IT outsourcing is still on the rise in Belgium. This is partly due to a shortage of available technology professionals, which makes insourcing increasingly difficult. IT outsourcing is often driven by the need for trained, affordable and flexible manpower. Consequently, there is an increase in outsourcing outside the EEA to economically more favourable countries (eg, Northern Africa and India).
COVID-19 had a lasting impact on the use of technology in business. Virtual meetings have become the default mode of communication and collaboration, not only within a company but also amongst companies exploring or doing business. There is also a rise in the availability on the market of virtual collaboration tools (such as project management tools). These tools address one of the biggest challenges of outsourcing (in particular when this takes place abroad, in countries on another continent). They allow businesses to keep a finger on the pulse, namely to better train the staff abroad and ensure an almost simultaneous follow-up, which benefits the quality of the outsourced work and facilitates swift intervention if there is an issue.
The outsourcing of cloud computing remains very popular since the cloud offers a plethora of opportunities. Other key market trends include automation, big data analysis, cybersecurity, AI, sustainability and green IT (to some extent prompted by ESG requirements).
As a result of the COVID-19 pandemic, companies have increasingly turned to outsourcing their non-core and administrative functions, which has resulted in an increase in BPO. Over the course of the last few years, the reliance on BPO has seen continuous and significant growth, which is expected to continue.
Other key market trends include the following.
New technologies, such as AI, chatbots, machine learning, robotics and robotic process automation, blockchain, cryptocurrency, NFTs, fintech and smart contracts, bring numerous opportunities for companies but go hand in hand with specific challenges, requiring far-reaching expertise in these fields, which is often missing in-house.
For instance:
Overall, these new technologies have extensively transformed the market for numerous companies, offering them the opportunity to innovate, improve efficiency and enhance service offerings. To keep up with this ever-changing technological landscape, companies are increasingly turning to IT outsourcing.
The most commonly outsourced IT services in Belgium are web development, hosting, software and application development and maintenance, helpdesk and technical support, database development and maintenance, IT consulting and infrastructure.
There is no specific regulatory framework for outsourcing transactions. However, the sector-specific rules that apply to a company may also apply to its suppliers.
Outsourcing in some sectors, such as the following, is restricted.
Public Sector
Certain outsourcing transactions in the public sector may be subject to the principles and rules of public procurement pursuant to the Belgian Public Procurement Law of 17 June 2016. This Act includes extensive obligations that should be adhered to in the context of a public procurement tender procedure and any subsequent negotiation process. The applicability of these obligations depends on the value and characteristics of the outsourcing.
Banking and Investment Sector
Outsourcing in the financial sector is extensively regulated. The main legal instruments are:
Financial institutions must limit the operational risks of outsourcing and remain fully responsible when outsourcing functions, activities and operational tasks. Additionally, outsourcing may not lead to an impairment of the quality of the organisation and, in particular, of the quality of the internal control, such as an undue increase in operational risk or an impairment of the supervisory authority's ability to monitor the institution's compliance with its obligations.
When outsourcing operational tasks of critical importance, additional requirements apply. Such outsourcing must be preceded by a notification to the NBB or the FSMA, depending on the supervisory authority. This notification must include the details of the planned outsourcing. Existing outsourcing contracts undergoing material changes or events inducing such changes are subject to a similar obligation.
Please note that, depending on the financial institution, slightly different requirements in relation to outsourcing may apply. It is therefore important to correctly identify the legal provisions applicable to specific entities. For instance, with respect to financial credit institutions, the following specific legal instruments apply: the European Banking Authority guidelines on outsourcing of credit institutions' business activities, and the NBB guidelines applicable to less significant institutions.
Therefore, a case-by-case analysis shall always take place with respect to the functions and/or services to be outsourced as well as the regulatory status of the entity planning the outsourcing.
Insurance Sector
Outsourcing in the insurance sector is extensively regulated. The main legal instruments are:
An insurer who subcontracts operational activities must ensure that this shall not lead to:
Insurers shall inform the NBB promptly before outsourcing critical or important functions or activities or independent control functions of (i) their intention to do so; as well as (ii) later important developments as regards these functions or activities (including the decision to end the outsourcing of a function or activity). Specifically, the NBB asks insurance companies to provide information within a reasonable period of time (in principle, at the latest six weeks before the outsourcing enters into force, barring any duly justified specific derogation) with a file in accordance with the standard notification form.
When an insurer plans to outsource critical or important functions or activities, the supplier must in principle be located in Belgium or in another member state of the European Economic Area (EEA).
A critical function or activity may only be outsourced to a service provider located in a country outside the EEA if the following conditions are met:
Where the supplier of outsourced services is located in a country outside of the EEA, the insurer must also be able to guarantee:
The NBB also published additional recommendations for the specific case of outsourcing by insurers to cloud service providers, amongst others:
DORA
In addition to the foregoing, it is worth mentioning the EU Regulation on digital operational resilience for the financial sector (Regulation (EU) 2022/2554; DORA), which entered into force on 17 January 2023 and will apply as of 17 January 2025.
DORA targets Belgian entities providing financial and insurance services, as well as the Belgian branches of these entities.
Amongst others, DORA provides uniform requirements for the security of the networks and information systems of financial institutions, as well as critical third-party providers that provide them with information and communication technology (ICT) services, such as cloud computing platforms (PaaS) or data analysis services. In addition, DORA lays down requirements relating to ICT risk management, reporting of major ICT-related incidents and notification of significant cyberthreats to the competent authorities, as well as reporting operational or security payment-related incidents to the competent authorities by certain financial institutions.
The Proposed PSD3, the Payment Services Regulation (PSR) and the Regulation on a Framework for Financial Data Access (FIDA)
The proposed PSD3 and PSR require existing payment and electronic money institutions to reapply for their licence within 24 months of the PSR coming into force in order for them to rely on grandfathering provisions that allow prior licences to be valid for 30 months after PSD3 enters into force. In the context of the reapplication of the licence, the payment institutions shall demonstrate compliance with new requirements relating, amongst others, to the continuity of any critical activities by outsourced service providers, agents or distributors.
The proposed FIDA provides a licensing requirement for financial information service providers. A licence will only be provided if it is satisfied that any outsourcing arrangements will not render the financial information service provider a letterbox entity. When relying on a third party for the performance of functions which are critical for the provision of continuous and satisfactory service to customers and the performance of activities on a continuous and satisfactory basis, it must take reasonable steps to avoid undue additional operational risk. Outsourcing of important operational functions may not be undertaken in such a way as to materially impair the quality of its internal control and the ability of the supervisor to monitor the financial information service provider’s compliance with all obligations.
With the PSR, the EC has focused on strengthening anti-fraud measures. One of the proposed measures includes the requirement for payment service providers to conclude outsourcing agreements with technical service providers, when the latter provide and verify the elements of strong customer authentication for the account of the payment service provider.
Finally, to ensure effective powers of the supervisory authorities, additional investigative powers have been considered in relation to the supervision of technical service providers, operators of payment schemes and outsourcing companies used by the companies that are subject to the proposed PSR.
Cross-Border Data Flows
The processing of personal data, including cross-border data flows within the EEA and from the EEA to non-EEA countries, is subject to the provisions of the GDPR.
The GDPR restricts cross-border data flows to non-EEA countries that have not obtained an adequacy decision. It is hence especially important for international outsourcing where the supplier (and/or its sub-contractors) is (are) based outside of the EEA in a country without an adequacy decision, since additional requirements might apply. In such event, the data exporter must ensure that the data importer outside the EEA offers an equal level of protection as the level of protection under the GDPR, which can be realised for example by concluding standard contractual clauses (SCCs) or setting up binding corporate rules (BCR) combined with additional technical measures (eg, encryption of the data with the key held by an independent party).
There has also been an increase in risk assessments in the context of data transfers outside the EEA, as companies undertake more data protection impact assessments (in this context, also referred to as "data transfer impact assessments").
Following the Schrems II decision of the European Court of Justice (ECJ), and the guidance of the European Data Protection Board (EDPB) and Belgian Data Protection Authority (BDPA) in this regard, companies are obliged to assess whether the conclusion of SCCs with a recipient in a third country (without an adequacy decision) will provide for an adequate level of protection of the personal data transferred. Hence, one cannot assume this is the case by merely concluding the SCCs, as such clauses may for example not be effectively enforceable in the third country. Depending on the outcome of such an assessment, companies wishing to set up cross-border data flows to third countries could be required to undertake additional measures (eg, extensive pseudonymisation).
In July 2023, the European Commission (EC) published an adequacy decision for the new EU-US Data Privacy Framework, considering personal data flows between the EU and the US organised under this framework to provide for an adequate level of protection.
The NIS and NIS2 Directive
Cybersecurity in Belgium is mainly governed by the Law of 7 April establishing a framework for the security of network and information systems of public safety interest (the "NIS Law"), implementing the NIS Directive (Directive (EU) 2016/1148). The NIS Law holds various minimum cybersecurity and incident reporting requirements for operators of essential services, eg, in the energy or transport sector, and relevant digital service suppliers.
In January 2023, the NIS2 Directive (Directive (EU) 2022/2555) was adopted with the aim of:
The NIS2 Directive repeals the NIS Directive with effect from 18 October 2024. Member states have until 17 October 2024 to implement the NIS2 Directive in their national legal order. Currently, the Belgian legislator has not yet taken any action in this regard.
Guidelines
Both the Belgian Centre for Cybersecurity and the European Union Agency for Cybersecurity (ENISA) have published several guidelines, good practices and tools for companies to use to enhance their internal cybersecurity levels, which could also be useful in the context of companies’ collaboration with (IT) suppliers and partners.
Belgium has no standard contract model for outsourcing transactions. Outsourcing contracts are deemed contracts for “rent of work” (Article 1710, (old) Civil Code) and are, like any other contracts, governed by the provisions of the Belgian Civil Code governing, among others, the formation and legality of the contract and certain warranties and liabilities. Parties thus have an extensive contractual freedom and can in principle agree on anything that does not conflict with mandatory law, public order or morality.
The most traditional form of IT outsourcing is direct outsourcing. The customer and one main supplier contract directly and the main supplier delivers “end-to-end” IT services to the customer. Unless otherwise agreed upon, this structure does in principle not preclude sub-contractors of the supplier, who evidently remains responsible for their work. Although this structure reduces the complexity of the outsourcing transaction for the customer, it may lead to “supplier lock-in” (ie, high dependency on one main supplier) and unknown sub-contractors may lead to uncertainties.
The customer can also decide to contract with multiple suppliers (multi-sourcing), which implies the conclusion of multiple separate contracts with different suppliers of (parts of) services or one multi-vendor agreement. The contracts generally oblige the different suppliers to co-operate. Although this model offers more flexibility, it also complicates the outsourcing for the customer, who will need to manage the different outsourced projects (and, for example, set up a solid governance system).
The customer may also contract with a supplier that subcontracts the services in its entirety to one or more third-party supplier(s) (indirect outsourcing), often nearshore or offshore third parties. Contrary to multi-sourcing, this places the burden of the operational management on the supplier instead of the customer.
Finally, a far-reaching outsourcing partnership may be organised as a joint venture (JV), requiring a complex contractual structure (and, therefore, being a rather time-consuming and costly solution). Setting up a JV is rather rare and is mainly used when the customer and supplier wish to jointly set up a new business. Where a JV falls within scope of European or Belgian competition law, additional aspects should be taken into account (eg, prior notification to the Belgian or European competition authorities may be required).
Where digital transformation is part of the services provided, the contract’s terms are often adjusted accordingly with, for instance, specific/complex (technical) schedules describing such digital transformation tools, procedures to be used, expected results and governance mechanisms. Where required, for instance in a multi-sourcing environment, specific attention shall be invested in the liability clause and clauses related to cybersecurity and data processing; also see 4.7 Digital Transformation.
Where AI and machine learning are involved, which for instance require large-scale data processing, parties tend to give more attention to specific terms related to data protection, transparency of algorithms, active information obligation, IP, contractual milestones, logging, data governance and, in some events, even include formal AI principles and requirements related to the ethical use of AI.
Protection Stemming From the Law
In certain areas a customer is protected by legal obligations imposed on the supplier (regardless of whether a contractual clause is included in this regard), eg, personal data protection legislation and cybersecurity legislation (also see sections 2.2 Industry-Specific Restrictions, 2.3 Restrictions on Data Processing or Data Security and 4.4 Implied Terms).
In addition, pursuant to Articles VI.91/3 et seq of the Belgian Code of Economic Law, certain clauses in B2B contracts are deemed abusive and therefore null and void. Some types of clauses are always considered abusive, without any possibility to refute the qualification (eg, causing the other party to waive any remedy against the company in the event of a dispute). Other clauses are presumed to be abusive until proven otherwise (eg, granting the company the right to unilaterally modify the price, characteristics or conditions of the contract without a valid reason).
Additionally, clauses that create a manifest imbalance between the rights and obligations of the parties to a B2B contract are also prohibited and can be declared void when used. Whether a clause is deemed imbalanced shall depend on the circumstances of the contract (conclusion) and the collaboration in practice between the parties.
Contractual/Technical Protection Mechanisms
The following mechanisms are often used in IT contracts to protect the customer (non-exhaustive):
Remedies
Contractual remedies often consist of compensation (in kind or in cash), termination rights and step-in rights. Non-contractual remedies are, among others, recourse to the Belgian Data Protection Authority (in case of a data protection violation) or the Belgian Centre for Cybersecurity (in case of a cybersecurity incident) or obtaining (provisional) measures via summary proceedings.
Termination Foreseen by Law
Unless otherwise agreed upon, the following will apply.
Contractual Termination
Outsourcing contracts may be terminated according to the contractual terms agreed upon by the parties. Parties can agree on situations in which the customer may terminate the contract, for instance if there are significant breaches of service levels or serious regulatory compliance or data security and privacy breaches or in the case of insolvency. The contract may provide for the procedure to follow in such events (eg, formal notice, remediation term) and the damages being due.
It is uncommon to contractually grant the supplier extensive termination rights. If granted, this is usually in the case of the prolonged non-payment of invoices by the customer.
Basic Principle for Recoverable Losses
When a contract party is in breach of contract and causes damage, the injured party is entitled to integral recovery of the damage suffered as a consequence of the contractual breach, in kind or in cash (Article 5.86-5.87, Civil Code). In principle, all damage that is reasonably foreseeable by the parties at the time of the forming of the contract should be remedied. However, limitations and exclusions are regularly stipulated by the parties in the contract to limit their liability.
Distinction Direct and Indirect Loss
While not expressly provided for in Belgian law, it is common in contracts to make a distinction between “direct” and “indirect” damage and to exclude liability for the latter. In such event – given the lack of any legal definition in this regard and the fact that in Belgium by default any damage caused by a breach should be compensated – it is recommended to define what is understood under “indirect” damages to avoid the potentially unpredictable interpretation of a judge. Parties typically include loss of profits, loss of business (opportunities), loss of time, loss of revenue, loss of data, etc. Such exclusion of liability is in principle accepted, in so far as this does not erode the agreement.
Market Practice Regarding Loss of Profit, Goodwill, Business, Etc
See previous paragraph.
Categories of Losses That Are Not Subject to any Limitation of Liability
Contractual clauses that exclude/limit liability are in principle valid and parties have extensive contractual freedom in this regard, except if, contrary to mandatory law (Article 5.89, Civil Code):
Further, a limitation of liability may not lead to a manifest imbalance in the relationship between the parties (see 4.1 Customer Protections).
Certain obligations are mandatory by law, regardless of whether any contractual term is included in the contract in this regard. Examples of such legal obligations are the protection and processing of personal data governed by the GDPR as well as specific security obligations applying to certain sectors, such as the financial sector (see 2.2 Industry-Specific Restrictions and 2.3 Restrictions on Data Processing or Data Security).
The parties’ contractual obligations extend to the consequences conferred on them by law, good faith or customs, according to the contract’s nature and scope, thus potentially going beyond what the parties explicitly agreed upon (Article 5.71, Civil Code). Contractual terms are interpreted by the judge in a dispute and can be mitigated (to reflect the parties’ initial intention).
Good faith requires the parties to work together in a loyal way, including during the pre-contractual phase, to ensure the proper negotiation, conclusion and execution of the contract. This could imply co-operation obligations, the precontractual disclosure of certain information or the obligation to consider the other party’s interests.
Customs are highly dependent on the sector.
The most common cybersecurity protections and security measures required by customers in technology transactions or outsourcing in Belgium are:
Business continuity is often guaranteed by appropriate back-up systems, redundancy and disaster recovery plans.
The most common mechanism is the use of SLAs, both in terms of availability, for example in case of a SaaS or NaaS agreement where this is expressed as a percentage (eg, monthly availability of 98%), and in terms of support and maintenance, providing for response and solution times depending on the criticality of the encountered problem. Typically, such SLAs include penalties, often in the form of service credits, for not complying with the agreed upon service levels.
An audit right for the client is a common mechanism used to allow the customer to, either itself or through appointment of an independent third party, control the correct implementation and performance of the contract.
In general, the contractual terms remain to a large extent unchanged if the technology or outsourcing is cloud based. Nevertheless, in such event specific attention is mostly given to provisions related to data protection, often including more extensive language regarding data security (eg, encryption) and the processing of personal data (in particular if the server location is outside of the EEA). Attention is also given to an active information obligation, among others, regarding any centrally governed updates and upgrades that may affect the functioning of the software within the larger IT infrastructure of the customer (eg, links/interaction with other software programs used).
The rules governing employee transfers in outsourcing are based on the Acquired Rights Directive (Council Directive 2001/23/EC) (ARD). The ARD is implemented into Belgian national law through Collective Bargaining Agreement No 32bis (CBA No 32bis).
Three cumulative conditions must be met in order (for an outsourcing operation) to qualify as a transfer of undertaking under CBA No 32bis:
The main consequences of the applicability of CBA No 32bis can be summarised as follows.
If an outsourcing operation does not qualify as a transfer of undertaking under CBA No 32bis, no automatic transfer of employment applies. The employees may still be transferred to the new service provider but the consent of the company that outsources the activity, the new service provider and the employees would be required.
If an outsourcing operation qualifies as a transfer of undertaking under CBA No 32bis, the information and consultation requirements laid down in this CBA apply (please refer to 5.1 Employee Transfers).
If the outsourcing operation is not subject to CBA No 32bis, similar information and consultation requirements may apply, among others, if the outsourcing operation qualifies as an "important structural change", which will often be the case in practice. However, no information or consultation of individual employees will be required in the absence of employee representative bodies.
In the authors' experience, offshore outsourcing to economically more favourable countries (eg, Northern Africa, India) has grown more popular due to recent developments in cloud services and the increase in remote work options (see 1.1 IT Outsourcing). On the other hand, increasingly strict ESG obligations in the supply chain might be a deterrent for offshore outsourcing in certain cases. Although companies consider ESG, a direct impact of this on decision-making regarding outsourcing in practice has not (yet) been seen.
Belgian law distinguishes between two types of remote working, both with their own framework.
Employees working remotely are entitled to the same employment terms and conditions as comparable employees working at the company premises.
The primary business considerations raised by employers when considering whether to allow remote working include employee retention, less need for office space and a larger talent pool for recruitment.
When allowing employees to work remotely abroad (for the long term), employers should consider the risk that the applicability of local labour laws and social security regimes may be triggered. Another consideration is that employees who are working remotely abroad may not always be covered by the work accidents insurance coverage in the event of work accidents abroad.