IT contracting – from negotiation to management and exit: 10 commands

Businesses are increasingly engaged in the digital transformation of their processes and in constant need of a wide array of IT services going from software (especially so-called Enterprise Resource Planning (ERP) software) to hosting services. This leads to a multiplication of IT arrangements and contracts.

Businesses are increasingly engaged in the digital transformation of their processes and in constant need of a wide array of IT services going from software (especially so-called Enterprise Resource Planning (ERP) software) to hosting services. This leads to a multiplication of IT arrangements and contracts. Often different aspects of these services (licensing, integration, maintenance/support, etc.) are the object of several distinct but interrelated agreements. This and the complexity of the services make that the negotiation and the management of IT contracts become challenging for the in-house counsel.

  1. Major IT vendors – get the balance right. It is a myth that no negotiation is possible with major IT service providers (IT SP) and BigTech. It is difficult but you can negotiate with them. If not, see to what extent the Belgian provisions on unfair b-to-b clauses can be invoked (the choice of Belgian law as applicable law would help). For financial institutions: do not forget to invoke sector specific provisions (EBA guidelines on outsourcing, the EU Digital Operational Resilience Act …).
  1. Scope – be careful what you wish for. Many IT SPs present their solution as adapted to your needs. Define first what those actually are, provide them to the vendor (e.g., in the form of an RfP) and check the offered solutions against them. Make sure that your exchanges are part of the contractual framework and are not excluded per a four-corner clause.
    The IT SP has also an obligation to duly inform you and do not hesitate to claim the IT SP’s assistance.
  1. Contract management – ménage à trois or more. Check on all contractual documents that must be concluded in the same context (licensing, integration, maintenance/support etc.) and whether they are consistent and, for example :
  • limit paying license fees before the go-live of the solution ;
  • limit paying for corrective maintenance during a contractual warranty period ;
  • check on the effect of termination of interdependent contracts ;
  • check on the IT SP legal entities which can be different in function of the type of contract, etc.
  1. Licensing – get the metrics right. Many IT arrangements include a software licensing component. Check on the metrics, e.g., whether they apply to actual, concurrent or potential users or CPUs and how that plays out in a virtualisation context (which often includes a multiplication of potential users).
  1. Open source ≠ free and unlicensed. Ask explicitly as to the use of open source in the procured IT solutions and check your future use against the license terms to which the use of open source is subject.
  1. Agile – too many cooks (can) spoil broth. The agile method of IT developments and deployments (short iterative sprint cycles vs. the classic waterfall linear approach in phases) is popular. If not well documented and in the absence of adequate IP clauses, the risk of discussions about the IP ownership of the results is quite high given its collaborative character between IT SP and customer.
  1. Vendor lock in – make sure you have the keys. IT is often the backbone of your organisation. If the failure of a particular IT SP risks to disrupt your operations, integrate contingency planning and back-ups to assure business continuity

    In case of persistent problems, you should be able to easily migrate to another solution and an exit planning should be foreseen upfront.

    In case of dependence on a particular IT SP also think about asking about the pricing principles that would applied after a first contract period. Limit the possibility for the vendor to impose significant price increases unilaterally.

    For important software developments, an escrow arrangement in case of the IT SP’s insolvency is not a luxury.
  1. Liability & remedies – get coverage. The IT SP’s liability will be assessed in the light of it “best efforts” character or whether specific results must be reached. The latter must be laid down in a Service Level Agreement (SLA), often in relation to maintenance and support as well as solution availability with defined criticality levels. In order to be effective penalties should be foreseen in case of non-compliance with the agreed levels.

    Be aware of sole remedy clauses and avoid the exclusion of some types of remedies.

    Limitation of liability clause, often excluding liability for indirect damages. Make sure that examples of indirect damages are really indirect. E.g., a loss of data in the context of software development and testing can be an indirect damage but when deployment and data migration is one of the IT SP’s tasks it may be not. Also assure that monetary limitations are commensurate with the direct damages that the IT SP could cause.
  1. Information security – a collective effort. IT SPs are an – often forgotten – element in the chain of your information security and their responsibility should be adequately addressed in the respective contracts. Regulations affecting some particular sectors (NIS 2 Directive for essential sectors plus DORA for the financial sector) have laid down concrete obligations in terms of ICT risk and data breach notifications, which affects the approach towards IT SPs.
  1. GDPR – when things get personal. Last but not least, many IT SPs process personal data, most often in capacity as a so-called “data processor” acting on instructions of the customer as “data controller” within the meaning of the inevitable GDPR. That relationship must be addressed in a “data processing agreement”. This will be part of the overall IT arrangement and it should be aligned with the latter (service description of the functions, liability etc.). The European Commission has released a model agreement in 2021. This model gains popularity but still requires significant input from the parties.

    If the IT arrangement triggers data transfers to (including access in) non-EEA countries without adequate data protection, carefully check compliance with the GDPR provisions on international data transfers which have become more difficult after the Schrems II judgment of the CJEU. Transfers to self-certified US firms under the Trans-Atlantic Data Privacy Framework will probably be a safe basis for EU-US data flows in the context of cloud computing and other IT services again. However, if data are accessible from countries such as Indian and China, extra precautionary measures should be taken (in terms of encryption and pseudonymisation).

More Partner Blogs

06 February 2023

Antitrust in 2023: 10 key themes - growing unpredictability and brand new enforcement tools

  In 2023 antitrust enforcement globally will continue to respond to calls for it to do more to...

Read More ...

03 February 2023

The importance of company culture in the attraction and retention of legal talent

  It is difficult to attract talent. Candidates are not inclined to change jobs easily. A...

Read More ...

02 February 2023

Client alert – EU Adopts Deforestation-free Products Regulation

  Days before the recent UN Biodiversity Conference (COP15), the European Parliament and the Council...

Read More ...

30 January 2023

A look at Small Modular Reactors, the nuclear industry's coveted new gem

  Small Modular Reactors (hereinafter “SMRs”) are a promising new technology in the field of nuclear...

Read More ...

18 January 2023

A 2023 To Do List for HR Professionals

A 2023 comes with a package of new labor and employment law measures that affect HR.

Read More ...