement. As a result, the concept of “zero trust” has emerged.
Security and maintaining confidentiality are obvious elements to address. During the pandemic, service providers were swift to distribute workstations and upgrade the bandwidth of home connections. Then the weakest point became management and leadership. How do you exercise control and team leadership over a BPO team accustomed to a highly hierarchical management style, often with very little tradition of autonomous decision-making? The same applies to application and maintenance work, but potentially less so to infrastructure operations, except when dealing with incident resolution. Therefore, future business continuity planning must not only be crafted and tested in respect of technical abilities but must also stand the test of effective management and control actions.
Influence from the financial sector
In Denmark, the Outsourcing Order from 2010 was replaced with a new Outsourcing Order in 2020 implementing the IBA guidelines from 2019. The Outsourcing Order requires, among other things, that the outsourcing company has business continuity plans in place and that the outsourcing contracts contain requirements for the supplier’s execution and testing of business continuity plans. The new Outsourcing Order focuses heavily on documentation of the measures implemented to comply with the requirements, which has resulted in more detailed contractual requirements and an even higher focus on reporting, security, and exit planning.
As outsourcing providers and advisors become more familiar with the increased regulatory requirements within the financial sector, including detailed documentation requirements, it is expected that some of the same requirements will be carried over to contracts outside of the financial sector. This includes more detailed business continuity plans, documentation, and regular testing of the plans inspired by the financial outsourcing deals.
In recent years there has been more focus on technology and automation to secure productivity gains and lower costs. In addition to these benefits, new technology and automation can be used in a company’s business continuity planning by relying less on physical location and dedicated workforce. The push to more digitalisation has been ongoing for years now and the pandemic has not made this trend any less relevant.
Increased threat level
With the increased digitalisation, IT systems are becoming more and more critical to individual businesses and to society. While digitalisation brings many advantages, it also makes companies more vulnerable to cyber-attacks. In the last five years, the Danish market has been hit by a number of high-profile security breaches and cyber-attacks, and the global market has experienced an increased level of threat. With many people working from home during the COVID-19 pandemic, online business activities have dramatically increased and there has been a significant increase in cyber-related attacks on a global scale.
As a consequence of this, companies are investing more in information security in their organisations, and information security plays a larger role in outsourcing contracts today than would previously have been the case. It is anticipated that increasingly detailed and comprehensive security requirements will be seen, including the expectation that service providers will be certified under ISO 27001 or similar standards.
More regulatory requirements focusing on cybersecurity
Cybersecurity is not a requirement stemming solely from internal needs. Cybersecurity has also become a focus area of new legislation and guidelines from public authorities. Most of these requirements are coming from the EU and are implemented in all member states:
The GDPR came into force in 2018 and brought with it regulatory requirements for the technical and organisational security measures that companies must have in place when processing personal data. With Article 28 of the GDPR and the new standard contractual clauses applicable when transferring data outside of the EU, companies are forced to actively consider and document the organisational and technical measures that are put in place to safeguard the personal data being processed by outsourcing suppliers. If they fail to comply with such requirements, both the outsourcing company and the supplier could face significant fines.
Around the same time as the GDPR, the NIS Directive was also implemented in EU member states in 2018, imposing security obligations and incident reporting obligations on operators of essential services and digital service providers. Only two years after the date by which the directive should have been implemented in member states, the EU Commission in December 2020 published its proposal to replace the NIS Directive with a NIS2 Directive, presenting this as a response to the growing threats posed by digitalisation and the surge in cyber-attacks. The Commission also stated the revision was “further justified by the sudden increase in the dependence on information technology during the COVID-19 crisis”.
The draft NIS2 Directive in its current form will significantly increase the scope of sectors and companies covered by the directive and will follow in the GDPR’s footsteps by bringing fines of up to 2% of the company’s global turnover or EUR 10 million. The NIS2 Directive will abolish the distinction between operators of essential services and digital service providers and instead work with two categories: essential and important entities. Where the NIS Directive only applied to a small number of outsourcing deals, the NIS2 Directive will – depending on the final outcome of the bill – likely lead to the NIS requirements becoming applicable in significantly more outsourcing deals.
Other laws coming
In April 2021 the EU Commission presented the proposal for new legislation focusing on regulating the use of AI (the “AI Regulation”). While the AI Regulation focuses on a number of risks and requirements when using AI systems, a key element in the risk assessment will be cybersecurity.
Further, the new ePrivacy Regulation that is intended to replace the existing ePrivacy Directive has been in the making since 2017 and was initially intended to take effect alongside the GDPR. When implemented, the ePrivacy Regulation will come with requirements to protect privacy in relation to electronic communications.
Impact on outsourcing contracts
Cybersecurity requirements and risk assessments have been a standard part of outsourcing agreements for years. However, with the development of new legislation and the increased cybersecurity risks, compliance requirements, attention to the mitigation of risks, and contractual anchoring of cybersecurity are all increasing. Outsourcing contracts will have a larger focus on more detailed cybersecurity provisions, and thorough cybersecurity risk assessments will have to be carried out before entering into new outsourcing deals (both large and small). Further, with the rapid change in threat level and new cybersecurity threats, businesses and outsourcing providers must, on a continuous basis throughout the duration of the outsourcing agreement, assess whether the technical and organisational security measures are sufficient to protect the business’ IT systems and data from new threats. What was sufficient at the time of entering into the outsourcing arrangement may not be sufficient years later. Such continuous improvements will come at a cost to the outsourcing provider, and the outsourcing agreement should consider how such costs are allocated.
The legislation that has already been implemented and the legislation being proposed all have in common that it will not be enough to ensure that sufficient IT security measures are in place; companies must also be able to document that relevant assessments were made before contracting and that ongoing reassessment and testing take place.
Cybersecurity requirements are not only being implemented directly between the outsourcing customer and supplier. The outsourcing contract must also ensure security throughout the entire supply chain. Any potential weakness in a supplier’s or sub-supplier’s systems can expose the outsourcing customer to security and/or data breaches.
An Accelerated Trend
COVID-19 has not been the cause of the increased focus on business continuity planning and cybersecurity, but it has accelerated a trend that was present when the pandemic first hit.
With companies becoming more aware of the risks of not having sufficient and robust business continuity plans and cybersecurity measures in place and the increase in documentation and compliance requirements coming from the EU, a continuation of interest in these areas of outsourcing deals is expected over the coming years.