Technology & Outsourcing 2025

Last Updated October 28, 2025

UK

Law and Practice

Authors



Travers Smith LLP has a Technology & Commercial Transactions department that undertakes the majority of the firm’s outsourcing work. The department is made up of four partners, two senior counsel and 13 associates. The wider outsourcing team also includes specialists from the financial services, pensions, real estate, employment and tax teams who are experts in advising on outsourcing activities and other commercial contracts with third-party providers. Lawyers at Travers Smith advise customers and suppliers alike on a regular basis in relation to all types of outsourcings, including IT and business process outsourcing – as well as a wide range of other activities that require a more tailored approach, often with an international dimension. The team regularly works across a range of sectors, including financial services (including fintech, market infrastructure and payments), retail, warehousing and logistics, pensions, media and publishing, and hotels and leisure.

The IT outsourcing industry remains strong, with increasing demand for specialist expertise and for automation technology being two of the main drivers. According to Statista, revenue in the UK IT outsourcing market is projected to reach GBP34.60 billion in 2025. From 2025 to 2030, revenue is expected to maintain a steady annual growth rate of 7.18%, resulting in a substantial market volume of GBP48.04 billion by the end of 2030. The key drivers for businesses outsourcing IT functions continue to be lower costs, access to expertise, the ability to scale IT projects up or down without the delays of scaling in-house teams, the ability to focus on core business functions as IT challenges are dealt with externally, enhanced security, proactive support and maintenance (offering improved resilience) and greater opportunities for innovation.

Organisations are also increasingly using AI outsourcing, which allows them to benefit from cutting-edge AI technology. Uses for AI outsourcing include customer assistance, data analytics and cybersecurity (see 1.4 Outsourced Services for more detail).

As cybersecurity becomes an ever-greater concern for all businesses, with a recent Deloitte survey finding that 70% of respondents discuss cybersecurity as a regular board agenda item (on a monthly or quarterly basis), UK businesses are increasingly seeking expertise in this area to manage their cybersecurity risk. The cybersecurity outsourcing market continues to be highly competitive, as growing concerns over cybersecurity continue to result in a trend towards developing deeper relationships with fewer IT service providers. According to Logpoint’s European Cybersecurity Sector 2024 report – a survey of 1,762 senior decision-makers and influencers – 52% of UK businesses used third-party services for security operations and a further 28% of respondents planned to follow suit in the coming years.

Data protection remains a key issue for tech outsourcing. In recent years, there has been a continued drive to develop new mechanisms to facilitate international transfers of personal data, most recently in respect of transfers from the European Economic Area (EEA) to US organisations that have self-certified to the EU/US Data Privacy Framework (DPF), and in respect of the UK’s extension to the DPF under which transfers can be made from the UK to such US organisations (see 2.3 Restrictions on Data Processing or Data Security).

The UK government’s data protection reforms set out in the new Data (Use and Access) Act 2025 have not resulted in radical changes to the UK’s existing legal framework for data protection, nor are they expected to put the EU’s adequacy decision at risk (when the decision is reviewed, the deadline for which is December 2025). Some outsourcings may, however, benefit from the relaxation of the rules around automated decision-making contemplated by this new legislation.

Inflation is not only having a major impact on the cost of living, but also on the IT outsourcing industry. Wage inflation and cost increases will affect those suppliers who cannot find a way to pass on these costs. IT contracts are typically shorter, with more flexible termination and/or charging rights; however, now there will be a focus on payment mechanisms and indexation clauses more than ever.

Lastly, the introduction (as a result of Brexit) of a UK points-based immigration system has made it more difficult and costly for UK outsourcing providers to recruit staff from the EEA. This has had an impact across a wide range of sectors, including services requiring technically skilled staff such as computer programmers. Businesses employ various ways to obtain skills from overseas workers – for example, entering into a form of agency agreement with an overseas business that then provides developers from all over the world, rather than the classic “outsourcing” model. The UK government is working to reform this points-based immigration system to reduce overall migration, whilst also seeking to make policy changes to address perceived skills gaps in the UK economy.

Cost reduction through increasing efficiencies and productivity in business operations – while allowing businesses to focus more on their core functions – remains one of the key drivers for BPO. According to Grand View Research, the global business process outsourcing market is projected to grow at a compound annual growth rate of 9.8% from 2025–2030, with the finance and accounting segment accounting for 21% of the revenue share in 2024. The rise of AI has also seen many organisations outsourcing customer care processes to service providers who can provide AI technology to assist with customer service queries, with the customer services segment projected to grow at a compound growth rate of 11.2% from 2025–2030 (see 1.3 New Technology for more detail on this).

Demand for BPO services in the public sector rose during recent years, with government contracts being a significant source of revenue for the industry. Before coming into power in July 2024, the Labour Party pledged to “bring about the biggest wave of insourcing of public services in a generation” and, as reported in the Local Government Chronicle, more recently in a Local Government Association conference in July 2025, the Deputy Prime Minister at the time said the government was “working to undo the ideological presumption of outsourcing by default as part of our plan to make work pay”. The effects of this shift in attitude are yet to be seen, with the government stating that the best time to achieve value for money for publicly run services will be when existing contracts expire or are terminated for a failure to deliver. Outsourcers currently supplying services to public sector bodies should be aware that when these contracts expire, public sector bodies will be required to undertake a proportionate public interest test to understand whether that work could be more effectively done in-house and the contract may also be subject to mandatory re-tendering requirements under public procurement rules (see 2.2 Industry-Specific Restrictions).

The location of service providers has also shifted, with “nearshoring” being an increasingly popular alternative to offshoring. Nearshoring is a form of outsourcing where companies partner with a service provider in a country in the same region. By way of an example, countries such as Romania and Bosnia have become nearshoring centres for business in Western Europe. However, although cultural familiarity and mitigated risks are cited as benefits of nearshoring, offshoring is expected to remain the most cost-effective – and therefore popular – solution.

Changes to the UK immigration system (as outlined in 1.1 IT Outsourcing) continue to make it challenging to recruit staff, including call centre staff.

Robotic process automation (RPA) and cloud-based services continue to have a major impact on the outsourcing sector. Despite high initial set-up costs, automation is often considered a solution for improved productivity, increased employee satisfaction and enhanced customer experience. However, adoption of RPA through outsourcing is becoming increasingly sophisticated, shifting to a more granular focus on overcoming implementation challenges and developing smarter solutions. The use of AI has also become widespread, with much higher acceptance than in previous years, as businesses in diverse sectors (eg, insurance and hospitality) look to AI to optimise business processes and operational efficiency through automated hiring processes, training, and data analysis. Organisations are also increasingly utilising outsourced service providers for dealing with customer queries through AI chatbots, which can provide 24/7 customer service for simpler queries and thereby free up time for customer service representatives to focus on the more complex queries.

The use of blockchain technology will continue to rise throughout 2025 and 2026, driving a requirement for professional expertise in the implementation and operation of such solutions, meaning that many businesses will increasingly look externally for such support in the form of IT outsourcing, according to Vanguard X. This is of particular relevance in the financial services sector (see 2.2 Industry-Specific Restrictions) given the introduction of general operational resilience rules for UK financial services firms and the FCA’s anticipated development of new, sector-specific outsourcing rules for UK stablecoin issuers.

The rapidly changing regulatory landscape will continue to encourage businesses to turn to specialised outsourced service providers for support in navigating and mitigating the regulatory risks associated with such new technologies.

The most commonly outsourced services in the UK are IT services, as discussed in more detail at 1.1 IT Outsourcing. Other common outsourced services include payroll services, which can include pay and tax calculations, interfacing with HMRC (including filing and paying taxes) and keeping payroll records, as well as HR support. Customer relationship management is another popular service to outsource in the UK, including the use of call centres and the outsourcing of complaints handling and claims processing. UK organisations also frequently outsource aspects of their supply chains such as warehousing, logistics and delivery services. Facilities management, printing and accounting are also commonly outsourced in the UK.

Although the UK regulates the employment aspects of most outsourcing and M&A transactions (see 5. Employment Matters), it does not have any other overarching legislation that seeks to regulate outsourcing transactions on a non-sector-specific basis. That being said:

  • businesses should be mindful of regulations specific to their industry sector that might have an impact on the outsourced service and the way it is carried out, service levels and other contractual obligations (see 2.2 Industry-Specific Restrictions);
  • public sector outsourcings can be subject to rules on public procurement and new UK legislation in the form of the Procurement Act 2023 came into force on 24 February 2025 (see 2.2 Industry-Specific Restrictions);
  • certain outsourcing arrangements may be subject to EU or UK merger control legislation – although this is relatively rare in practice; and
  • outsourcings involving data – especially personal data – are subject to regulation in the UK (see 2.3 Restrictions on Data Processing or Data Security).

As noted in a number of cases below, the new Labour government and the UK’s departure from the EU could lead to changes in regulation, given that the UK may decide to diverge from the EU in some areas. In the majority of cases, this is expected to be an evolutionary process that will take time to implement, as it requires consultation with industry and the passing of new legislation.

Financial Services

Outsourcing transactions relating to financial services are subject to sector-specific regulation, as outlined here.

Regulatory authorities

The majority of financial services firms in the UK are regulated by the Financial Conduct Authority (FCA). Some of those firms (such as banks, large investment firms, insurers, building societies, and credit unions) are also subject to prudential supervision by the Prudential Regulation Authority (PRA). The FCA and the PRA have each published specific and detailed rules governing outsourcing arrangements entered into by regulated firms – although the provisions vary depending on the type of financial services business undertaken. Firms that are regulated only by the FCA will need to comply with the FCA outsourcing rules relevant to their type of firm, whereas firms that are regulated by both the FCA and PRA must also comply with the relevant PRA outsourcing rules. A number of rules in this area were originally derived from EU law, and may be subject to future changes as the UK continues to review this “assimilated EU law” over time. To date, the FCA and PRA have largely restated EU-derived outsourcing provisions without material amendments.

The Bank of England regulates UK financial market infrastructures (FMIs) and has equivalent rules governing outsourcing arrangements.

Oversight

It is a key principle that a firm remains responsible for compliance with any applicable regulatory rules concerning any outsourced services. This means that the firm will need to exercise proper oversight and monitor the performance of outsourced service providers to verify that any relevant regulatory requirements are being satisfied. Where the firm fails to do so, it may be subject to enforcement action. The FCA and PRA outsourcing rules typically require the firm to carry out due diligence on any proposed service provider to ensure that the provider has the capacity to provide the necessary services effectively. In addition, the firm will normally be required to ensure that the outsourcing contract contains certain mandatory provisions – for example, those relating to ongoing co-operation and/or enhanced termination rights.

A firm must normally provide advance notification to the relevant regulator when proposing to enter into (or make significant changes to) a material outsourcing arrangement. Broadly, this is required where any failure or weakness in the outsourced services might cast serious doubt upon the firm’s continuing satisfaction of the conditions for authorisation or compliance with the general regulatory principles applicable to it.

In December 2024, the FCA, PRA and Bank of England each published proposed new operational incident and third-party reporting rules, broadening these existing notification obligations to cover “material third-party arrangements”, which would continue to include (but would not be limited to) material outsourcings. Finalised rules are expected by the end of 2025.

Critical third parties

Under the Financial Services and Markets Act 2000 (as amended), third parties providing critical services to authorised firms, payment and e-money institutions and FMIs may be designated as “critical” by HM Treasury. If designated, the services provided by such critical third parties (CTPs) will be subject to direct oversight by the regulators, which will be armed with information-gathering and enforcement powers.

The new regime is intended to address concerns around the fact that a large number of regulated firms and FMIs are dependent on a small number of third-party service providers and the associated risks to the financial system should any such third party fail. Accordingly, a third party may be designated as a CTP only if a failure in, or disruption to, the provision of the relevant services could threaten the stability of, or confidence in, the UK financial system. This assessment will include the materiality of the services provided and the number and type of service recipients.

While the regime is only likely to affect outsourcings involving a relatively small number of very large and/or highly specialised service providers (particularly those which are cloud-based), the requirements it will impose upon them will be onerous. In November 2024, the FCA, PRA and Bank of England published their respective final rules for designated CTPs, including detailed provisions on governance, risk and incident management, operational resilience and termination of services. At the time of writing (September 2025), no CTPs have yet been designated by HM Treasury, although some designations are expected by the end of 2025 following consultation.

Public Sector Outsourcings

Depending on the nature of the contract and its value, a public sector outsourcing can be subject to UK public procurement rules – although these apply to a wide range of contracts, not just outsourcing transactions. By way of example, the awarding authority can be required to advertise the contract, observe certain timings with regard to responses to tender, etc, and ensure that all bidders are treated equally and without discrimination. Public procurement rules are most likely to have a significant effect on the timing of the pre-contract procedure, the criteria for selection of successful tenderers, and the duration of the outsourcing contract.

Following the UK’s departure from the EU, UK public procurement law has been reformed and new legislation in the form of the Public Procurement Act 2023 came into effect on 24 February 2025. This legislation aims to create a more streamlined, efficient and transparent system for public bodies. Although the new Act therefore makes some aspects of public procurement more straightforward, the reforms are more evolutionary than revolutionary.

The Act does not have retrospective effect and therefore will not affect procurements commenced before 24 February 2025. It should also be borne in mind that, owing to the provisions of the Brexit Withdrawal Agreement, EU public procurement rules continue to apply in limited circumstances – for example, to framework contracts where the tender process (for the framework itself) was commenced on or before 31 December 2020.

Critical Infrastructure and National Security

Organisations supplying critical national infrastructure – for example, those in sectors such as electricity supply, oil and gas, water, transportation, healthcare and digital infrastructure (including cloud computing storage providers) – and meeting certain size thresholds are subject to the Network and Information Systems Regulations (the “NIS Regulations”). The UK government plans to introduce the Cyber Security and Resilience Bill by the end of 2025. This is expected to place greater emphasis on the importance of supply chain cyber management and make the regulations applicable to a broader range of digital services providers. At the time of writing (September 2025), the Cyber Security and Resilience Bill has not yet been introduced to Parliament.

In brief, the NIS Regulations require in-scope organisations to:

  • take appropriate and proportionate technical and organisational measures in order to manage the security risks posed to them (eg, measures to protect against cyber-attacks); and
  • report incidents to regulators in certain circumstances.

Where organisations are outsourcing the provision, management or maintenance of any element of the systems on which they rely to provide such infrastructure, they will need to consider how to ensure that the outsourced activities continue to meet the standards required by the NIS Regulations.

More generally, outsourcings involving critical infrastructure and other matters regarded as important to UK national security may be subject to scrutiny under the National Security and Investment Act 2021. This allows the UK government to review (and, in extreme cases, to block) the transfers of certain businesses or assets on the grounds of protecting national security.

Other Sectors

The parties to an outsourcing will also need to consider any relevant sector-specific regulations, such as requirements for licences or authorisations. These are not normally intended to regulate outsourcing per se but, rather, to regulate the activity that is covered by the outsourcing. In the UK, the sectors listed below are subject to industry-specific regulation by the regulator listed in brackets:

  • aviation (Civil Aviation Authority);
  • consumer credit (FCA);
  • education and childcare (Ofsted);
  • energy (Ofgem);
  • food (Food Standards Agency);
  • gambling (Gambling Commission);
  • health and social care (Care Quality Commission);
  • medicines and medical devices (Medicines and Healthcare Products Regulatory Agency);
  • pensions (Pensions Regulator);
  • rail (Office of Rail and Road);
  • road transport (Driver and Vehicle Standards Agency);
  • security services (Security Industry Authority);
  • telecommunications, broadcasting and postal services (Ofcom); and
  • water and sewerage services (Ofwat).

This list is not exhaustive and the activities covered by the outsourcing may mean that there is a need for licences, permits or approvals from other bodies such as local authorities, the Health and Safety Executive or government departments. By way of example, certain defence or security-related activities may require Ministry of Defence approval or be subject to review under the National Security and Investment Act 2021.

Data protection laws are likely to apply where the outsourced services require the supplier to process personal data on behalf of the customer. “Personal data” includes names, contact details, or other data that relates to an identified or identifiable natural person. In the UK, the relevant laws are the UK GDPR (which is based on the EU’s General Data Protection Regulation (EU GDPR)) and the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025) (collectively, the “Data Protection Laws”). Nevertheless, the EU GDPR will continue to apply to those organisations that fall within its territorial scope. In the UK, the Data Protection Laws are enforced by the Information Commissioner’s Office (ICO).

Many outsourcing arrangements – in particular, business process outsourcings and IT outsourcings – are likely to result in the supplier handling personal data on behalf of the customer and in respect of which the customer is the data controller (ie, the entity that determines the purposes and means of processing of such data). The supplier will be a processor in such situations. Where this is the case, as well as the supplier having a number of direct obligations to comply with under the Data Protection Laws, the customer must also be satisfied that the supplier will implement appropriate technical and organisational measures to ensure that the supplier’s processing of such data will meet the requirements of the Data Protection Laws – in particular, the requirement to keep the data safe and secure. The customer must carry out due diligence on the supplier in order to be satisfied of this.

The Data Protection Laws also stipulate that, if the supplier is processing personal data on behalf of the customer and in its capacity as a data processor, the contract between the customer and the supplier must address certain issues (see 4.5 Data Protection and Cybersecurity) – namely, requiring the supplier to:

  • keep the data safe and secure; and
  • help the customer in complying with its own obligations – for example, when data subjects seek to enforce their rights in respect of data held by the supplier on behalf of the customer.

It may well be the case in some outsourcing arrangements – in particular, some BPOs such as pensions administration – that the nature and manner of the outsourced services requires the supplier to effectively act as a data controller in respect of any data it processes. If this is the case, then the supplier will have to comply with obligations placed on it by the Data Protection Laws in its capacity as a data controller.

Overseas Transfers of Personal Data

Personal data transferred to the supplier for processing outside the UK must be exported in compliance with the Data Protection Laws, ultimately to ensure that the standard of protection for such data under the Data Protection Laws travels with the data. This issue will need to be addressed where, for example, the outsourcing involves “offshoring” of service provision to a territory outside the UK.

Similar rules apply to customers that fall within scope of the EU GDPR and where data will have to be transferred to a supplier located outside the EEA. If the country in which the supplier is located has not been granted an adequacy decision by the UK government (essentially, finding that the data protection laws of the destination country are adequate and meaning that the data can flow freely to the supplier without the need to put additional measures in place to protect it), then an alternative safeguarding mechanism must be relied on.

The most used safeguarding mechanism is to incorporate a set of standard contractual clauses (SCCs) that have been pre-approved by the European Commission (in the case of the EU GDPR) or the UK Parliament (in the case of the UK GDPR). These require the supplier to put measures in place to make sure that personal data is kept safe. The use of SCCs must be supported by a transfer risk assessment. Broadly, this requires the parties to carry out due diligence and a formal risk assessment to ensure that the laws and practices of the supplier’s country provide an equivalent standard of data protection to those in the UK or EEA (as applicable), particularly when it comes to access by public and surveillance authorities to personal data. Account must be taken of the nature of the data being transferred and how it will be processed. Due diligence must also be conducted into the measures the data importer (in this case, the supplier or outsourcing provider) will take to keep the data safe and secure. In some cases, the transfer risk assessment might lead the parties to conclude that the data transfer element of the outsourcing will need to be suspended and the data kept onshore. It is therefore worth considering this issue early on in the transaction.

The International Data Transfer Agreement (IDTA) and the Addendum came into force in March 2022 in relation to data transfers to third countries subject to the UK GDPR. In June 2021, the EU adopted its new SCCs. The UK Addendum is a “bolt-on” to the EU SCCs.

As noted in 1.1 IT Outsourcing, the UK extension to the Data Privacy Framework enables personal data to be transferred from the UK to US organisations that have self-certified to the DPF without the need for reliance on SCCs or for a transfer risk assessment to be completed.

In some cases, alternative mechanisms or specific derogations may be available for transferring the data – for example, suppliers may have obtained approval from the ICO for binding corporate rules that allow them to export data to other group companies based outside the UK, without the need for specific contractual arrangements governing the transfer. Alternatively, it may be possible to obtain express consent to the transfer from the data subjects whose data is being transferred.

Issues during negotiations

The Data Protection Laws also potentially have an impact when an outsourcing contract is being negotiated, as personal data will be transferred in respect of employees who are transferring over from the customer to the supplier (see 5.1 Employee Transfers). In these circumstances, care needs to be taken to ensure that personal data is shared and transferred in a lawful manner, with a clear legal basis under the Data Protection Laws for such a transfer. Any personal data transferred outside the UK will again need to be transferred using one of the above-mentioned transfer gateways or derogations.

Critical infrastructure

As outlined in 2.2 Industry-Specific Restrictions, organisations that supply critical national infrastructure and meet certain size thresholds are subject to the NIS Regulations. These regulations may have an impact on the outsourcing of activities relevant to the provision of such infrastructure. By way of example, where handling of data is outsourced, the customer will be required to ensure that the supplier takes appropriate measures to protect against cyber-attacks – even if it is not “personal data”.

Penalties for breach of such laws

The ICO can impose civil fines of up to GBP17.5 million – or 4% of the breaching undertaking’s annual worldwide turnover in the preceding year – for the most serious breaches of the Data Protection Laws. In the case of breach, the ICO can also issue an enforcement notice against a business requiring it to take (or refrain from taking) specified steps in order to comply with the Data Protection Laws.

The Data Protection Laws contain a number of criminal offences – notably, offences relating to the unlawful obtaining of personal data and selling or offering to sell such data.

It should be noted that individuals can lodge complaints with the ICO in respect of alleged breaches of the Data Protection Laws and bring an action for damages against the relevant business. Fines may also be imposed for data breaches under sectoral regulatory regimes. By way of example, financial services firms have been fined substantial sums for failure to keep customer data secure.

The maximum penalty for breach of the NIS Regulations is GBP17 million, again for the most serious breaches. As with the Data Protection Laws, competent authorities under the NIS Regulations can issue enforcement notices and also have powers to investigate and audit compliance of organisations that fall within the scope of the regulations.

Outsourcing can take a number of forms in the UK. Although there is no “standard” model, a direct outsourcing is the most common structure adopted by the parties. This allows a customer to streamline its operations to focus on its core activities, taking advantage of economies of scale available to the supplier as well as the supplier’s expertise.

A direct outsourcing is the simplest of the outsourcing structures, with the contract(s) being directly between the customer and the supplier. However, the outsourcing will become more complex if the customer procures the outsourced services on behalf of itself and group companies. In this case, an “agency” model is often adopted, or a third-party rights clause may enable group companies to have directly enforceable rights.

Direct outsourcings typically comprise a single contract (or sometimes multiple contracts) dealing with core issues such as service standards, price, duration, and limitations on liability and subcontracting, with schedules setting out (among other things) a description of the services provided, service levels, the consequences of failing to meet service levels, governance arrangements, and any transferred assets and staff. If the supplier does not have sufficient assets to meet its contractual liabilities or is not the main trading entity in the group, the customer may require a parent company guarantee (see 4.1 Customer Protections).

Other contractual models commonly used for outsourcing include indirect outsourcing, multi-sourcing, joint ventures or partnerships, outsourcing via a captive entity, and build-operate-transfer structures.

Indirect Outsourcing

An indirect outsourcing is similar to a direct outsourcing, except that the customer appoints a supplier (usually domiciled in the UK) that immediately subcontracts the services to a different supplier (usually domiciled in a foreign jurisdiction). The principal reason a customer may choose this model is that it will wish to interface with, monitor, and enforce its rights against a UK-based supplier, rather than a foreign supplier.

Multi-Sourcing

Multi-sourcing is where the customer enters into contracts with different suppliers for separate elements of its service requirements. An advantage of this model (in addition to those achieved with a direct outsourcing) is that it avoids over-reliance on a single supplier ‒ although this only applies where identical services are sourced from several different suppliers. However, maintaining an effective interface between the various suppliers to ensure a seamless overall service (ie, Service Integration and Management or SIAM) can add cost and complexity. The outsourcing contract will typically impose contractual obligations on suppliers to co-operate with one another and to participate in a common governance process, involving regular meetings between all of the parties.

Joint Venture or Partnership

The setting up of a joint-venture company, contractual joint venture or partnership to provide services enables the customer to maintain a greater degree of control than the other legal outsourcing structures, to benefit from the supplier’s expertise and to share in the profits generated by the third-party business of the joint venture. Joint ventures can take many forms and are usually complicated (and expensive) to set up and maintain.

Captive Entity

A captive entity model is where the customer outsources its processes to a wholly owned subsidiary to provide the outsourced services exclusively to it and takes advice from local suppliers on a consultancy basis. This model is sometimes known as a “shared services division” if the captive entity is servicing different divisions of the same conglomerate company. Although this structure will give the customer greater operational control, possible tax benefits, and integration with the supplier/group company, the customer will not be passing the risk of performing the services to a third-party provider and the upfront set-up costs and ongoing costs are likely to be significant.

Build-Operate-Transfer

A build-operate-transfer model of outsourcing is where the customer contracts a third-party supplier to build and operate a facility, which is then transferred to the customer. It is possible that the customer may ask the supplier to operate the facility for the longer term. Although this model is low risk, it can be expensive.

Outsourcing to, for example, cloud-based providers is essentially a form of direct outsourcing. As such, this trend has not ‒ in the majority of sectors ‒ produced any radically new contract models. However, it has had a significant impact on the terms on which services are outsourced.

Suppliers such as cloud providers are typically unwilling to negotiate contracts that are, to a significant degree, tailored to the customer’s individual needs. This is usually because such an approach would undermine their ability to achieve significant economies of scale by offering a broadly standardised service to a large number of customers. The argument for imposing standard terms is particularly strong for public cloud services (whereas private cloud services are closer to a traditional outsourcing deal). While contract models have tended to become more standardised and customers have more limited scope to secure contractual protections that reflect their own individual needs and preferences, some (still limited) opportunities for negotiation in key areas have opened up as the market has matured and become more competitive.

That said, cloud service providers are facing increasing scrutiny over provisions which make it more difficult for customers to switch to a competitor. In the UK, the Competition and Markets Authority may take steps to require Amazon Web Services and Microsoft to amend their contract terms and, in the EU, cloud service providers are required (from 12 September 2025) to comply with the EU Data Act. This is designed to prevent vendor “lock-in” and may have a knock-on effect on terms available to UK customers.

Common protections for the customer in an outsourcing contract include service levels or key performance indicators (KPIs) in relation to the standard of performance of the services, often linked to a service credits or liquidated damages regime if the service levels/KPIs are not met. These are discussed in more detail at 4.6 Performance Measurement and Management.

Customers will usually want to consider additional forms of contractual protection, besides any service credits/liquidated damages regime. These will typically include undertakings given by the supplier, including an undertaking that it will provide the services with reasonable care and skill, in accordance with good industry practice and all applicable laws and regulations. The supplier could also be required to warrant the accuracy of information provided by it as part of the tender process, that it has particular accreditations, or that it operates in accordance with a particular quality assurance system. If these undertakings or warranties are breached by the supplier, the customer would then be entitled to pursue a claim for damages.

The customer could also seek indemnities from the supplier in respect of specified loss, such as loss suffered by the customer as a result of the supplier’s breach of applicable laws (including Data Protection Laws) or against future liability in respect of employees transferred to the supplier as part of the outsourcing (see 5. Employment Matters). Additionally, the customer may require a supplier of outsourced services to hold certain insurance ‒ for example, in respect of damage to persons or property ‒ and to note the customer’s interest on its policy. It is also important for obligations to be imposed on the supplier to maintain a “business continuity plan” and make adequate back-up and disaster recovery arrangements.

In addition, the customer may seek a parent company guarantee (PCG) to secure the performance of the supplier’s obligations under the contract if there is any concern that the supplier may not have sufficient assets to meet its liabilities under the contract or is not the main trading entity in its group. The customer may also require the supplier to provide an annual statement (in the form of a board minute) confirming that its directors consider the supplier able to fulfil its obligations under the contract (and the customer may request the same from the supplier’s parent company in respect of the latter’s obligations under the PCG).

Although these contractual protections will allow the customer to seek compensation from the supplier for failure to comply with the contract, they do not specifically address under-performance. As a result, it is not uncommon for a customer to seek “step-in” rights, allowing it to take over the management of an under-performing service or to appoint a third party to manage (or supervise) the service on its behalf. Less serious problems with under-performance can sometimes be resolved through use of rectification plans, contract management and governance provisions, which typically require the supplier to appoint a contract manager who will meet regularly with the customer’s representative to discuss and seek to resolve issues in accordance with a rectification plan. These provisions may also include a right for the customer to veto proposals from the supplier to dispose of key assets or re-deploy key staff involved in the provision of the services – thereby preventing any deterioration in performance that might be caused by such disposal/re-deployment.

Rights of termination in a variety of circumstances should also be included to protect the customer (see 4.2 Termination). In addition, customers should ensure that, in the event of termination, the supplier remains under an obligation to provide assistance to the customer when migrating the service to a new provider. As part of this, the supplier should be required to draw up an “exit plan” at the outset of the contract and update it on a regular basis (at least annually) in consultation with and/or with the consent of the customer. It is very important, particularly in business-critical outsourcing arrangements, for an exit plan to be prepared early in the relationship because, if it is left until an exit event occurs (be that a termination event or expiry), the circumstances at the time may mean that the outgoing service provider has little incentive to engage fully in the process, which could have an impact on transition.

Under English law, parties have considerable freedom to decide on the circumstances in which a contract can be terminated. By way of example, a customer may seek a right to terminate a long-term outsourcing contract on notice without cause prior to expiry of its term without any compensation being payable (often called a termination for convenience). However, the supplier may not be prepared to grant such a termination right or may insist on financial compensation being payable by the customer in the event of early termination for convenience. Although it is possible to challenge such provisions on the basis that they amount to an unlawful contractual penalty, they will normally be enforceable provided that the level of compensation is not out of all proportion to the supplier’s loss arising from early termination.

Express Termination Rights and CIGA

In most outsourcing contracts, both parties will have express contractual rights to terminate the contract if the other party commits a material breach of its terms (typically after the expiry of a cure period) or undergoes an insolvency-related event. However, the Corporate Insolvency and Governance Act 2020 (CIGA) introduced further provisions into the Insolvency Act 1986, including in relation to contracts for the supply of goods or services. Under CIGA, clauses that enable a supplier to terminate a supply contract (or change other terms) upon an insolvency or formal restructuring procedure are ineffective.

CIGA also introduced a prohibition on terminating a supply contract based on past breaches of the contract once the company enters an insolvency process or restructuring procedure. This means that – subject to certain exclusions (eg, suppliers who provide financial services and those who are covered by the existing continuation of essential supplies provisions) – suppliers can be obliged under the outsourced supply contracts to continue to supply to a customer once it enters an insolvency or restructuring process, even where there are pre-insolvency arrears. Suppliers can also be prevented from making the payment of such arrears a condition of continued supply. The relevant outsourcing contract may only be terminated with the consent of the customer or (if the customer is in administration or liquidation) the appointed insolvency practitioner, or with the leave of the court (if the court is satisfied that the continuation of the contract would cause the supplier hardship). If the supplier’s right to terminate arises after the insolvency or formal restructuring process begins (eg, for non-payment of goods supplied after that time), then there is no prohibition on termination.

Given how difficult CIGA makes it for suppliers to rely on insolvency termination triggers, suppliers may seek to include earlier triggers so as to permit termination before the “relevant insolvency procedures” contemplated in CIGA – for instance, if the customer gives notice of its intention to appoint an administrator (as opposed to the actual appointment of an administrator). In addition, suppliers may seek to further mitigate the impact of CIGA by including a requirement for the customer to provide ongoing financial information to monitor any signs of distress of the customer and/or review their procedures for responding to late payment by customers to pick up on any potential signs of financial difficulties.

Force Majeure

In addition to the above termination rights, the contract may also contain termination rights in circumstances where a party is prevented from carrying out its obligations under the contract for a specified period owing to a “force majeure” event. Force majeure clauses exist in a variety of different forms; as a result, whether a “force majeure event” has occurred is highly fact-specific and depends on the precise drafting of the relevant force majeure clause. The occurrence of a force majeure event does not necessarily mean that a party will be relieved of liability for any failure in performance or delay in performance. Again, this will turn on whether the drafting of the clause and the factual matrix support such an outcome.

Partial Termination and Change of Control

The customer may also seek to include a right to terminate where the supplier commits specified service failures and may insist that such termination rights can be exercised in respect of the affected services only or in respect of the contract as a whole. Another termination right commonly requested by the customer is a right for the customer to terminate upon a change of control or ownership of the supplier. A well-drafted change of control clause will also include an obligation for the supplier to provide notice:

  • of any prospective change of control (subject to relevant confidentiality obligations); and
  • within a specified number of days of any change of control occurring.

Repudiatory Breach

In addition to the express termination rights set out in the contract, under English common law, an innocent party will normally have a right to terminate a contract for “repudiatory breach”, where the other party breaches a condition of a contract. A condition of a contract is a term that goes to the essence of the contract – whether or not a term is to be categorised as a condition will be a matter of contractual interpretation in each case.

Damages

If the contract is terminated for breach, the innocent party may be able to claim damages for losses suffered as a result of the breach (see 4.3 Liability). Termination for repudiatory breach will often allow greater scope for a damages claim than reliance on an express clause allowing termination for material breach. If a party terminates in circumstances where it was not in fact entitled to do so (eg, because the breach was neither material nor repudiatory), that party may be exposed to a damages claim for unlawful termination.

Under English contract law, only loss that was in the reasonable contemplation of the parties at the time the contract was entered into (as a probable result of a breach of it) is recoverable. Outsourcing contracts will typically distinguish between direct and indirect loss. Direct loss means any loss arising naturally and directly from the breach according to the usual course of things or “ordinary circumstances”. Indirect (or consequential) loss refers to loss that does not arise naturally but could have reasonably been foreseen by the parties because of special circumstances made known at the time of entering into the contract.

If a supplier breaches the terms of an outsourcing contract and the breach directly results in loss to the customer (including loss of business or profits), or if the customer incurs expenses in remedying the breach or obtaining replacement services, such loss is likely to be recoverable by the customer as direct loss. If, however, the supplier’s breach results in the customer incurring liability towards a third party under a separate contract ‒ the terms of which were brought specifically to the supplier’s attention during a tender process or during pre-contractual negotiations (but which would not otherwise have been in the reasonable contemplation of the supplier upon entering into the contract) ‒ then the loss incurred by the customer under the third-party contract is likely to be categorised as indirect loss.

Whether a loss is a direct loss or an indirect loss is ultimately a question of fact. This has important implications for both customers and suppliers, as set out here.

Market Practice

The customer in an outsourcing arrangement will usually try to ensure that it is able, under the contract, to recover all direct loss incurred by it (including direct loss of profit, business and revenue). It is often sensible to expressly set out particular heads of loss that are recoverable, so as to evidence that these are agreed to constitute direct loss.

The supplier, on the other hand, will usually seek to exclude liability for:

  • indirect, special or consequential loss; and
  • loss of business, profit or revenue (including where these constitute a direct loss).

Market practice by suppliers is to list specific types of loss that are wholly excluded, with the most common being loss of revenue, loss of actual or anticipated profit, and loss of reputation or goodwill.

It is important to note that loss of profits (together with the aforementioned other categories of loss) can amount to a direct or indirect loss. Therefore, if a contract excludes the right to recover indirect, special or consequential loss, the innocent party may still be entitled to recover loss of profits that arise naturally and directly from the breach (ie, direct loss). As such, if a supplier wishes to exclude its liability for loss of profits, this should be done expressly and separately from any exclusion of indirect, special or consequential loss.

In practice, the types of loss recoverable under the contract will typically be a matter for negotiation between the parties.

Categories of Loss Not Typically Subject to Any Limitation of Liability

Most outsourcing contracts will be subject to the Unfair Contract Terms Act 1977 (UCTA). Where UCTA applies, the parties to a contract cannot exclude or limit liability for death or personal injury that arises from negligence. This rule applies under all circumstances, regardless of whether the contract was entered into on one party’s standard terms and regardless of the relative bargaining power of the contracting parties.

It is possible to limit or exclude other types of loss caused by negligence (ie, other than personal injury or death), provided that the clause meets the test of “reasonableness” set out in UCTA (which requires the court to assess a range of factors). If the contract is on standard terms, further provisions of UCTA may also need to be considered. However, many outsourcing agreements are relatively “bespoke” contracts that have been subject to significant negotiation between the parties ‒ in which case, these further provisions are unlikely to be relevant. In practice, however, the courts are generally reluctant to intervene under UCTA unless they consider that either:

  • there is a significant imbalance between the parties in terms of bargaining power; or
  • the clause leaves the innocent party with no meaningful remedy for the most significant types of breach likely to occur under the contract.

Under common law, parties cannot include clauses attempting to exclude liability for fraudulent misrepresentation or dishonesty. Any such clause will be found to be unreasonable and have no effect. Consequently, the only categories of loss not typically subject to any limitation or exclusion of liability are death or personal injury due to negligence and fraud/dishonesty.

Leaving aside the above-mentioned legal restrictions on excluding or limiting liability (but subject to them), contracting parties will typically seek to agree specific financial limitations on their liability. This can take a number of different forms – for example, a liability cap may apply on a per-claim basis or in respect of all claims arising in a specified period or in aggregate for the entire duration of the contract. The parties will often agree to carve out certain types of loss from the liability caps where appropriate to do so, such that any liability for those losses will be unlimited. In the UK, this would most often be the case in respect of liability for third-party IP infringement claims, breach of confidentiality and breach of anti-bribery and corruption obligations. It is also common for parties to agree to specific liability caps for specific types of loss, sometimes referred to as “super caps”. However, with regard to liability caps generally (in terms of their structure, scope and quantum), much will depend on the nature of the arrangement and the relative bargaining power of the parties.

Under English law, a contract (including any outsourcing contract) will consist of the express terms agreed between the parties, together with any terms that are deemed to be implied by either usage or custom, the parties’ previous course of dealings, common law, or statute.

The most relevant statutory implied terms in relation to outsourcing contracts are those set out in the Supply of Goods and Services Act 1982. These include:

  • an implied obligation on a supplier of services to carry out such services with reasonable care and skill;
  • an implied term that the supplier will carry out the service within a reasonable time; and
  • an implied term that the party contracting with the supplier will pay a reasonable charge (where the contract is silent on such matters or timing/charges are left to be determined by the parties).

However, the outsourcing contract often specifically excludes these terms and replaces them with specific provisions, with the intention that all relevant obligations are set out expressly in the written contract.

Where assets are being transferred, a term will be implied by statute that the party transferring the asset has title to it and is able to transfer it. Where the outsourcing involves supply of goods (eg, an IT outsourcing that includes the supply of hardware to the customer), then terms will be implied that the goods are of satisfactory quality and fit for their purpose.

Implied terms as to title to assets cannot be excluded or restricted. Those relating to satisfactory quality, fitness for purpose and certain other matters can only be restricted where this meets the reasonableness requirement set out in the Unfair Contract Terms Act 1977. Typically, however, most suppliers will seek to exclude these terms and substitute their own alternative warranties.

Beyond these statutory terms, it is comparatively rare for terms to be implied into outsourcing contracts. This is because they are generally documented in a reasonable level of detail and the English courts will therefore have regard primarily to the express terms of the contract. However, there are circumstances in which additional terms could still be implied. The most common of these is where the parties have failed to address certain issues in their written contract; a term may be implied where it is necessary to give the contract “business efficacy”. Such interventions tend to be used sparingly by the English courts, which are generally reluctant to be drawn into “writing the parties’ contract for them”.

That said, where a contract provides for an exercise of discretion – for example, where a party’s consent is required for a particular change – the courts will typically imply terms requiring that discretion to be exercised rationally, in good faith and consistently with its contractual purpose. In addition, because many outsourcing contracts will be relational contracts (ie, long-term, involving a high degree of communication, trust and co-operation and perhaps even exclusive, among other factors), similar constraints may sometimes be implied into other contractual provisions. This is usually on the basis that those constraints are necessary to ensure that the relationship – as formalised in the contract – works as intended. However, as a general rule, the more detailed the contract, the lower the chance of the courts implying additional terms to any significant extent.

It is also possible for terms to be implied based on “custom and usage” ‒ ie, normal market practice or where there has been a previous course of dealing between the parties. However, these would typically only be relevant where the express terms of the contract do not address the relevant issue in sufficient detail. By way of example, if an outsourcing contract had expired but the parties continued to deal with one another without having agreed a new contract, an English court might imply terms similar to those contained in the expired contract (based on the parties’ previous course of dealing).

The Data Protection Laws (see 2.3 Restrictions on Data Processing or Data Security) require certain prescribed provisions to be included in contracts with suppliers that process personal data on behalf of the customer, so as to ensure that minimum security levels are met in respect of any personal data which is processed. These include requirements for the supplier to:

  • only process data in accordance with instructions from the customer;
  • assist the customer with achieving compliance with its own obligations to take appropriate measures to ensure security of processing; and
  • back up its obligations with subcontractors to the extent that they process personal data.

Following changes introduced by the UK GDPR, data processors are now directly liable for some infringements. As a result, it is not uncommon to see provisions included in contracts to protect their position. Also, given the far higher penalties now available, specific liability apportionment for losses resulting from a breach of contractual provisions (and statutory obligations) is becoming more common.

In some cases, the supplier may be processing personal data as a standalone data controller rather than as a data processor on behalf of the customer ‒ for example, in some contracts for the outsourcing of pension fund administration. In these situations, the contract will usually include clauses requiring the supplier to keep personal data safe and secure, and to comply with its obligations as a data controller under the Data Protection Laws, particularly in respect of any personal data that the customer may transfer to it or vice versa.

Sector-specific legislation and guidelines (see 2.2 Industry-Specific Restrictions) also impose requirements in relation to data and cybersecurity (for both personal and non-personal data), which are often flowed down to suppliers within an information security schedule. Similarly, such legislation and guidelines impose requirements in relation to business continuity ‒ for example, the implementation, maintenance and testing of business continuity and disaster recovery plans, as well as requiring business continuity to be addressed in relation to exit. These matters are commonly addressed as part of separate business continuity and exit schedules.

As noted in 4.1 Customer Protections, outsourcing contracts often include specific service levels or key performance indicators (KPIs) in relation to the standard of performance of services.

These are typically set out either in the outsourcing contract itself or in a separate service-level agreement (SLA) appended to the contract. They will generally be linked to obligations on the supplier in respect of monitoring and reporting on service levels/KPIs, often combined with audit rights for the customer to allow the customer to audit the service provider’s compliance with the contract.

If the supplier does not meet the specified service levels set out in the contract, the contract may provide that the customer is entitled to financial compensation in the form of service credits or liquidated damages. From the customer’s perspective, the effectiveness of a service credits/liquidated damages regime depends on two main factors. First, the customer must ensure that the service levels/KPIs measure the aspects of performance about which it is most concerned – otherwise it may have no meaningful remedy at all under the service credits/liquidated damages regime. Second, the service levels/KPIs need to reflect a satisfactory standard of performance. If they can still be met even when the practical outcomes ‒ from the customer’s perspective ‒ are sub-standard, then they will not provide a meaningful level of contractual protection. It is also important that the relevant service levels/KPIs are sufficiently precise and objectively measurable.

Many outsourcing contracts also include benchmarking clauses, which allow a customer to determine if other service providers can offer the same services at a lower price or better services at the same price. A benchmarking exercise will typically involve the appointment of a third-party benchmarking consultant to measure the services and processes provided by the existing service provider against other providers known to be leaders in the same outsourcing industry. The contracting parties will need to agree whether the findings of the benchmarking consultant’s report should result in an automatic adjustment to the service charges, for example, or simply result in a non-binding renegotiation.

Given the points made in 4.5 Data Protection and Cybersecurity about the direct liability of data processors for compliance with certain data protection obligations, cloud-based outsourcing suppliers will often include provisions designed to protect their position. More generally, as noted at 3.3 Digital Transformation, there is typically less scope when using cloud-based suppliers for customers to negotiate “bespoke” contractual protections. However, regulators ‒ for whom data protection and cybersecurity in the cloud have been a particular focus ‒ are increasingly less accepting of cloud service providers’ traditional lack of transparency and refusal to risk-share on data issues. This has forced some providers to improve their standard positions in this area or offer sector-specific addenda that include enhanced protections.

Given the limited opportunity to negotiate terms, it is all the more important for customers to carry out due diligence on potential suppliers in order to confirm that the service provided by the cloud-based supplier will comply with Data Protection Laws.

In the UK, most arrangements are governed by the Transfer of Undertakings (Protection of Employment) Regulations 2006 (the “TUPE regulations”). The effect of the TUPE regulations is that employees who are wholly or mainly assigned to the services being outsourced automatically transfer by operation of law to the new provider of the services.

The TUPE regulations apply to an initial outsourcing, where the customer’s employees who are wholly or mainly assigned to the activity being outsourced will transfer to the supplier. They will also apply to a change in supplier, where employees of the outgoing supplier who are wholly or mainly assigned to the services will automatically transfer to the incoming supplier. The TUPE regulations also apply to an insourcing, where the outsourcing is terminated and the activities are brought back in-house. In this situation, the relevant employees would transfer from the incumbent supplier back to the customer.

Where the TUPE regulations apply, the relevant employees will transfer on their existing terms and conditions, with continuity of employment preserved. All accrued employment rights and historic liabilities in connection with the transferring employees will also transfer.

Market Practice

The TUPE regulations apply by operation of law and it is not possible to contract out of them. However, in practice, the parties to an outsourcing arrangement will typically allocate the employment risks through warranties and indemnities in the outsourcing contract. It is usual for the parties to allocate the risks on both entry and exit. It is often market practice for the indemnities on entry to mirror those on exit so that if, for example, the supplier has been indemnified for employment risks on entry into the outsourcing, they will agree to indemnify an incoming supplier against the same risks on exit.

It is also very common for the outsourcing contract to include provisions regarding matters relating to employees during the term of the contract, including any restrictions on changes to terms by the supplier, requirements to provide a list of employees working on the services, and restrictions on changing the personnel assigned to the services.

Impact of Brexit

The UK’s withdrawal from the EU has not resulted in any significant changes to the HR aspects of outsourcings. That said, as noted in 1.1 IT Outsourcing, the introduction of the UK points-based immigration system post-Brexit has made recruitment of EEA staff more difficult and costly for UK outsourcing providers. In addition, following Brexit, the UK government has made a small change to the information and consultation obligation under the TUPE regulations (see 5.2 Role of Trade Unions or Workers Councils).

Where the TUPE regulations apply, the outgoing employer (the “transferor”) must inform and consult with employee representatives about the transfer. Where the employer recognises a trade union, the appropriate employee representatives will be trade union representatives. If no trade union is recognised, the employer must either arrange for the election of representatives from the affected employees or consult with existing employee representatives where these are in place ‒ for example, where there is a works council or other employee forum.

The transferor must inform the employee representatives about the fact of the transfer, its timing, the reasons for it and the consequences for employees. Where the outgoing employer envisages taking any “measures”, it must also consult the employee representatives about those measures. The term “measures” covers any changes to employees’ day-to-day working lives, including changes to terms and conditions or working practices, or plans to make redundancies.

To assist with the transferor’s consultation duty, if the transferee proposes any measures that would affect the transferred employees after the transfer, it must notify the transferor of the measures before the transfer. If any of the transferee’s existing employees will be affected by the transfer, the transferee must also consult employee representatives of its own workforce.

These obligations historically applied regardless of the number of employees involved in the outsourcing. However, in the wake of Brexit, the UK government has changed the TUPE regulations so that employers are now able to inform and consult employees directly on an outsourcing where there is no recognised trade union and either the employer has fewer than 50 employees or fewer than ten employees are affected by the transfer.

Events such as the COVID-19 pandemic and the Russian invasion of Ukraine have prompted some businesses to reassess their reliance on global supply chains with a view to simplifying them. In some cases, this has led to certain offshored activities being brought back onshore or prompted businesses to explore nearshoring (when previously they might have been more attracted by offshoring).

However, much depends on the level of risk from having an outsourcing provider located in another jurisdiction. Most outsourcings are primarily focused on services, which in many cases can be provided remotely from another jurisdiction relatively straightforwardly, whereas businesses involved in physical goods supply chains may have more concerns about increased risk as a result of the distances involved. Indeed, offshoring remains an option that many customers are willing to examine, particularly where there are significant savings to be made on labour costs. Recent statistics suggest that offshoring has not declined in popularity ‒ for example, in a survey of outsourcing intentions in 2023, 33% of businesses indicated that they would be looking at offshoring (as against 27% for nearshoring and 19% for onshoring).

Nevertheless, customers are increasingly conscious that offshoring to certain jurisdictions may pose an increased risk of data breaches. Another common concern is that, although savings can be made on labour costs through offshoring, this may prove to be a false economy if the quality of service provision is below the requisite standard because staff lack the necessary skill levels. These considerations are often brought to the fore when outsourcing services involve customer relationship management (such as call centres) and can result in businesses deciding to opt for onshoring or nearshoring instead.

Another driver for nearshoring in the UK market is an increase in the number of service providers based in Eastern Europe. This region is obviously geographically closer to the UK than many jurisdictions often used for offshoring (such as India or the Philippines).

The TUPE regulations cover employees working remotely if they are wholly or mainly assigned to the services being outsourced. Such remote workers would transfer to the new supplier along with any other employees who are wholly or mainly assigned to the services. However, for the TUPE regulations to apply, there must be an organised grouping of employees in Great Britain at the time of the outsourcing (or insourcing or change in service provider). If some or all of the employees are working remotely abroad, the TUPE regulations may not apply, as there may not be an organised grouping of employees in Great Britain.

In general, there is very little regulation on remote working in the UK; this is largely a matter for agreement between an employer and its employees. Many employers will have a policy on remote working, even though there is no legal requirement to do so. Employers must, however, ensure they comply with their existing legal obligations in relation to remote workers ‒ including duties relating to health and safety and duties under the Data Protection Laws.

The primary business considerations raised by customers when considering whether, and how, to permit remote working are around service delivery – ie, whether remote working will impact the delivery of the services being outsourced. This depends on the nature of the services, the type of work performed, the level of supervision and administrative support required, and whether technology supports the remote delivery of services.

Travers Smith LLP

10 Snow Hill
London
EC1A 2AL
United Kingdom

+44 020 7295 3000

commercial@traverssmith.com www.traverssmith.com

Trends and Developments


Authors



Gibson, Dunn & Crutcher LLP is an international law firm with over 2,000 lawyers, spanning 22 offices worldwide, providing a full range of legal services to the world’s leading technology, financial, industrial and commercial enterprises, as well as governments, institutions and individuals. Its technology transactions and strategic sourcing practices are among the world’s premier destination practices for complex and strategic technology, IP and data-driven transactions. It has represented clients in over 750 transactions across 100 countries with a combined deal value in excess of USD500 billion. The team provides full-service support in structuring, negotiating, documenting and implementing such transactions as well as advice on discrete technology, data usage and IP issues. It combines the talent of partner-level practitioners who each have more than 25 years of industry-leading experience. Additionally, it provides support to complementary practices, including data protection, privacy, cybersecurity, employment, real estate, M&A, regulatory compliance and tax.

Executive Summary

The landscape for UK technology and outsourcing transactions continues to be influenced by both regulatory and geopolitical developments, including in the areas of national security, industrial policy and digital regulation. In particular, the UK’s operational resilience and cybersecurity regimes have had a major impact on the contracting process, requiring customers to embed resilience and oversight obligations throughout the technology supply chain. Artificial intelligence (AI) is also transforming contractual negotiations, focusing parties’ attention on matters such as IP ownership, explainability, risk management and liability. While these developments have already resulted in significant changes in both the negotiation and the terms of technology and outsourcing contracts, it will take time for market practice to settle.

Geopolitics and Technology Transactions

Geopolitical volatility has become a key factor in UK technology and outsourcing transactions, with national security, industrial policy and digital regulation affecting the structure and terms of cross-border technology deals. For many customers, cybersecurity, data governance and critical infrastructure resilience have become key areas of concern, while geopolitical volatility has meant that sanctions, export controls and tariffs have created risks that parties must address in contracts.

Regulation in the areas of cybersecurity, critical infrastructure protection and data governance has expanded compliance obligations for technology providers and influenced service delivery models. For instance, cloud and IT providers need to demonstrate operational resilience, often through the ability to pivot between jurisdictions and maintain service continuity, while maintaining compliance with an increasing number of data protection and data localisation requirements.

Further, the implementation of sanctions continues to be a mechanism used by the UK government against targeted jurisdictions and regimes for foreign policy and national security reasons. From a customer’s perspective, sanctions compliance is a critical component of outsourcing risk management – especially in technology, cloud and managed services arrangements where suppliers operate across multiple jurisdictions – and this is having an impact at all stages of the transaction lifecycle. Due diligence now extends beyond financial and operational metrics to cover ownership structures, ultimate beneficial owners, funding sources and jurisdictional exposure. Meanwhile, representations and warranties as well as termination rights tied to sanctions breaches on the supplier’s part (including its supply chain) are often included in technology and outsourcing agreements.

Export controls imposed by the UK or other countries can also affect technology and outsourcing arrangements. Customers and suppliers need to consider existing export controls (and associated licence requirements), as well as the impact of any future controls that may be imposed, in their contracts. Export-control-related clauses may include licensing obligations, notification and co-operation duties, changes-in-law provisions and termination rights to ensure that no controlled technology is transferred or accessed in breach of UK or international export-control laws.

As if this were not enough, tariffs have re-emerged as a significant factor in cross-border technology and outsourcing transactions. Governments in major markets are deploying tariffs to protect domestic industries and encourage onshoring of critical technologies. Technology supply arrangements that rely on global supply networks are exposed to fluctuating tariff regimes and origin rules, which can affect pricing and delivery timelines (and even the viability of the transaction). As a result, due diligence in technology transactions increasingly extends to trade-compliance risk, while provisions such as origin warranties, documentation and indemnities as well as price adjustment and termination rights in the event of tariff changes should be considered to manage exposure.

Organisations are having to rethink their sourcing strategies in response to this landscape, for example by diversifying vendors or service delivery locations, to manage geopolitical exposure and ensure regulatory compliance.

Operational Resilience

The UK’s operational resilience regime under the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) and Bank of England – implemented through FCA Policy Statement PS21/3: Building Operational Resilience, the FCA Handbook rules (including SYSC 15A on Operational Resilience) and associated PRA Supervisory Statements SS1/21 – takes an outcomes-focused approach that requires firms to identify important business services, set impact tolerances and test their ability to remain within those tolerances during severe but plausible disruptions. The UK’s initial implementation deadline passed in March 2022, with firms expected to be able to remain within impact tolerances by 31 March 2025. By comparison, the EU’s Digital Operational Resilience Act (DORA), which has applied from January 2025, sets a prescriptive, harmonised framework for ICT risk governance, incident classification and reporting, resilience testing, and oversight of critical third-party providers across the EU. DORA is expressly focused on ICT risk, whereas the UK framework is broader and technology-agnostic, addressing continuity of important business services regardless of the source of disruption (including non-ICT causes such as people, process or facilities).

While the UK regime primarily applies to FCA and PRA authorised firms, it also captures non-UK groups and service providers in practice. This means that UK-authorised subsidiaries and UK branches of overseas firms must meet the UK operational resilience and outsourcing requirements, and UK-regulated firms are expected to flow down access, audit, information, security, sub-outsourcing and exit provisions to third-country providers through contracts and intragroup arrangements. In parallel, the EU’s DORA primarily applies to EU-authorised financial entities but has practical reach beyond the EU in two ways. First, EU firms increasingly require group-level policies and contractual commitments that reflect DORA’s ICT governance, testing and reporting standards, meaning UK and other third-country groups that provide services into the EU or operate via EU entities will need to evidence DORA-aligned controls in their policies and contracts (including intragroup arrangements). Second, DORA establishes EU-level oversight of any ICT third-party provider designated as “critical”, regardless of domicile; as a result, certain non-EU providers – including UK-based ICT and cloud providers – may be brought within direct EU supervisory oversight if designated.

In addition, the statutory regime under the Financial Services and Markets Act 2023 enables the designation and UK-level oversight of third parties that are “critical” to the finance sector – potentially including non-UK providers – so that minimum resilience standards can be set and tested irrespective of the provider’s domicile. Cross-border groups therefore often implement UK-aligned policies and testing standards at group level to evidence compliance in the UK while co-ordinating with DORA where relevant.

The UK regime – set out across the FCA Handbook and the PRA Rulebook – places the emphasis on resilience outcomes: continuity of important business services within impact tolerances, supported by governance, mapping, scenario testing and remediation to address vulnerabilities. It is complemented by detailed FCA and PRA expectations on outsourcing and third-party risk management. By contrast, DORA prescribes standardised obligations for ICT risk management, incident classification and reporting, resilience testing and oversight of ICT third-party risk, and establishes an EU-level oversight regime for critical ICT third-party providers co-ordinated by the European Supervisory Authorities. Both frameworks share a common aim: ensuring that disruptions – whether cyber, technological or operational – do not compromise firms’ ability to serve clients or threaten financial stability.

As a result, firms are reshaping outsourcing and third-party risk frameworks to meet UK expectations, with cross-border alignment with DORA where relevant. In practice, UK-regulated firms are focusing on clearer classification of services as critical or important; strengthening access, audit, information and termination rights; maintaining registers of third-party arrangements; and demonstrating that data, systems and recovery arrangements are segregated, tested and operationally independent. DORA goes further by prescribing minimum contractual elements for ICT services – covering access, audit, information, resilience and testing obligations, sub-outsourcing controls, data and security requirements, termination assistance and orderly exit – and by requiring more granular mapping of ICT assets and interdependencies. The UK has complemented its operational resilience regime with reinforced outsourcing and third-party risk expectations under the FCA Handbook (eg, SYSC 8) and PRA materials, as well as a statutory regime established under the Financial Services and Markets Act 2023 to designate and oversee third parties critical to the finance sector. Under that regime, the FCA, PRA and Bank of England will set and supervise minimum resilience standards for designated providers to mitigate systemic supplier risk.

UK supervisors (FCA, PRA and the Bank of England) are placing increasing weight on concentration risk, particularly reliance on major cloud providers and shared platforms. They expect firms to evidence supplier diversification or robust mitigation where diversification is impracticable, and to conduct scenario testing that follows dependencies end to end through the supply chain and into fourth and fifth parties. DORA’s advanced testing requirements, including threat-led penetration testing aligned with TIBER EU, are conceptually consistent with established UK threat-led testing approaches (eg, CBEST).

In effect, DORA’s prescriptiveness is driving uplift in documentation, mapping and testing, while the UK’s focus on resilience outcomes and impact tolerances is shaping board-level governance and investment priorities. Together, these regimes are reshaping how firms design, monitor and govern ICT ecosystems, with implications not only for financial services but also for the broader digital infrastructure that underpins critical national and cross-border operations in the sector.

Cybersecurity

Cybersecurity has evolved from a technical concern into a core element of corporate governance.

Currently the Network and Information Systems Regulations 2018 (SI 2018/506) (the “NIS Regulations”), which implemented the EU’s original NIS Directive (NIS1), continue to apply in the UK despite the EU’s move towards NIS2. In force since 10 May 2018, the NIS Regulations established a framework to improve the security and resilience of network and information systems used to deliver essential and digital services. The NIS Regulations apply to designated Operators of Essential Services in sectors such as energy, transport, health, water and digital infrastructure and to Relevant Digital Service Providers, ie, online marketplaces, cloud computing services and search engines.

Under the NIS Regulations, Operators of Essential Services must take appropriate and proportionate technical and organisational measures to manage risks to the security of the systems underpinning their essential services and to prevent and minimise the impact of incidents on service continuity. Operators must also report significant incidents to their competent authority and co-operate with investigations. Similar requirements apply to Relevant Digital Service Providers.

Although the NIS Regulations do not prescribe contractual wording, robust technology and outsourcing arrangements will assist with compliance in practice. Contracts supporting essential or digital services should include security and risk management clauses, incident reporting and co-operation procedures, audit and inspection rights, business continuity and disaster recovery commitments, and supply chain management provisions.

Looking forward, the King’s Speech in July 2024 announced the introduction of a Cyber Security and Resilience Bill (the “Bill”), which is intended to strengthen the UK’s cyber defences and enhance the resilience of essential services, critical infrastructure and digital supply chains. The Cyber Security and Resilience Policy Statement issued on 1 April 2025 (“Policy Statement”) indicates that a central objective of the Bill is to expand the scope of the existing regulatory framework. The government intends to bring a wider range of organisations within regulation. This includes managed service providers, which play a vital role in the delivery and operation of IT systems and often have access to clients’ networks and data. The Bill will also introduce a power for regulators to identify and designate specific high-impact suppliers as “designated critical suppliers”, bringing them under obligations comparable to those that apply to Operators of Essential Services and Relevant Digital Service Providers.

A focus of the proposed Bill is supply chain risk management. The Policy Statement indicates that secondary legislation will clarify operators’ and service providers’ duties to assess and manage cyber risks across their supply chains. These obligations are expected to require “appropriate and proportionate” measures – such as contractual security clauses and continuity planning – to prevent vulnerabilities in third parties from undermining the resilience of essential services. Accordingly, if implemented as set out in the Policy Statement, specific contractual requirements will need to be addressed in outsourcing arrangements in the future.

While the Policy Statement indicates that the Bill will include material amendments to the NIS Regulations to align more closely with lessons from the EU’s NIS2 regime, it will not necessarily align completely with the NIS2 Directive. UK-based technology and service providers providing covered services in the EU will need to comply with obligations arising from the NIS2 Directive in addition to the UK regime.

Artificial Intelligence in Technology and Outsourcing Transactions

AI has moved from concept to core capability, redefining how services are delivered in practically every industry sector. In outsourcing and technology transactions, AI is no longer a peripheral capability – it is central to the supplier’s offering, and increasingly a key differentiator in the RFI/RFP process.

As AI systems mature, negotiations increasingly revolve around ownership, use rights and accountability. Customers often seek to prevent the training of the supplier’s and third-party models on their data, while suppliers aim to protect and reuse proprietary algorithms and training methodologies. Clauses now commonly address how fine-tuned or retrained models may be reused or commercialised after contract termination.

Unlike the EU, the UK does not have overarching AI legislation and relies on existing legal frameworks to regulate the use of AI. This principles-based, sectoral stance towards AI differs from the EU AI Act, which provides a more prescriptive framework that classifies systems by risk level and imposes compliance obligations accordingly.

Because the EU regime applies extraterritorially, UK suppliers offering AI systems in the EU must ensure parallel compliance. Many are therefore adopting hybrid governance models aligned with both UK and EU frameworks to maintain credibility with customers and regulators alike, and to avoid the interoperability issues that can arise with bifurcated development processes.

AI systems introduce new categories of risk and amplify others such as bias, error, opacity and dependency on external data. Contracts are evolving to address these through warranties on the quality and provenance of training data, indemnities for misuse, IP infringement or bias, obligations in relation to transparency, explainability and model auditability, and continuous monitoring and validation clauses.

Data protection remains pivotal. The use of personal data in training and automated decision-making engages UK GDPR principles on fairness and transparency. Clients now expect detailed disclosure of data-use practices and mitigation of bias, while providers seek to preserve IP protection and confidentiality.

Ethical governance (for example, responsible AI and human oversight) is increasingly reflected in contracts or supplier codes of conduct.

AI tools are also transforming the transaction process itself. Generative AI systems are now used in due diligence, contract analysis and drafting, providing efficiency gains but raising concerns about data leakage and output reliability. Many firms are developing internal frameworks for secure and responsible AI adoption, balancing productivity with confidentiality and risk management.

Cross-Border Data Transfers

The regulation of data, particularly personal data, continues to have a significant impact on delivery models for data-driven technology and outsourcing agreements. Different countries are pursuing distinct strategies for regulating data that reflect their national priorities, including privacy, data localisation, government oversight and data-driven growth.

In the UK, the Data (Use and Access) Act 2025 (DUAA), which modernises the UK’s data protection and e-privacy regimes, received Royal Assent on 19 June 2025. The DUAA amends the UK General Data Protection Regulation, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003, including reforms to international data transfers. These changes to the international data transfer requirements are expected to take effect approximately six months after Royal Assent.

The changes under the DUAA relating to international data transfers are intended to ease cross-border data flows and may therefore simplify this aspect of technology and outsourcing transactions. Among other things, the DUAA replaces the UK’s reliance on adequacy decisions with a more flexible framework under which transfers to third countries may occur through “transfers approved by regulations” (with ongoing monitoring obligations for the Secretary of State). Under the DUAA, the Secretary of State may take into account any factor considered relevant, including the desirability of facilitating international transfers of personal data, when approving a transfer. The Act also introduces a new – and arguably lower – data protection test, requiring the Secretary of State to assess whether the level of protection in a third country is “not materially lower” than that provided under UK law. However, it remains to be seen whether these changes will, in practice, facilitate easier cross-border transfers.

While the DUAA aims to preserve the UK’s EU adequacy status, the EU’s adequacy decision on the UK regime is due for renewal on 27 December 2025. Any loss of adequacy would have material consequences for the transfer of personal data between the UK and EU, potentially necessitating the use of Standard Contractual Clauses or other transfer safeguards. Further, any UK organisation that is subject to EU GDPR will need to continue to comply with EU GDPR as well as the UK data protection laws.

Elsewhere, data localisation remains a higher regulatory priority. China’s Personal Information Protection Law and Saudi Arabia’s Personal Data Protection Law each impose varying degrees of restrictions or conditions on cross-border data transfers with the effect that certain data may need to remain within national borders.

This complex landscape is driving organisations to adopt integrated data governance models. Contracts are evolving accordingly in cross-border technology and outsourcing relationships.

Gibson, Dunn & Crutcher UK LLP

Telephone House
2-4 Temple Avenue
London EC4Y 0HB
United Kingdom

+44 207 071 4290

abeal@gibsondunn.com www.gibsondunn.com