The UK Outsourcing market continues to see growth, albeit at a slower rate than in previous decades. 48% of UK companies outsourced work in 2023 and the total IT and Business Processing Outsourcing market was projected to reach over £54 billion in 2024.

The Financial Services, Technology and Professional Services sectors are key growth sectors for outsourcing operations, particularly through ‘as-a-service’ outsourcing where the service is provided remotely, often via cloud-based solutions, and AI enabled services.

Conversely, public sector outsourcing has seen more measured growth in recent years, as a result of high-profile outsourcing failures (such as the collapse of Carillion in 2018, which impacted many public sector construction and service arrangements) and a pullback in outsourcing following the COVID boom. There has also been a marked shift away from large providers and long-term mega deals to the use of a number of smaller outsourcing providers and deals, and in certain cases public services being brought back in-house.

Many key outsourcing suppliers in the UK market are part of larger, multinational groups. They include Accenture, Capgemini, Wipro, IBM/Kyndryl and TCS from the traditional sourcing market, and AWS, Google, Microsoft, Oracle, Salesforce and SAP from the software ‘as-a-service’ market.

As a general point, the government is keen to drive growth in both the UK’s technology and professional service sectors and is investing in areas such as digital infrastructure, all of which should benefit the outsourcing sector.

As a buyer of outsourced services, the government used to be one of the UK’s main outsourcing customers, regularly engaging in long-term, high profile and high value arrangements. Since the well-publicised collapse of outsourcing provider Carillion in 2018, which impacted hundreds of public sector contracts and led to calls for public sector outsourcing to end, it has taken an increasingly careful approach to outsourcing in the public sector. Concerns that the UK’s National Health Service could be privatised ‘by the back door’ via outsourcing arrangements also means that certain public sector outsourcing remains a political touchpoint.

That said, the current UK government, which came to power in July 2024, has said it is seeking to manage a £22 billion ‘black hole’ in public finances, and many of its current tech-related policies are therefore focussed on using technology to optimise public services, particularly in the NHS. This increasing pressure to enhance efficiency while reducing costs in public service delivery therefore means that outsourcing is likely to remain a significant feature of government operations.

In terms of the regulatory approach to outsourcing, most UK regulators want to ensure that the organisations they regulate outsource in a responsible manner and that outsourcing does not create additional risks (for example financial regulators are concerned about the impact of outsourcing on financial stability and the ability of regulated firms to meet their obligations – see question 3.2 for more information on this). Regulators are keen to stress that organisations cannot outsource their risk. They may therefore hold organisations responsible for the actions of their outsource service providers, particularly where the organisation has failed to carry out sufficient due diligence or supervision/oversight.

Outsourcing in the public sector is governed by the UK’s public procurement laws. These have recently been updated. Contracting authorities intending to start procuring a public contract (which can include an outsourcing arrangement) on or after 24 February 2025 will therefore need to check if they need to comply with the new procurement regime introduced by the Procurement Act 2023 (PA 2023) and the Procurement Regulations 2024 (SI 2024/692) (PR 2024). Contracting authorities covered by this regime include those wholly or mainly funded by public funds, or subject to public authority oversight (whether funded publicly or operating on a commercial basis).  Certain private sector entities can also be classed as contracting authorities for the purposes of the PA 2023 (see question 4.1 below).

The new rules consolidate and update the UK’s public procurement regime. It was previously governed by four different regulations and there were multiple competitive tendering procedures available. The new regime sits under a single framework and contains two competitive tendering procedures for all public contracts – the open procedure and the competitive flexible procedure (although contracting authorities may also be able to use direct award or award under a framework under certain conditions). A public contract must be procured using one of these procedures wherever the relevant criteria are met and no exemptions apply.

In addition to complying with relevant procurement rules, there are various other rules which may need to be followed in respect of public sector outsourcing. For example, the UK government has required suppliers bidding for certain types of public contracts to hold Cyber Essentials or Cyber Essentials Plus certification (or demonstrate that equivalent controls are in place) to ensure appropriate cyber security controls are in place and reduce cyber security risks in supply chains. Also the Outsourcing Playbook (published as a result of the Carillion collapse) aims to improve the way the UK government works with private companies and, in particular, more tightly regulates the public sector decision-making to use private outsourcing, particularly for expensive and/or complex projects (introducing, for example, requirements for delivery model assessments and project validation reviews).

The public sector rules discussed in question 3.1 do also apply to certain private sector organisations operating in sectors which were formerly under national ownership (for example, postal services and utilities companies). These were previously governed by a separate regime – the Utilities Contracts Regulations 2016 – but the Procurement Act 2023 simplified and reduced the volume of procurement legislation.

Apart from this, there are no specific UK procurement laws that apply exclusively to private sector organisations. Private sector procurement is generally governed by common law principles and contractual agreements as well as general and sector specific laws (see question 5).

In the UK, there is no overarching legislation specifically governing outsourcing. However, several general and sector-specific laws are highly relevant. For example, contract law is particularly important. The foundation of any outsourcing arrangement is the contract, which is primarily governed by common law principles. Key provisions in any outsourcing agreement will generally include those governing the terms of service, liability, termination and dispute resolution (see questions 21 and 22).

Other issues typically covered an outsourcing agreement are also governed by specific legal regimes.  Examples here include intellectual property (see questions 9 and 10), data privacy (see questions 12 and 13), employment (see questions 16 and 17) and tax (see question 18). In addition, competition issues may arise (see questions 7 and 8) and an array of digital laws and regulatory guidance (for example around artificial intelligence) may be relevant, particularly where the outsourcing involves the provision of technology or technology-based services (see question 15).

For more information on the sector specific rules which may apply, see question 6.

Note: the UK is made up of England, Wales, Scotland and Northern Ireland. Scotland and Northern Ireland have their own legal systems and this chapter therefore focusses on the laws of England and Wales.

In addition to the general rules mentioned in question 5, a number of sector-specific rules are designed to ensure that sufficient safeguards are in place when outsourcing. For example, public procurement rules (see question 3) govern public sector outsourcing, ensuring transparency and fairness in procurement, while the UK’s Network and Information Systems Regulations impose security and incident notification obligations on operators of essential services and relevant digital service providers (which include cloud providers).

In relation to the financial services sector, there are specific requirements for regulated firms to follow when they outsource. These requirements differ depending on the type of regulated firm and the function being outsourced. For instance “material outsourcings” (where a failure in the services could prevent a regulated firm from complying with key regulatory threshold conditions, principles and fundamental rules) are subject to more extensive requirements.

The regulatory regime relating to outsourcing in the financial services sector comprises various rules, regulations, expectations and guidance, including those set out in the Financial Conduct Authority’s Handbook, Prudential Regulatory Authority’s Rulebook and (in respect of the insurance sector) UK solvency legislation.

In addition, from January 2025, a new critical third parties (CTP) regime took effect which gave financial regulators direct oversight of certain third party service providers (in respect of the services they provide to regulated firms). This unusual extension of the reach of the financial regulators, beyond traditional financial services firms, is a response to the risks that outsourcing could pose to the financial sector.

The UK’s merger control regime is voluntary, meaning that outsourcing arrangements will not “require” notification under its rules in any scenario.  However the Competition and Markets Authority (CMA) can investigate a deal on its own initiative up to four months after it becomes public or after closing (whichever is later).  Choosing not to engage with the CMA where a deal meets the relevant thresholds can therefore carry risks.

Outsourcing arrangements can in theory trigger a voluntary notification, but in practice this is rare.  A deal will only fall within the CMA’s jurisdiction if it results in two or more “enterprises” ceasing to be distinct.  CMA guidance states that outsourcing arrangements involving ongoing supply arrangements will not generally meet this threshold, although they may do so where they involve the long-term or permanent transfer of assets, rights and/or employees to the outsourcing service supplier where these could be used to supply services to third parties.  For example, the CMA would likely regard the transfer of a significant number of employees under TUPE as a strong factor in favour of finding a combination of “enterprises”, unless the agreement provided for their retransfer on termination.

If an outsourcing arrangement does meet this threshold, it will fall within the CMA’s jurisdiction if it meets any of the CMA’s turnover, share of supply or ‘hybrid’ tests (revised on 1 January 2025).

If an outsourcing arrangement is not a merger then it should be self-assessed under antitrust rules, either as a horizontal agreement (between two competitors) or a vertical agreement (between companies active at different levels of the supply chain).  The question is whether the agreement might prevent, restrict or distort competition, either by object or effect; and, if so. whether there are (broadly speaking) economic benefits flowing to consumers which could outweigh those distortions and which could not be achieved by less restrictive means.

Outsourcing agreements between competitors are significantly more risky from an antitrust perspective than those between companies at different levels of the supply chain, particularly if they could lead to the exchange of sensitive information.  By contrast, certain vertical agreements might benefit from an exemption from the need to carry out an individual self-assessment.

The type of IP that will be created in the course of an outsourcing arrangement will vary depending on the business function that is being outsourced and the nature of the services being provided. Any outsourcing agreement will usually need to be drafted broadly to capture any IP rights (including copyright, database rights, know-how and patents) that may be created during the course of the arrangement. Copyright, however, which is an unregistered right in the UK, is often of most relevance. This is because it protects “literary works” (amongst other things), which includes written documents and, perhaps more importantly, computer software. As most outsourcing arrangements will involve the supplier operating some of the customer’s IT systems and providing certain IT services to the customer, it is common for new code to be written during the term of the arrangements, which will attract copyright protection automatically (provided it is original and that certain qualifying criteria are satisfied). Particular consideration will also need to be given to the ownership of rights in reports and data (which may be protectable by a combination of copyright, database rights, trade secrets and duties of confidentiality, although there is no UK IP right in ‘data’ per se) – see further question 11.

Yes. Under the laws of England and Wales, the default position is that any IP that is created by the supplier will be owned by the supplier, unless the contract says otherwise. The customer and the supplier will therefore need to agree how IP created during the course of the outsourcing arrangement should be dealt with and who should own it, which is largely a commercial point for negotiation.

Where supplier-created IP is to be owned by the customer, the outsourcing agreement will need to contain appropriate provisions to assign that IP from the supplier to the customer. It is also possible to assign in advance future UK copyright and database rights (but other IP rights may require a future assignment to be effected).

It is also common under the outsourcing agreement for the parties to license each other relevant IP rights. For example, the supplier may license, rather than assign, rights which are developed in the course of the agreement to the customer and, even where an assignment is agreed, the customer may still require a licence to underlying (background) supplier IP which is incorporated or integrated in, or otherwise required for the use of, the assigned IP. The supplier may also require a licence to use certain customer IP in the provision of the services. Key points for negotiation will include the scope of the permitted use of each party’s IP (for example, whether the IP will be available for use only as required to provide or receive the services, or in the parties’ wider businesses), and whether the licences will survive the expiry or termination of the outsourcing agreement.

Confidential information, know-how and trade secrets are often of particular relevance in an outsourcing arrangement. In most cases, the customer will share its confidential information with the supplier (as part of the initial transfer and during the lifetime of the arrangement) and will likely receive confidential information from the supplier too. New confidential information may also be created during the term of the agreement. Given this, it is important to understand how confidential information, know-how and trade secrets are protected.

There are two principal regimes under the laws of England and Wales:

• the common law relating to the breach of confidence; and
• the Trade Secrets (Enforcement, etc.) Regulations 2018, which implemented those parts of the EU Trade Secrets Directive (Directive 2016/943) that were not already part of UK law.

Trade Secrets are generally regarded as a special subset of confidential information, protecting a ‘higher grade’ of confidential information. Know-how might be protected as either a trade secret or so-called “lower grade” confidential information depending on the know-how in question.

Whilst confidential information, know-how and trade secrets are usually subject to the IP provisions, it is also common for the outsourcing agreement to include robust confidentiality obligations with an indemnity where these provisions are breached.

The processing of personal data is governed by both the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

The UK GDPR is closely aligned with the EU General Data Protection Regulation, but the DPA 2018 includes certain provisions tailoring the regime for the United Kingdom. These rules are in the process of being updated by the Data (Use and Access) Bill.

The UK GDPR regulates the processing of personal data by data controllers (an entity which decide the purpose and means of the processing – this is often the customer in an outsourcing arrangement) and data processors (who process data on behalf of a controller – often the outsourcing supplier). It sets out principles, rights and obligations in relation to personal data which cover issues such as fairness, accuracy and security. Many of these are very relevant in an outsourcing relationship.

For example, under the UK GDPR, when a customer appoints an outsourcing supplier who is processing personal data on that customer’s behalf as part of the services, the customer must carry out sufficient due diligence on the supplier, enter into a written contract with them which contains certain prescribed provisions (for example around following instructions and security), audit them regularly and ensure that the supplier deletes or returns data at the end of the arrangement. It is also common to require the supplier to notify the customer in the event that they suffer from a personal data breach.

Where the processing under the outsourcing could pose a high risk to individuals’ privacy (for example because of the nature of the processing involved or the technology being used) then the customer must also conduct a data protection impact assessment – a form of risk assessment specified by the UK GDPR.

Non-compliance with the UK GDPR can result in regulatory action, including fines. For more information see question 23.

The UK currently has no specific framework for regulating the processing and sharing of non-personal data. However, the UK government has proposed introducing data-sharing ‘Smart Data’ schemes under the Data (Use and Access) Bill. The schemes would help with the secure sharing of customers’ data, upon their request, with third-party providers. The proposed schemes build on the success of the UK’s Open Banking initiative.

Sector-specific regulations – such as those in finance, healthcare and telecommunications –may also impose specific requirements for data handling and sharing.

Finally, organisations must also ensure that data-sharing agreements do not lead to anti-competitive practices, particularly (but not exclusively) where data is being shared between competitors.

Supply chain risk is a key and growing cyber risk area. The UK has seen a number of high-profile cyber incidents where a breach at an outsourcing provider has impacted multiple customer organisations (e.g. the 2023 Capita breach). Outsourcing customers are therefore particularly focussed on security and breach/incident notification obligations in their outsourcing arrangements.

In terms of cyber laws, the UK has a number of laws which manage cyber risk, including the following:

• The UK General Data Protection Regulation (see question 6) contains security and breach notification obligations where personal data is involved, and the data regulator (the Information Commissioner’s Office) has recently issued a fine of £3.07 million to an IT provider (Advanced Computer Software Group) following a cyber breach which impacted its customers.
• The Network and Information Systems (NIS) Regulations (2018) aim to increase cyber resilience in certain critical sectors. They also impose security and incident notification obligations on in-scope organisations, which include operators of essential services in sectors such as energy, transport and health and relevant digital service providers (currently cloud computing services, online search engines and online marketplaces). The UK government plans to introduce the Cyber Security and Resilience Bill which, among other things, will expand the NIS Regulations to cover more digital services, which is likely to directly impact managed service providers. On 1 April 2025 the UK government published a statement providing further detail on the enhanced security requirements, incident reporting duties and regulatory powers expected to be in the Bill.
• Specific rules are also relevant. For example, telecoms operators and internet service providers must follow security and breach notification obligations under the Privacy and Electronic Communications Regulations 2003 whilst the Product Security and Telecommunications Infrastructure Act 2022 and related regulations have established a new regulatory regime to increase the security of consumer connectable devices and products. Cyber also continues to be a regulatory priority for the financial regulators, and regulated firms must ensure they robustly manage and monitor cyber risk, particularly where they outsource.
• Cyber breaches often also give rise to issues under the Computer Misuse Act 1990, which creates a number of offences where there has been unauthorised access or interference with a computer or a distributed denial of service attack. At the time of writing, the UK Government is also consulting on whether to introduce specific laws relating to ransomware attacks and payments. The proposals include a ban on ransomware payments for all public sector bodies, including local government, and for owners and operators of Critical National Infrastructure that are regulated or that have competent authorities (building on the current ban for central government departments). The consultation also seeks views on whether essential suppliers to these sectors should be included in the new rules.

Amongst the technologies commonly used in outsourcing arrangements, some merit specific attention. For example:

• Cloud: cloud services are widely used in the UK. The UK government has a ‘cloud first’ policy for the public sector and the financial regulators consider cloud providers to be critical third parties that require regulation (see question 4 above). The security around cloud services is primarily regulated by the Network and Information System Regulations (2018), which impose security and incident notification obligations on them (see question 14.2). Additionally, the Competition Markets Authority is investigating the supply of public cloud infrastructure services following concerns about the difficulty of switching suppliers.
• AI: as AI deployment increases within the UK, organisations are procuring certain AI services through their key managed service providers (Microsoft CoPilot being a key example). The UK has taken a sector-specific approach to AI regulation, with the data, financial, competition and medical regulators taking a particular interest in AI development and deployment within their remit. The UK’s AI framework is underpinned by a set of five principles, to which all regulators must have regard, and centralised functions (like a sandbox and risk register). The UK Government’s response to the AI Opportunities Action Plan it commissioned also discusses enabling safe and trusted AI development and adoption through regulation, safety and assurance. It will, for example, consult on new proposed AI legislation for the most powerful AI models and is currently consulting on how to ensure the UK has a competitive copyright regime.
• Robotic Process Automation (RPA): RPA has been a widely used technology in outsourcing arrangements for many years, particularly given its ability to innovate and automate many back-office functions. Developments in intelligent automation, which combine technologies such as RPA and AI, mean its popularity is set to continue. While there is no specific legal regime governing RPA, other regimes may be applicable (for example the laws around AI, personal data and intellectual property).
• Blockchain and other distributed ledger technologies (DLTs): while blockchain and other DLTs are not generally used to provide mainstream outsourcing services, they are increasingly used to manage supply chain issues. Also, where organisations (in sectors such as financial services) are looking to develop blockchain or similar solutions, the development of the technology itself is often outsourced. The use of DLTs raises a number of complex legal issues and risks (e.g. privacy concerns) but does not currently have its own regulatory regime.

In the UK, the Transfer of Undertakings (Protection of Employment) Regulations 2006 (“TUPE”) may have specific implications for outsourcing arrangements. TUPE contains provisions governing “service provision changes”, which include a scenario where activities cease to be carried out by a client on its own behalf and are carried out instead by a contractor on the client’s behalf. Similar provisions also govern insourcings and second-generation outsourcings. There are however four additional conditions which must be met:

• The activities must be fundamentally the same before and after the service provision change.
• The activities must not consist wholly or mainly of the supply of goods (as opposed to services) for the client’s use.
• Immediately before the service provision change, there must be an organised group of employees situated in Great Britain with the principal purpose of carrying out the relevant activities on behalf of the client.
• There must be an intention that the activities will not be carried out on a one-off basis nor under a contract of short duration.

The implications of TUPE are explored further in question 17 below.

If TUPE applies, the employment contracts of the employees assigned to the relevant services are automatically transferred to the contractor. If it is unclear which employees are in fact assigned, the outsourcing agreement will typically contain provisions to specify which employees are expected to transfer, and deal with any unintended transfers.

In addition, all of the transferor’s rights, powers, duties and liabilities in connection with the employees will pass to the transferee (with some limited exceptions). It is therefore important for an outsourcing agreement to apportion costs and liabilities by means of warranties and indemnities. TUPE also prescribes a form of statutory due diligence, whereby the transferor must provide the transferee with “employee liability information” about the transferring employees. This is particularly important on second-generation outsourcings, where the outgoing contractor may be otherwise unwilling to assist the incoming contractor.

If any employee is dismissed by reason of the outsourcing, this will be automatically unfair under TUPE (potentially giving rise to enhanced compensation), unless there is an economic, technical or organisation reason for the dismissal (which is difficult to establish outside a redundancy scenario). TUPE also renders void any changes to an employee’s terms and conditions which is made by reason of the transfer, which can present challenges where there is a need to harmonise terms.

Before the transfer takes place, the employer of affected employees must undertake an information and consultation process, typically with elected employee representatives. There is no prescribed timeframe for this process, although it would commonly take several weeks. Failure to comply may result in protective awards of up to 13 weeks’ pay per affected employee.

Depending on the nature of the service being outsourced, there may be a supply on which VAT (Value Added Tax) is payable.

• Where the service provider and the service recipient are both based in the UK, the service provider charges and collects VAT. However, where the service provider is based outside the UK, it may not have to charge any VAT. Instead, the service recipient may (depending on its location) be required to operate the reverse charge procedure and account for VAT relating to the supply, as if it had made the supply itself.
• Where both the service provider and the service recipient make taxable supplies and fully recover their input VAT, any VAT payable on the service fees should be fully recoverable by the service recipient. However, if the service recipient makes exempt supplies, its input VAT would not be fully recoverable, or only in accordance with its partial exemption method.

The service recipient will also be concerned that the payment of service fees is a deductible cost for tax purposes. In addition, if any payments are to related parties, the parties will need to consider whether any adjustments need to be made under transfer pricing rules, (rules which broadly require that, in calculating a company’s corporation tax liability, an arm’s length price is used for supplies between related parties), and, if there is a cross-border element, whether any payments will be subject to deductions or withholdings on account of tax.

The UK has a range of ESG-related legislation including the Greenhouse Gas Emissions Trading Scheme Order 2020, Modern Slavery Act 2015, Bribery Act 2010 and Waste Electrical and Electronic Equipment Regulations 2013. There are also climate reporting provisions in the Companies Act 2006 and UK Listing Rules. Given that outsourcing service providers are often a key part of an organisation’s supply chain, it is common for outsourcing customers to carry out due diligence on ESG issues when selecting their suppliers, and to seek assurances from their suppliers around compliance with such laws. For example, organisations need to prepare an annual slavery and human trafficking statement under the Modern Slavery Act and these statements often include details of the organisation’s due diligence processes and terms with their suppliers.

In relation to climate-related disclosures under the Companies Act 2006 and UK Listing Rules (which are expected to be updated and amended to create the UK Sustainability Reporting Standards in 2025/26), organisations may require information from their supply chain in order to meet their reporting obligations. EU ESG-related initiatives, such as the Corporate Sustainability Due Diligence Directive, which requires organisations to carry out due diligence on parts of their value chain and have plans to address any adverse human rights and environmental impacts they find, are also creating pressure on the UK to follow suit. In both cases, outsourcing arrangements may need to be structured in a way that provides for these expectations to be met.

Large organisations will often procure their major outsourcing arrangements on a global, or at least multi-jurisdictional, basis. This creates a number of issues which must be considered, including how to structure the global arrangement in a way that ensures sufficient central control while enabling local implementation (including any required changes to the structure or terms of the outsourcing to ensure compliance with mandatory local laws and regulations). The fact that the arrangement involves the provision of services or transfer of assets across borders may also create issues. For example:

• Under the UK General Data Protection Regulation (UK GDPR), where the outsourcing arrangement involves personal data being transferred outside the UK, that personal data can only be transferred if the recipient jurisdiction provides a level of protection which is essentially equivalent to that in the UK. Accordingly, the UK GDPR only permits transfers where the UK Government has assessed the third country as providing an adequate level of protection, where appropriate safeguards are put in place, or where a number of narrow exemptions apply. An example of an appropriate safeguard which is commonly used in outsourcing arrangements would be where standard data protection clauses issued by the UK Information Commissioner’s Office (ICO) are entered into by the parties to the outsourcing, or between the supplier and its sub-contractors (depending on where in the chain the data transfer takes place). It should be noted that the Data (Use and Access) Bill is set to amend the current UK GDPR international transfer provisions, including by replacing the ‘essentially equivalent’ standard with a ‘not materially lower’ standard.
• There may be tax considerations where services are being received and/or supplied in different jurisdictions.
• If the outsourcing arrangement includes the export or transfer of goods, software or technology (including data, information and technical assistance) which either has a military use or comprises dual-use items (i.e. items which could be used for both civilian and military applications which may include, for example, encryption technologies), then the UK’s strategic export controls may apply. The exporter may require an export licence, and it is a criminal offence to export controlled goods without the correct licence. Outsourcing arrangements therefore sometimes contain provisions to confirm compliance with export control laws.

Outsourcing arrangements typically involve detailed negotiations around the liability provisions, and it is common for many heads of loss to be contractually excluded. In general, commercial parties may apportion risk of loss as they see fit and contractual exclusions of liability tend to be enforceable provided that clear drafting is used. When construing a liability clause, there is a presumption that neither party intends to abandon remedies arising by law, and clear words are needed to rebut that presumption, with limitations likely to be looked on more favourably than exclusions.

That said, there are certain limits on such contractual exclusions and a clause should not exclude a party’s liability for breach of all its obligations or leave a party without any meaningful remedy for breach. Certain types of liability cannot be excluded, and some may only be excluded where the term is reasonable. For example, a party cannot exclude liability for its own fraud or for death or personal injury caused by a lack of reasonable care. Also, a limitation on liability for misrepresentation is void unless it is reasonable. Where an outsourcing involves a transfer of goods, liability for supplying the goods without the right to do so cannot be excluded, limits on liability for statutory implied terms as to quality, description and sample are void unless reasonable, and terms must be interpreted as supplementing, rather than ousting, statutory implied terms where possible. More generally, where businesses deal on one party’s written standard terms of business, the Unfair Contract Terms Act 1977 provides that any term limiting that party’s liability for breach is void unless reasonable.

Outsourcing arrangements often contain a variety of mechanisms to resolve disputes.

There may be detailed governance and service management processes within the outsourcing agreement, aimed at identifying and managing potential service issues and other sources of dispute, and a tiered escalation process aimed at resolving disputes without recourse to legal remedies. The agreement may also allow for the payment of specific service credits (linked to a failure to meet agreed service levels) and/or liquidated damages (which, under the laws of England and Wales, will be void if they amount to a penalty) in the event of performance issues, which may help avoid protracted disputes as to the amount of compensation that may be payable in such circumstances. Alternative remedies provided for in the contract may include proactive remediation obligations on the supplier and step-in provisions which give the customer an ability to take over certain aspects of the supplier’s operations and/or responsibilities on a temporary or longer-term basis.

For contractual disputes that cannot be resolved between the parties, an outsourcing agreement will need to specify whether such disputes will ultimately be resolved in the courts or by arbitration. The courts of England and Wales are well-respected and recognised as providing a flexible and robust forum for the resolution of contractual disputes whilst London is widely considered to be one of the preferred arbitral seats and the law of England and Wales is frequently chosen by parties as the governing law for international arbitration. The London Court of International Arbitration is a leading international arbitral institution based in the UK. In addition, the parties may agree to follow a mediation process prior to launching court or arbitration proceedings.

In terms of contractual remedies, as a basic distinction breach of a condition (which is a significant term of the contract – often described as one which goes to the heart of the contract) provides both a potential damages claim and a right to terminate whereas breach of other terms (warranties) only gives rise to a right to claim damages.

There are other remedies available under the laws of England and Wales, for example injunctions and specific performance, but these are not typically called upon in a long-term service arrangement.

In practice, many contractual disputes relating to outsourcing arrangements are resolved by the parties by means of a settlement arrangement and/or contract renegotiation, rather than termination and/or formal damages claims. This is particularly true when the nature of the outsourcing is such that the parties are focused on preserving a long-term relationship or, where the party in breach is the supplier, the customer would find it difficult to transition to another supplier.

The parties to an outsourcing arrangement can face regulatory enforcement action if things go wrong. For example:

• GDPR: a breach of the UK GDPR can result in a fine of up to the greater of £17.5 million and 4% of annual worldwide turnover and both service providers and customers can be fined, depending on the circumstances. For example, in March 2025, the ICO issued a fine of £3.07 million to an IT supplier (Advanced Computer Software Group) following a breach of the UK GDPR’s security obligations. The security failings resulted in them suffering a ransomware attack which impacted their customers, including NHS service providers, and vulnerable individuals. Fines are not, however, the ICO’s only possible sanction. It can also issue reprimands, enforcement notices and information notices. In the last two years, under the latest Information Commissioner (John Edwards) the ICO has made greater use of its non-fining powers. This has included ‘naming and shaming’ organisations for non-compliance by issuing public reprimands, and publishing data sets containing lists of organisations who have self-reported data breach incidents.
• Financial regulation: the regulators have a wide range of enforcement powers that they may exercise with respect to a regulated firm, including issuing fines. For example, Equifax was fined by both the data regulator (the ICO) and the Financial Conduct Authority following a data breach where it failed to monitor and manage the security of consumer data it had outsourced to its parent company. Other examples of measures the regulators may take include public censure, issuing private warnings, auditing the regulated firm or prohibiting an individual from carrying out regulated activities. In the case of a supplier that constitutes a critical third party, the regulators can also impose conditions or limitations on the services the relevant party provides to the regulated firm.