Technology & Outsourcing 2023

Last Updated October 26, 2023

Belgium

Law and Practice

Authors



Liedekerke was founded in 1965 and is one of the biggest independent law firms in Belgium with a satellite office in London (UK) and fully functioning offices in Kigali (Rwanda) and Kinshasa (DRC). The firm combines sector expertise and an in-depth legal knowledge of Belgian and European law with academics and members of associations and boards amongst its lawyers. As an essential complement to its advisory activities, Liedekerke represents clients in complex litigation before national, European and international courts, both judicial and arbitral. With over 130 lawyers, including 29 partners, its goal is to be the firm of choice for clients who require trusted advice and innovative legal solutions. Its cross-practice team of more than 15 lawyers specialised in technology handles significant cases at both national and international level in advisory (including IT contracts, IT audits, e-commerce, outsourcing, licensing, know-how, market practices), litigation and transactional work. The firm would like to thank Etienne Kairis, Head of the IP/IT/Data protection practice, Paul Geerebaert, Head of the Employment & Benefits practice, Jean Pierre Kesteloot, Counsel, Commercial & Litigation, Siemen Buttiëns and Manon Dufey, Associates, Employment & Benefits, Remco Bernaerdts, Associate, Corporate & Finance and Africa Desk, and Elliot Bernard, Associate, Commercial & Litigation for their valuable contribution to this chapter.

IT outsourcing is still on the rise in Belgium. This is partly due to a shortage of available technology professionals, which makes insourcing increasingly difficult. IT outsourcing is often driven by the need for trained, affordable and flexible manpower. Consequently, there is an increase in outsourcing outside the EEA to economically more favourable countries (eg, Northern Africa and India). 

COVID-19 had a lasting impact on the use of technology in business. Virtual meetings have become the default mode of communication and collaboration, not only within a company but also amongst companies exploring or doing business. There is also a rise in the availability on the market of virtual collaboration tools (such as project management tools). These tools give an answer to one of the biggest challenges of outsourcing (in particular when this takes place abroad to countries in another continent). These tools allow businesses to keep a finger on the pulse, namely to better train the staff abroad and ensure an almost simultaneous follow-up, which benefits the quality of the outsourced work and facilitates swift intervention if there is an issue.

The outsourcing of cloud computing remains very popular since the cloud offers a plethora of opportunities. Other key market trends include automation, big data analysis, cybersecurity, AI, sustainability and green IT (to some extent prompted by ESG requirements).

As a result of the COVID-19 pandemic, companies have increasingly turned to outsourcing their non-core and administrative functions, which has resulted in an increase in BPO. Over the course of the last few years, the reliance on BPO has seen continuous and significant growth, which is expected to continue. 

Other key market trends include the following.

  • Automation and intelligent process automation (IPA): the further development of technologies such as AI, machine learning and robotic process automation has increased automation in BPO. The automation of repetitive tasks improves efficiency, reduces costs and speeds up processing times.
  • Knowledge process outsourcing (KPO): there has been a shift from the BPO of repetitive tasks to more knowledge-based processes. KPO services include training, consultancy and research, such as intellectual property research or business and market research, and R&D. They offer customers the opportunity to benefit from the knowledge of experienced individuals and companies, without having to integrate them into their internal business structures.

New technologies, such as AI, chatbots, machine learning, robotics and robotic process automation, blockchain, cryptocurrency, NFTs, fintech and smart contracts, bring numerous opportunities for companies but go hand in hand with specific challenges, requiring far-reaching expertise in these fields, which is often missing in-house. 

For instance: 

  • AI and machine learning enable the development of intelligent automation tools allowing the streamlining and optimisation of various IT processes;
  • the use of AI techniques for text and data mining and analysis is increasing (also given the text and data mining exception in the DSM Directive (Directive (EU) 2019/790), which can nevertheless be limited by technical restrictions (eg, captchas));
  • chatbots and robotic process automation allow for the automation of repetitive tasks, enhancing customer support and improving overall productivity; and 
  • fintech and smart contracts impact financial transactions and contract management processes. 

Overall, these new technologies have extensively transformed the market for numerous companies, offering them the opportunity to innovate, improve efficiency and enhance service offerings. To keep up with this ever-changing technological landscape, companies are increasingly turning to IT outsourcing.

The most commonly outsourced IT services in Belgium are web development, hosting, software and application development and maintenance, helpdesk and technical support, database development and maintenance, IT consulting and infrastructure. 

There is no specific regulatory framework for outsourcing transactions. However, the sector-specific rules that apply to a company may also apply to its suppliers.

Outsourcing in some sectors, such as the following, is restricted. 

Public Sector

Certain outsourcing transactions in the public sector may be subject to the principles and rules of public procurement pursuant to the Belgian Public Procurement Law of 17 June 2016. This Act includes extensive obligations that should be adhered to in the context of a public procurement tender procedure and any subsequent negotiation process. The applicability of these obligations depends on the value and characteristics of the outsourcing. 

Banking and Investment Sector

Outsourcing in the financial sector is extensively regulated. The main legal instruments are:

  • the Law of 25 April 2014 on the legal status and supervision of credit institutions;
  • the Law of 20 July 2022 on the legal status and supervision of stockbroking firms and containing various provisions;
  • NBB Circular 2021_21, Circular 2021_28, Circular 2020_23, Circular 2019_19, Circular 2019_09, Circular_2009_17;
  • Circular PPB 2005/2 on sound management practices with regard to outsourcing by financial institutions;
  • Communication of the Financial Services and Markets Authority (FSMA), 2022_19 of 8 June 2022, relating to the ESMA guidelines on outsourcing to cloud service providers; and
  • FSMA Circular 2019_23 of 5 August 2019.

Financial institutions must limit the operational risks of outsourcing and remain fully responsible when outsourcing functions, activities and operational tasks. Additionally, outsourcing may not lead to an impairment of the quality of the organisation and, in particular, of the quality of the internal control, such as an undue increase in operational risk or an impairment of the supervisory authority's ability to monitor the institution's compliance with its obligations. 

When outsourcing operational tasks of critical importance, additional requirements apply. Such outsourcing must be preceded by a notification to the NBB or the FSMA, depending on the supervisory authority. This notification must include the details of the planned outsourcing. Existing outsourcing contracts undergoing material changes or events inducing such changes are subject to a similar obligation.

Please note that, depending on the financial institution, slightly different requirements in relation to outsourcing may apply. It is therefore important to correctly identify the legal provisions applicable to specific entities. For instance, with respect to financial credit institutions, the following specific legal instruments apply: the European Banking Authority guidelines on outsourcing of credit institutions' business activities, and the NBB guidelines applicable to less significant institutions.

Therefore, a case-by-case analysis shall always take place with respect to the functions and/or services to be outsourced as well as the regulatory status of the entity planning the outsourcing.

Insurance Sector

Outsourcing in the insurance sector is extensively regulated. The main legal instruments are:

  • the Law of 13 March 2016 regarding the statute and supervision of insurance and reinsurance companies;
  • Delegated Regulation 2015/35 (Solvency II);
  • Circular NBB_2020_18 on the recommendations of the Bank in relation to cloud outsourcing; and
  • the EIOPA Guidelines on outsourcing to cloud service providers.

An insurer who subcontracts operational activities must ensure that this shall not lead to:

  • seriously compromising the quality of the insurer’s governance;
  • unduly increased operational risk;
  • the ability of the National Belgian Bank (NBB) to monitor the company’s compliance with its legal and regulatory obligations being compromised; and
  • the continuous and satisfactory service to policyholders, insured persons and beneficiaries of insurance contracts or persons concerned by the execution of reinsurance contracts being undermined.

Insurers shall inform the NBB promptly before outsourcing critical or important functions or activities or independent control functions of (i) their intention to do so; as well as (ii) later important developments as regards these functions or activities (including the decision to end the outsourcing of a function or activity). Specifically, the NBB asks insurance companies to provide information within a reasonable period of time (in principle, at the latest six weeks before the outsourcing enters into force, barring any duly justified specific derogation) with a file in accordance with the standard notification form.

When an insurer plans to outsource critical or important functions or activities, the supplier must in principle be located in Belgium or in another member state of the European Economic Area (EEA). 

A critical function or activity may only be outsourced to a service provider located in a country outside the EEA if the following conditions are met:

  • there is an appropriate co-operation agreement between the NBB and the prudential supervisory authority in the supplier’s country or, if the service provider is part of a group that is subject to supervision at group level, there is a co-ordination agreement for a college of supervision to which the NBB and the prudential supervisory authority of the third country are a member; and
  • said agreement guarantees that the NBB has the ability to acquire, upon request, the essential information for executing its tasks, as well as obtain suitable access to any relevant data, documents, premises or staff in the third country for the exercise of its supervisory powers.

Where the supplier of outsourced services is located in a country outside of the EEA, the insurer must also be able to guarantee:

  • that itself, its accredited statutory auditor and the NBB will be able to exercise and enforce their right of access and review; and
  • that it has the capacity to restructure and liquidate in Belgium (the information needed for this purpose should be accessible at all times in Belgium).

The NBB also published additional recommendations for the specific case of outsourcing by insurers to cloud service providers, amongst others:

  • in case of outsourcing to cloud service providers of critical or important operational functions or activities, the insurer, where appropriate, should reflect the changes in its risk profile due to its cloud outsourcing arrangements in its own risk and solvency assessment; and
  • the insurer should ensure in its selection and assessment process that the cloud service provider is suitable for providing the relevant services according to the criteria defined by its written outsourcing policy (due diligence process).

DORA

In addition to the foregoing, it is worth mentioning the EU Regulation on digital operational resilience for the financial sector (Regulation (EU) 2022/2554; DORA), which entered into force on 17 January 2023 and will apply as of 17 January 2025.

DORA targets Belgian entities providing financial and insurance services, as well as the Belgian branches of these entities.

Amongst others, DORA provides uniform requirements for the security of the networks and information systems of financial institutions, as well as critical third-party providers that provide them with information and communication technology (ICT) services, such as cloud computing platforms (PaaS) or data analysis services. In addition, DORA lays down requirements relating to ICT risk management, reporting of major ICT-related incidents and notification of significant cyberthreats to the competent authorities, as well as reporting operational or security payment-related incidents to the competent authorities by certain financial institutions. 

The Proposed PSD3, the Payment Services Regulation (PSR) and the Regulation on a Framework for Financial Data Access (FIDA)

The proposed PSD3 and PSR require existing payment and electronic money institutions to reapply for their licence within 24 months of the PSR coming into force in order for them to rely on grandfathering provisions that allow prior licences to be valid for 30 months after PSD3 enters into force. In the context of the reapplication of the licence, the payment institutions shall demonstrate compliance with new requirements relating, amongst others, to the continuity of any critical activities by outsourced service providers, agents or distributors.

The proposed FIDA provides a licensing requirement for financial information service providers. A licence will only be provided if it is satisfied that any outsourcing arrangements will not render the financial information service provider a letterbox entity. When relying on a third party for the performance of functions which are critical for the provision of continuous and satisfactory service to customers and the performance of activities on a continuous and satisfactory basis, it must take reasonable steps to avoid undue additional operational risk. Outsourcing of important operational functions may not be undertaken in such a way as to materially impair the quality of its internal control and the ability of the supervisor to monitor the financial information service provider’s compliance with all obligations.

With the PSR, the EC has focused on strengthening anti-fraud measures. One of the proposed measures includes the requirement for payment service providers to conclude outsourcing agreements with technical service providers, when the latter provide and verify the elements of strong customer authentication for the account of the payment service provider.

Finally, to ensure effective powers of the supervisory authorities, additional investigative powers have been considered in relation to the supervision of technical service providers, operators of payment schemes and outsourcing companies used by the companies that are subject to the proposed PSR.

Cross-Border Data Flows

The processing of personal data, including cross-border data flows within the EEA and from the EEA to non-EEA countries, is subject to the provisions of the GDPR. 

The GDPR restricts cross-border data flows to non-EEA countries that have not obtained an adequacy decision. It is hence especially important for international outsourcing where the supplier (and/or its sub-contractors) is (are) based outside of the EEA in a country without an adequacy decision, since additional requirements might apply. In such event, the data exporter must ensure that the data importer outside the EEA offers an equal level of protection as the level of protection under the GDPR, which can be realised for example by concluding standard contractual clauses (SCCs) or setting up binding corporate rules (BCR) combined with additional technical measures (eg, encryption of the data with the key held by an independent party).

There has also been an increase in risk assessments in the context of data transfers outside the EEA, as companies undertake more data protection impact assessments (in this context, also referred to as "data transfer impact assessments"). 

Following the Schrems II decision of the European Court of Justice (ECJ), and the guidance of the European Data Protection Board (EDPB) and Belgian Data Protection Authority (BDPA) in this regard, companies are obliged to assess whether the conclusion of SCCs with a recipient in a third country (without an adequacy decision) will provide for an adequate level of protection of the personal data transferred. Hence, one cannot assume this is the case by merely concluding the SCCs, as such clauses may for example not be effectively enforceable in the third country. Depending on the outcome of such an assessment, companies wishing to set up cross-border data flows to third countries could be required to undertake additional measures (eg, extensive pseudonymisation).

In July 2023, the European Commission (EC) published an adequacy decision for the new EU-US Data Privacy Framework, considering personal data flows between the EU and the US organised under this framework to provide for an adequate level of protection. 

The NIS and NIS2 Directive

Cybersecurity in Belgium is mainly governed by the Law of 7 April establishing a framework for the security of network and information systems of public safety interest (the "NIS Law"), implementing the NIS Directive (Directive (EU) 2016/1148). The NIS Law holds various minimum cybersecurity and incident reporting requirements for operators of essential services, eg, in the energy or transport sector, and relevant digital service suppliers.

In January 2023, the NIS2 Directive (Directive (EU) 2022/2555) was adopted with the aim of:

  • expanding the scope of application to more sectors and entities;
  • harmonising the rules for identifying these entities (using a size limit as an automatic and uniform criterion);
  • expanding security requirements;
  • increasing the involvement and responsibility of executives and boards of directors;
  • harmonising and strengthening the sanctions and supervisory powers of competent authorities;
  • clarifying incident reporting obligations (eg, deadlines, information to be included); and
  • strengthening supply chain security.

The NIS2 Directive repeals the NIS Directive with effect from 18 October 2024. Member states have until 17 October 2024 to implement the NIS2 Directive in their national legal order. Currently, the Belgian legislator has not yet taken any action in this regard.

Guidelines

Both the Belgian Centre for Cybersecurity and the European Union Agency for Cybersecurity (ENISA) have published several guidelines, good practices and tools for companies to use to enhance their internal cybersecurity levels, which could also be useful in the context of companies’ collaboration with (IT) suppliers and partners.

Belgium has no standard contract model for outsourcing transactions. Outsourcing contracts are deemed contracts for “rent of work” (Article 1710, (old) Civil Code) and are, like any other contracts, governed by the provisions of the Belgian Civil Code governing, among others, the formation and legality of the contract and certain warranties and liabilities. Parties thus have an extensive contractual freedom and can in principle agree on anything that does not conflict with mandatory law, public order or morality. 

The most traditional form of IT outsourcing is direct outsourcing. The customer and one main supplier contract directly and the main supplier delivers “end-to-end” IT services to the customer. Unless otherwise agreed upon, this structure does in principle not preclude sub-contractors of the supplier, who evidently remains responsible for their work. Although this structure reduces the complexity of the outsourcing transaction for the customer, it may lead to “supplier lock-in” (ie, high dependency on one main supplier) and unknown sub-contractors may lead to uncertainties. 

The customer can also decide to contract with multiple suppliers (multi-sourcing), which implies the conclusion of multiple separate contracts with different suppliers of (parts of) services or one multi-vendor agreement. The contracts generally oblige the different suppliers to co-operate. Although this model offers more flexibility, it also complicates the outsourcing for the customer, who will need to manage the different outsourced projects (and, for example, set up a solid governance system).

The customer may also contract with a supplier that subcontracts the services in its entirety to one or more third-party supplier(s) (indirect outsourcing), often nearshore or offshore third parties. Contrary to multi-sourcing, this places the burden of the operational management on the supplier instead of the customer.

Finally, a far-reaching outsourcing partnership may be organised as a joint venture (JV), requiring a complex contractual structure (and, therefore, being a rather time-consuming and costly solution). Setting up a JV is rather rare and is mainly used when the customer and supplier wish to jointly set up a new business. Where a JV falls within scope of European or Belgian competition law, additional aspects should be taken into account (eg, prior notification to the Belgian or European competition authorities may be required).

Where digital transformation is part of the services provided, the contract’s terms are often adjusted accordingly with, for instance, specific/complex (technical) schedules describing such digital transformation tools, procedures to be used, expected results and governance mechanisms. Where required, for instance in a multi-sourcing environment, specific attention shall be invested in the liability clause and clauses related to cybersecurity and data processing; also see 4.7 Digital Transformation.

Where AI and machine learning are involved, which for instance require large-scale data processing, parties tend to give more attention to specific terms related to data protection, transparency of algorithms, active information obligation, IP, contractual milestones, logging, data governance and, in some events, even include formal AI principles and requirements related to the ethical use of AI.

Protection Stemming From the Law

In certain areas a customer is protected by legal obligations imposed on the supplier (regardless of whether a contractual clause is included in this regard), eg, personal data protection legislation and cybersecurity legislation (also see sections 2.2 Industry-Specific Restrictions, 2.3 Restrictions on Data Processing or Data Security and 4.4 Implied Terms).

In addition, pursuant to Articles VI.91/3 et seq of the Belgian Code of Economic Law, certain clauses in B2B contracts are deemed abusive and therefore null and void. Some types of clauses are always considered abusive, without any possibility to refute the qualification (eg, causing the other party to waive any remedy against the company in the event of a dispute). Other clauses are presumed to be abusive until proven otherwise (eg, granting the company the right to unilaterally modify the price, characteristics or conditions of the contract without a valid reason). 

Additionally, clauses that create a manifest imbalance between the rights and obligations of the parties to a B2B contract are also prohibited and can be declared void when used. Whether a clause is deemed imbalanced shall depend on the circumstances of the contract (conclusion) and the collaboration in practice between the parties.

Contractual/Technical Protection Mechanisms

The following mechanisms are often used in IT contracts to protect the customer (non-exhaustive):

  • non-disclosure agreements or confidentiality clauses;
  • extensive service-level agreements (SLA) both in terms of availability and maintenance, including a penalty mechanism;
  • appropriate change request procedure;
  • no exclusivity for the supplier;
  • no contractual termination rights for the supplier;
  • no volume commitment for the customer;
  • audit right;
  • benchmarking provisions;
  • escrow arrangements; 
  • pseudonymisation; and
  • appropriate exit clauses to govern the collaboration after contract termination.

Remedies 

Contractual remedies often consist of compensation (in kind or in cash), termination rights and step-in rights. Non-contractual remedies are, among others, recourse to the Belgian Data Protection Authority (in case of a data protection violation) or the Belgian Centre for Cybersecurity (in case of a cybersecurity incident) or obtaining (provisional) measures via summary proceedings.

Termination Foreseen by Law

Unless otherwise agreed upon, the following will apply.

  • A contract with an indefinite term can be terminated by either party giving a reasonable notice period (Article 5.75, Civil Code). What is deemed reasonable will depend on the circumstances (eg, intensity and duration of the existing collaboration, dependency on services). In such event, in principle, no damages will be due.
  • The customer can always, for convenience, unilaterally terminate the outsourcing contract of a clearly defined work, such as the installation of an IT-system or an outsourcing contract with a fixed duration (Article 1794, (old) Civil Code). Consequently, the customer will have to reimburse the supplier for all its expenses, work and everything they could have gained from the outsourcing contract.
  • Either party can dissolve the contract for cause, in case of a severe contractual breach by the other party (subject to a post-factum judicial control) (Article 5.90, Civil Code). When an outsourcing contract is dissolved, this in principle only applies to the future (ex nunc) since it is often impossible to return the services that have already been performed. The party in breach will in principle have to reimburse the other party’s damage (eg, costs of finding and onboarding another supplier, costs of any interim solution), subject to any contractual liability terms as the case may be (eg, liability cap).

Contractual Termination

Outsourcing contracts may be terminated according to the contractual terms agreed upon by the parties. Parties can agree on situations in which the customer may terminate the contract, for instance if there are significant breaches of service levels or serious regulatory compliance or data security and privacy breaches or in the case of insolvency. The contract may provide for the procedure to follow in such events (eg, formal notice, remediation term) and the damages being due.

It is uncommon to contractually grant the supplier extensive termination rights. If granted, this is usually in the case of the prolonged non-payment of invoices by the customer.

Basic Principle for Recoverable Losses

When a contract party is in breach of contract and causes damage, the injured party is entitled to integral recovery of the damage suffered as a consequence of the contractual breach, in kind or in cash (Article 5.86-5.87, Civil Code). In principle, all damage that is reasonably foreseeable by the parties at the time of the forming of the contract should be remedied. However, limitations and exclusions are regularly stipulated by the parties in the contract to limit their liability.

Distinction Direct and Indirect Loss

While not expressly provided for in Belgian law, it is common in contracts to make a distinction between “direct” and “indirect” damage and to exclude liability for the latter. In such event – given the lack of any legal definition in this regard and the fact that in Belgium by default any damage caused by a breach should be compensated – it is recommended to define what is understood under “indirect” damages to avoid the potentially unpredictable interpretation of a judge. Parties typically include loss of profits, loss of business (opportunities), loss of time, loss of revenue, loss of data, etc. Such exclusion of liability is in principle accepted, in so far as this does not erode the agreement.

Market Practice Regarding Loss of Profit, Goodwill, Business, Etc 

See previous paragraph.

Categories of Losses That Are Not Subject to any Limitation of Liability

Contractual clauses that exclude/limit liability are in principle valid and parties have extensive contractual freedom in this regard, except if, contrary to mandatory law (Article 5.89, Civil Code):

  • they exonerate or limit the liability in the event of wilful misconduct or fraud; 
  • they exonerate or limit the liability for faults damaging the physical integrity of a person; or
  • they erode the contract, eg, when liability for loss of data is excluded even though the storage of data, data maintenance and back-ups of data are essential elements of the contract.

Further, a limitation of liability may not lead to a manifest imbalance in the relationship between the parties (see 4.1 Customer Protections).

Certain obligations are mandatory by law, regardless of whether any contractual term is included in the contract in this regard. Examples of such legal obligations are the protection and processing of personal data governed by the GDPR as well as specific security obligations applying to certain sectors, such as the financial sector (see 2.2 Industry-Specific Restrictions and 2.3 Restrictions on Data Processing or Data Security). 

The parties’ contractual obligations extend to the consequences conferred on them by law, good faith or customs, according to the contract’s nature and scope, thus potentially going beyond what the parties explicitly agreed upon (Article 5.71, Civil Code). Contractual terms are interpreted by the judge in a dispute and can be mitigated (to reflect the parties’ initial intention). 

Good faith requires the parties to work together in a loyal way, including during the pre-contractual phase, to ensure the proper negotiation, conclusion and execution of the contract. This could imply co-operation obligations, the precontractual disclosure of certain information or the obligation to consider the other party’s interests.

Customs are highly dependent on the sector.

The most common cybersecurity protections and security measures required by customers in technology transactions or outsourcing in Belgium are:

  • adherence to the technical and organisational measures as required under the GDPR, including continuous testing, improvement and updating;
  • requirements in terms of collaboration and responsibilities in case of a personal data or cybersecurity breach (eg, joint response, notification obligations, address data subject requests);
  • compliance with the customer’s cybersecurity guidelines and policies;
  • adherence/obtainment of certain certifications (eg, ISO norms);
  • restrictions on the use of sub-contractors and, where allowed, the obligation to conclude back-to-back contractual terms;
  • requirement to demonstrate/obtain appropriate cybersecurity insurance;
  • step-in right for the customer; and
  • audit right for the customer (or any third-party expert it may appoint in this regard).

Business continuity is often guaranteed by appropriate back-up systems, redundancy and disaster recovery plans.

The most common mechanism is the use of SLAs, both in terms of availability, for example in case of a SaaS or NaaS agreement where this is expressed as a percentage (eg, monthly availability of 98%), and in terms of support and maintenance, providing for response and solution times depending on the criticality of the encountered problem. Typically, such SLAs include penalties, often in the form of service credits, for not complying with the agreed upon service levels.

An audit right for the client is a common mechanism used to allow the customer to, either itself or through appointment of an independent third party, control the correct implementation and performance of the contract. 

In general, the contractual terms remain to a large extent unchanged if the technology or outsourcing is cloud based. Nevertheless, in such event specific attention is mostly given to provisions related to data protection, often including more extensive language regarding data security (eg, encryption) and the processing of personal data (in particular if the server location is outside of the EEA). Attention is also given to an active information obligation, among others, regarding any centrally governed updates and upgrades that may affect the functioning of the software within the larger IT infrastructure of the customer (eg, links/interaction with other software programs used).

The rules governing employee transfers in outsourcing are based on the Acquired Rights Directive (Council Directive 2001/23/EC) (ARD). The ARD is implemented into Belgian national law through Collective Bargaining Agreement No 32bis (CBA No 32bis).

Three cumulative conditions must be met in order (for an outsourcing operation) to qualify as a transfer of undertaking under CBA No 32bis:

  • a change of employer;
  • the transfer is the result of a legal transfer of assets or merger; and
  • a transfer of a (part of a) business through an asset transfer as a "going concern", ie, an economic entity maintaining its identity, that has similar company facilities, staff, company equipment, commercial contracts, clientele base, etc.

The main consequences of the applicability of CBA No 32bis can be summarised as follows.

  • Automatic transfer of employment: the employment agreements (including all rights and obligations) primarily pertaining to the "going concern" existing at the time of the transfer are automatically transferred from the company, along with the assets, to the new service provider. Certain exceptions do apply with respect to the continuation of certain supplementary social benefit schemes.
  • Protection against dismissal: the transferring employees may not be dismissed by the company or by the new service provider on the ground of a TUPE-transfer (ie, the Transfer of Undertakings (Protection of Employment) mechanism, which was introduced to regulate the transfer of a (part of a) business to a new employer and protect employee rights during this process). As an exception, dismissal may be permitted, but only for gross misconduct or for economic, technical or organisational reasons.
  • Joint liability: the company and the new service provider are jointly and severally liable for the payment of debts (eg, salary arrears and bonuses) existing at the date of the TUPE-transfer, with the exception of debts in respect of certain supplementary social benefit schemes. This means that the employee may collect full compensation from any party. 
  • Information and consultation requirements: the company and the new service provider must inform and consult their employees’ representatives in the works council (or, in absence thereof, the trade union delegation, or absent any trade union delegation, the committee for prevention and protection at work) before any decision on the TUPE-transfer is taken and, in any event, before any public disclosure. In the absence of any employee representative bodies, the individual employees must be informed (but not consulted).

If an outsourcing operation does not qualify as a transfer of undertaking under CBA No 32bis, no automatic transfer of employment applies. The employees may still be transferred to the new service provider but the consent of the company that outsources the activity, the new service provider and the employees would be required.

If an outsourcing operation qualifies as a transfer of undertaking under CBA No 32bis, the information and consultation requirements laid down in this CBA apply (please refer to 5.1 Employee Transfers).

If the outsourcing operation is not subject to CBA No 32bis, similar information and consultation requirements may apply, among others, if the outsourcing operation qualifies as an "important structural change", which will often be the case in practice. However, no information or consultation of individual employees will be required in the absence of employee representative bodies.

In the authors' experience, offshore outsourcing to economically more favourable countries (eg, Northern Africa, India) has grown more popular due to recent developments in cloud services and the increase in remote work options (see 1.1 IT Outsourcing). On the other hand, increasingly strict ESG obligations in the supply chain might be a deterrent for offshore outsourcing in certain cases. Although companies consider ESG, a direct impact of this on decision-making regarding outsourcing in practice has not (yet) been seen.

Belgian law distinguishes between two types of remote working, both with their own framework.

  • Structural remote work (CBA No 85) is defined as a way of organising and/or executing the work, with the use of information and communication technology, as part of an employment agreement, where tasks that could also be executed at the company’s premises are executed outside of the company’s premises. Moreover, structural telework requires that employees perform telework on a regular and permanent basis (ie, at least one day per week).
  • Occasional remote work (Article 22-28, Law of 5 March 2017 on workable and agile work) provides a framework enabling the employees to work remotely in the event of force majeure (such as unforeseen weather conditions) or for personal reasons (such as a medical appointment).

Employees working remotely are entitled to the same employment terms and conditions as comparable employees working at the company premises. 

The primary business considerations raised by employers when considering whether to allow remote working include employee retention, less need for office space and a larger talent pool for recruitment.

When allowing employees to work remotely abroad (for the long term), employers should consider the risk that the applicability of local labour laws and social security regimes may be triggered. Another consideration is that employees who are working remotely abroad may not always be covered by the work accidents insurance in the event of work accidents abroad.

Liedekerke

Boulevard de l’Empereur 3
Keizerslaan
B-1000 Brussels
Belgium

+32 2 551 15 15

info@liedekerke.com www.liedekerke.com