Technology & Outsourcing 2024

Last Updated October 10, 2024

Norway

Law and Practice

Authors



Advokatfirmaet Thommessen AS is considered to be one of Norway’s leading commercial law firms, with offices in Oslo, Bergen, Stavanger and London. It provides advice to Norwegian and international companies and organisations in both the public and private sectors. With approximately 300 lawyers, it covers all business-related fields of law, including M&A and corporate law (private and public transactions), banking and finance, IP, compliance and investigation, insolvency and restructuring, insurance, litigation and other dispute resolution, tax, competition, employment, real estate, technology, data protection and cybersecurity, sustainability and climate risk, and energy (ie, oil and gas, oil service and renewable energy and infrastructure).

Key Market Trends and Developments

The key market trends and developments in IT outsourcing in Norway revolve around cloud adoption, cybersecurity concerns, business-driven strategies, specialisation in the vendor market, onshoring, and the potential of AI. These trends reflect the evolving needs and priorities of Norwegian businesses in an increasingly digital and interconnected world.

Outsourcing to the cloud

Norwegian businesses are increasingly adopting cloud-based outsourcing solutions. This trend is driven by the need to renew existing IT platforms to improve cyber-resilience; enable business transformation initiatives; utilise the scalability, flexibility and cost savings offered by the cloud; as well as the desire to gain access to market-leading features. However, there is also growing concern about the potential vulnerabilities and business continuity risks associated with relying heavily on a few large-scale cloud service providers (hyperscalers).

Modernisation driven by cyberthreats

Many businesses in Norway are outsourcing their IT services to modernise their legacy systems and address cybersecurity concerns. The increasing threat levels from cybercriminals and the need for faster recovery times have become key drivers for a new wave of outsourcing and business transformation initiatives. Additionally, there is a greater regulatory focus on IT security, which further encourages businesses to renew IT infrastructure, services and outsourcing schemes in general.

Business-driven outsourcing

Outsourcing strategies are no longer solely driven by IT departments. Instead, businesses are aligning their outsourcing strategies with their overall business goals. Modern technologies have the potential to drive revenue growth and cost reduction, leading to a shift in focus from IT strategy to business strategy when it comes to outsourcing decisions.

Specialisation in the vendor market

Norwegian customers are increasingly prioritising specialised vendors for outsourcing services. Rather than adopting a single source or a monolithic outsourcing approach, businesses are seeking best-of-breed services from vendors with specific expertise. This trend reflects the growing demand for niche solutions and services, as well as the recognition that specialised vendors can offer more tailored and efficient services.

From offshoring to onshoring

The trend of offshoring IT services to low-cost countries has subsided in the Norwegian market. Instead, businesses are opting for services provided by vendors geographically located in Norway. This shift is driven by geopolitical factors, IT security concerns related to data transfers, cultural challenges experienced from earlier offshoring, increased automation in IT service delivery, and the devaluation of the Norwegian krone combined with rising wages in traditional offshoring destinations.

The promise of AI

Businesses in Norway are exploring the potential of AI for automation and efficiency gains. While there is a growing interest in AI-centric outsourcing, few businesses have identified a path to AI-driven disruption in the market. However, the general expectation is that AI will play a significant role in shaping the future of IT outsourcing.

Key Market Trends and Developments

The key market trends and developments in business process outsourcing in Norway revolve around insourcing, scale-through specialised BPO, and the potential of AI. These trends reflect the evolving needs and priorities of Norwegian businesses as they seek to optimise their operations, enhance quality and leverage emerging technologies for cost reduction and efficiency gains.

Insourcing

Norwegian businesses are increasingly bringing certain processes that are closely related to their core operations back in-house. This trend is driven by a desire for better quality and innovation. Norwegian customers have had mixed experiences with BPO, leading them to seek greater control and proximity to their critical business functions. As a result, there is an increased demand for work-for-hire and consultancy services to augment internal capabilities. This trend reflects a broader tendency among Norwegian businesses to foster closer collaboration and reduce the separation between IT and business on strategic, tactical and operational levels.

Expansion of BPO beyond cost savings

While cost savings have traditionally been a primary driver for outsourcing, businesses are now seeking additional benefits from BPO engagements. These include access to specialised skills, scalability, flexibility, innovation and increased revenues.

Rise of robotic process automation (RPA)

RPA involves the use of software robots or bots to automate repetitive and rule-based tasks. This technology is increasingly being adopted in BPO to improve efficiency, accuracy and speed of processes. RPA allows businesses to automate manual tasks, reduce costs and free up human resources for more strategic and value-added activities. Norwegian banking, financial and insurance industries have extensively leveraged RPA embedded in core solutions and customer-facing platforms for many years. The current focus seems to be to evaluate the potential for AI-driven RPA in the future.

Specialisation for niche functions

There is a growing trend towards specialisation for niche functions in certain industries. Rather than outsourcing entire business processes, businesses are increasingly outsourcing specific functions or tasks that require specialised knowledge and expertise. This allows organisations to tap into the skills and capabilities of specialised vendors who have in-depth knowledge and experience in a particular area.

The promise of AI

Businesses in Norway see AI as a potential enabler for reducing costs through automation. Many businesses are currently evaluating different AI offerings in the market, but few have successfully leveraged AI to achieve this goal. The potential of AI in BPO is still being explored, and businesses are actively seeking ways to incorporate AI technologies into their outsourcing strategies.

New technology is an engine for change in the Norwegian market and drives investment in all sectors. Below are some general trends in technological developments in recent years:

  • AI – the hype around AI has significantly influenced technology procurements in Norway. Many businesses are interested in exploring AI and are actively seeking investment opportunities. The legal profession has experienced a surge in demand for assistance in adopting AI, including establishing AI policies and regulatory assessments. While the potential for disruptive transformation through AI is recognised, few businesses have made substantial investments in AI-driven business transformation thus far.
  • Chatbots – AI and chatbots are increasingly being used as engines for customer engagement strategies, aligning with the broader trend of customer-centric business transformations. Key drivers in such transformations are improved customer experiences, cost savings, increased efficiency, scalability, data-driven insight and availability.
  • Crypto and non-fungible tokens (NFTs) – demand for blockchain, cryptocurrencies and NFTs has seemingly subsided among Norwegian businesses. Norges Bank (Norway’s central bank), along with other European central banks, is evaluating the implementation of central bank digital currency. Given the maturity of the existing payment infrastructure in Norway, the use-case for a central bank digital currency appears less clear compared to other European currencies. Norges Bank is likely to await the conclusion of the ongoing preparatory phase by the European Central Bank before reaching a conclusion on whether to adopt such measures.
  • Fintech – while the term “fintech” may have lost some of its novelty, the Norwegian financial services sector is rapidly modernising. Many businesses in this sector are digitalising core functions and updating legacy IT systems to leverage the potential of new technology, aiming to reduce costs, enhance customer experiences, and mitigate information security risks. In the Norwegian financial services market, there is currently a notable surge in core-replacement projects. This trend is bringing about diversification and enhancing the competitiveness of the vendor market, which has traditionally been dominated by a few institutional players with government backgrounds.
  • Cloud – international hyperscalers are enabling a surge of traditional software vendors to “climb the value chain”. There is a notable shift from traditional software licence models to software-as-a-service models. This has led to increased adoption of hosted platforms and solutions by customers, resulting in a fragmented technical and vendor landscape for Norwegian businesses. However, this trend has caused some friction, as the service capabilities of traditional software vendors may not always meet expectations. Managing a complex multi-vendor landscape also increases vendor management burdens for customers.
  • Smart contracts – these have potential use-cases primarily in insurance, particularly for large-scale and standardised consumer-facing applications. However, the current regulatory environment places limitations on their widespread adoption.

In Norway, IT services, in general, remain the most commonly outsourced services along with more traditionally outsourced services, such as facility management services, canteen services and accounting department services.

There is a shift from traditional IT outsourcing towards integrator services between hyperscalers and customers.

In recent years, there has also been a growing trend for Norwegian businesses to outsource their cybersecurity needs to specialised providers. This includes services like threat monitoring, vulnerability assessments, incident response, and security consulting.

In Norway, technology transactions and outsourcing are subject to various legal and regulatory frameworks, including the following.

Data Protection and Information Security

The General Data Protection Regulation (GDPR) applies in Norway, regulating the processing of personal data. Organisations must comply with GDPR requirements when handling personal data, including when engaging in technology transactions or outsourcing that involve the processing of personal data. 

Export Controls

Norway has export control regulations that restrict the export of certain technologies, goods and services to certain countries or entities. Organisations engaged in technology transactions or outsourcing must comply with these regulations to ensure compliance with export control requirements.

Sector-Specific Regulations

Certain sectors, such as the public sector, telecommunications, financial services, healthcare and energy have specific regulations and requirements that impact technology transactions or outsourcing. Organisations operating in these sectors must comply with sector-specific regulations when engaging in such transactions.

The Norwegian regulatory landscape for technology transactions and outsourcing is significantly influenced by developments in the EU. Norway’s regulations are closely aligned with those of the EU and Norway often implements EU acts and directives into its national legislation to comply with its obligations under the EEA agreement. In recent years, several EU acts and regulations have impacted technology transactions and outsourcing in Norway. These include:

  • The EU AI Act – this was published in the EU Official Journal on 12 July 2024. The EU AI Act came into force on 1 August 2024 and will be fully effective from 2 August 2026. The EU AI Act aims to establish a harmonised regulatory framework for AI systems across the EU. Once implemented in Norway, this regulation will have implications for the development, deployment and use of AI technologies in Norway, including in technology transactions and outsourcing agreements involving AI systems.
  • The NIS1 and NIS2 Directives – the EU has introduced the Network and Information Security (NIS) Directive, which sets out cybersecurity and incident reporting requirements for operators of essential services and digital service providers. Norway, as an EEA member, has implemented NIS1 through the Norwegian Digital Security Act (Digitalsikkerhetsloven). The NIS2 Directive (not yet implemented), which will further strengthen cybersecurity requirements and expand the scope of the directive, will affect many Norwegian businesses through European operations and subsidiaries, supply chains and more. These directives will impact technology transactions and outsourcing agreements involving critical infrastructure and digital services. See also 2.3 Restrictions on Data Processing or Data Security.
  • DORA – this is the directive on digital operational resilience in the financial sector. DORA introduces a common regulation of IT security for the entire financial sector. In this regard, particular emphasis is placed on the principle of “same activity, same risk, same rules” to ensure adequate consumer protection and a level playing field between existing financial institutions and new market players. The regulation applies to almost all financial institutions as well as certain technology providers. The regulation establishes requirements for:
    1. establishing internal frameworks for managing information and communication technology (ICT) risk in organisations;
    2. the role of management in ICT risk assessments;
    3. monitoring the security and operation of ICT systems;
    4. reporting ICT-related incidents; and
    5. regular testing of operational resilience.

In the banking, pensions and insurance sectors, there are industry-specific restrictions on outsourcing in the Norwegian market, including the Norwegian ICT regulation and the Norwegian Financial Supervision Act, which impose several strict requirements on these sectors in terms of outsourcing, information security, vendor management and auditing. Notably, for outsourcing agreements entered into by Norwegian financial institutions, the Norwegian Financial Supervision Act requires all outsourcing agreements to be notified to the Norwegian Financial Supervisory Authority no later than 60 days before coming into force and before any subsequent changes, and before substitution of an outsourcing service provider. These restrictions will be further complemented and reinforced when DORA is implemented in the EU.

For Norwegian enterprises, the Norwegian Transparency Act, which came into force in 2022, has also had an impact on outsourcing activities across all sectors, as enterprises that fall under the act are responsible for ensuring that outsourcing partners and suppliers comply with fundamental human rights, including the right to privacy, and the right to fair labour conditions. This requires due diligence and monitoring of outsourcing partners, and results in an obligation to terminate an outsourcing agreement in case of breach.

International Data Transfers

In July 2023, a new EU-US Data Privacy Framework for transfers of personal data between the USA and the EU was approved by both parties. This decision facilitated legal transfers of personal data between the USA and EU after three years of intensive work by privacy professionals conducting data transfer impact assessments to consider whether transfers of personal data could be executed with appropriate safeguards to the USA. Max Schrems, the chair of the privacy consumer rights group NOYB (“None of Your Business”), the driving force behind the two previous EU Court of Justice rulings prohibiting data transfers to the USA (often referred to as the Schrems I and Schrems II rulings), has already stated that the EU-US Data Privacy Framework will also be challenged in court. Following the implementation of the EU-US Data Privacy Framework, the focus on international data transfers has been significantly reduced in the Norwegian market, and by the Norwegian Data Protection Authority (Datatilsynet). However, Datatilsynet is still an active voice both in Norway and on an EU-level in terms of international data transfers, especially for large platforms like X, TikTok and Meta. For example, Datatilsynet has concluded that there cannot legally be a Facebook page for Datatilsynet in Norway, and following this conclusion several other public authorities, including the Norwegian Tax Directorate, have followed suit and disabled their Facebook pages. It is expected that there will be continued enforcement of the GDPR, also in terms of the data processing of global platforms, going forward.

Increased Government Oversight of Data Security

There has been increased regulatory scrutiny in terms of data security in the Norwegian market, as in the EU in general. This is both a consequence of the international trend of increased cybersecurity attacks, and due to increased media attention and awareness of cyber-related threats. In the last year, the highest regulatory sanction for breaches of data security in the Norwegian market was awarded by the Privacy Appeals Board (Personvernnemda) to the municipality of Østre Toten, following a ransomware attack against the municipality in 2021. Personvernnemda agreed with Datatilsynet’s decision to issue a regulatory fine of NOK4 million (approximately EUR340,000) to the municipality for lack of appropriate security measures and internal controls.

A proposal for a new Electronic Communications Act was presented to the Norwegian parliament on 12 April 2024, signalling increased supervision and the greater involvement of authorities in the data centre industry. This reflects society’s growing dependence on data centre services and an increasingly heightened threat landscape. The new rules will primarily affect providers in the data centre industry, but the customer side may also potentially be impacted. The proposed legislation includes the following requirements for the data centre industry:

  • data centre operators are required to register with the relevant department before commencing operations;
  • data centre operators must provide and maintain data centre services with adequate security measures;
  • data centre operators must maintain appropriate emergency preparedness;
  • data centre operators may be required to implement necessary usage restrictions in emergency situations; and
  • the authorities are granted broad powers to specify and enforce security requirements.

Implementation of the EU NIS1 Directive

The Norwegian parliament adopted the Digital Security Act (Digitalsikkerhetsloven) in December 2023, implementing the EU NIS1 Directive. This is part of a broader effort by the Norwegian government to strengthen the legal requirements in terms of data security. However, the new act has not yet come into force.

The NIS2 Directive will not be implemented in Norway just yet, but the Norwegian government has indicated that it foresees swift implementation of the directive in due course. See also 2.1 Restrictions on Technology Transactions or Outsourcing.

In Norway, there is no specific standard contract model for outsourcing transactions that is universally recognised or mandated by law. The contract model for outsourcing transactions can vary depending on the specific needs, requirements and preferences of the parties involved.

There are a wide variety of contract models, including single-source and multi-sourcing models. The general trend is towards multi-source and away from single-source and joint venture models.

There are several recognised contract templates for IT outsourcing in Norway. The most-used contract template is the Norwegian government’s Standard Agreement (the “SSA” series) for IT procurement. The SSA series, developed by the Norwegian Digitalisation Agency (“Digdir”), provides standardised contract templates specifically tailored for IT procurement by public entities in Norway. These templates are widely used in the public sector and have gained recognition and acceptance within the industry as a whole, including in the private sector. The SSA templates aim to streamline the procurement process and provide a consistent framework for IT outsourcing contracts. They cover various aspects of IT procurement, including software development, system integration, maintenance, and support services. It is important to note that while the SSA templates provide a standardised framework, they may not cover all the unique aspects or specific requirements of every IT outsourcing transaction. Parties involved in IT outsourcing are encouraged to carefully review and tailor the contract templates to ensure they accurately reflect their intentions and address their specific circumstances.

Outsourcing transactions are made under a variety of contract models in Norway. The general trend is that businesses are increasingly moving away from single-source models and towards multi-source models. There are many drivers behind this development.

The market is gradually coming to terms with the fact that the vendor side is increasingly specialised in providing specific outsourcing capabilities. By way of example, there are few competitive “one-stop shops” for handling all service towers involved in IT outsourcing.

In response to increased specialisation, customers are adopting a “best of breed” strategy to outsourcing. In practice, this means dividing customers’ IT and business needs into smaller components and approaching the market in a targeted way to leverage vendor specialisation. The “best of breed” strategy is increasingly preferred over “monolithic” outsourcing strategies, where the driving interest for customers is to limit the number of vendors, simplifying vendor management and procurement cost. The resulting vendor and technical landscapes are increasingly leaning towards multi-vendor rather than single-vendor landscapes.

There also appear to be fewer initiatives to establish joint venture models than before. Joint venture models were more frequently used for first-generation outsourcing waves, where internal IT functions were acquired in monolithic outsourcing schemes. In recent experience, this model is decreasing in use. This is due to most customers moving from a legacy vendor to one or several new vendors, rather than from internal IT to outsourced IT.

The digital transformation, including cloud computing, software-as-a-service (SaaS) and infrastructure-as-a-service (IaaS), has had a significant impact on contract models for outsourcing transactions. 

The general trend is a movement away from bespoke services and applications, and towards scalable “factory” service models.

The trend is characterised by standardisation to enable scale. Within the realm of contract models, this means that markets increasingly negotiate contracts collectively, rather than individually as customers. Terms offered by vendors are transparent, but generally not subject to negotiation. This is apparent in cloud, SaaS and IaaS models offered by hyperscalers. 

The argument of “standardisation to enable scale” has also trickled down the value stream. By way of example, a growing number of “fake SaaS” vendors have been invoking standardisation as an argument for maintaining imbalanced legal and commercial positions. The “fake SaaS” vendors characteristically offer software to customers, hosted on IaaS enabled by hyperscalers. The software offering is not fully standardised, and the legal and commercial positions invoked as necessary enablers of scale are in fact opportunistic positions designed to optimise the specific deal. The concept of “SaaS” is invoked to build credibility, and any objections are met with the argument that scaling and price points depend on the vendor maintaining a standardised offering in the market. However, the market is increasingly adapting to this approach and effectively countering the argument where it is not applicable.

As the infrastructure components of IT services are increasingly moving from traditional, hosted IT operations to cloud, the vendor market is increasingly moving towards cloud integration services. This is a natural response to the vendor market changing, while customer needs for personal, closer-to-the-business services remain the same.

The end result is a more fragmented vendor landscape and a firm trend of customers moving away from single-source models and towards multi-source models.

Customer protections and remedies in technology transactions and outsourcing in Norway closely resemble generally applicable contract law principles, varying according to the type of transaction and outsourcing.

For project services, such as application implementation and development, as well as transition and transformation projects, customers typically rely on the following protections and remedies:

  • damages for direct loss for defects and delay, including compensation for a replacement purchase (dekningskjøp);
  • daily penalties for delay;
  • remedy of defects;
  • proportionate price reductions in the case of unremedied defects; and
  • indemnities for intellectual property infringement and breach of confidentiality obligations.

Customers are also increasingly adding protections for effort-based key performance indicators (KPIs), such as unsanctioned replacement of key personnel. For projects where continuity of personnel, as well as quality and customer knowledge play a significant role, adding protections to counter the vendor’s commercial incentive to shuffle personnel to new business is increasingly seen as a priority.

Damages are typically limited to 100% of the nominal contract value in project contracts. This is reflected in several of the standard “SSA” contractual templates published by the Norwegian government’s digitalisation directorate, which are largely adopted as market practice in the Norwegian markets.

For recurring services, including without limitation operational services, maintenance services, integrator services, etc, customers typically rely on the following:

  • service-level requirements and standardised service-level penalties;
  • damages for direct loss for defects and delay;
  • remedy of defects;
  • proportionate price reductions in the case of unremedied defects; and
  • indemnities for intellectual property infringement and breach of confidentiality obligations.

Damages are typically limited to 100% of the nominal contract value per 12 months in recurring services contracts. This is reflected in several of the standard “SSA” contractual templates published by the Norwegian government’s digitalisation directorate, which are largely adopted as market practice in the Norwegian markets.

The customer and supplier can terminate the contract depending on the type of transaction and outsourcing arrangement. In general, standard templates in the Norwegian market tend to grant customers broader exit rights than suppliers. This is because customers are often more dependent on the services and may face a greater burden in executing a termination.

Upon termination, the customer has certain rights. These may include rights related to intellectual property, data, confidential information and exit services. The specifics of these rights will depend on the terms and conditions outlined in the contract.

In cases of termination for cause, the customer is usually granted damages and may be entitled to repayment if the purpose of the agreement has failed as a result of a material breach by the supplier.

It is currently a trend to include termination fees in contract models. This means that if the customer terminates the contract early, there will be no reduction or discount in the fees owed to the supplier. Suppliers are increasingly driven by the goal of protecting revenue and will go to great lengths to defend this position.

In Norway, the recoverable losses in a contract and under the law can be categorised as follows.

Economic Loss

Direct loss

This includes the actual and immediate losses that directly result from a breach of contract or wrongful act. These losses are typically quantifiable and can include costs incurred to rectify the breach or compensate for the damage.

Indirect loss

This includes consequential or indirect losses that are not immediately apparent or quantifiable. These losses may arise as a result of the breach, but are not the direct or immediate result of the breach of contract. Examples of indirect losses can include loss of profit, loss of goodwill, or loss of business opportunities.

Loss Incurred Due to Gross Negligence or Wilful Misconduct

In terms of legal and market practice, the liability for loss of profit, goodwill and business is generally excluded, except in cases of gross negligence or wilful misconduct. This means that unless the breach or wrongful act can be proven to be a result of gross negligence or wilful misconduct, the party responsible will not be held liable for these types of losses.

Infringement claims and other losses incurred as a result of gross negligence or wilful misconduct are typically not subject to any limitation. This means that there is no cap or restriction on the amount of damages that can be claimed in such cases. The responsible party can be held fully liable for all losses incurred as a consequence of their gross negligence or wilful misconduct.

In Norway, generally applicable contract law principles contain implied terms for contracts that are also relevant for technology or outsourcing contracts.

A key source for determining implied terms for contracts in Norway is the Norwegian Sale of Goods Act of 1988. The Sale of Goods Act sets out several key contractual principles, including without limitation:

  • The requirement for deliverables to –
    1. meet the reasonable expectations of the buyer; and
    2. correspond to the description provided by the seller.
  • Standard contractual sanctions, such as remedy or repair, price reductions, recovery of damages, etc.

The Norwegian Contracts Act of 1918 governs the generally applicable contract law principles in Norway. It provides a legal framework for the formation, interpretation and determination of the validity of contracts in Norway.

In general, the cybersecurity protections and security measures required by customers in technology transactions or outsourcing agreements in Norway will vary depending on factors such as the type of service, business risk, and sensitivity of data involved.

The general trend in technology transactions and outsourcing agreements is increasing demand for industrialised and standardised services. This has shifted the focus from customer-driven security requirements to standardisation of cybersecurity protections and security measures on the vendor-side. Customers increasingly focus on risk assessments and the due diligence of the vendors’ standard offerings, rather than requiring individual measures to meet the customer’s standard for cybersecurity protections and security measures.

Common Requirements and Practices

Some common requirements and practices include the following.

Compliance with standards

Customers often require suppliers to adhere to recognised cybersecurity standards and frameworks such as ISO 27001, SOC 2, or industry-specific standards like NORMEN for healthcare. These standards provide a baseline for evaluating the supplier’s security measures.

Incident response and business continuity

Suppliers are expected to have robust incident response plans and business continuity procedures in place. The focus for customers has increasingly shifted from perimeter protection to recovery time and recovery capabilities when assessing cyber- and security risks. This includes having mechanisms to detect and respond to cybersecurity incidents promptly, as well as back-up and recovery systems to ensure continuity of services. For business-critical solutions, there has been an accelerated move away from traditional software escrow models towards escrow-as-a-service models, where entire production environments are frequently backed up and held in escrow to enable the actual recovery of business in case of disasters. In business-critical solutions, customers also typically expect performance guarantees from the suppliers’ parent company to de-risk situations where the contracting supplier is a subsidiary.

Data protection and privacy

Control of data and privacy considerations is a key concern for customers. Suppliers may be required to implement measures to protect data confidentiality, integrity and availability, including data encryption, secure data storage, and compliance with data protection regulations such as the GDPR.

Third-party validation

Customers expect robust mechanisms for third-party audits or assessments to validate suppliers’ security measures and to provide assurance to customers that cyber-risk is within acceptable thresholds. 

Common Contractual Clauses

In technology transactions and outsourcing agreements in Norway, customers often include contractual clauses to help manage and measure the supplier’s performance. The specific clauses can vary depending on the type of service being provided. Some common contractual clauses for performance measurement and management include the following.

Acceptance test and criteria clauses

For projects involving implementation of IT applications, business transformation, establishment of infrastructure and services, etc, customers may include clauses that outline the acceptance testing process and criteria. These include defining the criteria and procedures for testing and accepting the deliverables or milestones. Clauses may specify the acceptance criteria, testing methodologies, and the customer’s right to reject non-compliant deliverables.

Service level agreements (SLAs)

For recurring services such as IT operations, application maintenance, IT help desk/user support and BPO, customers often include SLAs to define the expected performance levels. SLAs typically include measurable metrics such as up time, availability, response time, resolution time, and other key performance indicators. The clause may specify the target performance levels, consequences for non-compliance, and the process for monitoring and reporting performance.

Key performance indicators (KPIs)

Customers may include clauses that define specific KPIs, relevant to the service being provided. These KPIs could include metrics related to efficiency, quality, customer satisfaction, or any other performance indicators that are important to the customer. The clause may outline the measurement methodology, reporting frequency, and any associated incentives or penalties based on the achieved performance.

Continuous improvement and innovation

Some agreements include clauses that encourage continuous improvement and innovation from the supplier. This may involve periodic performance improvement plans, innovation initiatives, or the establishment of joint governance bodies to drive collaboration and improvement.

Sanctions and liability

Customers often include provisions related to sanctions and liability to further manage and measure the supplier’s performance in technology transactions and outsourcing agreements in Norway. These clauses help ensure that the supplier is held accountable for any deviations from contractual commitments. With the addition of an effective penalty for non-delivery, suppliers are incentivised to course-correct during delivery.

Incentives and bonus structures

Some agreements include bonus structures tied to defined KPIs. Bonuses act as incentives to encourage the supplier to achieve or exceed performance targets. A typical incentive structure used in Norwegian project contracts is the target-price model, which contains an incentive (bonus) and penalty (malus) element to the supplier’s estimate. The target-price model is used to incentivise effective delivery and reduce the risk of overruns (compared to time-and-material price models). 

When technology or outsourcing is cloud-based, there are some specific considerations to keep in mind regarding the contract terms.

Limited Commitment and Sanctions

Cloud service providers typically offer standardised service levels and commitments due to the scale and multi-tenancy nature of cloud services. Cloud vendors are, to a greater degree than traditional IT vendors, incentivised not to aggressively anchor standard terms and conditions, as this will increase cost of acquisition and hinder scalability. On the other hand, cloud models will present standard terms and conditions as non-negotiable, or largely non-negotiable, in the market to enable scale. Generally, the level of commitment and potential for sanctions are more limited in cloud agreements compared to traditional technology or outsourcing agreements. Cloud agreements grant vendors greater flexibility and lower liability per individual customer compared to traditional IT agreements. Customers are expected to trust that market forces and competition will play a significant role in regulating the quality and performance of cloud services instead of direct contractual enforcement. Hyperscalers typically limit discounts to three years with no or limited commitments to maintain specific features or functionality in SaaS offerings. In some cases, this is ignored by customers when investing in the cloud, causing hardships shortly after the implementation of business-critical cloud-based systems.

Need for System Integrators (SIs)

Cloud-based services often involve separate agreements for different service elements. For example, customers procuring infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS) will typically require integrator services from local or regional vendors to cover their needs. Integrator services are procured under separate agreements with their own terms and conditions. SIs are expected to cover the gaps between customer needs and standard cloud offerings. This increases complexity, compared with traditional IT outsourcing, where vendors presented “one-stop shop” solutions for customers’ IT needs. In some cases, when SIs or outsourcing partners are involved in delivering cloud-based services, customers may impose stricter contractual clauses to ensure compliance, data protection, and security measures. This is particularly important when sensitive or regulated data is involved and when cloud services are a key component in business-critical outsourcing.

Be Aware of the Concept of “Fake Cloud” or “Cloud-washing”

It is important to be aware of the concept of “fake cloud” or “cloud-washing”, where a service may be marketed as cloud-based but does not fully meet the characteristics and benefits of true cloud services. Customers should carefully evaluate the provider’s capabilities and ensure that the contract terms accurately reflect the nature of the services being offered. The traditional trade-offs when procuring cloud, such as lack of enforceable commitments and price predictability, are only earned when a credible scale and level of standardisation has been achieved.

It is crucial for customers to thoroughly review and understand the terms and conditions of cloud-based services, including any separate agreements, to ensure that their specific requirements and concerns are adequately addressed.

Employee Transfers Subject to the Rules on Transfers of Undertakings

Transfers of employees in connection with outsourcing may be subject to the rules on transfers of undertakings in the Norwegian Working Environment Act (WEA), depending on the extent to which assets and/or employees are transferred as part of the outsourcing. Chapter 16 of the WEA implements the Acquired Rights Directive (Council Directive 2001/23/EC) from the EU. Generally, the Norwegian legislation on transfers of undertakings is similar to that of other EU/EEA countries and contains the same elements.

A transfer of undertaking as an autonomous unit

According to the WEA, a transfer of undertaking refers to the transfer of an autonomous unit that maintains its identity after the transfer. In cases where all assets and employees of a legal entity are transferred together, this criterion is typically met. However, when only certain parts of an undertaking are transferred, an assessment must be made to determine if the transferred assets form an autonomous unit. An autonomous unit is a collection of resources organised for the purpose of conducting economic activities, whether it is a primary or secondary activity. Therefore, there is a requirement for organisation and the inclusion of employees and/or assets within the unit.

Maintaining the unit’s identity and continuing its activities

The autonomous unit must also maintain its identity and continue its activities after the transfer. Firstly, the substance of the unit must be transferred to the new employer. If the identity of the unit is primarily defined by its personnel, such as IT service companies or accounting firms, a majority of the employees in the unit must be transferred to the new employer. On the other hand, if the identity of the unit is primarily defined by its assets (bus companies being one such example), a majority of the assets must be transferred. Therefore, simply outsourcing the performance of an economic activity without transferring the relevant assets and/or employees is not sufficient to be considered a transfer of undertaking.

Obligation to inform and consult with the employees and employee representatives

The main consequences of an outsourcing qualifying as a transfer of undertaking according to the WEA are that the transferring and acquiring companies have an obligation to inform and consult with the employees and employee representatives, and that the employment relationships of employees connected to the business unit being outsourced will be transferred as is to the acquirer. The transfer of undertaking regulations imply that the new employer cannot make unilateral changes in contractual terms and conditions in the (continued) employment relationship, and the transfer cannot itself constitute a valid reason for termination of employment.

Parties involved in the outsourcing

It is market practice to consider and comply with the rules on transfers of undertaking when applicable. As explained above, the applicability of these rules depends on what assets or employees are included in the transfer. This means that the parties involved in the outsourcing can influence whether or not the rules apply depending on how the transaction is structured. Therefore, the decision of whether to structure the transaction in a way that triggers a transfer of undertaking is often part of the commercial discussion between the parties when outsourcing certain business activities.

The decision to outsource all or some of a company’s business activities will typically be subject to consultation requirements.

Pursuant to Chapter 8 of the WEA, companies that regularly employ at least 50 employees are obliged to inform about and discuss issues of importance to the employees’ employment relationships with the employees’ elected representatives. An outsourcing decision will typically be considered as an issue of importance to the employees’ employment relationships, which triggers such information and consultation requirements. The consultations must be carried out as early as possible and before any final decision is made by the company.

As discussed above in 5.1 Employee Transfers, outsourcing may also be subject to the rules on transfers of undertakings in Chapter 16 of the WEA, which sets out specific information and consultation requirements in connection with transfers of undertakings.

Additional consultation requirements may also follow from collective bargaining agreements.

The preferences for onshore, offshore or nearshore resources can vary depending on various factors such as the nature of the services, cost considerations, language requirements, cultural compatibility, time zone differences, and data protection regulations.

However, it is worth noting that in recent years, there has been a growing trend towards nearshoring or onshoring in outsourcing transactions. This is driven by factors such as the desire for closer proximity, cultural alignment, easier collaboration, and potential cost savings compared to offshore outsourcing. Nearshoring, which involves outsourcing to countries in close geographic proximity, can offer advantages such as similar time zones, cultural affinity, and easier travel and communication. The trend of nearshoring and onshoring is particularly clear in outsourcing of functions that are closer to the business and in cases involving personal data, business-critical data or other data involving regulatory or business risk when outsourcing.

Offshoring to countries with lower labour costs and specialised expertise still remains a popular option for certain types of services or industries. Offshore outsourcing can provide cost advantages and access to a larger talent pool in specific domains. Testing, dev-factories and other services that require large or specialised effort are also still being offshored to countries outside the EEA.

Work from home is subject to requirements set out in the Norwegian Home Office Regulation. Pursuant to this Regulation, employers are required to enter into a written home office agreement with all employees working from home, unless the work from home is only short term or occasional.

The home office agreement must cover the following topics:

  • the scope of the work from home;
  • working hours for home office work;
  • any provisions regarding when the employee must be available to the employer;
  • if the agreement is temporary, the expected duration;
  • any provisions on the right to amend or terminate the home office agreement, deadlines for such termination, etc;
  • any provisions on a probationary period for the home office arrangement;
  • ownership, operation and maintenance of equipment; and
  • any provisions on case management, confidentiality and storage of documents.

An important consideration for employers when deciding whether, and how, to permit remote working is the need to strike a balance between offering flexibility to individual employees on the one hand, and on the other, maintaining a good working environment and shared culture in the organisation by requiring employees to come to the office.

Advokatfirmaet Thommessen AS

Ruseløkkveien 38
0251 Oslo
Postboks 1484 Vika
NO-0116
Norway

+47 2311 1111

pak@thommessen.no www.thommessen.no/en/

Trends and Developments



Introduction

In the following article, the aim is to provide readers with an account of current trends and challenges related to outsourcing in the Norwegian market. The emphasis is on IT outsourcing and the accounts are based on anecdotal evidence gathered from our legal practice in Norway.

In the sections below:

  • we describe some general IT outsourcing trends in Norway;
  • we outline certain impacts of increasing security threats on IT outsourcing;
  • we outline certain impacts of the adoption of the cloud in the Norwegian market;
  • we give a high-level overview of the regulatory landscape impacting outsourcing agreements in Norway; and
  • we summarise recent trends and regulatory developments in the financial sector in Norway.

Multi-source and “Best of Breed” Outsourcing

In the Norwegian market, there has been a noticeable shift from single-source outsourcing models to multi-source models. This trend is driven by several factors and has significant implications for businesses engaging in IT outsourcing.

One key driver is the recognition that vendors are becoming increasingly specialised in providing specific outsourcing capabilities. Customers are therefore moving away from sourcing from a single vendor that can handle all IT service needs. Instead, businesses are realising that leveraging the expertise of multiple specialised vendors can lead to better outcomes.

This shift towards multi-source outsourcing is also influenced by the adoption of a “best of breed” strategy to outsourcing and procurement. Rather than relying on a single vendor for all their IT and business needs, organisations are breaking down their requirements into smaller components. They then approach the market in a targeted manner, selecting vendors with specialised expertise in each specific area. This approach allows businesses to leverage the best available expertise for each component, resulting in improved quality, innovation and cost-effectiveness.

The “best of breed” strategy is increasingly preferred over monolithic outsourcing strategies, where the primary goal is to limit the number of vendors for the sake of simplicity in vendor management and procurement. As a result, the vendor and technical landscapes are shifting towards a multi-vendor environment. This shift provides businesses with greater flexibility, access to specialised skills, and the ability to adapt to changing technology trends.

By embracing multi-source and “best of breed” outsourcing, businesses in Norway can optimise their outsourcing arrangements and achieve better outcomes. However, it is important for organisations to manage vendor relationships carefully, to ensure effective co-ordination among multiple vendors, and to maintain strong governance and oversight to maximise the benefits of this approach. The organisational changes needed to shift from single-source to multi-source can be challenging.

Overall, the rise of multi-source and “best of breed” outsourcing reflects the evolving nature of the market and the growing recognition of the value of specialised expertise. For international vendors, this increasingly opens up the playing field for niche players with strong product offerings, as well as for hyperscalers offering standardised cloud-based services to Norwegian customers. It also highlights the value for international vendors wishing to penetrate the Norwegian market of establishing strong business relationships with local and regional integrators who can leverage trust, cultural fit and value-adding capabilities to increase access to the local market.

Outsourcing to Face Increasing Security Threats

In the report “National Digital Risk 2023” (Nasjonalt Digital Risikobilde 2023) the Norwegian Security Authority (“NSM”) highlighted waves of denial-of-service attacks from pro-Russian actors and increased professionalism in the attack chain as key risks for Norwegian businesses. Additionally, the maturation of AI technology was identified as a key driver behind more sophisticated cyber-attacks in the Norwegian market. The heightened digital threat has prompted various new legislative initiatives. The general legislative and regulatory trend is to move towards stricter requirements for IT security and enforcement through penalties. By way of example, this trend is reflected in the introduction of EU regulations such as the Network and Information Security (NIS)2 Directive. It is also reflected in new requirements for data centre operators, expected to be implemented in Norway through the Norwegian Electronic Communications Act.

The following broad characteristics are relevant for many Norwegian businesses facing this new, more threatening landscape and regulatory developments: 

  • Old fun – Norwegian businesses have historically been early adopters of IT. However, previous generations of outsourcing of business-critical technology have been costly and burdensome, and there has been little willingness to replace outdated systems. As a result, many companies have accumulated significant technical debt and become dependent on outdated functionality.
  • Patchwork solutions – Over time, new needs have been addressed through individual procurements, development of new systems, and customer-specific customisations to existing technology. Automation and data flow requirements have been met through standalone integrations with older databases and solutions. The result is a patchwork of integrations and data structures.
  • End of life – Suppliers of older technology have either completely or partially ceased maintenance of business-critical systems and solutions. Functionality has been sustained over time through non-scalable solutions. As a result, many companies are left with systems that are vulnerable to attack and lack necessary support.

Against this backdrop, it becomes clear that many companies find themselves in a situation where the probability of cyber-attacks is high, and the potential damage to their business could be devastating. This poses significant commercial, operational and regulatory challenges. The clean-up process is no easy task.

The clean-up often involves larger transformation projects that address the entire or significant parts of a company’s IT portfolio. Key drivers for such outsourcing have traditionally been cost reduction, access to expertise and specialisation, scalability and flexibility, robustness and access to new technology. However, we now see that cyber-risk is increasingly becoming a triggering factor for such outsourcing decisions. Businesses undergoing such transformations will typically target industrialised, scalable and cloud-based technology and services, as this offers robust, interchangeable and commercially competitive alternatives. However, customer-specific needs, commercial predictability and a lack of internal transformation readiness cause significant challenges.

The Cloud is Driving Changes in the Market

The rapid advancement of technology has brought about significant changes in the way businesses operate. One of the most notable developments in recent years has been the increasing market shares of cloud services.

Factory service models

In today’s business landscape, there is a clear trend towards scalable “factory” service models, as opposed to bespoke services and applications. This shift is driven by increasing adoption of cloud-based services. The shift towards scalable “factory” service models also offers advantages, such as faster time-to-market, increased agility, and improved efficiency. By leveraging pre-built solutions and standardised processes, businesses can accelerate their development cycles and focus on delivering value to their customers. However, it is important to note that while scalable “factory” service models provide many benefits, they may not always meet the unique requirements of every organisation.

The rise of the service integrator (SI)

As the infrastructure components of IT services continue to move from traditional hosted operations to the cloud, the local and regional vendor market is responding by offering cloud integration services. This is a natural response to the changing vendor landscape, while customer needs for personalised services closer to the business remain the same. The shift towards cloud integration services further contributes to the fragmentation of the vendor landscape.

Software vendors

International hyperscalers are playing a significant role in enabling traditional software vendors to “climb the value chain”. There is a notable shift from traditional software licence models to managed services and software-as-a-service (SaaS) models. This transition has led to increased adoption of hosted platforms and solutions by customers, resulting in a fragmented technical and vendor landscape for businesses, particularly in Norway. This trend has also caused some friction, as the service capabilities of traditional software vendors may not always meet expectations. Managing a complex multi-vendor landscape also increases vendor management burdens for customers.

Fake SaaS

It is important to be aware of the concept of “fake SaaS” or “SaaS-washing”, where a service may be marketed as SaaS but does not fully meet the characteristics and benefits of true SaaS. The typical example is software vendors providing hosted solutions based on infrastructure-as-a-service (IaaS) platforms enabled by hyperscalers with limited standardisation and scale. Customers should carefully evaluate the provider’s capabilities and ensure that the contract terms accurately reflect the nature of the services being offered. The traditional trade-off when procuring SaaS, such as lack of enforceable commitments and price predictability, is only earned when a credible scale and level of standardisation have been achieved.

In-house IT

In recent years, there has been a shift in the role of in-house IT departments. Traditionally, IT departments were primarily responsible for managing and maintaining an organisation’s technology infrastructure and providing technical support to employees. However, with the advancement of technology and the increasing importance of digital transformation, IT departments are now playing a more strategic role in driving business development and innovation. This shift is driven by several factors. First, technology has become a critical component of business operations, and organisations are recognising the need for IT to align with business goals and objectives. IT departments are now expected to contribute to the overall business strategy and help drive growth and competitive advantage. Second, the rise of cloud computing and outsourcing has allowed organisations to offload routine IT operations to external service providers, freeing up in-house IT teams to focus on more strategic initiatives. This has enabled IT departments to shift their focus towards innovation, digital transformation, and leveraging technology to drive business value.

Lastly, the increasing complexity and rapid pace of technological advancements require IT departments to stay ahead of the curve and proactively identify opportunities for business improvement. This includes exploring emerging technologies, such as artificial intelligence and big data analytics, and determining how they can be leveraged to enhance business processes and create new revenue streams. Overall, the shift of in-house IT departments towards business development and strategy reflects the evolving role of technology in organisations and the need for IT to be a strategic partner in driving business success.

Regulatory Landscape

In Norway, outsourcing is subject to various legal and regulatory frameworks, including data protection and information security regulations such as the General Data Protection Regulation (GDPR). Organisations must comply with GDPR requirements when handling personal data in technology transactions or outsourcing agreements.

Additionally, certain sectors in Norway, such as telecommunications, financial services, healthcare and energy, may have specific regulations and requirements that impact technology transactions or outsourcing.

Organisations operating in these sectors must comply with sector-specific regulations when engaging in such transactions.

The Norwegian regulatory landscape for technology transactions and outsourcing is significantly influenced by developments in the EU. Norway aligns closely with EU regulations and often implements EU acts and directives into its national legislation.

Some recent EU acts and regulations that will impact technology transactions and outsourcing in Norway include:

The AI Act

The EU AI Act aims to establish a harmonised regulatory framework for AI systems across the EU. Once implemented in Norway, this regulation will have implications for the development, deployment and use of AI technologies, including in technology transactions and outsourcing agreements involving AI systems.

The NIS1 and NIS2 Directives

The NIS Directive sets out cybersecurity and incident reporting requirements for operators of essential services and digital service providers. Norway, as an EEA member, is likely to implement NIS1 through the Norwegian Digital Security Act, which has been proposed to, but not yet ratified by, the Norwegian parliament. The EU is also working on the NIS2 Directive, which will further strengthen cybersecurity requirements and expand the scope of the directive. These directives will impact outsourcing agreements involving critical infrastructure and digital services.

DORA

DORA (Directive on Digital Operational Resilience in the Financial Sector) introduces a common regulation of IT security for the entire financial sector. It establishes requirements for managing information and communications technology (ICT) risk, monitoring security and operation of ICT systems, reporting ICT-related incidents, and testing operational resilience. DORA will apply to almost all financial institutions and certain technology providers.

Overall, these legal and regulatory frameworks in Norway, influenced by EU developments, will play a crucial role in governing technology transactions and outsourcing, ensuring data protection, information security and compliance with sector-specific regulations.

Outsourcing to Financial Institutions

The Norwegian financial services market was one of the early adopters of IT outsourcing, but this has led to some challenges, including technical debt. Technical debt refers to the accumulated cost and complexity of maintaining outdated or poorly designed IT systems.

To address these challenges, there is currently a notable surge in core-replacement projects in the Norwegian financial services market. These projects aim to replace outdated and legacy systems with modern, more efficient and scalable core solutions. This trend is bringing about diversification and enhancing the competitiveness of the vendor market, which has traditionally been dominated by a few players with government origins.

The banking, pensions and insurance sectors in Norway have industry-specific restrictions on outsourcing. These restrictions are imposed by regulations such as the Norwegian ICT-Regulation and the Norwegian Financial Supervision Act. These regulations impose strict requirements on these sectors in terms of outsourcing, information security, vendor management, and auditing.

For example, the Financial Supervision Act requires all outsourcing agreements to be notified to the Norwegian Financial Supervisory Authority no later than 60 days before coming into force, and before any subsequent changes, or substitution of the outsourcing service provider. This ensures that the authorities are aware of the outsourcing arrangements and can assess their potential impact on the stability and security of the financial sector.

The implementation of DORA in the EU will further complement and reinforce existing outsourcing requirements. The aim of DORA is to enhance the resilience of the financial sector by imposing additional requirements on outsourcing, information security and operational resilience.

Overall, while the Norwegian financial services market is a mature industry in terms of IT outsourcing, there are specific regulations and restrictions in place to ensure the security and stability of the sector. The surge in core-replacement projects and other business transformation projects is a response to the challenges posed by technical debt and aims to modernise and enhance the competitiveness of the market.

Advokatfirmaet Thommessen AS

Ruseløkkveien 38
0251 Oslo
Postboks 1484 Vika
NO-0116
Norway

+47 2311 1111

pak@thommessen.no www.thommessen.no/en/