Technology & Outsourcing 2024

Last Updated October 10, 2024

Netherlands

Law and Practice

Authors



Greenberg Traurig, LLP is an international law firm with approximately 2,750 attorneys serving clients from 48 offices in the USA, Latin America, Europe, Asia, and the Middle East. The firm’s dedicated TMT team consists of more than 100 lawyers, of which seven are in Amsterdam. The Amsterdam team is well-versed in representing clients around the world in domestic, national, and international policy and legislative initiatives, as well as guiding them through the business growth cycle for a variety of technologies. As a result, it provides forward-thinking and innovative legal services to companies producing or using leading-edge technologies to transform and grow their businesses.

The key market developments in IT outsourcing are:

  • significantly heightened awareness of, and focus on, privacy and data security;
  • increasing focus on “as a service” contracts to replace traditional models;
  • the transition to the cloud, including service providers themselves moving to infrastructure as a service (IaaS);
  • the increasing importance of service integration and architecture integration, given that customers work with a larger number of service providers;
  • pressure on IT departments, in their role as internal service providers, to work directly within the customer’s business;
  • the development of new ways of contracting service levels, through Experience Level Agreements (XLAs); and
  • the development of new pricing models, through pricing based on (business) value creation.

The key market developments in BPO are:

  • BPO is becoming less about labour arbitrage and costs savings, and more about technology transformation and automation/robotics, as well as adding value to the business;
  • application of the principles of the EU Acquired Rights Directive (ARD) as minimum (onshore) or offering an attractive redundancy package (nearshore/offshore); and
  • companies implementing Robotic Process Automation (RPA) as an alternative to BPO, although most programmes are not yet yielding the intended results.

A development that may potentially prove relevant is the ongoing high labour shortage in the Netherlands. To the extent the Dutch economy continues to experience this shortage, companies may elect to start outsourcing business processes that can effectively no longer be staffed in the Netherlands. In any case, this trend is likely to be relevant in the mid-to-long term as the Dutch population ages.

The impact of new technology on the outsourcing market is as follows.

  • The permanent increase in the use of videoconferencing and other virtual collaboration tools (as a result of COVID-19) and companies’ increased facility with these tools should simplify working with offshore counterparts, thereby increasing the potential scope for BPO.
  • Customers are struggling to build up internal capacity to address new technologies and are therefore relying more on IT providers to provide these capabilities, which may drive an increase in IT service operators (ITSOs).
  • AI and robotics are heavily impacting service providers in their delivery centres, which were traditionally built around labour arbitrage, by enabling increased automation.
  • Blockchain/smart contracts are typically applied in a larger ecosystem that requires a different mode of co-operation from traditional client–service provider relationships. (However, the importance of these technologies is currently negligible and the current cool-down of crypto markets is likely to slow development there.)

The most commonly outsourced services in the Netherlands are:

  • IT, including software as a service (SaaS), IaaS, and other IT outsourcing;
  • HR;
  • financial services;
  • data security; and
  • accounting.

Rules and restrictions on outsourcing apply only in some regulated markets – primarily, the financial, insurance, asset management and pensions industries. In other markets, freedom of contract rules.

As regards technology transactions, the Dutch government has been implementing policies and laws aimed at reducing strategic dependence on foreign powers for vital technologies and knowledge, as well as preventing the acquisition of specific technologies, companies, infrastructure or know-how that are considered vital to the security of the Netherlands. Investment screening and approval is currently required for acquisitions in the power and telecommunications industries, and a similar sectoral law is being crafted for the defence industry. Such screenings are conducted by the Dutch Investment Screening Bureau (Bureau Toetsing Investeringen, BTI). In the next year, the Dutch foreign direct investment (FDI) screening will expand as new technologies and vital processes are brought into its scope. For example, in February 2024, the Dutch Parliament passed a motion calling on the government to include vegetable and seed breeding companies in the scope of the Investments, Mergers and Acquisitions (Security Screening) Act (Wet veiligheidstoets investeringen, fusies en overnames, the “Vifo Act”).

The Dutch government is currently seeking to expand its ability to screen foreign takeovers of tech companies for national security risks, particularly by adding more sensitive technologies under the Vifo Act.

Act Implementing the EU FDI Screening Regulation

A non-sector-specific piece of legislation, which applies where no sector-specific act exists, was also adopted to implement the EU FDI Screening Regulation. This act, the Vifo Act referred to above, entered into force on 1 June 2023. Under the Vifo Act, any transaction (broadly defined), whether initiated by a foreign or a Dutch person, that poses a risk to Dutch national security interests is subject to screening and approval by the Dutch Ministry of Economic Affairs and Climate Policy. Such a risk may be deemed to exist where the transaction could:

  • create a strategically relevant dependency on foreign powers;
  • pose a risk to the continuity of vital processes; or
  • impair the integrity and exclusivity of knowledge or information of vital or strategic relevance to the Netherlands.

Note that, in most cases, control is not a requirement for a transaction to be deemed relevant (eg, obtaining just 10% of the votes in a general meeting or the ability to appoint a director may also trigger the requirement for investment screening). If the transaction is deemed to pose a risk to Dutch national security, conditions may be applied to the transaction or the transaction may be prohibited.

Note also that the act has retrospective effect, starting from 1 March 2020. In other words, a transaction completed before the act entered into force but after 1 March 2020 may still be reviewed, so companies need to take this into consideration.

As noted above, sector-specific approvals are currently required for acquisitions in the power and telecommunications industries, and a similar sectoral act is being crafted for the defence industry; a public consultation on that act ended on 1 September 2024.

From a compliance perspective, other than in respect of data protection regulation, industry-specific restrictions mainly exist in the financial, insurance, asset management and pensions industries and the regulations are mostly based on EU legislation. The regulations concerned include the Dutch Financial Supervision Act (FSA) (and a number of directives and resolutions under that act), the Solvency II Directive and the Solvency II Regulations, the Alternative Investment Fund Managers Directive 2011 (AIFMD), the Pension Act, the Dutch Central Bank’s (De Nederlandsche Bank, or DNB) good practices for insurers and separate guidelines for other sectors, and the European Banking Authority (EBA) guidelines on outsourcing to cloud service providers. The main principles of these regulations boil down to the following:

  • responsibility cannot be outsourced;
  • a written agreement that contains sufficient means for the customer to monitor performance is required;
  • mandatory disclosure by the service provider of circumstances that may affect continuity is required;
  • the customer should be granted sufficient audit rights;
  • a risk analysis is required;
  • in some sectors, the customer must be able to terminate at will (against a termination fee);
  • there must be restrictions on the further subcontracting of obligations by the service provider and, where such further subcontracting does take place, control and transparency must be retained by the service provider in respect of the outsourced services; and
  • notice of the intended outsourcing to supervisors is often required.

DORA

The Digital Operational Resilience Act (DORA) lays down binding requirements for financial entities aimed at ensuring their operational resilience, including where they rely on third-party ICT service providers. These requirements cover governance, ICT risk management and security reviews, resilience testing, incident reporting, and the contractual provisions to be agreed with ICT third-party providers, with the aim of ensuring that the financial entity remains fully in control of, and accountable for, ICT security and risk management.

From a content perspective, many of the requirements set out in DORA are already part of the EBA and European Insurance and Occupational Pensions Authority (EIOPA) guidelines relating to ICT security and risk management. Nonetheless, some requirements have become stricter or more specific, and a full review of existing practices, processes and contract language is advisable to ensure full compliance.

A highly significant change for service providers is that DORA brings ICT third-party service providers that are designated as critical under the direct oversight of the European Supervisory Authorities. The designated lead overseer will be able to assess compliance, require changes to non-compliant practices, and impose periodic penalty payments for non-compliance.

DORA was adopted on 14 December 2022 and applies from 17 January 2025, which gave in-scope companies two years to become compliant (ie, all outsourcing agreements being negotiated at this time should already take DORA into consideration).

The restrictions on data processing and data security are based on the EU General Data Protection Regulation (GDPR). The GDPR restricts transfers of personal data to countries outside the EEA that do not offer an adequate level of protection; only a limited number of countries and territories have been recognised as adequate by the European Commission. Standard contractual clauses (SCCs) and binding corporate rules continue to be the data transfer mechanisms on which organisations most commonly rely when transferring personal data to other countries.

The Dutch Government’s Cloud Policy

From the perspective of data protection, the Dutch government is highly pragmatic and – compared to other European countries – quite progressive in its embrace of the cloud, as evidenced in the landmark agreement between the Dutch State and Microsoft in 2019, its agreement with Google in 2022, and the most recent framework agreement with Amazon Web Services in 2023. This stance was also demonstrated by the risk-based assessment of data transfers adopted by the Dutch Ministry of Justice and Security (“the Ministry”) in the Data Protection Impact Assessment (DPIA) on Microsoft Teams.

In February 2022, the Ministry published a DPIA on Microsoft Teams, OneDrive and SharePoint. As part of this DPIA, the Ministry also published a data transfer impact assessment (DTIA), based on the Rosenthal format for DTIAs. The outcome of the DTIA was, in summary, that it is extremely unlikely that personal data from Dutch government customers is unlawfully accessed by US authorities or by authorities in other countries where Microsoft uses sub-processors. Therefore, the risk was assessed as low and the use of Microsoft Teams could continue.

In Austria and Germany, some decisions have been made that point in the direction of rejecting the risk-based approach, so it remains to be seen what (if anything) the European Data Protection Board (EDPB) and the local supervisory authorities will say about this. The Dutch government’s new cloud policy states that most classified government data may be stored in the cloud, as long as certain requirements are met.

Schrems II Ruling and EDPB Guidance

The Schrems II ruling and the guidance provided by the EDPB continue to keep data controllers who use SCCs busy because, under this ruling, controllers must assess whether, given their use of SCCs, there is an adequate level of protection in the third country. That is, data controllers cannot simply assume this to be the case, as SCCs may not be effectively enforceable in that country. Although the EDPB provides six-step recommendations on measures that data controllers and processors can take to enable compliant data transfers under SCCs, the task at hand is not that simple. Specifically, Step 3, the assessment of the law and practice of the third country, is complex to perform.

Particularly notable for outsourcings involving Indian vendors is India’s new Digital Personal Data Protection Act, 2023 (DPDP Act). The DPDP Act applies a lower degree of protection to the personal data of persons outside India when that data is processed in India under a contract with a person outside India (eg, under an outsourcing agreement). This will likely influence the assessment of whether additional measures are necessary to enable compliant data transfers to India under SCCs.

Note that the EC has recently adopted an adequacy decision for the EU–US Data Privacy Framework (EU–US DPF), which is the successor of the Privacy Shield. This (again) allows data transfers between organisations in the EU and those located in the USA that have self-certified against the principles of the EU–US DPF. As its predecessors (the “Safe Harbour” agreement and the Privacy Shield) were ultimately invalidated by the ECJ, it remains to be seen whether the EU–US DPF will be upheld. Binding corporate rules provide multinational companies with a framework for international data transfers; however, it should be noted that the Dutch Data Protection Authority has a significant backlog in approving binding corporate rules.

The NIS and NIS2 Directives

Data security is currently mainly governed by the Network and Information Systems Security Act (Wet beveiliging netwerk- en informatiesystemen, Wbni), which implements the EU Directive on the security of network and information systems (the “NIS Directive”) and consolidates other relevant legislation into one act. Separately, the EU Cybersecurity Act (Regulation (EU) 2019/881) establishes a European cybersecurity certification framework for ICT products, services and processes. The NIS Directive identifies sectors that are vital for the parts of the economy and society that rely heavily on IT (eg, energy, transport, banking and healthcare). Operators in these sectors have to take appropriate security measures and ensure swift notification of incidents with a significant impact to the relevant authorities.

Additionally, in keeping with the NIS Directive, the Wbni also obliges providers of digital services (other than small enterprises) under Dutch jurisdiction to notify incidents that have a substantial impact on the provision of their services to the designated CSIRT for digital service providers (CSIRT-DSP) and the Minister of Economic Affairs and Climate Policy.

A variety of sector-specific laws directly or indirectly govern cybersecurity relating to, among other things, energy production and distribution, water, telecommunications, seaports, airports, rail, financial services, healthcare, government bodies and other critical infrastructure.

A key development that is starting to become relevant is the progress on NIS2, which will replace the NIS Directive. The NIS2 Directive entered into force in January 2023, and EU member states must implement the directive into national legislation by 17 October 2024. The NIS2 Directive has a significantly broader scope than NIS. It covers all medium-to-large enterprises and public organisations in the sectors it lists that perform important functions for the economy or society as a whole. By way of example, the new directive also covers social media service providers and the public administration. The NIS2 Directive should also increase the level of harmonisation across member states in respect of scope, security and incident reporting, national supervision and enforcement powers and sanctions, as well as improve the pan-European collaboration of competent authorities.

Although the Dutch legislation implementing NIS2 is not yet in force, clients and service providers entering into long-term agreements should take stock of the requirements imposed by NIS2 to ensure future compliance. In this respect, the Dutch National Cyber Security Centre (NCSC) is a government resource that publishes useful information.

There is no standard outsourcing agreement in the Netherlands.

The association of IT service providers, NL Digital, has standard terms but these do not generally apply to outsourcing. Sourcing Netherlands, the association for outsourcing, has developed a fairly balanced standard form for an outsourcing agreement, which is sometimes implemented. Sophisticated customers will contract on the basis of their own tailored agreement. These agreements are similar to the market standard agreements in the UK and USA. They are very detailed and contain approximately 20 schedules.

The usual model consists of an asset transfer agreement and a separate services agreement. For large cross-border projects, a framework structure is used – comprising a framework asset transfer agreement and a separate framework services agreement – under which local-to-local asset transfer agreements and services agreements are concluded.

Although alternative models are sometimes used, 95% of outsourcing will be contracted one-to-one, with an asset transfer agreement and a separate services agreement. Multi-vendor agreements (between the customer and a number of service providers) are also common. Joint ventures (JVs) are rare, mainly because a JV structure is rather complicated and expensive. This will only be used where the customer and service providers wish jointly to set up a new business.

One new development, which is currently underway, is a shift towards contracting based on customer experience, business outcomes and value creation – rather than contracting only or primarily on a fixed cost, fixed service-level basis.

Digital transformations have not, as yet, led to significant changes in contract models for sophisticated customers with sufficient clout. Some smaller changes that have been noted are as follows.

  • Where IaaS or platform as a service (PaaS) are used as part of the services, it is not uncommon to see part of these terms being passed through to the customer back-to-back (ie, restricting the claims against the service provider to the extent allowed by the pass-through terms), depending on how much clout the customer has to shift the discrepancy in liabilities to the service provider.
  • Where digital transformations are part of the scope, it is common to see more complex schedules describing digital transformation plans and expected results, ways of working and governance employed in the transformation.
  • Where digital transformations include AI and/or machine learning as part of the scope, there has been an increase in specific terms relating to data protection, transparency of algorithms, and data governance aspects of AI.
  • Where digital transformations include AI and/or machine learning as part of the scope, there is also a trend towards clients setting up and enforcing formal AI principles and codes of conduct (which may in some cases be more stringent than any current applicable law) so as to provide additional guidance to suppliers on the ethical use of AI.
  • Where digital transformations are part of the scope, there has also been an increase in “pseudo-agile” terms – ie, service providers and customers will attempt to include obligations in the contract and project governance to employ agile ways of working, while still also incorporating obligations on the outcome.

The main customer protections are:

  • no exclusivity for the service provider;
  • no volume commitment for the customer;
  • a detailed service description;
  • appropriate service levels;
  • tailored service credits;
  • an appropriate governance and contract change structure;
  • a benchmark clause (like-for-like comparison of pricing and service levels);
  • a step-in right;
  • GDPR compliance; and
  • an audit clause.

By the Customer

The customer can terminate the contract for cause. Significant breaches of service levels and serious regulatory compliance or data security and privacy incidents are often specifically mentioned as providing cause for termination. Sometimes, outsourcing or services agreements provide a termination right to the customer where there has been a change of control in the service provider, especially in contracts relating to mission-critical services or services provided to regulated financial institutions.

Customers can also, almost always, terminate for convenience. In the case of termination for convenience, the customer must pay termination compensation. There is no fixed formula for calculating this compensation, as this is a matter of freedom of contract. In general, the compensation consists of unrecovered costs and a small lost-margin component. Furthermore, in the financial industry, the customer may terminate the agreement if a regulator requires a termination.

By the Service Provider

The service provider can usually only terminate for material breach (most notably, prolonged non-payment of invoices). It is highly unusual to allow a service provider to terminate for convenience.

Dutch statutory law does not define the difference between direct and indirect loss. Under the influence of Anglo-American contracts and terms, the distinction is nonetheless often used in agreements governed by Dutch law. Where it is used, it is wise to define precisely which damages are considered direct and which indirect. However, it can be hard to reach agreement on these definitions, given that the customer will try to include as much as possible under the definition of direct damages, whereas the service provider wishes to exclude as much as possible from it.

It may, therefore, be better practice to refer to the statutory definition of damages and leave the decision to the courts. This means that damages that are reasonably attributable to the event that caused the damages, and to the party that caused the damages, must be paid. In addition, pure loss of profit and turnover can be excluded.

Dutch statutory law does not define a maximum amount for damages. As a result, it is advisable to cap the liability of both parties. The market standard caps vary between 12 and 36 months of fees.

Dutch law provides for certain implied terms in relation to the quality of goods sold and the provision of services. However, these implied terms are typically not mandatory in B2B contracts and are usually explicitly excluded or superseded by the contents of the contract.

In addition to contractual obligations under Article 28 of the GDPR, contracts commonly include:

  • requirements for the service provider to take appropriate technical and organisational security measures and continuously improve these requirements to remain in line with relevant state-of-the-art measures;
  • requirements for the service provider to materially comply with the customer’s security policies and standards (or the service provider’s own policies, if they are equivalent or better);
  • requirements for the service provider to test its security regularly using scenarios that are appropriate to the particular services and improve the security as required;
  • requirements for the service provider to meet obligations incumbent on it under data protection law and not to act so as to cause the customer to breach its obligations under data protection law;
  • requirements for the service provider to support the customer in meeting its obligations vis-à-vis its regulator and its data subjects;
  • restrictions on the ability of the service provider to export data or employ subcontractors without the explicit consent of the customer;
  • restrictions on the ability of the service provider to use data for its own purposes;
  • requirements to support the remediation of data breaches, regardless of whether the service provider is at fault for the relevant data breach;
  • a governance set-up for joint response to data breaches and other cybersecurity incidents;
  • a contractual indemnity with an elevated cap for the benefit of the customer with regard to damages suffered by the customer resulting from breaches of data protection legislation caused by the actions of the service provider;
  • a requirement for the service provider to insure itself appropriately in respect of cybersecurity incidents;
  • a step-in right for the customer, where required, to safeguard the security and integrity of data or services; and
  • audit rights in respect of data and cybersecurity.

Traditionally, performance measurement and management in technology and outsourcing are seen as critical aspects of ensuring efficiency, quality, and accountability in these industries. In technology, key performance indicators (KPIs) and service levels are often meticulously tracked to gauge the effectiveness of software development, system operations, and project management. Metrics such as code quality, system uptime, response times, resolution times and user satisfaction are commonly monitored.

This rigorous approach to performance measurement and management came under fire from scholars and consultants, who point at the watermelon effect (green on the outside, red on the inside) – by which they mean that sometimes all service-level agreement dashboards are on green, while the end user is unhappy. In other words, the wrong metrics are measured. This has led to the use of XLAs, which measure end-user satisfaction, end-to-end performance, and contribution to the success of the business of the customer.
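The “watermelon effect” described above can be made concrete. The following is an added example, not code from the original guide or from the firm: it computes availability the way a conventional per-service SLA dashboard does and the way an end-to-end XLA does, from the same outage log. The service names, the 99.9% target and the outage windows are constructed for illustration; the point they demonstrate is general, since a user journey that depends on several services simultaneously is down whenever any one of them is down, so its availability is bounded by the product of the individual figures (three services at 99.9% each give roughly 99.7% end to end).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MONTH_MINUTES = 30 * 24 * 60   # 43,200 minutes in the 30-day measurement period
SLA_TARGET = 0.999             # hypothetical per-service availability target (99.9%)


@dataclass(frozen=True)
class Outage:
    service: str
    start: datetime
    end: datetime


def merge_intervals(intervals):
    """Merge overlapping (start, end) pairs so overlapping downtime is not counted twice."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def downtime_minutes(intervals):
    """Total minutes covered by the (merged) outage windows."""
    return sum((e - s).total_seconds() / 60 for s, e in merge_intervals(intervals))


def per_service_availability(outages):
    """Availability per service: what a conventional SLA dashboard reports."""
    by_service = {}
    for o in outages:
        by_service.setdefault(o.service, []).append((o.start, o.end))
    return {svc: 1 - downtime_minutes(iv) / MONTH_MINUTES for svc, iv in by_service.items()}


def journey_availability(outages, chain):
    """End-to-end availability of a user journey that needs every service in `chain`
    at the same time: the journey is down whenever any one of them is down, so its
    downtime is the union of the individual outage windows."""
    intervals = [(o.start, o.end) for o in outages if o.service in chain]
    return 1 - downtime_minutes(intervals) / MONTH_MINUTES


def watermelon_report(outages, chain, target=SLA_TARGET):
    """Green on every per-service SLA while the end-to-end journey is red is the watermelon case."""
    per_service = per_service_availability(outages)
    journey = journey_availability(outages, chain)
    return {
        "per_service": per_service,
        "all_services_green": all(a >= target for a in per_service.values()),
        "journey": journey,
        "journey_green": journey >= target,
    }


# Constructed outage log for one 30-day period (UTC). Service names are hypothetical;
# the identity and gateway outages deliberately overlap to exercise the merge step.
T0 = datetime(2024, 9, 1)
OUTAGES = [
    Outage("identity", T0 + timedelta(days=2, hours=3), T0 + timedelta(days=2, hours=3, minutes=40)),
    Outage("gateway", T0 + timedelta(days=2, hours=3, minutes=20), T0 + timedelta(days=2, hours=3, minutes=58)),
    Outage("orders", T0 + timedelta(days=17, hours=1), T0 + timedelta(days=17, hours=1, minutes=25)),
    Outage("orders", T0 + timedelta(days=23, hours=11), T0 + timedelta(days=23, hours=11, minutes=15)),
]
CHAIN = ("identity", "gateway", "orders")   # the services a single user journey depends on

if __name__ == "__main__":
    report = watermelon_report(OUTAGES, CHAIN)
    for svc, avail in report["per_service"].items():
        print(f"{svc:9s} {avail:.4%}  {'green' if avail >= SLA_TARGET else 'red'}")
    print(f"journey   {report['journey']:.4%}  {'green' if report['journey_green'] else 'red'}")
```

Each service stays within its 43.2-minute monthly allowance (40, 38 and 40 minutes respectively) and reports green, while the journey accumulates 98 minutes of downtime and misses the same 99.9% target. Contractually, this is the difference between service credits triggered per service and an XLA measured on the journey the end user actually experiences.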

A common point of discussion when negotiating outsourcing or technology agreements governed by Dutch law is whether KPIs or service levels are enforced as a result obligation or a best-efforts obligation. In principle, KPIs and service levels are considered as best-effort obligations under Dutch law. However, best-efforts obligations are notoriously difficult to enforce by the other party. Therefore, parties often decide to agree on a result obligation or to carve out specific penalties for not meeting (certain) KPIs or service levels.

Should the technology or outsourcing be cloud-based, the contract terms will basically remain the same, as the terms are generally drafted in a technology-agnostic manner. However, there may be additional detail in respect of data security and the processing location, depending on the jurisdictions involved. In other words, specific requirements in relation to encryption may be included for some types of data.

The rules governing employee transfers in outsourcing are based on the ARD. Under the ARD, employees who predominantly work on the activities that are to be transferred will, where the ARD (as implemented in the Netherlands) applies and the activities are continued on an “as is” basis, transfer to the service provider by operation of law, together with their applicable employment terms and conditions. In general, the ARD will apply if significant assets are to be transferred to continue the economic activity or, in the case of labour-intensive activities, if the majority of the employees (considering number and expertise) will be offered employment by the new service provider. EU and Dutch case law on the ARD (known in the UK as TUPE, Transfer of Undertakings (Protection of Employment)) is extensive and granular but, in essence, is based on ever-increasing protection of employees. This should ensure that employees are protected from redundancy situations and “follow their work”.

Market practice on employee transfers in the Netherlands is:

  • application of the principles of the ARD as minimum (onshore) or to offer an attractive redundancy package (nearshore/offshore); and
  • for the service provider to offer attractive (to a certain extent harmonised or at least equivalent) employment terms and conditions package after the transfer date.

Works council consultation (ie, the right to advice prior to implementing the proposed decision) is almost always required (under Article 25 of the Dutch Works Councils Act).

Trade union consultation is required for companies or groups of companies employing more than 50 employees in the Netherlands who fall in scope of a generally binding collective labour agreement applicable to an entire industry if control in (part of) the “undertaking” is transferred or if this requirement follows from the applicable collective labour agreement. The requirement also applies to legal entities that have concluded a company-specific collective labour agreement.

Trade union consultation is also required where it is anticipated that 20 or more employees will be made redundant within a timeframe of three months.

There has not been much change in the frequency of (or customer preference for) onshore, offshore or nearshore resources when it comes to outsourcing transactions in the Netherlands yet. However, research by the Dutch sourcing platform shows that companies expect an increase in nearshoring in the EU or just outside the EU, whereas traditional offshoring is expected to decline. It remains to be seen whether this will materialise. In practice, major global players mostly appear to be combining nearshoring and offshoring because cost advantages – as well as certain skill sets and processes – are more effectively captured through the use of at least one centralised offshore location.

Where remote work is still performed in the Netherlands, requirements in respect of worker safety will also apply to the remote work location.

Where remote work is performed outside the European Economic Area (EEA), the GDPR’s restrictions on the transfer of personal data will come into play to the extent that EU personal data is used by the remote worker. This is because the EU personal data will then automatically have been processed outside the EEA by being transmitted to the remote location.

Greenberg Traurig, LLP

Beethovenstraat 545
1083 HK Amsterdam
The Netherlands

+31 651 289 224

+31 20 301 7350

Herald.Jongen@gtlaw.com www.gtlaw.com

Trends and Developments



Is Outsourcing Still Alive?

Outsourcing has long been a staple strategy for companies seeking cost efficiency, specialised expertise, and scalability. However, as new technologies reshape how businesses operate, the traditional model of outsourcing is being challenged, prompting companies to rethink whether it remains a viable or necessary option. With rapid advancements in automation, shifting economic dynamics, and, predominantly, artificial intelligence, the question arises: Is outsourcing dead? The answer is no. However, outsourcing is undeniably taking on a new form with much less human involvement.

Artificial intelligence (AI)

Outsourcing to AI systems offers a wide range of valuable benefits, including faster, more accurate, and scalable operations. AI systems equipped with machine learning capabilities can improve their performance over time, while natural language processing (NLP) enables smooth communication between machines and human workers. With advanced security features, AI also ensures the protection of an organisation’s data. Additionally, unlike human employees, AI systems can function 24/7 without interruption.

The expansion of AI research has ushered in what can be seen as Outsourcing 2.0, driving innovations like machine learning for analysing vast data sets, natural language processing (NLP) for understanding and responding to human speech, computer vision for identifying objects in images and videos, and pattern recognition for detecting fraud, such as in credit card transactions. These advancements have prompted more organisations to leverage AI for a growing number of tasks.

The potential applications for Outsourcing 2.0 are broader than many expect. According to McKinsey & Co., generative AI and related technologies could automate 60% to 70% of the tasks that currently consume employees’ time. Nearly every industry – from manufacturing and retail to business services – stands to benefit from this shift. As AI continues to advance, even more sectors and processes will adopt these technologies.

AI’s potential to take over traditional outsourcing functions – like business processes, tech support, and customer service – is vast, with applications ranging from chatbots to personalised recommendation engines to advanced data analytics. AI-driven tools can rival and even surpass human performance in certain tasks, all while running continuously at scale. As the technology matures, AI will continue to augment and automate even more business processes.

Where Outsourcing 2.0 is driven by AI and other technologies, the outsourcing service providers are subjected to the confines set by an increasing number of tech-focused (EU) regulations. This year, outsourcing service providers are kept busy with implementing the requirements for the EU Artificial Intelligence Act, the EU Digital Operational Resilience Act, the EU Data Act, and the EU Directive on measures for a high common level of cybersecurity across the Union (NIS2) and its implementations.

In the Netherlands, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) takes a prominent role in providing guidance on these regulations and enforcing their respective proscriptions. In addition, compliance with the drastically impactful EU General Data Protection Regulation (GDPR) continues to be vital – perhaps even more so – for Outsourcing 2.0. As noted in the firm’s other contributions (see Chambers Trends and Developments (Netherlands), Artificial Intelligence 2024), the Dutch government generally has a positive outlook on the use of AI as well as other technologies (including the US cloud service providers).

The below sections discuss key considerations for outsourcing service providers to consider under these laws.

Key considerations for AI

The EU Artificial Intelligence Act (AI Act) aims to protect fundamental rights, democracy, the rule of law and environmental sustainability from high-risk AI, while boosting innovation and establishing Europe as a leader in the field. The regulation establishes obligations for AI based on its potential risks and level of impact.

The EU AI Act officially became effective on 1 August 2024, and gradually imposes various requirements on AI developers and users. Starting in February 2025, certain forms of AI will be banned, and organisations using AI must have sufficient knowledge about these technologies.

The AI Act applies to providers, importers, distributors, and manufacturers of AI systems, but also to deployers of AI systems, ie, a person or company who uses or integrates an AI system (except for personal, non-professional use). Additionally, the AI Act has a broad (extra-)territorial scope. Similar to other EU regulations in the digital context, the AI Act covers companies or individuals based in the EU or whose services are offered on the EU market. But the AI Act goes one step further: it covers third country (defined as any country outside the EU) providers and deployers of AI systems even if only the output produced is used in the EU.

The AI Act follows a risk-based approach. According to the AI Act, AI systems can be categorised into four risk categories:

  • unacceptable risk (prohibited AI practices);
  • high risk (high-risk AI systems);
  • limited risk (AI systems intended to interact with individuals); and
  • minimal and/or no risk (all other AI systems that are outside the scope of the AI Act).

The requirements contained in the AI Act vary for each risk level. Additionally, the AI Act also establishes specific rules for general purpose AI models.

Outsourcing service providers should consider the following measures in meeting the requirements under the AI Act.

  • Transparency requirement – ensure that your AI solutions intended to directly interact with natural persons are designed and developed in such a way that individuals (eg, consumers) are informed they are interacting with an AI system. For instance, an AI chatbot’s first text message to a user should confirm that it is a chatbot driven by AI.
  • High-risk transparency requirement – with respect to customers wishing to deploy your AI solution for high-risk purposes, eg, in the healthcare field, you should design these solutions in such a way as to enable customers (ie, the deployers of the AI solution) to understand how the AI system works, evaluate its functionality, and comprehend its strengths and limitations.
  • Pre-market of high-risk AI systems – prior to placing AI systems used for high-risk purposes on the EU market, you should conduct a conformity assessment to evaluate compliance with all requirements for high-risk AI systems under the AI Act. The conformity assessment consists of a self-assessment of your quality management system, technical documentation, and post-market plan against the essential requirements under the AI Act. Ensure that your high-risk systems receive a CE mark, which enables distribution throughout the EU.
  • Post-market of high-risk AI systems – make sure to establish and document a post-market monitoring system that is proportionate to the nature of the AI solution and the risks of your high-risk AI solutions.
  • Impact on contracts with customers – in relation to customers, you should attempt to strike a fair balance of mutual requirements, obligations, liabilities, and responsibilities in line with the distribution set out by the AI Act. For instance, deployers of AI solutions may also be subject to certain requirements under the AI Act; eg, deployers of high-risk AI systems are required to perform a fundamental rights impact assessment prior to deployment.

From February 2025, organisations must ensure employees have sufficient knowledge about AI relevant to their role, such as understanding biases in AI systems. The Dutch government still needs to clarify which regulators will oversee compliance with the various sections of the AI Act.

The “DORA Deadline” for outsourcings by financial institutions

The Digital Operational Resilience Act, or DORA, is an EU regulation that creates a binding, comprehensive information and communication technology (ICT) risk management framework for the EU financial sector. DORA has two main objectives: to comprehensively address ICT risk management in the financial services sector and to harmonise the ICT risk management regulations that already exist in individual EU member states.

The DORA applies to financial institutions and third-party service providers that supply financial firms with information communication technology systems and services – like cloud service providers and data centres (ICT Third-Party Service Providers). The DORA also makes a distinction for “Critical” ICT Third-Party Service Providers, which are designated specifically by supervisory authorities in accordance with Article 31 of the DORA. The criteria for designation as a Critical ICT Third-Party Service Provider are broad in nature, but include in broad terms:

  • the systemic impact on the provision of financial services;
  • the importance of the EU financial entity relying on the ICT Third-Party Service Provider;
  • criticality or importance of the functions supported by the ICT services provided; and
  • the degree of substitutability of the ICT Third-Party Service Provider.

The DORA applies to outsourcing service providers as ICT Third-Party Service Providers to financial institutions. As of now, there have not been any “Critical” ICT Third-Party Service Provider designations from supervisory authorities. However, the authors anticipate that an ICT Third-Party Service Provider could be designated as “critical” if the disruption of services to the financial institution would jeopardise the operational continuity and resilience of such financial institution’s critical functions.

Outsourcing service providers must ensure that their service agreements with financial institutions include the key contractual provisions as set out by Article 30 of the DORA. Where reasonably needed, these provisions also apply to the outsourcing service provider’s subcontractors. The key contractual provisions broadly include the following.

  • Requirements to include specific termination rights.
  • Wide-ranging (and, from the service provider’s perspective, onerous) audit rights.
  • A laundry list of contractual specifics, eg, description of the services, locations of services provision and data storage and processing, etc.
  • Requirements dealing with management of exit and transition.
  • Obligations on the ICT provider to, amongst other matters, comply with appropriate information security standards.
  • Provisions to ensure access, recovery and return of data in the event of the insolvency, resolution or discontinuation of the operations of the ICT provider, or in the event of the termination of the contract.
  • Whether subcontracting of the ICT Service supporting a Critical or Important Function (or material parts thereof) is permitted and, if so, the conditions applying to such subcontracting.

For the full list of key contractual provisions please see Article 30 of the DORA. Financial institutions are under a deadline to have these contractual provisions in place by 17 January 2025. This deadline causes a significant challenge for financial institutions and the outsourcing service providers, as they may need to amend a significant number of agreements.

The implications of the EU Data Act

The goal of the European Data Act is to offer businesses, citizens, and governments more options to use and share data. These data are currently only or mainly available to the manufacturers of the appliances that generate them, for example the user data of smart (Internet of Things (IoT)) devices.

The Data Act applies to manufacturers of IoT products, users of IoT products, data holders, data recipients, public sector bodies, providers of data processing services, and participants in data spaces and vendors of applications using smart contracts.

The Data Act imposes significant implications for outsourcing service providers by enhancing transparency and control over data usage. Providers must ensure that their clients retain ownership and control over their data, facilitate data access and portability, and comply with new rules governing data sharing and usage. This involves implementing robust data management practices, adjusting contracts to meet new legal requirements, and ensuring compliance with transparency obligations. Overall, the Data Act requires providers to enhance their data handling practices and align with stricter regulatory standards to ensure client data is managed effectively and lawfully.

What to do for NIS2?

In July 2016, the Directive on the security of Network and Information Systems (NIS) was established. This Directive aims to increase cyber resilience across the EU through regulatory measures. It focuses on strengthening cybersecurity capabilities at a national level, enhancing collaboration between member states and incorporating cybersecurity into the DNA of organisations. The scope of organisations that have to comply with the NIS Directive consists of two groups: (i) the operators of essential services, and (ii) relevant digital service providers. In January 2023, the EU adopted an updated version of the NIS Directive. This “NIS2” aims to get the EU up to speed and establish a higher level of cybersecurity and resilience within organisations of the EU.

NIS2 applies to all entities that provide essential or important services to the European economy and society, including companies and suppliers. As a Directive, NIS2 may be implemented differently per EU member state. Therefore, each member state may impose threshold requirements for essential and important services as it deems relevant in light of its society or economy, but generally an “essential” or “important” service designation would be allotted to services such as suppliers or distributors of electricity, transport companies or port facilities, health care providers, waste management, and food distributors.

NIS2 requires that essential and important entities implement baseline security measures to address specific forms of likely cyber-threats, including: risk assessments; procedures for the use of encryption; security around the procurement of systems; security procedures for employees with access to sensitive or important data; the use of multi-factor authentication; evaluation of the effectiveness of security measures; security incident response plans; cybersecurity training; business continuity plans; and security around supply chains. The Dutch Authority for Digital Infrastructure provides a self-assessment tool, and the National Cyber Security Centre has a guide to assist these organisations in improving their cybersecurity practices.

In most cases, outsourcing service providers will not meet the threshold for an essential or important service, but they may be engaged by companies and/or organisations that do qualify as such. As a result, essential or important companies may require the implementation of the above-mentioned baseline security measures in a data security addendum to a service agreement.

The NIS2 directive must be implemented into Dutch law by 17 October 2024, but passage through the Dutch parliament and official publication will likely be delayed until Q2 2025.

Data protection – increasing enforcement

The below decisions from the Dutch DPA stress the importance of robust data protection practices and compliance with legal requirements, affecting how outsourcing service providers manage international data transfers and cookie consent.

International data transfers

The Dutch DPA has imposed a EUR290 million fine on Uber for improperly transferring the personal data of European taxi drivers to the United States without sufficient protection, in violation of the General Data Protection Regulation (GDPR). Uber collected sensitive information, including location, payment details, and in some cases, criminal and medical data, from drivers across Europe and stored it on US servers for over two years. The transfer occurred without the use of a legal data transfer mechanism after the EU–US Privacy Shield was invalidated in 2020. The DPA highlighted that Uber failed to ensure the required level of data protection, a serious breach under the GDPR.

The investigation began after complaints from over 170 French drivers, which led to the involvement of the French privacy authority. Since Uber’s European headquarters is based in the Netherlands, the DPA took the lead on the case. This is Uber’s third fine from the AP (the Dutch DPA), following penalties in 2018 and 2023. Uber has announced it will appeal the decision. This decision marks the importance of implementing the necessary safeguards for international data transfers.

Cookie compliance

The Dutch DPA found that Kruidvat unlawfully processed the personal data of its website visitors by not properly obtaining consent for tracking cookies. The issue was identified during an investigation launched in 2019, where the DPA reviewed whether websites, including Kruidvat.nl, met the legal requirements for cookie consent. Despite being warned, Kruidvat.nl continued to violate the rules by making it difficult for users to refuse cookies, leading to further investigation in 2020. The issue was only resolved by October 2020, but during the non-compliance period, users’ data was processed without proper consent.

The DPA highlights growing public frustration with misleading cookie banners and emphasises the need for transparent consent processes to give users control over their personal data. Therefore, outsourcing service providers who provide third-party AdTech should make it a priority to become familiar with the requirements for cookie compliance. The authority plans to increase its oversight of cookie compliance in 2024 to ensure that websites meet these legal standards. Clear cookie banners are essential for users to make informed choices about their data. AS Watson (Health & Beauty Continental Europe) B.V., Kruidvat’s parent company, has filed an objection to the AP’s decision to impose a fine.

In conclusion

As technology continues to advance, outsourcing is undergoing a significant transformation. The rise of AI and automation has introduced a new era of efficiency and capability, fundamentally reshaping the traditional outsourcing model. While the human element remains crucial, AI-driven solutions are increasingly taking over repetitive and data-intensive tasks, providing faster, more accurate, and scalable alternatives. This shift, however, comes with its own set of challenges, including stringent regulatory requirements under the EU Artificial Intelligence Act, DORA, the Data Act, and NIS2.

For outsourcing service providers, staying relevant in this evolving landscape means not only embracing new technologies but also navigating complex regulatory environments. By adapting to these changes and aligning their operations with current and forthcoming regulations, outsourcing service providers can continue to deliver value while ensuring compliance and mitigating risks. The future of outsourcing may be different from its past, but with thoughtful adaptation, it remains a vital and dynamic component of the business world.
