IT outsourcing is still on the rise in Belgium. This is partly owing to a shortage of available technology professionals, which makes insourcing increasingly difficult. IT outsourcing is often driven by the need for trained, affordable and flexible manpower. Consequently, there is an increase in outsourcing outside the EEA to more economically favourable regions and countries (eg, North Africa and India).
COVID-19 had a lasting impact on the use of technology in business. Virtual meetings have become the default mode of communication and collaboration, not only within companies but also among companies exploring or doing business. There is also a rise in availability on the market of virtual collaboration tools (such as project management tools). These tools give an answer to one of the biggest challenges of outsourcing (in particular, when this takes place abroad to countries in another continent). These tools allow businesses to keep a finger on the pulse – namely, to better train staff abroad and ensure an almost simultaneous follow-up, which benefits the quality of the outsourced work and facilitates swift intervention if there is an issue.
The outsourcing of cloud computing remains very popular since the cloud offers a plethora of opportunities. Other key market trends include:
As a result of the COVID-19 pandemic, companies have increasingly turned towards outsourcing their non-core and administrative functions, which has resulted in an increase in BPO. Over the course of the last few years, the reliance on BPO has seen continuous and significant growth, which is expected to continue.
Other key market trends include the following.
New technologies (such as AI, chatbots, machine learning, robotics and robotic process automation, blockchain, cryptocurrency, NFTs, fintech and smart contracts) bring numerous opportunities for companies but go hand in hand with specific challenges, requiring far-reaching expertise in these fields that is often missing in-house. For instance:
Overall, these new technologies have extensively transformed the market for numerous companies, offering them the opportunity to innovate, improve efficiency and enhance service offerings. To keep up with this ever-changing technological landscape, companies are increasingly turning to IT outsourcing.
The most commonly outsourced IT services in Belgium are:
There is no specific regulatory framework for outsourcing transactions. However, the sector-specific rules that apply to a company may also apply to its suppliers.
Outsourcing is restricted in some sectors, such as the following.
Public Sector
Certain outsourcing transactions in the public sector may be subject to the principles and rules of public procurement pursuant to the Belgian Public Procurement Law of 17 June 2016. This Act includes extensive obligations that should be adhered to in the context of a public procurement tender procedure and any subsequent negotiation process. The applicability of these obligations depends on the value and characteristics of the outsourcing.
Banking and Investment Sector
Outsourcing in the financial sector is extensively regulated. The main legal instruments are:
Financial institutions must limit the operational risks of outsourcing and remain fully responsible when outsourcing functions, activities and operational tasks. Additionally, outsourcing may not lead to an impairment of the quality of the professional service or of the organisation and, in particular, of the quality of the internal control (such as an undue increase in operational risk or an impairment of the supervisory authority’s ability to monitor the institution’s compliance with its obligations).
Additional requirements apply when outsourcing operational tasks of critical importance. Such outsourcing must be preceded by a notification to the NBB or the FSMA, depending on the supervisory authority. This notification must include the details of the planned outsourcing. Existing outsourcing contracts undergoing material changes, or events inducing such changes, are subject to a similar obligation.
Please note that, depending on the financial institution, slightly different requirements may apply in relation to outsourcing. It shall therefore be important to correctly identify the legal provisions applicable to specific entities. For instance, with respect to financial credit institutions, the following specific legal instruments apply:
Therefore, a case-by-case analysis shall always take place with respect to the functions and/or services to be outsourced as well as the regulatory status of the entity planning the outsourcing.
Insurance Sector
Outsourcing in the insurance sector is extensively regulated. The main legal instruments are:
An insurer who subcontracts operational activities must ensure that this shall not lead to:
Insurers must inform the NBB promptly before outsourcing critical or important functions, or activities or independent control functions, of:
Specifically, the NBB asks insurance companies to provide information within a reasonable period of time (in principle, at the latest six weeks before the outsourcing enters into force, barring any duly justified specific derogation) with a file in accordance with the standard notification form.
When an insurer plans to outsource critical or important functions or activities, the supplier must, in principle, be located in Belgium or in another member state of the European Economic Area (EEA).
A critical function or activity may only be outsourced to a service provider located in a country outside the EEA if the following conditions are met:
Where the supplier of outsourced services is located in a country outside the EEA, the insurer must also be able to guarantee:
The NBB has also published additional recommendations for the specific case of outsourcing by insurers to cloud service providers, among others:
DORA
In addition to the foregoing, it is worth mentioning the EU Regulation on digital operational resilience for the financial sector (Regulation (EU) 2022/2554; DORA), which entered into force on 17 January 2023 and will apply as of 17 January 2025.
DORA targets Belgian entities providing financial and insurance services, as well as the Belgian branches of these entities.
Among others, DORA provides uniform requirements for the security of the networks and information systems of financial institutions, as well as critical third-party providers that provide them with information and communication technology (ICT) services, such as cloud computing platforms (PaaS) or data analysis services.
In addition, DORA lays down requirements relating to:
In February 2024, the FSMA conducted a survey on financial institutions subject to its supervision, to carry out an initial self-assessment of their level of preparedness for the requirements of DORA. The FSMA concluded, among other things, that:
The FSMA will rely on these initial findings to guide its future supervisory actions, and will also conduct more detailed investigations to deepen its assessment of the entities’ compliance with the requirements of DORA.
The Proposed PSD3, the Payment Services Regulation (PSR) and the Regulation on a Framework for Financial Data Access (FIDA)
The proposed PSD3 and PSR require existing payment and electronic money institutions to reapply for their licence within 24 months of the PSR coming into force, in order for them to rely on grandfathering provisions that allow prior licences to be valid for 30 months after PSD3 enters into force. In the context of the reapplication of the licence, the payment institutions must demonstrate compliance with new requirements relating to (among others) the continuity of any critical activities by outsourced service providers, agents or distributors.
The proposed FIDA includes a licensing requirement for financial information service providers. A licence will only be provided if it is satisfied that any outsourcing arrangements will not render the financial information service provider a letterbox entity. When relying on a third party for the performance of functions that are critical for the provision of continuous and satisfactory service to customers, and for the performance of activities on a continuous and satisfactory basis, it must take reasonable steps to avoid undue additional operational risk. Outsourcing of important operational functions may not be undertaken in such a way as to materially impair the quality of its internal control and the ability of the supervisor to monitor the financial information service provider’s compliance with all obligations.
With the PSR, the European Commission (EC) has focused on strengthening anti-fraud measures. One of the proposed measures includes the requirement for payment service providers to conclude outsourcing agreements with technical service providers, when the latter provide and verify the elements of strong customer authentication for the account of the payment service provider.
Finally, to ensure effective powers of the supervisory authorities, additional investigative powers have been considered in relation to the supervision of technical service providers, operators of payment schemes and outsourcing companies used by the companies that are subject to the proposed PSR.
Cross-Border Data Flows
The processing of personal data, including cross-border data flows within the EEA and from the EEA to non-EEA countries, is subject to the provisions of the GDPR.
The GDPR restricts cross-border data flows to non-EEA countries that have not obtained an adequacy decision. Hence, this is especially important for international outsourcing where the supplier and/or its subcontractors are based outside the EEA in a country without an adequacy decision, since additional requirements might apply. In such event, the data exporter must ensure that the data importer outside the EEA offers an equal level of protection to the level of protection under the GDPR, which can be realised by (for example) concluding standard contractual clauses (SCCs) or setting up binding corporate rules (BCRs) combined with additional technical measures (eg, encryption of the data with the key held by an independent party).
There has also been an increase in risk assessments in the context of data transfers outside the EEA, as companies undertake more data protection impact assessments (in this context, also referred to as “data transfer impact assessments”).
Following the Schrems II decision of the European Court of Justice (ECJ), and the guidance of the European Data Protection Board (EDPB) and the Belgian Data Protection Authority (BDPA) in this regard, companies are obliged to assess whether the conclusion of SCCs with a recipient in a third country (without an adequacy decision) will provide for an adequate level of protection of the personal data transferred. Hence, one cannot assume this is the case by merely concluding the SCCs, as such clauses may (for example) not be effectively enforceable in the third country. Depending on the outcome of such an assessment, companies wishing to set-up cross-border data flows to third countries could be required to undertake additional measures (eg, extensive pseudonymisation).
In July 2023, the EC published an adequacy decision for the new EU-US Data Privacy Framework, considering personal data flows between the EU and the USA organised under this framework as providing for an adequate level of protection.
In January 2024, the EC concluded its review of 11 of the 16 existing adequacy decisions, and has confirmed that personal data transferred from the EU to Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay continues to benefit from adequate data protection safeguards.
The NIS and NIS2 Directives
Cybersecurity in Belgium is mainly governed by the Law of 7 April 2019 establishing a framework for the security of network and information systems of public safety interest (the “NIS Law”), implementing the NIS Directive (Directive (EU) 2016/1148). The NIS Law holds various minimum cybersecurity and incident-reporting requirements for operators of essential services (eg, in the energy or transport sector) and relevant digital service suppliers.
In January 2023, the NIS2 Directive (Directive (EU) 2022/2555) was adopted with the aim of:
The NIS2 Directive repeals the NIS Directive with effect from 18 October 2024.
The NIS2 Directive has been transposed into Belgian law by the Act of 26 April 2024 establishing a framework for the cybersecurity of networks and information systems of general interest for public security (the “NIS2 Act”). The NIS2 Act will apply as of 18 October 2024.
Guidelines
Both the Belgian Centre for Cybersecurity and the European Union Agency for Cybersecurity (ENISA) have published several guidelines, good practices and tools for companies to use to enhance their internal cybersecurity levels, which could also be useful in the context of companies’ collaboration with (IT) suppliers and partners.
Belgium has no standard contract model for outsourcing transactions. Outsourcing contracts are deemed contracts for “rent of work” (Article 1710, (old) Civil Code) and are, like any other contracts, governed by the provisions of the Belgian Civil Code regulating (among others) the formation and legality of contracts as well as certain warranties and liabilities. Parties thus have an extensive contractual freedom and can, in principle, agree on anything that does not conflict with mandatory law, public order or morality.
The most traditional form of IT outsourcing is direct outsourcing. The customer and one main supplier contract directly, and the main supplier delivers “end-to-end” IT services to the customer. Unless otherwise agreed upon, this structure does not, in principle, preclude subcontractors of the supplier, who evidently remains responsible for their work. Although this structure reduces the complexity of the outsourcing transaction for the customer, it may lead to “supplier lock-in” (ie, high dependency on one main supplier) and unknown subcontractors may lead to uncertainties.
The customer can also decide to contract with multiple suppliers (multi-sourcing), which implies the conclusion of multiple separate contracts with different suppliers of (parts of) services or one multi-vendor agreement. The contracts generally oblige the different suppliers to co-operate. Although this model offers more flexibility, it also complexifies the outsourcing for the customer, who will need to manage the different outsourced projects (and, for example, set up a solid governance system).
The customer may also contract with a supplier that subcontracts the services in its entirety to one or more third-party suppliers (indirect outsourcing), often nearshore or offshore third parties. Contrary to multi-sourcing, this places the burden of the operational management on the supplier instead of the customer.
Finally, a far-reaching outsourcing partnership may be organised as a joint venture (JV), requiring a complex contractual structure (and, therefore, being a rather time-consuming and costly solution). Setting up a JV is rather rare and is mainly used when the customer and supplier wish to jointly set up a new business. Where a JV falls within the scope of European or Belgian competition law, additional aspects should be taken into account (eg, prior notification to the Belgian or European competition authorities may be required).
Where digital transformation is part of the services provided, the contract’s terms are often adjusted accordingly with, for instance:
Where required – for instance, in a multi-sourcing environment – specific attention should be paid to the liability clause and clauses related to cybersecurity and data processing; see also 4.7 Digital Transformation.
Where AI and machine learning are involved (which require large-scale data processing), parties tend to pay more attention to specific terms related to:
Protection Stemming From the Law
In certain areas, a customer is protected by legal obligations imposed on the supplier, regardless of whether a contractual clause is included in this regard – for example, personal data protection legislation and cybersecurity legislation (see also 2.2 Industry-Specific Restrictions, 2.3 Restrictions on Data Processing or Data Security and 4.4 Implied Terms).
In addition, pursuant to Articles VI.91/3 et seq of the Belgian Code of Economic Law, certain clauses in business-to-business (B2B) contracts are deemed abusive and therefore null and void. Some types of clauses are always considered abusive, without any possibility to refute the qualification (eg, causing the other party to waive any remedy against the company in the event of a dispute). Other clauses are presumed to be abusive until proven otherwise (eg, granting the company the right to unilaterally modify the price, characteristics or conditions of the contract without a valid reason).
Additionally, clauses that create a manifest imbalance between the rights and obligations of the parties to a B2B contract are also prohibited and can be declared void when used. Whether a clause is deemed imbalanced shall depend on the circumstances of the contract (conclusion) and the collaboration in practice between the parties.
Contractual/Technical Protection Mechanisms
The following mechanisms are often used in IT contracts to protect the customer (non-exhaustive):
Remedies
Contractual remedies often consist of compensation (in kind or in cash), termination rights and step-in rights. Non-contractual remedies (among others) have recourse to the Belgian Data Protection Authority (in the case of a data protection violation) or the Belgian Centre for Cybersecurity (in the case of a cybersecurity incident), or to obtaining (provisional) measures via summary proceedings.
Termination Foreseen by Law
Unless otherwise agreed upon, the following will apply.
A contract with an indefinite term can be terminated by either party giving a reasonable notice period (Article 5.75, Civil Code). What is deemed reasonable will depend on the circumstances (eg, intensity and duration of the existing collaboration, dependency on services). In such event, in principle, no damages will be due.
For convenience, the customer can always unilaterally terminate the outsourcing contract of a clearly defined work, such as the installation of an IT system or an outsourcing contract with a fixed duration (Article 1794, (old) Civil Code). Consequently, the customer will have to reimburse the supplier for all their expenses, work and everything they could have gained from the outsourcing contract.
Either party can dissolute the contract for cause, in the case of a severe contractual breach by the other party (subject to post factum judicial control) (Article 5.90, Civil Code). When an outsourcing contract is dissolved, in principle this only applies to the future (ex nunc), since it is often impossible to return the services that have already been performed. The party in breach will, in principle, have to reimburse the other party’s damage (eg, costs of finding and onboarding another supplier, costs of any interim solution), subject to any contractual liability terms, as the case may be (eg, liability cap).
Contractual Termination
Outsourcing contracts may be terminated according to the contractual terms agreed upon by the parties. Parties can agree on situations in which the customer may terminate the contract – for instance, in the case of:
The contract may provide for the procedure to follow in such events (eg, formal notice, remediation term) and the damages due.
It is uncommon to contractually grant the supplier extensive termination rights. This is usually granted in the case of prolonged non-payment of invoices by the customer.
Basic Principle for Recoverable Losses
When a contract party is in breach of contract and causes damage, the injured party is entitled to integral recovery of the damage suffered as a consequence of the contractual breach, in kind or in cash (Article 5.86 and 5.87, Civil Code). In principle, all damage that is reasonably foreseeable by the parties at the time of the forming of the contract should be remedied. However, limitations and exclusions are regularly stipulated by the parties in the contract to limit their liability.
In principle, the recovery of damages caused by the non-performance of a contractual obligation was exclusively governed by the rules of contract law. Therefore, the concurrence prohibition existed, which meant that the contracting parties did not have the choice between a contractual or a non-contractual liability claim, even if the faults were extra-contractual. It also followed that the principal injured party could not sue the auxiliary person (eg, subcontractor) directly on a non-contractual basis, but could only make a claim to the main contractor. This is called the quasi-immunity of the performing agent. Under these principles, the defaulting party or auxiliary person could only be held non-contractually liable in two situations, namely:
With the introduction of the new Book 6 of the Civil Code (which comes into force on 1 January 2025 and will apply to an ongoing contract), these principles will be abolished, and the principal injured party does have the choice of bringing both a contractual and an extra-contractual claim against their contracting party or directly against the auxiliary agent (Article 6.3, Civil Code).
The abolition of these core principles raises fundamental issues that are also essential to outsourcing, and that should be taken into account when carefully drafting agreements. The law prescribes double protection for the auxiliary person (except in cases of impairment of physical or psychological integrity caused by fault, or in cases of wilful misconduct), who can raise defences from both the principal agreement and the sub-agreement against the claimant principal.
Distinction Between Direct and Indirect Loss
While not expressly provided for in Belgian law, it is common in contracts to make a distinction between “direct” and “indirect” damage, and to exclude liability for the latter. In such event – given the lack of any legal definition in this regard and the fact that, in Belgium, by default any damage caused by a breach should be compensated – it is recommended to define what is understood under “indirect” damages to avoid the potentially unpredictable interpretation of a judge. Parties typically include (among others):
In principle, such exclusion of liability is accepted, in so far as this does not erode the agreement.
Categories of Losses That Are Not Subject to Any Limitation of Liability
In principle, contractual clauses that exclude/limit liability are valid and parties have extensive contractual freedom in this regard – except if, contrary to mandatory law (Article 5.89, Civil Code), they:
Specifically in B2B commercial relationships, contractual clauses that exonerate the liability for gross negligence are presumed to be unlawful, unless proven otherwise (Article VI.91/5, 6° Belgian Code of Economic Law).
Further, a limitation of liability may not lead to a manifest imbalance in the relationship between the parties (see 4.1 Customer Protections).
Certain obligations are mandatory by law, regardless of whether any contractual term is included in the contract in this regard. Examples of such legal obligations are the protection and processing of personal data governed by the GDPR, as well as specific security obligations applying to certain sectors, such as the financial sector (see 2.2 Industry-Specific Restrictions and 2.3 Restrictions on Data Processing or Data Security).
The parties’ contractual obligations extend to the consequences conferred on them by law, good faith or customs, according to the contract’s nature and scope, thus potentially going beyond what the parties explicitly agreed upon (Article 5.71, Civil Code). Contractual terms are interpreted by the judge in a dispute and can be mitigated (to reflect the parties’ initial intention).
Good faith requires the parties to work together in a loyal way, including during the pre-contractual phase, to ensure the proper negotiation, conclusion and execution of the contract. This could imply co-operation obligations, the precontractual disclosure of certain information or the obligation to consider the other party’s interests.
Customs are highly dependent on the sector.
The most common cybersecurity protections and security measures required by customers in technology transactions or outsourcing in Belgium are:
Business continuity is often guaranteed by appropriate back-up systems, redundancy and disaster recovery plans.
The most common mechanism is the use of SLAs, both in terms of availability (for example, in the case of a SaaS or NaaS agreement where this is expressed as a percentage, such as monthly availability of 98%), and in terms of support and maintenance, providing for response and solution times depending on the criticality of the encountered problem. Typically, such SLAs include penalties – often in the form of service credits – for not complying with the agreed-upon service levels.
An audit right for the client is a common mechanism used to allow the customer to – either itself or through appointment of an independent third party – control the correct implementation and performance of the contract.
In general, the contractual terms remain unchanged to a large extent if the technology or outsourcing is cloud-based. Nevertheless, in such event specific attention is mostly given to provisions related to data protection, often including more extensive language regarding data security (eg, encryption) and the processing of personal data (particularly if the server location is outside the EEA). Attention is also given to an active information obligation (among others) regarding any centrally governed updates and upgrades that may affect the functioning of the software within the larger IT infrastructure of the customer (eg, links/interaction with other software programs used).
Governing Rules and Conditions
The rules governing employee transfers in outsourcing are based on the Acquired Rights Directive (Council Directive 2001/23/EC) (ARD). The ARD is implemented into Belgian national law through Collective Bargaining Agreement No 32bis (CBA No 32bis).
Three cumulative conditions must be met in order (for an outsourcing operation) to qualify as a transfer of undertaking under CBA No 32bis:
The main consequences of the applicability of CBA No 32bis can be summarised as follows.
Automatic transfer of employment
The employment agreements (including all rights and obligations) primarily pertaining to the “going concern” existing at the time of the transfer are automatically transferred from the company – along with the assets – to the new service provider. Certain exceptions do apply with respect to the continuation of certain supplementary social benefit schemes.
Protection against dismissal
The transferring employees may not be dismissed by the company or by the new service provider on the ground of a TUPE transfer – ie, the Transfer of Undertakings (Protection of Employment) mechanism was introduced to regulate the transfer of a (part of a) business to a new employer and to protect employee rights during this process. As an exception, dismissal may be permitted, though only for gross misconduct or for economic, technical or organisational reasons.
Joint liability
The company and the new service provider are jointly and severally liable for the payment of debts (eg, salary arrears and bonuses) existing at the date of the TUPE transfer, with the exception of debts in respect of certain supplementary social benefit schemes. This means that the employee may collect full compensation from any party.
Information and consultation requirements
The company and the new service provider must inform and consult their employee’s representatives in the works council (or, in the absence thereof, the trade union delegation or the relevant committee for prevention and protection at work) before any decision on the TUPE transfer is taken and, in any event, before any public disclosure. In the absence of any employee representative bodies, the individual employees must be informed (but need not be consulted).
If an outsourcing operation does not qualify as a transfer of undertaking under CBA No 32bis, no automatic transfer of employment applies. The employees may still be transferred to the new service provider, but the consent of the company that outsources the activity, of the new service provider and of the employees would be required.
If an outsourcing operation qualifies as a transfer of undertaking under CBA No 32bis, the information and consultation requirements laid down in this CBA apply (please refer to 5.1 Employee Transfers).
If the outsourcing operation is not subject to CBA No 32bis, similar information and consultation requirements may apply if (among others) the outsourcing operation qualifies as an “important structural change”, which will often be the case in practice. However, no information or consultation of individual employees will be required in the absence of employee representative bodies.
In the authors’ experience, offshore outsourcing to more economically favourable regions and countries (eg, North Africa, India) has grown more popular owing to recent developments in cloud services and the increase in remote work options (see 1.1 IT Outsourcing). On the other hand, increasingly strict environmental, social and governance (ESG) obligations in the supply chain might be a deterrent for offshore outsourcing in certain cases. Although companies consider ESG, in practice a direct impact of this on decision-making regarding outsourcing has not (yet) been seen.
Belgian law distinguishes between two types of remote working, both with their own framework.
Employees working remotely are entitled to the same employment terms and conditions as comparable employees working at the company premises.
The primary business considerations raised by employers when considering whether to allow remote working include:
When allowing employees to work remotely abroad (for the long-term), employers should consider the risk that the applicability of local labour laws and social security regimes may be triggered. Another consideration is that the employees who are working remotely abroad may not always be covered by work accidents insurance coverage in the event of work accidents abroad.
Boulevard de l’Empereur 3
Keizerslaan
B-1000 Brussels
Belgium
+32 2551 1515
info@liedekerke.com www.liedekerke.com