Technology & Outsourcing 2024

Last Updated October 10, 2024

Sweden

Law and Practice

Authors



Bird & Bird is an international law firm that supports organisations being changed by the digital world or those leading that change. The firm has over 1,600 lawyers in 32 offices across Europe, North America, the Middle East, Asia Pacific and Africa. Bird & Bird’s lawyers combine exceptional legal expertise with deep industry knowledge and refreshingly creative thinking to help clients achieve their commercial goals. The firm’s technology sourcing practice advises on a comprehensive range of technology transactions, which include complex outsourcings and managed services deals, system implementation projects, telecoms infrastructure and regulatory matters, strategic alliances and collaboration agreements, cloud computing deals, and contracts for deploying AI and blockchain-based solutions.

The global market for IT outsourcing continues to grow. Even companies in industries previously considered to have low outsourcing activity have started to outsource more. Advantages such as scalability, competence and cost efficiency are the main reasons for which outsourcing is considered favourable to using in-house skills. IT has always been an essential tool for companies. Through strategic outsourcing, companies can increase their IT skills, and therefore improve and develop their core business to become more competitive in the market.

That said, the last couple of years have also seen an increasing reliance on insourcing. This is where companies take back their outsourced functions, utilising their in-house skills, mainly for flexibility and swifter processes, and to ensure robust cybersecurity management.

Automation and artificial intelligence (AI) services have been identified as major trends within IT outsourcing in Sweden. AI has been centre stage for some time now, with the last couple of years a boom in terms of AI system adoption. Since building and maintaining AI systems is time-consuming, costly and requires expertise, AI-as-a-Service (AIaaS) has entered the picture as a new, popular “as-a-Service” model, attracting all kinds of companies. The concept of AIaaS allows companies to rely on the infrastructure and expertise of external AIaaS providers that can supply their customers with various AI applications and functionalities through the cloud. It is worth bearing in mind that the adoption of AI generally triggers several legal issues surrounding data privacy, cybersecurity, intellectual property and regulatory matters.

As touched upon above, another key trend within IT outsourcing among Swedish companies is the current focus on cybersecurity. Recent years have seen increased cyber-attacks and security incidents in Sweden, and companies are implementing measures to counter the associated risk. For some, this means outsourcing cybersecurity operations to service providers with expertise cybersecurity, while others choose to do the opposite, investing in in-house capabilities.

Cloud computing continues to grow, with Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) the most frequently deployed options.

Since outsourcing projects are becoming increasingly complex, both the customer and the supplier tend to assign advisors that have extensive experience with large, complex and operation-critical transactions. The idea is to assign legal experts that provide advice from a commercial and strategic perspective and that have an in-depth understanding of the commercial and technical conditions of the industry in question.

In addition, customers are now preparing for outsourcing further in advance than before. One reason for this is the extreme focus of outsourcing agreements recently, on data privacy and cybersecurity, in particular. This means that much more time is spent at the preparation stage of an outsourcing project, and that legal experts are involved earlier than previously.

Interest in IT outsourcing is notable in the healthcare and life sciences industry. In recent years, telemedicine and remote patient monitoring have become increasingly prevalent in healthcare. The shift towards remote solutions has become clear since the COVID-19 pandemic, when healthcare providers actively sought more efficient and patient-safe ways to deliver medical services. AI has also significantly transformed the healthcare landscape, offering streamlined solutions that enhance patient care and optimise medical processes. These technologies can process large amounts of data quickly and accurately, analyse complex medical data, and identify patterns and trends beyond human capability. This data-driven approach enables healthcare professionals to make more informed decisions, leading to earlier and more accurate diagnoses. AI algorithms can also predict disease outbreaks, anticipate patient needs, and optimise hospital resources, improving patient outcomes and reducing costs. Furthermore, cloud-based data management solutions have become essential tools in healthcare, providing secure, efficient, and accessible ways to store, manage, and share large volumes of medical data. One of the key benefits is scalability, allowing healthcare providers to store vast amounts of patient records, medical images, and research data without physical storage limitations. Cloud-based systems also improve data accessibility, enabling authorised healthcare professionals to securely access patient information from anywhere, promoting seamless collaboration and faster, more accurate diagnoses and treatments.

The market for business process outsourcing continues to expand, primarily because companies wish to focus on their core business while benefiting from new technologies. Business processes that have not previously been targets for outsourcing are now being outsourced to a greater extent. For small start-ups, outsourcing of business processes remains key to success.

Digitalisation, including new technology, has been identified as crucial for societal developments in Sweden. In its digitalisation strategy (“För ett hållbart digitaliserat Sverige – en digitaliseringsstrategi”, ref. N2017/03643/D), the Swedish government stresses that it wants Sweden to be the best in the world in applying digitalisation’s potential.

Emerging technologies, such as AI, Internet of Things (IoT) and robotics have also been key to the development of the outsourcing market. As mentioned in 1.1 IT Outsourcing, AI and machine learning have become increasingly popular in Sweden. Statistics Sweden, the body responsible for official statistics in the country, reported in early 2024 that the use of AI among companies in Sweden has doubled within the last five years, meaning that one out of five companies in Sweden is using some kind of AI system. Another interesting finding of Statistics Sweden is that the largest proportion of the increase stems from growth among smaller companies. However, the greatest application of AI is still being seen among larger companies.

The impact that the growing application of AI will have on outsourcing can be viewed from different angles. On the one hand, the increased demand for AI systems is boosting demand for competent service providers who can assist with the development, application and maintenance of specific AI systems. This trend could favour local contractors. On the other hand, AI systems keep getting smarter and might, in some areas, replace the need for traditional outsourcing. The same applies for robotics, which is another technology on the rise.

Another upward trend within emerging technologies that affects IT outsourcing is the Internet of Things (IoT). IoT refers to networks of interrelated physical objects that are embedded within technology that enable the exchange of data between physical objects. In simpler terms, IoT refers to items that can be connected to the internet, such as a vehicle, a smart TV and a smart monitoring system. Based on statistics from Statistics Sweden, the use of IoT has been identified as most widespread in the energy and recycling industries, followed by real estate and hospitality.

Financial institutions are showing an interest in AI and blockchain technology. In September 2024, the Swedish Financial Supervisory Authority launched an in-depth analysis to map how the Swedish financial sector uses AI, and how the companies within the industry see opportunities and challenges with the technology. Blockchain allows monetary transactions to be made in an instant, and using blockchain technology in the financial sector will most probably make the industry more competitive.

The most commonly outsourced services in Sweden are IT services, including, for instance, software development and cloud services. That said, business processes, such as human resources (HR) services, financial services, customer support services and call centre services, are also frequently outsourced.

Some of the most commonly outsourced IT services in Sweden are cloud services, which are widely utilised for document management, email, and external databases, providing scalable and flexible solutions for various organisational needs. Additionally, outsourcing IT operations and technical processing is prevalent among Swedish government agencies, municipalities, and regions. This often involves the technical processing or storage of data for the contracting authority, ensuring that data management and IT operations are handled by specialised external service providers.

It has recently been reported that companies are now looking to extend the outsourcing of simpler services, such as human resources, logistics and network services, rather than more complex functions.

There are no general legal regulations on outsourcing in Sweden.

However, outsourcing transactions in the public sector are subject to mandatory public procurement legislation, namely the Public Procurement Act (Lagen om offentlig upphandling) and the Public Procurement Act within the Supply Sectors (Lagen om upphandling inom försörjningssektorerna).

The Swedish Competition Authority (Konkurrensverket) is the supervisory authority for these sectors and the regulator on public procurement. Violation of the public procurement rules can turn out to be very expensive for the public procurer, with lengthy litigations.

There has long been some uncertainty regarding the legal conditions applicable for outsourcing by state authorities of IT operations, particularly concerning the point at which information subject to outsourcing should be disclosed. In 2023, a new provision (10 kap. 2 a §) was introduced in the Public Access to Information and Secrecy Act (Offentlighets- och sekretesslagen) to clarify the conditions under which state authorities can outsource IT operations. This provision addresses the disclosure of confidential information to third parties for technical processing or storage. It establishes that secrecy is not an absolute barrier to disclosure, allowing authorities to involve third parties for technical needs without compromising operational capabilities. Disclosures must be appropriate to the circumstances, requiring an assessment of factors such as information sensitivity and third-party security measures. The third party’s role is limited to technical functions, reducing the risk of misuse or unauthorised access. Additionally, authorities must ensure that third parties can maintain confidentiality and security, placing responsibility on the disclosing authority. This provision balances the need for confidentiality with practical information management, ensuring responsible and judicious application.

Certain regulatory restrictions in Sweden may touch upon outsourcing of information that is highly sensitive in terms of the nation’s security. Security classified information should not be part of cross-border outsourcing transactions, where it risks ending up in the hands of foreign powers. Violations of these restrictions could lead to criminal charges. The Security Protection Act (2018:585) mandates that entities engaged in security-sensitive activities must conduct security analyses and implement the necessary security measures. This includes ensuring information security, physical security, and personnel security. When outsourcing such activities, entities must enter into security protection agreements with suppliers.

An example of a violation occurred in 2015, and triggered a national scandal, when the Swedish Transport Agency (Transportstyrelsen) outsourced its IT-functions to IBM. IBM decided to run the outsourced IT functions in Eastern European countries. The Swedish Transport Agency manages information on every vehicle in Sweden, including police, military, corporate, and private vehicles. Security classified information, in this case personal data concerning individuals with a driver’s license, such as Swedish military defence pilots, agents of the Swedish security services etc, was transferred to IBM under the outsourcing agreement. When this security violation became publicly known during the summer of 2017, the director general of the Swedish Transport Agency was dismissed and was very heavily fined.

Certain sectors in Sweden have regulatory restrictions that are set by their own supervisory authority. The main rule in the regulated sectors (see below for examples of such sectors) is that the outsourcing party is responsible for any outsourcing in relation to the supervisory authority.

Regulatory restrictions regarding information security are also provided by the Swedish Civil Contingencies Agency (Myndigheten för samhällsskydd och beredskap). However, these regulations are to be interpreted as recommendations, as opposed to rules. According to the regulations, it is recommended that a customer is given the possibility in the outsourcing agreement to examine how the service provider manages information security.

The EU General Data Protection Regulation 2016/679 (GDPR) imposes significantly stricter requirements on, among other things, impact assessments and information security. Municipalities and regions handle large amounts of personal data, including sensitive personal data. When delegating the handling of such data to, for example, a supplier, it must first be ensured that the data will be handled correctly. There are also restrictions on which other countries personal data may be transferred to.

One not-so-obvious regulatory restriction that should be addressed is the regulation regarding unfair competition. The purpose of the unfair competition regulation is to ensure that outsourcing agreements that may give rise to anti-competitive effects are examined under the rules prohibiting anti-competitive agreements.

An outsourcing agreement must also comply with the rules regulating risk of abuse regarding dominant position. However, abuse of dominant position can only apply if the supplier occupies a dominant position and, after negotiations, attach conditions to the agreement that are considered abusive. In no case can the conclusion of an outsourcing agreement be considered an abuse of dominant position in itself.

According to Swedish law the parties may negotiate and decide upon the governing law in the agreement. However, some Swedish industries may have sector-specific regulations that may interfere with a contractual dispute clause if the parties have decided to not take note to such regulations.

As mentioned in 1.3 New Technology, with new technologies come new regulations that are likely to have an impact on the outsourcing of services related to these technologies.

There are several industry-specific restrictions for IT outsourcing in Sweden, some of which have seen significant developments in the past year.

The Financial Sector

The financial sector in Sweden is well regulated when it comes to outsourcing. In general, the basis for outsourcing within each financial services area (eg, payment services, investment funds, etc) is outlined in national legal acts covering each area. In addition, the Swedish Financial Supervisory Authority (Finansinspektionen) (the SFSA) has issued regulations for each area providing further details on the outsourcing arrangements. From 2019, the European Banking Authority’s Guidelines on outsourcing arrangements have constituted an additional set of rules applicable to certain types of financial institutions (eg, banks, payment services providers etc) which are also applicable in Sweden. And, finally, the EU’s Digital Operational Resilience Act (DORA) will take effect on 17 January 2025, setting out requirements for financial institutions for the outsourcing of so-called information and communication technology (ICT) services to ICT third-party service providers (ICT TPSP).

Each of the mentioned legal acts has a set of specific requirements for financial entities, as applicable. However, there are some universal rules that apply across all of them, for example:

  • an outsourcing financial entity cannot be relieved of its regulatory responsibilities due to an outsourcing agreement, and will always remain responsible for the parts of its operations that have been outsourced to a third party;
  • an outsourcing arrangement must always be documented, in writing;
  • an outsourcing agreement must contain detailed descriptions of the service covered by outsourcing and what will apply to its provision;
  • where sub-outsourcing is permitted, the provisions of the outsourcing agreement will be transferred to the sub-outsourcee; 
  • certain outsourcing types require a notification of the competent supervisory authority; and
  • audit rights will be granted to the financial institution itself, its auditors and supervisory authority.

The Healthcare Sector

In Sweden, healthcare providers must ensure that the implementation and use of digital services and technical platforms comply with legal requirements and guidelines referenced in their healthcare agreements with the healthcare administration. Providers are responsible for appointing individuals to oversee regular information security and data protection activities. All digital communication and image transfers must be managed with a focus on patient and information security, adhering to relevant laws and regulations. Healthcare providers must follow existing laws and regulations for patient safety, regardless of whether care is provided physically or digitally. The same medical guidelines and rules for record-keeping, prescription, referral management, and insurance assessments apply to digital care as to physical care.

In Sweden, the Data Protection Act (2018:218) complements the GDPR, providing additional national regulations. When outsourcing technical processing or storage of data, healthcare providers must ensure that the service providers adhere to confidentiality requirements. This includes contractual agreements on access control and encryption to protect sensitive information. Digital accessibility is mandated by the Swedish Act (2018:1937) on Accessibility to Digital Public Services to ensure that no one is hindered from using digital services due to disabilities. This law applies to public actors and private healthcare providers performing publicly funded healthcare. In summary, technology transactions and outsourcing in the Swedish healthcare sector are governed by stringent regulations focusing on information security, patient safety, and data protection, with recent updates aligning national laws with EU regulations on medical devices.

Other examples of industrial sectors that may be subject to specific regulations are: military defence, telecom, aviation, education, energy, food, gambling, medicine and medical devices, pensions, railroad transportation, security services, nuclear power, nuclear waste and water services.

As of 25 May 2018, the GDPR is the primary data protection legislation across the EU, and therefore Sweden. The GDPR regulates, among other things, how organisations should process personal data, including the measures that should be taken if another organisation is to process personal data on behalf of the organisation, and how personal data may be processed in cross-border data flows.

According to the GDPR, personal data can be transferred without restrictions between the member states of the EU/EEA. Personal data can be transferred outside of the EU/EEA under special circumstances – eg, if the European Commission has decided that the third country ensures an adequate level of data protection, or if the controller has implemented appropriate safeguarding measures, such as applying binding corporate rules (BCR) or using standard contractual clauses (SCC) and additional security measures, if deemed necessary by the controller. Cross-border data flows can also be allowed in other specific situations and occasional cases.

In addition to the GDPR, Sweden has enacted the Data Protection Act (2018:218), which provides supplementary provisions to the GDPR. This act includes specific rules for the processing of personal data in certain sectors and by public authorities, ensuring that national interests and specificities are addressed.

Recent developments in Sweden include the introduction of the EU Directive 2022/2555 on measures for a high common level of cybersecurity (the “NIS 2 Directive”), which enhances cybersecurity requirements for essential and important entities, including stricter security measures and incident reporting obligations. The NIS 2 Directive also emphasises the importance of managing supplier security and ensuring compliance through national supervisory mechanisms.

Additionally, the EU Data Governance Act 2022/868, which complements the GDPR, aims to facilitate data sharing across the EU while ensuring robust data protection and security measures.

Overall, the regulatory landscape in Sweden for data processing and data security in technology transactions and outsourcing is robust, with a strong emphasis on protecting personal data and ensuring secure cross-border data flows. Organisations must stay abreast of these regulations and implement appropriate measures to comply with both EU and national requirements.

The standard supplier customer model in Sweden is the single sourcing contract between a customer and a supplier. The outsourcing contract often includes an asset transfer from the customer to the supplier of certain assets, such as contracts and employees, that are necessary for the provision of the outsourced services. The agreements typically include detailed provisions on service level agreements (SLAs), data security, confidentiality, and compliance with relevant laws and regulations. They also emphasise the importance of due diligence in selecting service providers and maintaining transparency throughout the outsourcing relationship. The main service provider has the overall responsibility for the outsourcing and is the customer's single point of contact. Therefore, the customer generally has no control over sub-suppliers if the agreement does not contain an approval clause and/or a revision clause with regard to sub-suppliers.

Typically, these types of agreements have long duration periods, and five to eight years is not rare. Initially, the supplier must make large investments to be able to deliver cost cuts. The long duration periods are necessary so that the supplierscan depreciate and consolidatedeliveries.

From a customer’s perspective there are advantages and disadvantages to this model. The advantages are the customer’s release from responsibility and surveillance, and also the very clear benefit of not having to manage a number of suppliers, in comparison to situations of multi-sourcing. This means that the customer does not have to spend resources on identifying who is responsible for an accident. The disadvantages are that customer is dependent on a single supplier and has no direct relationship with sub-suppliers, and thus has no control over prices and services through discussions with sub-suppliers. The lack of direct relationship with the end supplying party also makes it hard for the customer to negotiate price reductions when the market prices fall.

The customer who is the contractual party to the outsourcing agreement receives the services on its own behalf. Should other members of the customer’s group receive services, this needs to be handled in the outsourcing agreement. In comparison to the UK, the Swedish jurisdiction does not give beneficiaries of the services direct enforcement rights if they are not part of the contract. 

Joint ventures and multi-sourcing contracts are frequently used contract models in Sweden, in addition to the more standard single-sourcing model.

The Swedish jurisdiction has no special regulation with regard to joint ventures (JVs). Legally, this type of venture can be any kind of legal entity or simply a contractual one. However, it is common to set up a jointly owned Special Purpose Vehicle (SPV), particularly for offshoring. There are many advantages to setting up an SPV, and therefore avoiding a contractual JV. This particularly true if the JV is regulated by Swedish law, since the Swedish Act on Co-ownership from 1904 (Lagen om samäganderätt) is not really compatible with the outsourcing age.

In some cases, the JV is set up to provide services to a single customer; in others, it becomes a new business that, in its own right, services the needs of several customers. In models where suppliers enter into a JV, they need to have a common business objective. The objective is usually that the suppliers bring together complementary products and services – eg, hardware, software and consultancy services.

This structure has several advantages for the customer, who only has to deal with a single supplier as opposed to several (see below on multi sourcing). Any service failure has nothing to do with the customer and any blame shifting that may arise will only affect suppliers – not the customer.

Joint ventures can also be set up between the supplier and one or more customers. The purpose of this model is to provide services to those customers who are also parties to the JV. This model is used when the customer wants to use the JV for a new business. The advantage is that services can be provided to other customers by using the same assets and resources, and thereby provide both the supplier and the customers with a return on their investments.

The customer may set up a JV with a local offshore partner. The customer may then leverage that local partner’s established infrastructure and local knowledge. This model can also have tax advantages.

Multi-sourcing, or selective sourcing, is quite common in Sweden. Multi-sourcing is when the customer enters into a number of agreements with different suppliers. Each supplier delivers a special part of the total delivery that is being outsourced. The outsourcing is treated as a portfolio of services rather than as a whole package. Sometimes in IT-outsourcing the customer has an integration responsibility to handle the different interfaces between the separate suppliers. One of the suppliers may also be appointed integrator, in which case the customer just holds the contractual relationship with the different suppliers. As a result, the customer can terminate a service agreement if it doesn’t function well but keep the remaining suppliers.

There are many advantages for the customer with multi-sourcing. The model gives the customer increased flexibility in terms of the duration of the agreement, which tends to be shorter than in a single-sourcing arrangement. The customer may also let the suppliers compete among themselves on different parts of the contact. The customer can therefore choose the most competitive supplier for a certain part of the service, and is not forced to choose a specific supplier. The direct link to each supplier increases the possibility of making changes in the contract or exchanging one of the suppliers without the other contractual relationships being affected. It also opens up the possibility of benchmarking for certain service elements.

On the downside, the customer has responsibility for integration, and must therefore be more competent than in the single-sourcing model. A multi-sourcing model may, again, promote a culture of finger pointing among suppliers if things go wrong. The customer therefore stands an increased risk of being held responsible for problems. Suppliers may also feel reluctant to share information and data with other suppliers, since they often are competitors. Such information or data may constitute trade secrets, or at least be dressed as trade secrets. A common way to reduce such risks is to institute an Operation Level Agreement (OLA), which stipulates how the different suppliers must co-operate. The OLA regulates how a problem should be solved when there is an incident, regardless of who is liable for the incident. The OLA ensures that confidentiality issues are resolved so that data can be shared among the suppliers. Furthermore, the OLA ensures that suppliers have the same view on intellectual property rights deriving from the results that are developed and delivered to the customer.

Digital transformation, including the adoption of cloud computing, Software as a Service (SaaS), and Infrastructure as a Service (IaaS), has significantly impacted the contract models for outsourcing transactions in Sweden. One of the most notable changes is the shift towards service-based models, where organisations increasingly purchase IT as a service rather than relying on traditional outsourcing models. This transition is driven by the flexibility, scalability, and cost-effectiveness that cloud services offer.

The emphasis on cost efficiency and standardisation has become a critical factor in outsourcing strategies. For example, the Swedish Tax Agency (Skatteverket) prioritises these aspects in its approach to outsourcing IT functions. The maturity of the market and the potential for cost savings are key considerations in the decision-making process.

However, the increasing complexity of delivery models, including the use of global resources, virtualisation, and cloud services, has necessitated robust security measures. This is particularly relevant for cloud services, which are experiencing rapid growth. Outsourcing contracts must also comply with stringent legal and regulatory requirements, especially concerning data protection and security. Certain critical services must be operated within Sweden, and personnel involved must undergo security clearance.

Each outsourcing decision requires a thorough evaluation of the appropriate sourcing model. Organisations must consider whether to fully outsource or to purchase specific resources, depending on the unique circumstances of each case. The IT outsourcing market in Sweden is relatively mature, but continuous innovation in delivery models and solutions is driving the evolution of outsourcing contracts. This includes the adoption of new technologies and service models that cater to the growing demand for digital services.

There is also a trend towards outsourcing services that span multiple areas and provide a holistic view of processes. However, these integrated services can be challenging to manage and require careful consideration of service levels and contract terms. In summary, digital transformation has led to more dynamic and flexible outsourcing contract models in Sweden, with a strong focus on service-based solutions, cost efficiency, security, and compliance with legal and regulatory standards. Organisations must carefully evaluate their sourcing strategies to align with these evolving trends and requirements.

The customer’s business is at greatest risk during the transition and transformation phase – ie, the initial transfer of operations, when a vast number of things can go wrong. Usually, exercise of termination rights or mere expiry of the term are the main remedies at this early point. However, the customer is usually protected by a series of customer-protection clauses in the agreement.

An obvious customer-protection clause to include in the contract is failure to deliver the services to the agreed service levels or failure to deliver the agreed services on time.

Price protection is very important for the customer, and customers commonly seek one of two forms of price protection:

  • “most-favoured customer” clauses, obliging the service provider to charge the lowest rates when such rates are offered to or paid by other customers from the same services; or
  • “benchmarking” of rates, charges and quality against current market standards through an independent assessment.

One of the service provider’s main contractual obligations is to protect the customer’s information and data against attacks and prohibited access. Common remedies following confidentiality breaches are fixed penalties for each breach followed by (liquidated) damages and, ultimately, immediate termination and damages.

It is important for the customer to identify all the intellectual property rights (IPR) used in the company’s business that may be outsourced and therefore might be needed by the service provider to deliver the agreed services. IPR are identified and documented in an IPR due diligence process prior to any negotiations.

All IPR internally used by the customer, including patents, designs and trademarks, that are registrable, as well as those that are non-registrable, such as copyrights, should also be identified and documented. The documentation should include details of registration number and ownership of any registered rights, including information on joint ownership and encumbrances over IPR. Any assignment agreements, licence agreements, R&D agreements, non-disclosure agreements and non-compete agreements should also be documented. For the sake of negotiation any existing or possible IPR disputes should also be identified and documented.

The customer may also perform a supplier IPR due diligence to identify IPR that belong to the supplier or a third party, which are to be used in the course of providing services to the customer. The purpose of the due diligence is to eliminate any risk of the supplier not having proper licences to third-party IPR as well as to eliminate the risk of contamination of customer IPR when using open-source software. Open-source software may not be permitted by the customer at all, but, if it is permitted, it should be checked, since the ownership of the IPR in the software might be uncertain. Open-source software is often considered as software that can be used freely; however, it is not without restrictions.

Another IPR issue that usually demands negotiation is the future ownership of the IPR that are affected by the outsourcing. When ownership of IPR has been identified, it is crucial for the parties to negotiate licences that allow each of them to use one other’s IPR and trade secrets for the purposes and the term of the outsourcing agreement. This is especially important when the supplier also provides services to the customer’s competitors. The customer should ensure that the supplier is not entitled to the customer’s IPR when providing services to third parties. The outsourcing agreement should contain mechanisms for the supplier to administrate such IPR (including registration, documentation and other protection) and make it easier to transfer the IPR back to the customer or to a third-party supplier when the outsourcing agreement is to be terminated.

Any licences from the customer to the supplier should be limited in scope and be confined to the purposes of the outsourcing. When the supplier uses sub-suppliers, an explicit consent from the customer should be a requirement for use of the licences. The agreement should also prohibit the licences from being transferred to a third party, if the customer has not given explicit consent to such transfer. The sub-supplier should, when consent is given, be subject to the same obligations as the supplier under the master outsourcing agreement.

Furthermore, the customer normally seeks to obtain relevant warranties and indemnities regarding any third-party IPR that might be affected by the outsourcing. It is important that the supplier has the right to license any IPR that are subject to the outsourcing from the supplier to the customer, or at least that the supplier indemnifies the rights in the agreement. The customer also normally should be indemnified that the supplier is responsible for any infringements in third-party IPR, provided that the IPR are used in accordance with the terms of the agreement. Additionally, the customer should ensure that licences from the supplier to the customer also include a sublicensing right, in the event that the customer needs to exercise the licence to sub-suppliers.

Newly developed IPR are often created through the use of existing IPR or data owned by the customer or a third party. It is therefore important that the outsourcing agreement specifies exactly which rights the respective party will have to the newly developed IPR. The agreement should also contain the necessary licences to the newly developed IPR to enable the parties to use the IPR in the intended manner during the term of the outsourcing agreement and following termination of the agreement.

It is important for the customer to ensure that IPR are securely acquired from the supplier’s employees and sub-suppliers. In Sweden, the main rule is that copyright assets remain with the creator; however, there is an exception for software created by an employee – such IPR belongs to the employer, and not the employee. This exception, however, does not apply to third-party consultants that have developed software for a supplier.

It is also important that the customer plans for an IPR exit strategy in the outsourcing agreement. This exit strategy may contain post-termination licence arrangements to avoid disruption of the customer’s business as far as possible.

Other examples of customer protections that can be included in the outsourcing contract are service credits, indemnities for losses under specific circumstances, loss of exclusivity, price reduction, withholding of payments, payments of interest, warranties, step-in rights in cases of underperformance, termination under specific circumstances and parent company guarantees.

Typically, the supplier warrants that services are performed in accordance with applicable laws and regulations, in accordance with good industry practice and in a timely and professional manner. The supplier may also give other specific project-related assurances.

The usual contractual remedies for failure to deliver the services to the agreed service levels or failure to deliver the agreed services on time are service credits, service debits, penalties, rectification, repair or replacement of non-performance of the services at no cost for the customer and, ultimately, termination with immediate effect of the contract. A softer way to go about this final remedy is insourcing. Insourcing is when the customer takes back some of the most critical parts of the services but uses the supplier for other parts. It should be pointed out that, in Swedish jurisprudence, penalties have not yet been considered unfairly high and brought down by the courts.

Other remedies for breach of contract under general law are price reduction, claim damages, re-performance/injunction and termination for cause.

The termination of the contract may be negotiated by the parties. However, if nothing else has been agreed upon, one party may terminate a contract with immediate effect if the other has materially breached the contract – for instance, breached their contractual obligations with gross negligence or wilful misconduct. The agreement should regulate under which conditions a party may terminate the agreement prematurely – eg, by not delivering an essential part of the service due or not paying for the services. Often, such clauses come with a time period during which conditions can be restored. If the agreement does not allow for restoration, the aggrieved party can terminate the agreement with immediate effect. Other common reasons for premature termination include a party’s insolvency, bankruptcy or amalgamation.

There are no legal regulations on the minimum or the maximum term of a contract under Swedish general law, but the term and extension of a contract in the public sector may be subject to the Public Procurement Act.

The contract usually contains provisions on post-termination efforts. While this is also something that the parties are free to agree on, we consider it standard practice to include a provision stating that the material belonging to the customer will be returned to the customer immediately upon termination. It is also not uncommon that the parties agree that the supplier will migrate the customer data to the new supplier of the customer.

The main rule in Sweden is that the aggrieved party is entitled to full compensation for harm sustained as a result of the contractual breach. The burden of proof for the extent of compensation lies with the party claiming the compensation. Full compensation includes direct losses, which are primarily fees and costs. If the contract does not go ahead, full compensation may constitute replacement costs for a new supplier, including the price difference between the old and the new supplier.

Under Swedish law there is a distinction between direct loss and indirect loss (also called consequential loss). Both direct loss and indirect loss can be recovered. However, indirect losses are often excluded in outsourcing agreements, since it is difficult to predict and calculate them. Examples of indirect losses are loss of production, loss of profit, loss of business and loss of goodwill. Examples of direct losses are performed time on the delivery of the services due to the customer’s breach of contract, costs for finding alternative solutions, or alternative production opportunities.

Clauses limiting liability are also common. Usually, these clauses clearly set out the highest amount at which to limit liability. Certain specific losses may be excluded from the limitation-of-liability clause. Often, these are also claims from a third party due to a party’s breach of contract. Examples of such claims are breach of intellectual property warranty claims, breach of proper conduct of personal data, confidentiality and security. The main rule under Swedish law is that exemption clauses are not valid if a contractual party is acting with gross negligence or wilful misconduct. Moreover, clauses limiting a party’s liability for damages related to personal injury or death have been deemed unenforceable by Swedish courts. Consequently, it has also been common practice not to limit liability in such circumstances.

The market practice is to limit the liability to direct losses and therefore exclude indirect losses, such as loss of profit and loss of business. The practice is also to limit the liability at a high level, excluding acts of gross negligence and willful misconduct.

Swedish law recognises a duty of loyalty between contractual parties for the duration of the contract – ie, both parties must assist one other to get the most out of the contract. This is especially relevant for lengthy contracts, such as outsourcing contracts. Therefore, a contractual party under Swedish law must not only defend its own interests, but should supports those of the contractual party if this is can be accommodated.

Implied terms may be used when something is not expressly treated in the contractual text. It may then be necessary to investigate whether the parties, through mutually implied terms, have agreed on specifics, and terms or purposes must be mutual between the parties. Since Swedish law contains a principle of free valuation of evidence, meaning that any circumstances may be brought into a litigation, the concept of duty of loyalty and the implied purpose would be important information for a contractual party entering into an outsourcing agreement under Swedish law.

In Sweden, customers in technology transactions or outsourcing arrangements commonly require robust cybersecurity protection and security measures to safeguard their data and ensure business continuity. The implementation of appropriate technical and organisational measures is a requirement of primary importance. Service providers are expected to conduct thorough risk analyses, plan for and manage potential incidents, and implement measures to prevent unauthorised access and external threats. These measures are essential to maintaining operational security and protecting the data being processed.

Data security and confidentiality are paramount concerns in technology transactions. Customers expect service providers to implement robust encryption methods, stringent access controls, and perform regular security audits to protect sensitive information from breaches and unauthorised access. Ensuring the confidentiality and security of data is not only a contractual obligation but also a legal requirement under various regulations, including the GDPR.

Compliance with legal and regulatory requirements is another critical aspect of cybersecurity in outsourcing arrangements. Service providers must adhere to relevant laws and regulations, such as the GDPR and the Network and Information Systems (NIS) NIS 2 Directive, which mandate stringent data protection and cybersecurity standards. The predecessor to the NIS 2 Directive – EU Directive 2016/1148 – on measures for a high common level of security for network and information systems (NIS Directive), was incorporated into Swedish law through the Act (2018:1174) on Information Security for Essential and Digital Services and the Regulation (2018:1175) on Information Security for Essential and Digital Services. The new provisions stemming from the NIS 2 Directive are currently under consultation by the Swedish Government and are expected to enter into force in the beginning of 2025. The Swedish Civil Contingencies Agency (MSB) has the authority to issue regulations related to the NIS framework and has multiple regulations in force.

Business continuity planning is essential for ensuring that services remain uninterrupted in the event of disruptions. Suppliers are expected to develop and maintain comprehensive business continuity plans that include disaster recovery strategies, regular data backups, and redundancy measures. These plans are designed to minimise downtime and ensure a rapid recovery if incidents occur, thereby ensuring the continuity of critical business operations.

Swedish outsourcing agreements often contain instruments that help the customer manage and measure the supplier’s performance. The two most common forms are:

  • service level agreements (SLA); and
  • key performance indicators (KPI).

A closely related instrument often addressed in outsourcing agreement is audit rights. Agreements usually provides a right for the customer to conduct an audit at the supplier to ensure that the supplier is carrying out work in accordance with the law and the agreement. It is worth noting that, even though the agreement gives the customer the right to enter the supplier’s premises, forcing a way in is considered a criminal offence under the Swedish Penal Code.

If the technology outsourcing is cloud-based, an extra layer of data privacy and cyber security applies. From a data privacy perspective, it is important to localise the cloud to confirm whether it is based within the EU/EEA or in a third country. If the latter applies, the restrictions and obligations explained in 2.3 Restrictions on Data Processing or Data Security must be considered.

In addition to the above, sector-specific restrictions and obligations may apply.

The Swedish rules governing employee transfers from one employer to another are far-reaching and regulated, both at EU level by Directive 2001/23/EEG on the safeguarding of employees’ rights in the event of transfer of an undertaking, businesses or parts of undertakings or businesses (the Acquired Rights Directive or ARD), and at national level in Section 6b of the Swedish Act on Protection of Employees’ Rights (Lagen om anställningsskydd).

The Acquired Rights Directive states that a transfer occurs “where there is a transfer of economic entity which retains its identity, meaning an organised grouping which has the objective of pursuing an economic activity, whether or not that activity is central or ancillary”. The ARD stipulates the minimum protection. Therefore, the laws of the Swedish Act on Protection of Employees’ Rights give, in some instances, a higher protection for employees than the ARD – an example being Section 6b of the Swedish Act on Protection of Employees’ Rights, which is applicable to all public business.

From an employment perspective, a transfer of business can occur when there is a change of employer. However, there are a number of sub-criteria to lock into this definition. In a business transfer, the new employer automatically takes over the responsibility for the contractual conditions of the previous employer. However, it is not uncommon for the new employer and the transferred employee to agree to new conditions. The new employer also takes over responsibility for obligations that have arisen prior to the transfer; therefore, it is important for the new employer to perform proper due diligence on outstanding financial obligations prior to entering into a transfer agreement and/or claim warranties.

The regulations on employee transfers are applicable to personal employment agreements as well as collective agreements. If the transferor and the transferee are bound by the same collective agreement, the agreement will be valid against the transferee. Should the transferor, but not the transferee, be bound by a collective agreement, the transferee will also be bound by the collective agreement in applicable parts. If the transferor and transferee are bound by different collective agreements, the collective agreement that the transferee is bound by prevails. However, the transferee must comply with the rules of the transferor’s previous collective agreement for one year.

The employee has the right to oppose that the employment with the current conditions is transferred to a new employer. The employee should, within a reasonable period of time (at least 14 days) of being notified about the transfer, state whether they would prefer to stay with the transferor. If an employee chooses to stay with the transferor, the employment will remain unchanged. However, the employee runs a high risk of being made redundant.

Even if the criteria set out in the Swedish Act on Protection of Employees’ Rights are not satisfied, or where there is uncertainty as to whether employee transfers will take place automatically, it is not uncommon for customers to require that the supplier contractually commit to act as though the ARD/the Swedish Act on Protection of Employees’ Rights applied, whether or not it does so by law. It is very important that the customer and the supplier agree who will be responsible for employment-related costs or liabilities. Therefore, the terms in regard to commitment to hire/employee transfers are often subject to lengthy negotiations, and the wording should be carefully considered.

The market practice in Sweden on employee transfers is that the new employer offers new conditions to the transferring employee, often with an incentive-based outcome for the employee.

Whenever the ARD/the Swedish Act on Protection of Employees’ Rights regulations apply to a transfer of employees, then a general duty to inform and consult with employees and employee representatives (eg, trade unions and works councils) arises. The timeline for such information and consultation varies, but must be assessed and addressed in the overall timeline of the project.

It is noteworthy that the transferor has an obligation to investigate whether an employee is a member of a trade union and, if so, which trade union. If an employee is a member of a trade union the transferor is obliged to consult the trade union concerned before deciding whether to transfer that employee. Not doing so may result in damage payments.

Sweden is currently experiencing a lack of domestic IT specialists. Consequently, offshoring and, in particular, nearshoring, have become increasingly popular.

There are no specific laws granting employees the right to work remotely in Sweden. Nevertheless, many employers provide remote work opportunities as part of their employer branding strategies, with the objective of achieving work-life balance and/or reducing costs.

The possibility of remote work is typically implemented through either policies or agreements. Both policies and agreements should be documented in writing, clearly outlining the terms and conditions for remote work.

Regardless of where they work, employees working remotely are subject to the same employment laws and regulations as employees who work in an office. However, remote working poses a number of challenges, including ergonomic issues, cognitive strain, reduced interaction with colleagues, blurred boundaries between work and personal time that affect working hours and mandatory rest periods, and potential feelings of isolation. It also increases information security risks. As a result, when deciding whether to allow remote work, employers often consider how to manage employee retention, loyalty, work environment standards, ensure fairness and transparency for all employees, and protect confidential information.

From a work environment perspective, employers are required to take all necessary measures to ensure a healthy work environment for remote employees. This includes providing work equipment to ensure employees can perform their tasks safely, from a physical and social perspective. Given the reduced oversight of remote workspaces, these arrangements require more effort from employees and their managers. While remote working employees need to be proactive in reporting any work environment issues, their closest managers should be adequately trained to spot and manage any red flags that may arise.

Data protection and security are critical when working remotely. Employees should be trained on proper data handling outside the office and be required to report any data protection breaches immediately. It is important to have a well-developed IT policy that outlines expectations regarding the use of technology (eg, computers, phones, cameras, microphones) and what employees should be mindful of (eg, network connections, email, internet usage), especially to delineate between personal and work use during and after working hours.

When permitting employees to work remotely from abroad on a long-term basis, employers should also be aware of potential tax implications and the possible application of local labour laws and social security regulations.

Bird & Bird Advokat KB

Norrlandsgatan 15
111 43 Stockholm
Sweden

+46 (0)85 063 2000

Stockholm@twobirds.com https://www.twobirds.com/
Author Business Card

Trends and Developments


Authors



Bird & Bird is an international law firm that supports organisations being changed by the digital world or those leading that change. The firm has over 1,600 lawyers in 32 offices across Europe, North America, the Middle East, Asia Pacific and Africa. Bird & Bird’s lawyers combine exceptional legal expertise with deep industry knowledge and refreshingly creative thinking to help clients achieve their commercial goals. The firm’s technology sourcing practice advises on a comprehensive range of technology transactions, which include complex outsourcings and managed services deals, system implementation projects, telecoms infrastructure and regulatory matters, strategic alliances and collaboration agreements, cloud computing deals, and contracts for deploying AI and blockchain-based solutions.

The Swedish outsourcing market is increasingly influenced by new technology and its risks. There has been a boom in the use of technologies such as artificial intelligence (AI), machine learning, robotics, Internet of Things (IoT) and blockchain in recent years, and the trend is not expected to cool off. Rather, we are witnessing a vast increase in companies using or looking to use new technologies in within their organisation to speed up existing processes and automate others. However, digitalisation and new technologies do not only bring exciting opportunities. They also increase companies’ exposure to cybersecurity threats, such as malware, ransomware and phishing attacks.

For these reasons, it is increasingly important to ensure that outsourcing agreements factor in the increased risks that implementing new technologies creates by establishing clear expectations on compliance, security, and risk.

The EU legislator has identified the risks related to new technologies and the trend of digitalisation and released significant new legislation tackling novel technologies such as AI, but also broader legislation on data (including non-personal data), and cybersecurity.

The EU General Data Protection Regulation 2016/679 (the GDPR) is also maturing as a result of clarifications at EU and national institutions, so it is not difficult to see that outsourcing requires due diligence if digital assets, such as data, are to be protected. Also, an unstable business environment due to geopolitical developments further complicates this already complex legal environment.

Adoption of AI

The EU Regulation 2024/1689 on Artificial Intelligence (the “AI Act”) entered into force in August 2024, making it the first comprehensive piece of legislation on artificial intelligence globally. The new AI Act requires companies to analyse their use of AI from a new viewpoint, whether as developers creating new AI solutions or as users adopting another provider’s AI solution. As such, the AI Act is likely to affect everyone in the chain.

Companies faced with the challenge of implementing AI in their organisation are increasingly turning to their Privacy & Data Protection teams to take the lead. This is no surprise, as data protection supervisory authorities across the EU are assigned the role as national implementors and lead supervisory authorities for the AI Act. Several natural synergies have also brought about this change.

While the new requirements will start to apply in increments, with the most severe restrictions taking effect six months after entering into force, companies must consider all ramifications, not least on outsourcing. The use of AI requires careful scrutiny from a data-protection and security standpoint. In particular, the use of publicly available generative AI or generative AI that learns from input requires users to consider which personal data is appropriate, if at all, for input.

On outsourcing agreements, legal teams increasingly have to consider contracting partners’ use of AI, and which protective measures to take. Some companies already stipulate that no AI must be used in particularly sensitive cases, or that AI use must be limited to closed versions that do not learn from the input of company and personal data.

Compliance With the AI Act

Legal teams will need to digest the new AI Act and take note of what is required for their specific use of the technology. Depending on the extent of AI adoption within the organisation, the compliance work required for the adoption of AI may be similar to that of the GDPR in 2018, – ie, organisational and technical systems will be put in place, together with staff training and transparency information for users.

Transparency is likely to become an even hotter topic, as the AI Act (and the already existing GDPR) requires that companies assess how AI impacts the individual. This is part of a wider EU approach to ensure human-centric AI and placing requirements on human intervention, human review and human oversight.

The issue in meeting these transparency requirements is that AI, and in particular generative AI, is complex. How a result is created, or which parameters affect the outcome of a decision are not always fully understood. The “black box” (AI systems whose internal workings are not visible or remain unknown to human users) problem will be one of the biggest hurdles in the near future. Traditional explanations are approximate guesses at best, and use of counterfactuals is likely to increase, as well as explanations such as “if this parameter had been different, this would have been the outcome”.

Requiring explanations will be particularly interesting from a contractual standpoint, when providers themselves may be unaware in how their AI systems operate.

Cybersecurity Threats and Compliance Requirements

Security measures are not only increasing in relevance due to external factors such as cybersecurity threats. Pressure is also mounting for security-sensitive companies to step up their resilience to cybersecurity threats due to new legislation from the EU. And all this is exacerbated by foreign powers attempting to impact companies using the digital realm.

The introduction of EU Directive 2022/2555 on measures for a high common level of cybersecurity (the “NIS 2 Directive”) steps up requirements versus its predecessor, EU Directive 2016/1148, on measures for a high common level of security for network and information systems (NIS Directive), aiming to prevent and mitigate increased cybersecurity threats. Combined with the AI Act and the maturing data-protection field, companies are under increasing legislative and compliance pressure; these requirements are, in turn, also imposed upon outsourcing partners to ensure compliance across the entire chain.

Contracting and due diligence processes require the involvement of IT and cybersecurity experts to ensure that the standards of suppliers and partners are up to par with both legislation and internal demands. This puts companies in a position where they either adopt the strictest requirements or have multiple solutions for different segments.

Examples using marketing tools and outsourced marketing

Compliance and contractual risks are very real; as the GDPR matures and the supervisory authorities work through their backlogs, a larger share of data protection-related cases is being seen in the CJEU.

The Swedish Authority for Privacy Protection (IMY) has recently focused on the use of Meta Pixels within marketing analytics. Most recently, IMY issued sanctions to two pharmacies that were using the technology.

In both decisions, IMY concluded that the companies, acting as data controllers, activated the automatic type of Meta pixel’s advanced matching function (AAM). Meta Pixel is a script-based tool in the form of a snippet of code that records visitors’ actions and transfers the information to Meta. The primary goal of using the Meta Pixel was to measure the effectiveness of the companies’ marketing on Meta’s social media platforms Facebook and Instagram.

During the investigations, it emerged that Meta had implemented a so-called filtering mechanism designed to detect and delete information (such as health-related data) transferred to Meta in violation of Meta’s policy. However, IMY concluded that the Meta Pixel did not contain a filtering mechanism that prevented the transfer of data to Meta. The filtering mechanism is in fact designed to filter out potentially sensitive data, but it only works after the data is transferred to Meta.

Both companies faced issues due to the improper configuration and use of Meta Pixels which led to the unintended transfer of personal data to Meta. In one case, a particular function was used without a prior risk assessment; in the other, a specific function was unintentionally activated, and poor monitoring resulted in this being undetected.

The cases exemplify the risks involved in adopting new (or established) technologies without due care internally and externally. In these instances, the internal compliance routines were lacking. However, the safety mechanisms put in place by Meta to prevent problems were also insufficient, with the result that the companies acting as controllers were fined.

What Qualifies as “Force Majeure”?

The geopolitical climate does not only impact the cybersecurity and digital space. Disruptions in supply chains, cost increases, and fluctuating currencies due to ongoing conflicts and the after-effects of the pandemic are still under discussion within the context of “force majeure”.

Recently, we have seen several commercial disputes where outsourcing companies affected by cyberattacks claim relief from liability towards their customers by citing force majeure. Whether cyberattacks should be attributed to force majeure in Sweden is highly disputed, and in the absence of case law guidance, we expect dialogue around the subject to intensify.

Generally, when determining whether a situation should be considered a force majeure event, considerable weight should be placed on the wording of the contract between parties (and particularly the force majeure clause). If the contract explicitly states that cyberattacks will be considered a force majeure event, it will be difficult to argue the opposite. If the contract does not specify that cyberattacks will be considered force majeure events, there is greater room to support this argument.

With force majeure representing very specific events, such as natural disasters and war, and cyberattacks becoming increasingly common, it is likely that the Swedish courts would conclude that a company that has not taken appropriate technical and organisational measures in advance to prevent cyberattacks will not be able to attribute cyberattacks to force majeure.

Similarly, commercial disputes have arisen over whether damages due to the war and the pandemic indirectly affecting a contract can be claimed under force majeure. While these events are specifically mentioned, it may be difficult to pinpoint how these have, for instance, affected the currency exchange rates and, therefore, the contract for long-term outsourcing arrangements.

As there is no clear guidance under Swedish law, commercial discussions to maintain long-term relationships and retain suppliers would be preferable to legal wrangles in which the party claiming damages could face a long uphill battle.

Where Does This Leave the Market Today?

Ongoing geopolitical issues are still having lasting effects on commercial disputes. However, Sweden’s outsourcing market is increasingly affected by other factors, such as the faster pace of digitalisation, adoption of new technologies and the increase in cybersecurity threats.

The adoption of AI within organisations creates challenges in data protection and cybersecurity, both for organisations implementing the technology and for those outsourcing activities to vendors utilising the technology, with the compliance burden getting heavier for both parties.

Due diligence is increasing in importance as a result, and IT and cybersecurity experts are still significantly involved, particularly as suppliers will have to apply a different set of regulations depending on the sectors in which their customers operate, and where data-intensive sectors or sectors of public importance are concerned.

On the contracting side, use of special instructions on AI in outsourcing activities as well as cybersecurity requirements is increasing, stemming from external regulations and internal requirements. However, compliance is not the only aspect affecting contracting.

The cybersecurity threat also impacts more “traditional” contracting clauses and contract law interpretation as commercial disputes on the scope of force majeure events are increasingly focused on whether cybersecurity events are covered or not. Organisations need to take a holistic approach to outsourcing and ensure that their teams, whether internal or external, are equipped with legal, technical and security skills in compliance and contracting.

As the technological advancements look to continue, these teams must also stay up to date with the latest developments in technology, interpreting “older” legislation and the most recent legislative acts as the field matures and tries to keep up with the market.

Bird & Bird Advokat KB

Norrlandsgatan 15
111 43 Stockholm
Sweden

+46 (0)85 063 2000

Stockholm@twobirds.com www.twobirds.com/
Author Business Card

Law and Practice

Authors



Bird & Bird is an international law firm that supports organisations being changed by the digital world or those leading that change. The firm has over 1,600 lawyers in 32 offices across Europe, North America, the Middle East, Asia Pacific and Africa. Bird & Bird’s lawyers combine exceptional legal expertise with deep industry knowledge and refreshingly creative thinking to help clients achieve their commercial goals. The firm’s technology sourcing practice advises on a comprehensive range of technology transactions, which include complex outsourcings and managed services deals, system implementation projects, telecoms infrastructure and regulatory matters, strategic alliances and collaboration agreements, cloud computing deals, and contracts for deploying AI and blockchain-based solutions.

Trends and Developments

Authors



Bird & Bird is an international law firm that supports organisations being changed by the digital world or those leading that change. The firm has over 1,600 lawyers in 32 offices across Europe, North America, the Middle East, Asia Pacific and Africa. Bird & Bird’s lawyers combine exceptional legal expertise with deep industry knowledge and refreshingly creative thinking to help clients achieve their commercial goals. The firm’s technology sourcing practice advises on a comprehensive range of technology transactions, which include complex outsourcings and managed services deals, system implementation projects, telecoms infrastructure and regulatory matters, strategic alliances and collaboration agreements, cloud computing deals, and contracts for deploying AI and blockchain-based solutions.

Compare law and practice by selecting locations and topic(s)

{{searchBoxHeader}}

Select Topic(s)

loading ...
{{topic.title}}

Please select at least one chapter and one topic to use the compare functionality.