IT contracting – from negotiation to management and exit: 10 commands

Businesses are increasingly engaged in the digital transformation of their processes and in constant need of a wide array of IT services, ranging from software (especially so-called Enterprise Resource Planning (ERP) software) to hosting services. This leads to a multiplication of IT arrangements and contracts. Often, different aspects of these services (licensing, integration, maintenance/support, etc.) are the object of several distinct but interrelated agreements. Together with the complexity of the services, this makes negotiating and managing IT contracts challenging for in-house counsel.

  1. Major IT vendors – get the balance right. It is a myth that no negotiation is possible with major IT service providers (IT SPs) and Big Tech. It is difficult, but you can negotiate with them. If that fails, see to what extent the Belgian provisions on unfair b-to-b clauses can be invoked (choosing Belgian law as the applicable law would help). For financial institutions: do not forget to invoke sector-specific provisions (EBA guidelines on outsourcing, the EU Digital Operational Resilience Act, etc.).
  2. Scope – be careful what you wish for. Many IT SPs present their solution as adapted to your needs. First define what those needs actually are, provide them to the vendor (e.g., in the form of an RfP) and check the offered solutions against them. Make sure that your exchanges are part of the contractual framework and are not excluded by a four-corner clause.
    The IT SP also has a duty to inform you properly; do not hesitate to call on the IT SP's assistance.
  3. Contract management – ménage à trois or more. Check all contractual documents that must be concluded in the same context (licensing, integration, maintenance/support, etc.), verify that they are consistent and, for example:
  • limit paying license fees before the go-live of the solution;
  • limit paying for corrective maintenance during a contractual warranty period;
  • check the effect of termination of interdependent contracts;
  • check the IT SP legal entities, which can differ depending on the type of contract, etc.
  4. Licensing – get the metrics right. Many IT arrangements include a software licensing component. Check the metrics, e.g., whether they apply to actual, concurrent or potential users or to CPUs, and how that plays out in a virtualisation context (which often multiplies the number of potential users).
  5. Open source ≠ free and unlicensed. Ask explicitly about the use of open source in the procured IT solutions and check your future use against the license terms to which that open source is subject.
  6. Agile – too many cooks (can) spoil the broth. The agile method of IT development and deployment (short iterative sprint cycles, as opposed to the classic waterfall approach of linear phases) is popular. If it is not well documented and adequate IP clauses are absent, the risk of disputes about IP ownership of the results is quite high, given the collaborative character of the work between IT SP and customer.
  7. Vendor lock-in – make sure you have the keys. IT is often the backbone of your organisation. If the failure of a particular IT SP could disrupt your operations, integrate contingency planning and back-ups to ensure business continuity.

    In case of persistent problems, you should be able to migrate easily to another solution, and exit planning should be provided for upfront.

    In case of dependence on a particular IT SP, also ask about the pricing principles that would apply after the first contract period. Limit the vendor's ability to impose significant price increases unilaterally.

    For important software developments, an escrow arrangement covering the IT SP's insolvency is not a luxury.
  8. Liability & remedies – get coverage. The IT SP's liability will be assessed in the light of its "best efforts" character or of whether specific results must be reached. The latter must be laid down in a Service Level Agreement (SLA), often in relation to maintenance and support as well as solution availability, with defined criticality levels. To be effective, penalties should be provided for in case of non-compliance with the agreed levels.

    Be aware of sole remedy clauses and avoid the exclusion of some types of remedies.

    Check the limitation of liability clause, which often excludes liability for indirect damages. Make sure that the examples of indirect damages are really indirect. E.g., a loss of data in the context of software development and testing can be an indirect damage, but when deployment and data migration are among the IT SP's tasks it may not be. Also ensure that monetary limitations are commensurate with the direct damages that the IT SP could cause.
  9. Information security – a collective effort. IT SPs are an – often forgotten – link in the chain of your information security, and their responsibility should be adequately addressed in the respective contracts. Regulations affecting particular sectors (the NIS 2 Directive for essential sectors, plus DORA for the financial sector) have laid down concrete obligations in terms of ICT risk management and data breach notification, which affect the approach towards IT SPs.
  10. GDPR – when things get personal. Last but not least, many IT SPs process personal data, most often in the capacity of a so-called "data processor" acting on the instructions of the customer as "data controller" within the meaning of the inevitable GDPR. That relationship must be addressed in a "data processing agreement". This will be part of the overall IT arrangement and should be aligned with it (service description of the functions, liability, etc.). The European Commission released a model agreement in 2021. This model is gaining popularity but still requires significant input from the parties.

    If the IT arrangement triggers data transfers to (including access from) non-EEA countries without adequate data protection, carefully check compliance with the GDPR provisions on international data transfers, which have become more demanding after the Schrems II judgment of the CJEU. Transfers to self-certified US firms under the Trans-Atlantic Data Privacy Framework will probably once again be a safe basis for EU-US data flows in the context of cloud computing and other IT services. However, if data are accessible from countries such as India and China, extra precautionary measures should be taken (in terms of encryption and pseudonymisation).
