In recent years, the main trends and developments in the IT outsourcing market include the following:

• cloud computing, including outsourcing IT services such as software as a service (SaaS), platform as a service (PaaS) or infrastructure as a service (IaaS);
• internet of things (IoT);
• artificial intelligence (AI) and machine learning;
• tokenisation of assets through blockchain technology; and
• big data.

The emergence of new services/developments in the market has led to a flurry of new regulations and/or recommendations to govern this trend in a number of sectors, in particular highly regulated sectors such as the finance industry. New certification standards for technological products have also flourished, such as ISO certification and AFNOR (“The French Standards Association”) certification. These market trends and developments in IT outsourcing, involving the worldwide sharing of an exponential amount of personal data, have also highlighted the importance of complying with the General Data Protection Regulation (GDPR) requirements.

COVID-19 had at least the benefit of accelerating and democratising the use of new outsourcing technologies, in particular within companies. The most revealing examples are the development of teleworking for employees and intra- and extra-company collaboration tools (eg, Teams, Zoom, Google Meet). Today, these trends are standard practice for a large number of employees in France.

The business process outsourcing (BPO) market is a fast-growing industry that has become an integral part of the global economy, and France is no exception. 

In recent years, several factors have been driving the increasing adoption of BPO services, as outlined below.

• Financial benefits: Organisations that use BPO services are well aware that this practice enables cost savings and the reduction of the operating costs while benefiting from the expertise and infrastructure of an external service provider.
• Flexibility: BPO outsourcing can give organisations greater flexibility to adjust the way the management of the outsourced business is processed, facilitate better adaptation to market dynamics and greater agility and adaptability.
• Focus on key functions: Organisations that use BPO services can delegate business functions that are not directly related to their core activities to another company. This allows such organisations to focus on their core business.
• Increased productivity: Specialist service providers are experts in their fields, so they help to ensure the quality of the tasks to be carried out (such service providers generally benefit from best practices and cutting-edge technologies).

COVID-19 has encouraged the use of BPO services to ensure business continuity in crisis situations. Indeed, outsourcing was a security measure in a complicated health context where employees were confined and forced to telework.

However, it is important to note that the first major disadvantage of BPO is the loss of control, in particular related to the sharing of data for the provision of services. Indeed, there is no direct control over the outsourcing of services provided or over the service providers. This can result in difficulties in controlling quality and ensuring compliance with legal requirements (in particular, data protection laws and security requirements). It is therefore essential to ensure (through contractual provisions, regular audits) that the service providers have robust cybersecurity measures in place before committing to outsourced activities. 

The impact of new technology on the outsourcing market is as follows:

• Chatbots: ChatGPT has had a meteoric rise, with more than 100 million users by the start of 2023. Chat GPT was a pioneer in this field, and today major new technology companies are launching their own AIs, like Google with Gemini or Meta with Llama 3. In France, many companies such as Mistral AI have raised significant funds to develop AI tools for individuals or companies. Also, organisations have developed their own in-house AI. AXA, for example, in partnership with Microsoft, has implemented Secure GPT with the same features as Chat GPT to secure its data. This tool has already marked a turning point in the digital transformation of numerous sectors, including the legal business.
• AI/machine learning: In France, many start-ups are betting on their AI or machine learning AI systems to stand out in many fields, including legaltech, fintech and greentech.
• Fintechs: France has seen the emergence of a number of successful fintechs in a wide range of business, such as fundraising apps, insurance apps, mobile payment apps, neobank apps and crowdfunding apps. These fintechs compete directly with traditional banks and insurance companies.

Such new technologies are accompanied by increasingly demanding safety requirements, which means that the market has to adapt, from both a technical and legal point of view, in order to comply with the new legal safety requirements and consumer demands in terms of security and transparency.

The most commonly outsourced services in France are:

• outsourced IT services;
• data hosting;
• HR management; and
• finance (accounting/billing).

In France, there is no general law governing technology transactions or outsourcing. 

However, the rise of IT outsourcing has resulted in the adoption of various legal frameworks (at a local and EU level) in order to govern IT outsourcing or technology transactions in specific sectors or for specific categories of services.

The main developments of the last few years are from the following legal/administrative frameworks.

Main Legal Applicable Frameworks

• Regulation (EU) 2022/2065 of 19 October 2022 on a single market for digital services and amending Regulation 2000/31/EC (“DSA”) has been applicable since 17 February 2024. It progressively replaces the French law transposing the 2000 directive, No 2004-575 of 21 June 2004, known as the LCEN (loi pour la confiance dans l'économie numérique).
• Regulation (EU) 2022/1925 of 14 September 2022 on contestable and fair markets in the digital sector (known as the Digital Markets Act (DMA)), and amending Regulations (EU) 2019/1937 and (EU) 2020/1828, has been applicable since 2 May 2023. It provides a framework for the activities of the largest platforms known as Gatekeepers and designated by the European Commission on 5 September 2023.
• The French Act No 2024-449 of 21 May 2024, aimed at securing and regulating the digital space (SREN) was adopted to comply with the DSA and the DMA and reinforce the protection of Internet users. It also amends the LCEN French law of 2004.
• Act No 2018-133 of 26 February 2018 implementing the NIS1 Directive, provides cybersecurity obligations (in particular, the notification obligation to relevant regulators in the case of an IT incident) for specific actors (ie, essential service operators and digital service providers). With the new NIS 2 directive, it will probably soon be abrogated.
• The French Data Protection Act (FDPA) No 78-17 of 6 January 1978, as amended by French Act No 2018-493 of 20 June 2018 and two decrees of 1 August 2018 and 12 December 2018, implements the GDPR to govern data protection issues resulting from, inter alia, technology transactions and outsourcing (eg, drafting of a data processing agreement, implementation of standard contractual clauses for on-board data processing).

Additionally, because the issue of personal and non-personal data has taken on paramount importance in recent years, particularly with the rise of digital technology (including outsourcing and cloud services), the EU has decided to put in place a legal framework to make the most of its economic potential, in particular:

• Regulation (EU) 2022/868 of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724, known as the Data Governance Act (DGA), which governs the sharing of personal and non-personal data by setting up intermediation structures.

Upcoming Legal Framework

• The first European regulation on artificial intelligence of 13 June 2024, laying down harmonised rules on artificial intelligence, known as the IA Act, will apply from 2 August 2026.
• Regulation (EU) 2023/2854 of 13 December 2023 on harmonised rules on fair access to and use of data, and amending Regulation (EU) 2017/2394 and Regulation (EU) 2020/1828, known as the Data Act, will apply from 12 September 2025. It relates to the protection and sharing of IoT data (personal and non-personal) between companies and users, and will enable the facilitation of data portability and service interoperability between cloud service providers.
• Regulation (EU) 2022/2554 of 14 December 2022, known as the Digital Operational Resilience Act (DORA), will apply from 17 January 2025. It focuses on ensuring operational resilience in the financial sector, introducing cybersecurity obligations for financial institutions such as banks and insurance companies. This includes regulations related to the outsourcing of information and communication technology (ICT) services to third-party providers.
• Regulation (EU) 2022/2555 of 14 December 2022 on measures for a high common level of cybersecurity across the Union, known as Network and Information Security 2 (SRI or NIS 2), repeals and extends the scope of the NIS 1 Directive and provides measures for a high common level of cybersecurity across the EU. Currently in the process of being transposed into French law, it must be fully transposed by 17 October 2024 at the latest.

A proposal for a regulation on cybersecurity requirements for products with digital elements, known as the Cyber Resilience Act (CRA), was published on 15 September 2022. The text was adopted by the European Parliament at first reading on 12 March 2024. It must now be formally adopted by the Council. It relates to the European cybersecurity strategy.

Main Administrative Framework

• The National Cybersecurity Agency for France (ANSSI) published an updated version of its certification framework for cloud service providers (SecNumCloud).
• In addition to the SecNumCloud certification framework, ANSSI published “Recommendations for hosting sensitive information systems in the cloud” on 9 July 2024. To meet the security challenges posed by the cloud, ANSSI has developed a series of recommendations for hosting in the cloud, which specify the types of cloud offerings to be preferred, depending on the type of information system, the sensitivity of the data and the level of threat.
• ANSSI published “Safety guidelines for a generative AI system” on 29 April 2024. The guidelines focus on generative AI system architecture, and are designed to raise awareness among administrations and businesses of the risks associated with generative AI and to promote the best practices that should be followed, from the design and training phases of an AI model through to its deployment and use in production.
• The European Banking Authority (EBA) adopted guidelines on outsourcing for the banking industry, which have been approved by the French Bank and Insurance Authority (ACPR).

On a voluntary basis, companies can submit their products for international certification with ISO, represented in France by AFNOR. For example, Standard 42001 for AI was published in 2023, specifying requirements for establishing, implementing, maintaining and continuously improving an artificial intelligence system within an organisation.

The banking and insurance sectors are particularly regulated with regard to technology transactions and outsourcing.

When a banking institution outsources services considered “essential” or “significant”, it is subject to a certain number of obligations laid down by the EBA’s Guidelines on Outsourcing. Some of the obligations shall be provided in the contract the banking institution entered into with its IT provider (eg, specific provisions related to security, reversibility, audit, termination, sub-processing). 

The recent DORA Regulation provides requirements for financial institutions which apply, among other things, to the management of risks associated with third-party providers, in particular the management of outsourcing risks. Moreover, the DORA Regulation also lists the minimum contractual provisions to be included in outsourcing contracts, and this list is further extended by additional clauses where significant ICT services are outsourced. DORA will become the main digital security regulation for the financial sector. 

The health sector is also regulated. As set out in Article L.1111-8 of the French Public Health Code, modified by the French Law SREN of 21 May 2024: “Any natural or legal person who hosts personal health data collected during prevention, diagnosis, care or medico-social monitoring activities on behalf of natural or legal persons at the origin of the production or collection of this data or on behalf of the patients themselves, must be approved or certified for this purpose”. Thus, health data hosts (HDS) have been required to obtain HDS certification. The HDS certification aims to guarantee the quality of service of healthcare hosting providers.

The French Data Protection Act (FDPA) establishes restrictions on technology transactions and outsourcing related to data processing and data security.

• To be lawful, data processing must respect the main principals of the GDPR, such as purpose limitation, lawfulness, fairness and transparency, data minimisation, accuracy, storage limitation, integrity and confidentiality.

• Data processing must ensure appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures. Such security measures should be clearly defined in agreements with data processors (eg, IT or cloud providers).
• In the case of personal data breach (ie, breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed), the French Data Supervisory Authority (CNIL) shall be notified without undue delay and not later than 72 hours of the breach.
• In the case of use of a data processor (eg, IT or cloud providers), a contractual framework (listing all the requirements provided by Article 28 of the GDPR) shall be put in place between the provider and the client.
• In the case of data transfers to a third party based outside the European Economic Area (EEA), the use of Standard Contractual Clauses (SCCs) can be used. However, since the Schrems II ruling, the use of SCCs is not enough to ensure secure data transfers. A transfer impact assessment (TIA) must be performed in order to ensure that the legislation applicable to the data importer (in particular on interference by public authorities in access to personal data) allows for the level of protection required by EU law and respects the guarantees provided by the SCCs.
• On 10 July 2023, the European Commission adopted a new adequacy decision concerning the USA. Personal data can therefore be transferred freely to the USA, but only to companies on the list published by the US Department of Commerce. Thus, data transfers to the USA performed by a company which is not on the list are still subject to SCCs provided such transfers have been subject to a positive TIA.

There is no standard contract model for outsourcing transactions in France. 

Most of the time, the outsourcing agreement takes the form of a master service agreement which can, if relevant, be completed by application/transaction agreements and modified by amendment. Specific appendices can also be joined to the outsourcing agreement, such as those related to the service levels, the financial modalities, the schedules, the security measures, etc.

The joint venture (JV) contract or multi-sourcing contract may be used in France, but the bilateral outsourcing contract is the most common structure. 

Digital transformation has, to a certain extent, affected the following contract models for outsourcing transactions:

• The GDPR requires the contractual provision of certain mandatory information in the case of data processing by data processors (eg, IT or cloud providers) or in the case of on-board data processing (implementation of SCCs).
• The EBA Guidelines on outsourcing require the contractual provision of certain mandatory information in the case of outsourcing of “essential” services (for the banking sector).
• The increase in the sharing and flow of data (both personal and non-personal) means that contractual obligations relating to security, portability, interoperability and reversibility need to be strengthened. This is reflected in the addition of a number of technical appendices.
• The liability clause increasingly provides a framework for contractual failures relating to security breaches, security incidents, data leaks, breaches of data protection requirements, etc.

There is a trend towards contractual guarantees for security measures in IT and cloud contracts, which is justified both by the ever-increasing cybersecurity risks and by increasingly strict legislation on IT suppliers and certain sectors (eg, financial).

As a preliminary basis, IT or outsourcing agreements are ordinary contracts subject to the general and common rules of contract and civil law. There are no specific legal rules related to such agreements. The specific features found in these contracts relate to contractual freedom and business practices.

The main customer protections and remedies in technology transactions and outsourcing are:

• technical appendix, including a service level agreement (SLA), business continuity plans, disaster recovery plan, reversibility plan, safety insurance plan and quality assurance plan;
• calendar with binding dates;
• payment of financial compensation (penalties) in the event of non-compliance with the SLA and timeframes;
• imposing an obligation of results (obligation de résultat) on the service provider instead of an obligation of means (obligation de moyen); 
• possibility to audit the service provider; 
• GDPR requirements provided by Article 28 in the case of use of a data processor;
• acceptance testing (provisional and final acceptance);
• strong contractual warranties (on the security and the outsource service provided);
• significant compensation in the case of breach of substantial contractual obligation (eg, breach of data protection laws, security incidents);
• protective termination clause (involving reversibility and the right to terminate for cause and for convenience for the customer);
• given the technical nature of IT agreements, the service provider’s duty to advise, warn, and collaborate with the customer to ensure proper implementation and risk mitigation; and
• intellectual property clause ensuring the peaceful enjoyment of the use of the provided outsourced service and the defence against counterfeiting.

The terms of contract termination are typically governed contractually. In most cases, a contract can be terminated for the following reasons:

• for cause, which may involve a material breach of the contract by a party, such as security incidents, persistent breaches of the SLA, or failure to adhere to timelines;
• for convenience, where an exit fee may be negotiated; termination can occur (i) at any time by mutual consent of both parties, or (ii) unilaterally by one party, provided the other party has expressly agreed to this possibility in the agreement;
• in the case of force majeure; and
• in the case of a fixed-term contract upon the expiry of the contract.

Before terminating a contract, it is common practice for the customer to issue a formal notice, with a contractually defined notice period that is reasonable and not excessively short, allowing the other party time to remedy the breach.

The consequences of contract termination are also governed by the contract. In particular, in outsourcing agreements, the “reversibility” of data – ensuring its return or transfer – can be a critical issue, which the customer must negotiate with caution.

Distinction Between Direct Loss and Indirect Loss

According to Article 1240 of the French Civil Code, the loss must be “direct” (in addition to being certain and legitimate) to be eligible for compensation.

In accordance with this article, the French doctrine makes a distinction between direct loss (the damage must be the direct result of the breach) and indirect loss (the damage is not the direct result of the breach). 

Legal/Market Practice Regarding Loss of Profit, Goodwill, Business, Etc

In practice, most outsourcing contracts contain a clause excluding compensation for indirect losses (such indirect losses are usually listed in the contract): eg, loss of customers, image and reputation loss, operating loss, commercial loss, loss of earnings, business loss and profit loss. Such list is often negotiated between the parties. The service provider will usually seek the broadest possible definition of indirect loss and may attempt to include loss of data or breaches of data protection laws within the scope of exclusions.

Categories of Losses Not Subject to Limitation of Liability

• Personal injury: Liability for bodily harm caused to a contracting party or a third party cannot be contractually limited or excluded.
• Under Article 1231-3 of the French Civil Code, any clause limiting liability is null and void if the non-performance of the contractual obligation is due to intentional or gross misconduct.
• Moreover, under French law, the limitation of liability must not affect an essential obligation of the contract. Article 1170 of the French Civil Code provides that “any clause which deprives the debtor’s essential obligation of its substance shall be deemed unwritten”.

There is no applicable information in this jurisdiction. The expression “implied term” seems to be specific to common law.

The most common cybersecurity protections and security measures required by customers in technology transactions or outsourcing are the following.

• The provision of a data processing addendum or agreement (DPA) in the contract where the service providers act as a data processor: The DPA lists all the mandatory obligations provided by Article 28 of the GDPR that the service providers shall meet. In particular, such provisions concern the obligations to implement appropriate security measures to protect personal data.
• The contractual provision of certain mandatory information in the case of outsourcing of “essential” services by a bank institution as required by the EBA Guidelines on Outsourcing (mostly related to security and audit): Compliance with the EBA Guidelines is, in particular, reflected in the contractual commitment and implementation by the supplier of internal security procedures, such as business continuity plans, disaster recovery plans, reversibility plans, safety insurance plans and quality assurance plans.

On the technical side, most French clients also aim to host their data with providers offering hosting services based within the EEA. 

The most common contractual clauses that help the customer manage and measure the supplier’s performance in technology transactions and outsourcing are the following.

• The SLA: Criteria for the performance of service levels are assessed and measured. In the case of a breach of key performance indicators (KPIs) by the provider, the client typically negotiates the payment of “penalties” by the provider (which the service provider will try to limit or cap). The goal is to force/encourage the supplier to provide its services in compliance with the KPIs (timeframe, quality indicators, service level indicators (availability, responsiveness, etc)) which have been negotiated and approved by both parties.
• The audit clause: Auditing is an extremely important task when it comes to controlling the provider’s IT system and adhering to its contractual obligations and performance. Such a clause ensures transparency between the parties bound by the IT contract, notably in the event of important/confidential/sensitive information being transferred to the provider. The importance of this clause in contract negotiations has been reinforced for financial entities by the DORA regulation. Indeed, the DORA regulation includes several provisions that strengthen the management of information and communication technology (ICT) third-party risk, including the provision of audit clause in contracts with ICT third-party service providers. This is part of DORA’s wider efforts to secure the EU’s financial ecosystem in the face of growing technological threats.

Generally speaking, the terms do not differ significantly and remain more or less the same. In the case of cloud-based outsourcing, particular attention will be paid to:

• the safety of the transfer and the location of the data centre;
• the reversibility provisions; and
• security provisions.

In this very specific situation, the application of the requirements of the GDPR must be ensured, particularly in terms of security, transparency and use of appropriate safeguards (SCCs). 

Article L. 1124-1 of the French Labour Code stipulates that “when there is a change in the legal situation of the employer, in particular by succession, sale, merger, transformation of the business and incorporation of the company, all employment contracts in force on the date of the change continue to exist between the new employer and the company’s employees”. 

In accordance with well-established case law, Article L. 1224-1 of the Labour Code applies if the following two conditions are both met: 

• The activity transferred must constitute an autonomous economic entity – ie, an organised group of tangible and intangible assets allocated to the exercise of an economic activity with its own economic purpose (which may be characterised in particular by autonomous accounting, its own means of operating resources dedicated to the activity in question, or management autonomy). 
• The business must be continued by the transferee and its identity maintained by the transferee.

The business must comprise several elements necessary for the operation of its activity, ie: 

• tangible assets (in particular equipment, tools and goods) and/or intangible assets (customer base, patents, licences, industrial designs and models, industrial, literary or artistic property rights, etc); and
• personnel specific to the business transferred – ie, dedicated to that business. 

The legal definition of a transfer of business activity determines the application of Article L. 1224-1 of the French Labour Code. Thus, if the transfer is legally a sale of a business or a partial transfer of assets, it is generally accepted that Article L. 1224-1 applies. 

Subject to compliance with these conditions, in the event of the transfer of an activity in accordance with Article L. 1224-1 of the Labour Code, the employment contracts of the employees dedicated to the activity are automatically transferred. The consent of the employees is then not required, and each employee retains, after the automatic transfer of their employment contract, all the applicable contractual provisions (eg, remuneration, seniority, place of work and working hours).

This applies to all employees holding an employment contract at the time of the legal transfer, whether the contract is open-ended or fixed-term, part-time or full-time, even if the employment contract is suspended at the time of the transfer. 

Persons whose employment contracts are suspended on the date of the transfer (in particular for maternity leave, parental leave or unpaid leave) will have their employment contracts transferred under the same conditions and on the same date as other employees.

When a company employs more than 50 people, it is required to establish a works council with comprehensive responsibilities or adapt the existing one to undertake more extensive tasks. The works council serves as a platform for employees’ collective expression on various aspects of the company’s operations, including economic and financial development, working conditions, job training, and production techniques. It must also be consulted on matters concerning the organisation and overall functioning of the business, as well as redundancies. However, it is important to note that the opinions of the works council are not binding on the company. The outsourcing of certain activities or services, particularly those related to employees, may also require consultation with the works council.

In the last few months, French companies have been keen to relocate their IT providers to France or other EU countries due to: (i) the adoption of the US Cloud Act enacted on 23 March 2018; and (ii) the adoption of the FDPA and the GDPR, which provide a strict framework for international transfers of personal data outside EU countries. Such transfers are only possible if the recipient country ensures an adequate and sufficient level of protection. If this is not the case, appropriate safeguards, such as SCCs, shall be implemented, and a TIA shall be performed. 

These legal constraints discourage companies from opting for offshore resources in outsourcing transactions, particularly where client or employee personal data, including sensitive information such as social security numbers or health data, is involved. 

Moreover, while offshore outsourcing may offer financial advantages, it can introduce additional challenges beyond the legal domain. These challenges include language and cultural differences, varying working habits, and time zone disparities, which can be particularly problematic during emergencies. As a result, French companies often view onshore and nearshore outsourcing as solutions that mitigate these difficulties and complexities.

Under French legal rules, teleworking can be implemented either by a company-wide agreement, a charter or a mutual agreement with the employer. 

In any case, it is recommended to sign an addendum to the employment contract defining the contours of teleworking (number of days, reversibility, teleworking rights, insurance, etc). In the case of litigation, it is always better to have a written agreement specifying the teleworking conditions.

From a French perspective, the obligations raised by remote working are as follows:

• The employee must ensure that their home is suitable for teleworking (provide proof of insurance to the employer in this regard) and meet their usual contractual obligations (working hours, availability, workload, etc).
• The employer must ensure compliance with working time rules and employee workload monitoring. In addition, teleworkers must enjoy the same rights as if they were working on-site (ie, lunch vouchers). 

The main fear for clients is the workload of employees who telework. On the one hand, certain employers fear that the employee will not work enough hours, whereas others fear that employees will work too many hours and will not alert the employer of any difficulties they are encountering. Consequently, it is important to find the balance between both situations. Moreover, clients want employees to continue to be mobile and be available for professional travel when required, even if they are teleworking.

Clients generally seek legal advice on how to implement teleworking, while ensuring that the arrangement can be reversed if the employee does not perform their duties properly or does not want to continue teleworking. They also consult lawyers regarding compensation for teleworking, such as reimbursement for home office use and professional expenses, which is generally mandatory and regulated by specific French laws.

One difficulty can be raised when the employee does not want to perform their duties remotely or from home, whereas the company (ie, a foreign company) does not have an office in France. In such cases, it is important to have an open discussion with the employee to identify the best solution, ensuring they have appropriate working conditions and an optimal work environment. 

It is important to underline that the rise in remote working has led to new legal disputes. 

Many employees who were able to telework during the COVID-19 pandemic have decided to move away from their place of work. However, when they were asked to return to their place of work, they refused, claiming that teleworking was a right they were entitled to. However, under French law, telecommuting is not a right and remains subject to employer approval.