The global market for IT outsourcing continues to grow. Even companies in industries previously considered to have low outsourcing activity have started to outsource more. Advantages such as scalability, competence and cost efficiency are the main reasons for which outsourcing is considered favourable to using in-house skills. IT has always been an essential tool for companies. Through strategic outsourcing, companies can increase their IT skills, and therefore improve and develop their core business to become more competitive in the market.

That said, the last couple of years have also seen an increasing reliance on insourcing. This is where companies take back their outsourced functions, utilising their in-house skills, mainly for flexibility and swifter processes, and to ensure robust cybersecurity management.

Automation and artificial intelligence (AI) services have been identified as major trends within IT outsourcing in Sweden. AI has been centre stage for some time now, with the last couple of years a boom in terms of AI system adoption. Since building and maintaining AI systems is time-consuming, costly and requires expertise, AI-as-a-Service (AIaaS) has entered the picture as a new, popular “as-a-Service” model, attracting all kinds of companies. The concept of AIaaS allows companies to rely on the infrastructure and expertise of external AIaaS providers that can supply their customers with various AI applications and functionalities through the cloud. It is worth bearing in mind that the adoption of AI generally triggers several legal issues surrounding data privacy, cybersecurity, intellectual property and regulatory matters.

As touched upon above, another key trend within IT outsourcing among Swedish companies is the current focus on cybersecurity. Recent years have seen increased cyber-attacks and security incidents in Sweden, and companies are implementing measures to counter the associated risk. For some, this means outsourcing cybersecurity operations to service providers with expertise cybersecurity, while others choose to do the opposite, investing in in-house capabilities.

Cloud computing continues to grow, with Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) being the most frequently deployed options.

Since outsourcing projects are becoming increasingly complex, both the customer and the supplier tend to assign advisors that have extensive experience with large, complex and operation-critical transactions. The idea is to assign legal experts that provide advice from a commercial and strategic perspective and that have an in-depth understanding of the commercial and technical conditions of the industry in question.

In addition, customers are now preparing for outsourcing further in advance than before. One reason for this is the extreme focus of outsourcing contracts recently, on data privacy and cybersecurity, in particular. This means that much more time is spent at the preparation stage of an outsourcing project, and that legal experts are involved earlier than previously.

Interest in IT outsourcing is notable in the healthcare and life sciences industry. In recent years, telemedicine and remote patient monitoring have become increasingly prevalent in healthcare. The shift towards remote solutions has become clear since the COVID-19 pandemic, when healthcare providers actively sought more efficient and patient-safe ways to deliver medical services. AI has also significantly transformed the healthcare landscape, offering streamlined solutions that enhance patient care and optimise medical processes. These technologies can process large amounts of data quickly and accurately, analyse complex medical data, and identify patterns and trends beyond human capability. This data-driven approach enables healthcare professionals to make more informed decisions, leading to earlier and more accurate diagnoses. AI algorithms can also predict disease outbreaks, anticipate patient needs, and optimise hospital resources, improving patient outcomes and reducing costs. Furthermore, cloud-based data management solutions have become essential tools in healthcare, providing secure, efficient, and accessible ways to store, manage, and share large volumes of medical data. One of the key benefits is scalability, allowing healthcare providers to store vast amounts of patient records, medical images, and research data without physical storage limitations. Cloud-based systems also improve data accessibility, enabling authorised healthcare professionals to securely access patient information from anywhere, promoting seamless collaboration and faster, more accurate diagnoses and treatments.

The market for business process outsourcing continues to expand, primarily because companies wish to focus on their core business while benefiting from new technologies. Business processes that have not previously been targets for outsourcing are now being outsourced to a greater extent. For small start-ups, outsourcing of business processes remains key to success.

Digitalisation, including new technology, has been identified as crucial for societal developments in Sweden. In its digitalisation strategy (“För ett hållbart digitaliserat Sverige – en digitaliseringsstrategi”, ref. N2017/03643/D), the Swedish government stresses that it wants Sweden to be the best in the world in applying digitalisation’s potential.

Emerging technologies, such as AI, Internet of Things (IoT) and robotics have also been key to the development of the outsourcing market. As mentioned in 1.1 IT Outsourcing, AI and machine learning have become increasingly popular in Sweden. Statistics Sweden, the body responsible for official statistics in the country, reported in early 2024 that the use of AI among companies in Sweden has doubled within the last five years, meaning that one out of five companies in Sweden is using some kind of AI system. Another interesting finding of Statistics Sweden is that the largest proportion of the increase stems from growth among smaller companies. However, the greatest application of AI is still being seen among larger companies.

The impact that the growing application of AI will have on outsourcing can be viewed from different angles. On the one hand, the increased demand for AI systems is boosting demand for competent service providers who can assist with the development, application and maintenance of specific AI systems. This trend could favour local contractors. On the other hand, AI systems keep getting smarter and might, in some areas, replace the need for traditional outsourcing. The same applies for robotics, which is another technology on the rise.

Another upward trend within emerging technologies that affects IT outsourcing is IoT. IoT refers to networks of interrelated physical objects that are embedded within technology that enable the exchange of data between physical objects. In simpler terms, IoT refers to items that can be connected to the internet, such as a vehicle, a smart TV and a smart monitoring system. Based on statistics from Statistics Sweden, the use of IoT has been identified as most widespread in the energy and recycling industries, followed by real estate and hospitality.

Financial institutions are showing an interest in AI and blockchain technology. In September 2024, the Swedish Financial Supervisory Authority launched an in-depth analysis to map how the Swedish financial sector uses AI, and how the companies within the industry see opportunities and challenges with the technology. Blockchain allows monetary transactions to be made in an instant, and using blockchain technology in the financial sector will most probably make the industry more competitive.

The most commonly outsourced services in Sweden are IT services, including, for instance, software development and cloud services. That said, business processes, such as human resources (HR) services, financial services, customer support services and call centre services, are also frequently outsourced.

Some of the most commonly outsourced IT services in Sweden are cloud services, which are widely utilised for document management, email, and external databases, providing scalable and flexible solutions for various organisational needs. Additionally, outsourcing IT operations and technical processing is prevalent among Swedish government agencies, municipalities, and regions. This often involves the technical processing or storage of data for the contracting authority, ensuring that data management and IT operations are handled by specialised external service providers.

It has recently been reported that companies are now looking to extend the outsourcing of simpler services, such as human resources, logistics and network services, rather than more complex functions.

There are no general legal regulations on outsourcing in Sweden.

However, outsourcing transactions in the public sector are subject to mandatory public procurement legislation, namely the Public Procurement Act (Lagen om offentlig upphandling 2016:1145) and the Public Procurement Act within the Supply Sectors (Lagen om upphandling inom försörjningssektorerna 2016:1146).

The Swedish Competition Authority (Konkurrensverket) is the supervisory authority for these sectors and the regulator on public procurement. Violation of the public procurement rules can turn out to be very expensive for the public procurer, with lengthy litigations.

There has long been some uncertainty regarding the legal conditions applicable for outsourcing by state authorities of IT operations, particularly concerning the point at which information subject to outsourcing should be disclosed. In 2023, a new provision (10 kap. 2 a §) was introduced in the Public Access to Information and Secrecy Act (Offentlighets- och sekretesslagen 2009:400) to clarify the conditions under which state authorities can outsource IT operations. This provision addresses the disclosure of confidential information to third parties for technical processing or storage. It establishes that secrecy is not an absolute barrier to disclosure, allowing authorities to involve third parties for technical needs without compromising operational capabilities. Disclosures must be appropriate to the circumstances, requiring an assessment of factors such as information sensitivity and third-party security measures. The third party’s role is limited to technical functions, reducing the risk of misuse or unauthorised access. Additionally, authorities must ensure that third parties can maintain confidentiality and security, placing responsibility on the disclosing authority. This provision balances the need for confidentiality with practical information management, ensuring responsible and judicious application.

Certain regulatory restrictions in Sweden may touch upon outsourcing of information that is highly sensitive in terms of the nation’s security. Security classified information should not be part of cross-border outsourcing transactions, where it risks ending up in the hands of foreign powers. Violations of these restrictions could lead to criminal charges. The Security Protection Act (Säkerhetsskyddslagen 2018:585) mandates that entities engaged in security-sensitive activities must conduct security analyses and implement the necessary security measures. This includes ensuring information security, physical security, and personnel security. When outsourcing such activities, entities must enter into security protection agreements with suppliers.

An example of a violation occurred in 2015, and triggered a national scandal, when the Swedish Transport Agency (Transportstyrelsen) outsourced its IT-functions to IBM. IBM decided to run the outsourced IT functions in Eastern European countries. The Swedish Transport Agency manages information on every vehicle in Sweden, including police, military, corporate, and private vehicles. Security classified information, in this case personal data concerning individuals with a driver’s license, such as Swedish military defence pilots, agents of the Swedish security services etc, was transferred to IBM under the outsourcing contract. When this security violation became publicly known during the summer of 2017, the director general of the Swedish Transport Agency was dismissed and was very heavily fined.

Certain sectors in Sweden have regulatory restrictions that are set by their own supervisory authority. The main rule in the regulated sectors (see below for examples of such sectors) is that the outsourcing party is responsible for any outsourcing in relation to the supervisory authority.

Regulatory restrictions regarding information security are also provided by the Swedish Civil Contingencies Agency (Myndigheten för samhällsskydd och beredskap). However, these regulations are to be interpreted as recommendations, as opposed to rules. According to the regulations, it is recommended that a customer is given the possibility in the outsourcing contract to examine how the service provider manages information security.

The EU General Data Protection Regulation 2016/679 (the GDPR) imposes significantly stricter requirements on, among other things, impact assessments and information security. Municipalities and regions handle large amounts of personal data, including sensitive personal data. When delegating the handling of such data to, for example, a supplier, it must first be ensured that the data will be handled correctly. There are also restrictions on which other countries personal data may be transferred to.

One not-so-obvious regulatory restriction that should be addressed is the regulation regarding unfair competition. The purpose of the unfair competition regulation is to ensure that outsourcing contracts that may give rise to anti-competitive effects are examined under the rules prohibiting anti-competitive agreements.

An outsourcing contract must also comply with the rules regulating risk of abuse regarding dominant position. However, abuse of dominant position can only apply if the supplier occupies a dominant position and, after negotiations, attach conditions to the contract that are considered abusive. In no case can the conclusion of an outsourcing contract be considered an abuse of dominant position in itself.

According to Swedish law the parties may negotiate and decide upon the governing law in the agreement. However, some Swedish industries may have sector-specific regulations that may interfere with a contractual dispute clause if the parties have decided to not take note to such regulations.

As mentioned in 1.3 New Technology, with new technologies come new regulations that are likely to have an impact on the outsourcing of services related to these technologies.

There are several industry-specific restrictions for IT outsourcing in Sweden, some of which have seen significant developments in the past year.

The Financial Sector

The financial sector in Sweden is well regulated when it comes to outsourcing. In general, the basis for outsourcing within each financial services area (eg, payment services, investment funds, etc) is outlined in national legal acts covering each area. In addition, the Swedish Financial Supervisory Authority (Finansinspektionen) has issued regulations for each area providing further details on the outsourcing arrangements. From 2019, the European Banking Authority’s Guidelines on outsourcing arrangements have constituted an additional set of rules applicable to certain types of financial institutions (eg, banks, payment services providers etc) which are also applicable in Sweden. And, finally, the EU’s Digital Operational Resilience Act 2022/2554 (DORA) will take effect on 17 January 2025, setting out requirements for financial institutions for the outsourcing of so-called information and communication technology (ICT) services to ICT third-party service providers. 

Each of the mentioned legal acts has a set of specific requirements for financial entities, as applicable. However, there are some universal rules that apply across all of them, for example:

• an outsourcing financial entity cannot be relieved of its regulatory responsibilities due to an outsourcing contract, and will always remain responsible for the parts of its operations that have been outsourced to a third party;
• an outsourcing contract must always be documented, in writing;
• an outsourcing contract must contain detailed descriptions of the service covered by outsourcing and what will apply to its provision;
• where sub-outsourcing is permitted, the provisions of the outsourcing contract will be transferred; 
• certain outsourcing types require a notification of the competent supervisory authority; and
• audit rights will be granted to the financial institution itself, its auditors and supervisory authority.

The Healthcare Sector

In Sweden, healthcare providers must ensure that the implementation and use of digital services and technical platforms comply with legal requirements and guidelines referenced in their healthcare agreements with the healthcare administration. Providers are responsible for appointing individuals to oversee regular information security and data protection activities. All digital communication and image transfers must be managed with a focus on patient and information security, adhering to relevant laws and regulations. Healthcare providers must follow existing laws and regulations for patient safety, regardless of whether care is provided physically or digitally. The same medical guidelines and rules for record-keeping, prescription, referral management, and insurance assessments apply to digital care as to physical care.

In Sweden, the Data Protection Act (Dataskyddslagen 2018:218) complements the GDPR, providing additional national regulations. When outsourcing technical processing or storage of data, healthcare providers must ensure that the service providers adhere to confidentiality requirements. This includes contractual agreements on access control and encryption to protect sensitive information. Digital accessibility is mandated by the Swedish Act on Accessibility to Digital Public Services (Lagen om tillgänglighet till digital offentlig service2018:1937) to ensure that no one is hindered from using digital services due to disabilities. This law applies to public actors and private healthcare providers performing publicly funded healthcare. In summary, technology transactions and outsourcing in the Swedish healthcare sector are governed by stringent regulations focusing on information security, patient safety, and data protection, with recent updates aligning national laws with EU regulations on medical devices.

Other examples of industrial sectors that may be subject to specific regulations are: military defence, telecom, aviation, education, energy, food, gambling, medicine and medical devices, pensions, railroad transportation, security services, nuclear power, nuclear waste and water services.

As of 25 May 2018, the GDPR is the primary data protection legislation across the EU, and therefore Sweden. The GDPR regulates, among other things, how organisations should process personal data, including the measures that should be taken if another organisation is to process personal data on behalf of the organisation, and how personal data may be processed in cross-border data flows.

According to the GDPR, personal data can be transferred without restrictions between the member states of the EU/EEA. Personal data can be transferred outside of the EU/EEA under special circumstances – eg, if the European Commission has decided that the third country ensures an adequate level of data protection, or if the controller has implemented appropriate safeguarding measures, such as applying binding corporate rules (BCR) or using standard contractual clauses (SCC) and additional security measures, if deemed necessary by the controller. Cross-border data flows can also be allowed in other specific situations and occasional cases.

In addition to the GDPR, Sweden has enacted the Data Protection Act (Dataskyddslagen 2018:218), which provides supplementary provisions to the GDPR. This act includes specific rules for the processing of personal data in certain sectors and by public authorities, ensuring that national interests and specificities are addressed.

Recent developments in Sweden include the ongoing implementation of the EU Directive 2022/2555 on measures for a high common level of cybersecurity (the “NIS 2 Directive”), which enhances cybersecurity requirements for essential and important entities, including stricter security measures and incident reporting obligations. The NIS 2 Directive also emphasises the importance of managing supplier security and ensuring compliance through national supervisory mechanisms.

Additionally, the EU Data Governance Act 2022/868, which complements the GDPR, aims to facilitate data sharing across the EU while ensuring robust data protection and security measures.

Overall, the regulatory landscape in Sweden for data processing and data security in technology transactions and outsourcing is robust, with a strong emphasis on protecting personal data and ensuring secure cross-border data flows. Organisations must stay abreast of these regulations and implement appropriate measures to comply with both EU and national requirements.

The standard supplier customer model in Sweden is the single sourcing contract between a customer and a supplier. The outsourcing contract often includes an asset transfer from the customer to the supplier of certain assets, such as contracts and employees, that are necessary for the provision of the outsourced services. The contracts typically include detailed provisions on service level agreements (SLAs), data security, confidentiality, and compliance with relevant laws and regulations. They also emphasise the importance of due diligence in selecting service providers and maintaining transparency throughout the outsourcing relationship. The main service provider has the overall responsibility for the outsourcing and is the customer's single point of contact. Therefore, the customer generally has no control over sub-suppliers if the contract does not contain an approval clause and/or a revision clause with regard to sub-suppliers.

Typically, these types of contracts have long duration periods, and five to eight years is not rare. Initially, the supplier must make large investments to be able to deliver cost cuts. The long duration periods are necessary so that the supplierscan depreciate and consolidate deliveries.

From a customer’s perspective there are advantages and disadvantages to this model. The advantages are the customer’s release from responsibility and surveillance, and also the very clear benefit of not having to manage a number of suppliers, in comparison to situations of multi-sourcing. This means that the customer does not have to spend resources on identifying who is responsible for an accident. The disadvantages are that customer is dependent on a single supplier and has no direct relationship with sub-suppliers, and thus has no control over prices and services through discussions with sub-suppliers. The lack of direct relationship with the end supplying party also makes it hard for the customer to negotiate price reductions when the market prices fall.

The customer who is the contractual party to the outsourcing contract receives the services on its own behalf. Should other members of the customer’s group receive services, this needs to be handled in the outsourcing contract. In comparison to the UK, the Swedish jurisdiction does not give beneficiaries of the services direct enforcement rights if they are not part of the contract. 

Joint ventures and multi-sourcing contracts are frequently used contract models in Sweden, in addition to the more standard single-sourcing model.

The Swedish jurisdiction has no special regulation with regard to joint ventures (JVs). Legally, this type of venture can be any kind of legal entity or simply a contractual one. However, it is common to set up a jointly owned Special Purpose Vehicle (SPV), particularly for offshoring. There are many advantages to setting up an SPV, and therefore avoiding a contractual JV. This particularly true if the JV is regulated by Swedish law, since the Swedish Act on Co-ownership from 1904 (Lagen om samäganderätt 1904:48 s.1) is not really compatible with the outsourcing age.

In some cases, the JV is set up to provide services to a single customer; in others, it becomes a new business that, in its own right, services the needs of several customers. In models where suppliers enter into a JV, they need to have a common business objective. The objective is usually that the suppliers bring together complementary products and services – eg, hardware, software and consultancy services.

This structure has several advantages for the customer, who only has to deal with a single supplier as opposed to several (see below on multi sourcing). Any service failure has nothing to do with the customer and any blame shifting that may arise will only affect suppliers – not the customer.

Joint ventures can also be set up between the supplier and one or more customers. The purpose of this model is to provide services to those customers who are also parties to the JV. This model is used when the customer wants to use the JV for a new business. The advantage is that services can be provided to other customers by using the same assets and resources, and thereby provide both the supplier and the customers with a return on their investments.

The customer may set up a JV with a local offshore partner. The customer may then leverage that local partner’s established infrastructure and local knowledge. This model can also have tax advantages.

Multi-sourcing, or selective sourcing, is quite common in Sweden. Multi-sourcing is when the customer enters into a number of contracts with different suppliers. Each supplier delivers a special part of the total delivery that is being outsourced. The outsourcing is treated as a portfolio of services rather than as a whole package. Sometimes in IT-outsourcing the customer has an integration responsibility to handle the different interfaces between the separate suppliers. One of the suppliers may also be appointed integrator, in which case the customer just holds the contractual relationship with the different suppliers. As a result, the customer can terminate a service contract if it does not function well but keep the remaining suppliers.

There are many advantages for the customer with multi-sourcing. The model gives the customer increased flexibility in terms of the duration of the contract, which tends to be shorter than in a single-sourcing arrangement. The customer may also let the suppliers compete among themselves on different parts of the contact. The customer can therefore choose the most competitive supplier for a certain part of the service, and is not forced to choose a specific supplier. The direct link to each supplier increases the possibility of making changes in the contract or exchanging one of the suppliers without the other contractual relationships being affected. It also opens up the possibility of benchmarking for certain service elements.

On the downside, the customer has responsibility for integration, and must therefore be more competent than in the single-sourcing model. A multi-sourcing model may, again, promote a culture of finger pointing among suppliers if things go wrong. The customer therefore stands an increased risk of being held responsible for problems. Suppliers may also feel reluctant to share information and data with other suppliers, since they often are competitors. Such information or data may constitute trade secrets, or at least be dressed as trade secrets. A common way to reduce such risks is to institute an Operation Level Agreement (OLA), which stipulates how the different suppliers must co-operate. The OLA regulates how a problem should be solved when there is an incident, regardless of who is liable for the incident. The OLA ensures that confidentiality issues are resolved so that data can be shared among the suppliers. Furthermore, the OLA ensures that suppliers have the same view on intellectual property rights deriving from the results that are developed and delivered to the customer.

Digital transformation, including the adoption of cloud computing, SaaS, PaaS and IaaS, has significantly impacted the contract models for outsourcing transactions in Sweden. One of the most notable changes is the shift towards service-based models, where organisations increasingly purchase IT as a service rather than relying on traditional outsourcing models. This transition is driven by the flexibility, scalability, and cost-effectiveness that cloud services offer.

The emphasis on cost efficiency and standardisation has become a critical factor in outsourcing strategies. For example, the Swedish Tax Agency (Skatteverket) prioritises these aspects in its approach to outsourcing IT functions. The maturity of the market and the potential for cost savings are key considerations in the decision-making process.

However, the increasing complexity of delivery models, including the use of global resources, virtualisation, and cloud services, has necessitated robust security measures. This is particularly relevant for cloud services, which are experiencing rapid growth. Outsourcing contracts must also comply with stringent legal and regulatory requirements, especially concerning data protection and security. Certain critical services must be operated within Sweden, and personnel involved must undergo security clearance.

Each outsourcing decision requires a thorough evaluation of the appropriate sourcing model. Organisations must consider whether to fully outsource or to purchase specific resources, depending on the unique circumstances of each case. The IT outsourcing market in Sweden is relatively mature, but continuous innovation in delivery models and solutions is driving the evolution of outsourcing contracts. This includes the adoption of new technologies and service models that cater to the growing demand for digital services.

There is also a trend towards outsourcing services that span multiple areas and provide a holistic view of processes. However, these integrated services can be challenging to manage and require careful consideration of service levels and contract terms. In summary, digital transformation has led to more dynamic and flexible outsourcing contract models in Sweden, with a strong focus on service-based solutions, cost efficiency, security, and compliance with legal and regulatory standards. Organisations must carefully evaluate their sourcing strategies to align with these evolving trends and requirements.

The customer’s business is at greatest risk during the transition and transformation phase – ie, the initial transfer of operations, when a vast number of things can go wrong. Usually, exercise of termination rights or mere expiry of the term are the main remedies at this early point. However, the customer is usually protected by a series of customer-protection clauses in the contract.

An obvious customer-protection clause to include in the contract is failure to deliver the services to the agreed service levels or failure to deliver the agreed services on time.

Price protection is very important for the customer, and customers commonly seek one of two forms of price protection:

• “most-favoured customer” clauses, obliging the service provider to charge the lowest rates when such rates are offered to or paid by other customers from the same services; or
• “benchmarking” of rates, charges and quality against current market standards through an independent assessment.

One of the service provider’s main contractual obligations is to protect the customer’s information and data against attacks and prohibited access. Common remedies following confidentiality breaches are fixed penalties for each breach followed by liquidated damages and, ultimately, immediate termination and damages.

It is important for the customer to identify all the intellectual property rights (IPR) used in the company’s business that may be outsourced and therefore might be needed by the service provider to deliver the agreed services. IPR are identified and documented in an IPR due diligence process prior to any negotiations.

All IPR internally used by the customer, including patents, designs and trademarks, that are registrable, as well as those that are non-registrable, such as copyrights, should also be identified and documented. The documentation should include details of registration number and ownership of any registered rights, including information on joint ownership and encumbrances over IPR. Any assignment agreements, licence agreements, R&D agreements, non-disclosure agreements and non-compete agreements should also be documented. For the sake of negotiation any existing or possible IPR disputes should also be identified and documented.

The customer may also perform a supplier IPR due diligence to identify IPR that belong to the supplier or a third party, which are to be used in the course of providing services to the customer. The purpose of the due diligence is to eliminate any risk of the supplier not having proper licences to third-party IPR as well as to eliminate the risk of contamination of customer IPR when using open-source software. Open-source software may not be permitted by the customer at all, but, if it is permitted, it should be checked, since the ownership of the IPR in the software might be uncertain. Open-source software is often considered as software that can be used freely; however, it is not without restrictions.

Another IPR issue that usually demands negotiation is the future ownership of the IPR that are affected by the outsourcing. When ownership of IPR has been identified, it is crucial for the parties to negotiate licences that allow each of them to use one other’s IPR and trade secrets for the purposes and the term of the outsourcing contract. This is especially important when the supplier also provides services to the customer’s competitors. The customer should ensure that the supplier is not entitled to the customer’s IPR when providing services to third parties. The outsourcing contract should contain mechanisms for the supplier to administrate such IPR (including registration, documentation and other protection) and make it easier to transfer the IPR back to the customer or to a third-party supplier when the outsourcing contract is to be terminated.

Any licences from the customer to the supplier should be limited in scope and be confined to the purposes of the outsourcing. When the supplier uses sub-suppliers, an explicit consent from the customer should be a requirement for use of the licences. The contract should also prohibit the licences from being transferred to a third party, if the customer has not given explicit consent to such transfer. The sub-supplier should, when consent is given, be subject to the same obligations as the supplier under the master outsourcing contract.

Furthermore, the customer normally seeks to obtain relevant warranties and indemnities regarding any third-party IPR that might be affected by the outsourcing. It is important that the supplier has the right to license any IPR that are subject to the outsourcing from the supplier to the customer, or at least that the supplier indemnifies the rights in the contract. The customer also normally should be indemnified that the supplier is responsible for any infringements in third-party IPR, provided that the IPR are used in accordance with the terms of the contract. Additionally, the customer should ensure that licences from the supplier to the customer also include a sublicensing right, in the event that the customer needs to exercise the licence to sub-suppliers.

Newly developed IPR are often created through the use of existing IPR or data owned by the customer or a third party. It is therefore important that the outsourcing contract specifies exactly which rights the respective party will have to the newly developed IPR. The contract should also contain the necessary licences to the newly developed IPR to enable the parties to use the IPR in the intended manner during the term of the outsourcing contract and following termination of the contract.

It is important for the customer to ensure that IPR are securely acquired from the supplier’s employees and sub-suppliers. In Sweden, the main rule is that copyright assets remain with the creator; however, there is an exception for software created by an employee – such IPR belongs to the employer, and not the employee. This exception, however, does not apply to third-party consultants that have developed software for a supplier. Additionally, under the Swedish principle of the teacher's exception (lärarundantaget), academic staff at universities and colleges in Sweden retain the rights to their creations, including software, even if developed in the course of their employment.

It is also important that the customer plans for an IPR exit strategy in the outsourcing contract. This exit strategy may contain post-termination licence arrangements to avoid disruption of the customer’s business as far as possible.

Other examples of customer protections that can be included in the outsourcing contract are service credits, indemnities for losses under specific circumstances, loss of exclusivity, price reduction, withholding of payments, payments of interest, warranties, step-in rights in cases of underperformance, termination under specific circumstances and parent company guarantees.

Typically, the supplier warrants that services are performed in accordance with applicable laws and regulations, in accordance with good industry practice and in a timely and professional manner. The supplier may also give other specific project-related assurances.

The usual contractual remedies for failure to deliver the services to the agreed service levels or failure to deliver the agreed services on time are service credits, service debits, penalties, rectification, repair or replacement of non-performance of the services at no cost for the customer and, ultimately, termination with immediate effect of the contract. A softer way to go about this final remedy is insourcing. It should be pointed out that, in Swedish jurisprudence, penalties have not yet been considered unfairly high and brought down by the courts.

Other remedies for breach of contract under Swedish general law are price reduction, claim damages, re-performance/injunction and termination for cause.

The termination of the contract may be negotiated by the parties. However, if nothing else has been agreed upon, one party may terminate a contract with immediate effect if the other has materially breached the contract – for instance, breached their contractual obligations with gross negligence or wilful misconduct. The contract should regulate under which conditions a party may terminate the contract prematurely – eg, by not delivering an essential part of the service due or not paying for the services. Often, such clauses come with a time period during which conditions can be restored. If the contract does not allow for restoration, the aggrieved party can terminate the contract with immediate effect. Other common reasons for premature termination include a party’s insolvency, bankruptcy or amalgamation.

There are no legal regulations on the minimum or the maximum term of a contract under Swedish general law, but the term and extension of a contract in the public sector may be subject to the Public Procurement Act (Lagen om offentlig upphandling2016:1145).

The contract usually contains provisions on post-termination efforts. While this is also something that the parties are free to agree on, we consider it standard practice to include a provision stating that the material belonging to the customer will be returned to the customer immediately upon termination. It is also not uncommon that the parties agree that the supplier will migrate the customer data to the new supplier of the customer.

The main rule in Sweden is that the aggrieved party is entitled to full compensation for harm sustained as a result of the contractual breach. The burden of proof for the extent of compensation lies with the party claiming the compensation. Full compensation includes direct losses, which are primarily fees and costs. If the contract does not go ahead, full compensation may constitute replacement costs for a new supplier, including the price difference between the old and the new supplier.

Under Swedish law there is a distinction between direct loss and indirect loss (also called consequential loss). Both direct loss and indirect loss can be recovered. However, indirect losses are often excluded in outsourcing contracts, since it is difficult to predict and calculate them. Examples of indirect losses are loss of production, loss of profit, loss of business and loss of goodwill. Examples of direct losses are performed time on the delivery of the services due to the customer’s breach of contract, costs for finding alternative solutions, or alternative production opportunities.

Clauses limiting liability are also common. Usually, these clauses clearly set out the highest amount at which to limit liability. Certain specific losses may be excluded from the limitation-of-liability clause. Often, these are also claims from a third party due to a party’s breach of contract. Examples of such claims are breach of intellectual property warranty claims, breach of proper conduct of personal data, confidentiality and security. The main rule under Swedish law is that exemption clauses are not valid if a contractual party is acting with gross negligence or wilful misconduct. Moreover, clauses limiting a party’s liability for damages related to personal injury or death have been deemed unenforceable by Swedish courts. Consequently, it has also been common practice not to limit liability in such circumstances.

The market practice is to limit the liability to direct losses and therefore exclude indirect losses, such as loss of profit and loss of business. The practice is also to limit the liability at a high level, excluding acts of gross negligence and willful misconduct.

Swedish law recognises a duty of loyalty between contractual parties for the duration of the contract – ie, both parties must assist one other to get the most out of the contract. This is especially relevant for lengthy contracts, such as outsourcing contracts. Therefore, a contractual party under Swedish law must not only defend its own interests, but should supports those of the contractual party if this is can be accommodated.

Implied terms may be used when something is not expressly treated in the contractual text. It may then be necessary to investigate whether the parties, through mutually implied terms, have agreed on specifics, and terms or purposes must be mutual between the parties. Since Swedish law contains a principle of free valuation of evidence, meaning that any circumstances may be brought into a litigation, the concept of duty of loyalty and the implied purpose would be important information for a contractual party entering into an outsourcing contract under Swedish law.

In Sweden, customers in technology transactions or outsourcing arrangements commonly require robust cybersecurity protection and security measures to safeguard their data and ensure business continuity. The implementation of appropriate technical and organisational measures is a requirement of primary importance. Service providers are expected to conduct thorough risk analyses, plan for and manage potential incidents, and implement measures to prevent unauthorised access and external threats. These measures are essential to maintaining operational security and protecting the data being processed.

Data security and confidentiality are paramount concerns in technology transactions. Customers expect service providers to implement robust encryption methods, stringent access controls, and perform regular security audits to protect sensitive information from breaches and unauthorised access. Ensuring the confidentiality and security of data is not only a contractual obligation but also a legal requirement under various regulations, including the GDPR.

Compliance with legal and regulatory requirements is another critical aspect of cybersecurity in outsourcing arrangements. Service providers must adhere to relevant laws and regulations, such as the GDPR and the national implementation of NIS 2 Directive, which mandate stringent data protection and cybersecurity standards. The predecessor of the NIS 2 Directive, ie the EU Directive 2016/1148, on measures for a high common level of security for network and information systems (NIS Directive), was incorporated into Swedish law through the Act on Information Security for Essential and Digital Services (Lagen om informationssäkerhet för samhällsviktiga och digitala tjänster 2018:1174) and the Regulation on Information Security for Essential and Digital Services (Förordningen om informationssäkerhet för samhällsviktiga och digitala tjänster 2018:1175). The new provisions stemming from the NIS 2 Directive are currently under consultation by the Swedish Government and are expected to enter into force in 2025. The Swedish Civil Contingencies Agency has the authority to issue regulations related to the NIS framework and has multiple regulations in force.

Business continuity planning is essential for ensuring that services remain uninterrupted in the event of disruptions. Suppliers are expected to develop and maintain comprehensive business continuity plans that include disaster recovery strategies, regular data backups, and redundancy measures. These plans are designed to minimise downtime and ensure a rapid recovery if incidents occur, thereby ensuring the continuity of critical business operations.

Swedish outsourcing contracts often contain instruments that help the customer manage and measure the supplier’s performance. The two most common forms are:

• service level agreements (SLA); and
• key performance indicators (KPI).

A closely related instrument often addressed in outsourcing contract is audit rights. Agreements usually provides a right for the customer to conduct an audit at the supplier to ensure that the supplier is carrying out work in accordance with the law and the contract. It is worth noting that, even though the contract gives the customer the right to enter the supplier’s premises, forcing a way in is considered a criminal offence under the Swedish Penal Code (Brottsbalken 1962:700).

If the technology outsourcing is cloud-based, an extra layer of data privacy and cyber security applies. From a data privacy perspective, it is important to localise the cloud to confirm whether it is based within the EU/EEA or in a third country. If the latter applies, the restrictions and obligations explained in 2.3 Restrictions on Data Processing or Data Security must be considered.

In addition to the above, sector-specific restrictions and obligations may apply.

The Swedish rules governing employee transfers from one employer to another are far-reaching and regulated, both at EU level by Directive 2001/23/EEG on the safeguarding of employees’ rights in the event of transfer of an undertaking, businesses or parts of undertakings or businesses (the Acquired Rights Directive or ARD), and at national level in Section 6b of the Swedish Act on Protection of Employees’ Rights (Lagen om anställningsskydd 1982:80).

The Acquired Rights Directive states that a transfer occurs “where there is a transfer of economic entity which retains its identity, meaning an organised grouping which has the objective of pursuing an economic activity, whether or not that activity is central or ancillary”. The ARD stipulates the minimum protection. Therefore, the laws of the Swedish Act on Protection of Employees’ Rights give, in some instances, a higher protection for employees than the ARD – an example being Section 6b of the Swedish Act on Protection of Employees’ Rights, which is applicable to all public business.

From an employment perspective, a transfer of business can occur when there is a change of employer. However, there are a number of sub-criteria to lock into this definition. In a business transfer, the new employer automatically takes over the responsibility for the contractual conditions of the previous employer. However, it is not uncommon for the new employer and the transferred employee to agree to new conditions. The new employer also takes over responsibility for obligations that have arisen prior to the transfer; therefore, it is important for the new employer to perform proper due diligence on outstanding financial obligations prior to entering into a transfer agreement and/or claim warranties.

The regulations on employee transfers are applicable to personal employment agreements as well as collective agreements. If the transferor and the transferee are bound by the same collective agreement, the agreement will be valid against the transferee. Should the transferor, but not the transferee, be bound by a collective agreement, the transferee will also be bound by the collective agreement in applicable parts. If the transferor and transferee are bound by different collective agreements, the collective agreement that the transferee is bound by prevails. However, the transferee must comply with the rules of the transferor’s previous collective agreement for one year.

The employee has the right to oppose that the employment with the current conditions is transferred to a new employer. The employee should, within a reasonable period of time (at least 14 days) of being notified about the transfer, state whether they would prefer to stay with the transferor. If an employee chooses to stay with the transferor, the employment will remain unchanged. However, the employee runs a high risk of being made redundant.

Even if the criteria set out in the Swedish Act on Protection of Employees’ Rights are not satisfied, or where there is uncertainty as to whether employee transfers will take place automatically, it is not uncommon for customers to require that the supplier contractually commit to act as though the ARD/the Swedish Act on Protection of Employees’ Rights applied, whether or not it does so by law. It is very important that the customer and the supplier agree who will be responsible for employment-related costs or liabilities. Therefore, the terms in regard to commitment to hire/employee transfers are often subject to lengthy negotiations, and the wording should be carefully considered.

The market practice in Sweden on employee transfers is that the new employer offers new conditions to the transferring employee, often with an incentive-based outcome for the employee.

Whenever the ARD/the Swedish Act on Protection of Employees’ Rights regulations apply to a transfer of employees, then a general duty to inform and consult with employees and employee representatives (eg, trade unions and works councils) arises. The timeline for such information and consultation varies, but must be assessed and addressed in the overall timeline of the project.

It is noteworthy that the transferor has an obligation to investigate whether an employee is a member of a trade union and, if so, which trade union. If an employee is a member of a trade union the transferor is obliged to consult the trade union concerned before deciding whether to transfer that employee. Not doing so may result in damage payments.

Sweden is currently experiencing a lack of domestic IT specialists. Consequently, offshoring and, in particular, nearshoring, have become increasingly popular.

There are no specific laws granting employees the right to work remotely in Sweden. Nevertheless, many employers provide remote work opportunities as part of their employer branding strategies, with the objective of achieving work-life balance and/or reducing costs.

The possibility of remote work is typically implemented through either policies or agreements. Both policies and agreements should be documented in writing, clearly outlining the terms and conditions for remote work.

Regardless of where they work, employees working remotely are subject to the same employment laws and regulations as employees who work in an office. However, remote working poses a number of challenges, including ergonomic issues, cognitive strain, reduced interaction with colleagues, blurred boundaries between work and personal time that affect working hours and mandatory rest periods, and potential feelings of isolation. It also increases information security risks. As a result, when deciding whether to allow remote work, employers often consider how to manage employee retention, loyalty, work environment standards, ensure fairness and transparency for all employees, and protect confidential information.

From a work environment perspective, employers are required to take all necessary measures to ensure a healthy work environment for remote employees. This includes providing work equipment to ensure employees can perform their tasks safely, from a physical and social perspective. Given the reduced oversight of remote workspaces, these arrangements require more effort from employees and their managers. While remote working employees need to be proactive in reporting any work environment issues, their closest managers should be adequately trained to spot and manage any red flags that may arise.

Data protection and security are critical when working remotely. Employees should be trained on proper data handling outside the office and be required to report any data protection breaches immediately. It is important to have a well-developed IT policy that outlines expectations regarding the use of technology (eg, computers, phones, cameras, microphones) and what employees should be mindful of (eg, network connections, email, internet usage), especially to delineate between personal and work use during and after working hours.

When permitting employees to work remotely from abroad on a long-term basis, employers should also be aware of potential tax implications and the possible application of local labour laws and social security regulations.