The UK outsourcing market in 2026 remains a mature and strategically significant component of the UK services economy, characterised by steady growth, increasing technological sophistication and a continued shift from cost-driven contracting towards value‑based sourcing models. The market, which continues to be dominated by both IT and business process outsourcing, is expected to grow at a compound annual growth rate of 10.2% through to 2030, and the UK is the leading IT outsourcing market in Europe. Growth continues to be driven by the pursuit of cost efficiencies (particularly against a backdrop of rising employment costs, opportunities for synergies resulting from the use of AI and the pressure to reduce internal overheads) alongside the strategic need to access specialist skills through third‑party providers.

Demand is increasing for ‘as‑a‑service’ models, under which services are delivered remotely (often via cloud‑based platforms) and on a subscription basis. Additionally, AI is expected to play an increasingly important role within the outsourcing market, as providers shift from experimental AI use (primarily to augment/enhance existing offerings) towards offering autonomous agentic AI systems. From a customer perspective, ESG credentials, security and geopolitical resilience are becoming increasingly important factors in the selection of outsourced service providers.

In terms of the focus of demand, financial services, government and public sector services, healthcare, retail and telecommunications are all particularly active sectors for outsourcing.

Many key outsourcing suppliers in the UK market are part of larger, multinational groups. They include Accenture, Capgemini, Wipro, Kyndryl and TCS from the traditional sourcing market, and AWS, Google, Microsoft, Oracle, Salesforce and SAP from the software ‘as-a-service’ and cloud market. On the BPO side, providers such as Capita and TTEC continue to hold substantial market share.

As a general point, the government is keen to drive growth in both the UK’s technology and professional service sectors and is investing in areas such as digital infrastructure, all of which should bring benefits to the broader outsourcing sector.

As a buyer of outsourced services, the government used to be one of the UK’s main outsourcing customers, regularly engaging in long-term, high profile and high value arrangements. Since the well-publicised collapse of outsourcing provider Carillion in 2018, which impacted hundreds of public sector contracts and led to calls for public sector outsourcing to end, it has taken an increasingly careful approach to outsourcing in the public sector. Concerns that the UK’s National Health Service could be privatised ‘by the back door’ via outsourcing arrangements also means that certain public sector outsourcing remains a political touchpoint.

The current UK government is operating under a strict fiscal mandate to ensure the day-to-day budget is in surplus by the 2029/2030 forecast year. Whilst there remains a drive to use technology to optimise public services, particularly in the NHS, there are signs that the government’s view is shifting from regarding public sector outsourcing as a way to optimise and save to viewing it with increased scepticism and emphasising that there should not be an ‘outsourcing by default’ attitude. The Cabinet Office recently announced that departments will be told to assess whether outsourced service contracts worth over £1m could be delivered more effectively in-house, while larger departments spending more than £100m a year on contracts will be expected to publish an insourcing strategy setting out how they plan to bring services back in-house in instances where this represents better value. See also the implications of the Employment Rights Act 2025 as detailed in question 16 below.

In terms of the regulatory approach to outsourcing, most UK regulators want to ensure that the organisations they regulate outsource in a responsible manner and that outsourcing does not create additional risks (for example financial regulators are concerned about the impact of outsourcing on financial stability and the ability of regulated firms to meet their obligations – see question 6 for more information on this). Regulators are keen to stress that organisations cannot outsource their risk. They may therefore hold organisations responsible for the actions of their outsourced service providers, particularly where the organisation has failed to carry out sufficient due diligence or supervision/oversight. At the same time, some outsource providers are facing increased regulation. For example, the Cyber Security and Resilience Bill brings managed service providers in scope of the UK’s cyber laws designed to protect critical services – see question 14 for more information.

Outsourcing in the public sector is governed by the UK’s public procurement laws. Since 24 February 2025, in-scope contracting authorities intending to start procuring a public contract (which can include an outsourcing arrangement) need to comply with the procurement regime introduced by the Procurement Act 2023 (PA 2023) and the Procurement Regulations 2024 (SI 2024/692) (PR 2024). Contracting authorities covered by this regime include those wholly or mainly funded by public funds, or subject to public authority oversight (whether funded publicly, or operating on a commercial basis in the case of utilities contracts).  Certain private sector entities can also be classed as contracting authorities for the purposes of the PA 2023 (see question 4 below).

These rules consolidated and updated the UK’s public procurement regime. It was previously governed by four different regulations and there were multiple competitive tendering procedures available (which continue to apply to procurements which began prior to 24 February 2025). The updated regime sits under a single framework and contains two competitive tendering procedures for all public contracts – the open procedure and the competitive flexible procedure (although contracting authorities may also be able to use direct award or award under a framework under certain conditions). A public contract must be procured using one of these procedures wherever the relevant criteria are met and no exemptions apply.

In addition to complying with relevant procurement rules, there are various other rules which may need to be followed in respect of public sector outsourcing. For example, the UK government has required suppliers bidding for certain types of public contracts to hold Cyber Essentials or Cyber Essentials Plus certification (or demonstrate that equivalent controls are in place) to ensure appropriate cyber security controls are in place and reduce cyber security risks in supply chains. Also the Outsourcing Playbook (published as a result of the Carillion collapse) aims to improve the way the UK government works with private companies and, in particular, more tightly regulates the public sector decision-making to use private outsourcing, particularly for expensive and/or complex projects (introducing, for example, requirements for delivery model assessments and project validation reviews).

The public sector rules discussed in question 3 do also apply to certain private sector organisations operating in sectors defined as “utility activities” under the PA 2023 (for example, the provision of a public electricity transmission network). These were previously governed by the Utilities Contracts Regulations 2016 (UCRs) – but the PA 2023 consolidated and updated this aspect of procurement legislation (as noted in question 3, the UCRs will continue to apply to procurements which began before 24 February 2025).

Apart from this, there are no specific UK procurement laws that apply exclusively to private sector organisations. Private sector procurement is generally governed by common law principles and contractual agreements as well as general and sector specific laws (see question 5).

In the UK, there is no overarching legislation specifically governing outsourcing. However, several general and sector-specific laws are highly relevant. For example, contract law is particularly important. The foundation of any outsourcing arrangement is the contract, which is primarily governed by common law principles. Key provisions in any outsourcing agreement will generally include those governing the terms of service, liability, termination and dispute resolution (see questions 21 and 22).

Other issues typically covered in an outsourcing agreement are also governed by specific legal regimes. Examples here include intellectual property (see questions 9 and 10), data privacy and cyber security (see questions 12, 13 and 14), employment (see questions 16 and 17) and tax (see question 18). In addition, competition issues may arise (see questions 7 and 8) and an array of digital laws and regulatory guidance (for example around artificial intelligence) may be relevant, particularly where the outsourcing involves the provision of technology or technology-based services (see question 15).

For more information on the sector specific rules which may apply, see question 6.

Note: the UK is made up of England, Wales, Scotland and Northern Ireland. Scotland and Northern Ireland have their own legal systems and this chapter therefore focusses on the laws of England and Wales.

In addition to the general rules mentioned in question 5, a number of sector-specific rules are designed to ensure that sufficient safeguards are in place when outsourcing. For example, public procurement rules (see question 3) govern public sector outsourcing, ensuring transparency and fairness in procurement, while the UK’s Network and Information Systems Regulations impose security and incident notification obligations on operators of essential services and relevant digital service providers (which include cloud providers, with updates to the regime also looking to bring managed service providers in scope – see question 14).

In relation to the financial services sector, there are specific requirements for regulated firms to follow when they outsource. These requirements differ depending on the type of regulated firm and the function being outsourced. For instance “material outsourcings” (where a weakness or failure of the services could prevent a regulated firm from complying with key regulatory threshold conditions, principles and fundamental rules) are subject to more extensive requirements.

The regulatory regime relating to outsourcing in the financial services sector comprises various rules, regulations, expectations and guidance, including those set out in the Financial Conduct Authority’s Handbook and Prudential Regulation Authority’s Rulebook.

In addition, from January 2025, a critical third parties (CTP) regime took effect which gave financial regulators direct oversight of certain third party service providers (in respect of the services they provide to regulated firms). This unusual extension of the reach of the financial regulators, beyond traditional financial services firms, is a response to the risks that outsourcing could pose to the financial sector.

The UK’s merger control regime is voluntary, meaning that outsourcing arrangements will not “require” notification under its rules in any scenario.  However the Competition and Markets Authority (CMA) can investigate a deal on its own initiative up to four months after it becomes public or after closing (whichever is later).  Choosing not to engage with the CMA where a deal meets the relevant thresholds can therefore carry risks.

Outsourcing arrangements can in theory trigger a voluntary notification, but in practice this is rare.  A deal will only fall within the CMA’s jurisdiction if it results in two or more “enterprises” ceasing to be distinct.  CMA guidance states that outsourcing arrangements involving ongoing supply arrangements will not generally meet this threshold, although they may do so where they involve the long-term or permanent transfer of assets, rights and/or employees to the outsourcing service supplier where these could be used to supply services to third parties.  For example, the CMA would likely regard the transfer of a significant number of employees under TUPE as a strong factor in favour of finding a combination of “enterprises”, unless the agreement provided for their retransfer on termination.

If an outsourcing arrangement does meet this threshold, it will fall within the CMA’s jurisdiction if it meets any of the CMA’s turnover, share of supply or ‘hybrid’ tests.

If an outsourcing arrangement is not a merger then it should be self-assessed under antitrust rules, either as a horizontal agreement (between companies active at the same level of the supply chain) or a vertical agreement (between companies active at different levels of the supply chain). The question is whether the agreement might prevent, restrict or distort competition, either by object or effect; and, if so, whether there are (broadly speaking) economic benefits flowing to consumers which could outweigh those distortions and which could not be achieved by less restrictive means.

Outsourcing agreements between competitors (i.e. those active at the same level of the supply chain) are significantly more risky from an antitrust perspective than those between companies at different levels of the supply chain, particularly if they could lead to the exchange of sensitive information.  By contrast, certain vertical agreements might benefit from an exemption from the need to carry out an individual self-assessment.

The type of IP that will be created in the course of an outsourcing arrangement will vary depending on the business function that is being outsourced and the nature of the services being provided. Any outsourcing agreement will usually need to be drafted broadly to capture any IP rights (including copyright, database rights, know-how and patents) that may be created during the course of the arrangement. Copyright, however, which is an unregistered right in the UK, is often of most relevance. This is because it protects “literary works” (amongst other things), which includes written documents and, perhaps more importantly, computer software. As most outsourcing arrangements will involve the supplier operating some of the customer’s IT systems and providing certain IT services to the customer, it is common for new code to be written during the term of the arrangements, which will attract copyright protection automatically (provided it is original and that certain qualifying criteria are satisfied). Particular consideration will also need to be given to the ownership of rights in reports and data (which may be protectable by a combination of copyright, database rights, trade secrets and duties of confidentiality, although there is no UK IP right in ‘data’ per se) – see further question 11.

Yes. Under the laws of England and Wales, the default position is that any IP that is created by the supplier will be owned by the supplier, unless the contract says otherwise. The customer and the supplier will therefore need to agree how IP created during the course of the outsourcing arrangement should be dealt with and who should own it, which is largely a commercial point for negotiation.

Where supplier-created IP is to be owned by the customer, the outsourcing agreement will need to contain appropriate provisions to assign that IP from the supplier to the customer. It is also possible to assign in advance future UK copyright and database rights (but other IP rights may require a future assignment to be effected).

It is common under the outsourcing agreement for the parties to license each other relevant IP rights. For example, the supplier may license, rather than assign, rights which are developed in the course of the agreement to the customer and, even where an assignment is agreed, the customer may still require a licence to underlying (background) supplier IP which is incorporated or integrated in, or otherwise required for the use of, the assigned IP. The supplier may also require a licence to use certain customer IP in the provision of the services. Key points for negotiation will include the scope of the permitted use of each party’s IP (for example, whether the IP will be available for use only as required to provide or receive the services, or in the parties’ wider businesses), and whether the licences will survive the expiry or termination of the outsourcing agreement.

Confidential information, know-how and trade secrets are often of particular relevance in an outsourcing arrangement. In most cases, the customer will share its confidential information with the supplier (as part of the initial transfer and during the lifetime of the arrangement) and will likely receive confidential information from the supplier too. New confidential information may also be created during the term of the agreement. Given this, it is important to understand how confidential information, know-how and trade secrets are protected.

There are two principal regimes under the laws of England and Wales:

• the common law relating to the breach of confidence; and
• the Trade Secrets (Enforcement, etc.) Regulations 2018, which implemented those parts of the EU Trade Secrets Directive (Directive 2016/943) that were not already part of UK law.

Trade secrets are generally regarded as a special subset of confidential information, protecting a ‘higher grade’ of confidential information. Know-how might be protected as either a trade secret or so-called “lower grade” confidential information depending on the know-how in question.

Whilst confidential information, know-how and trade secrets are usually subject to the IP provisions, it is also common for the outsourcing agreement to include robust confidentiality obligations with an indemnity where these provisions are breached.

The processing of personal data is governed by both the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018). The UK GDPR is closely aligned with the EU General Data Protection Regulation, but the DPA 2018 includes certain provisions tailoring the regime for the United Kingdom. The Data (Use and Access) Act 2025 has made some modest amendments to the UK GDPR and the DPA 2018.

The UK GDPR regulates the processing of personal data by data controllers (an entity which decide the purpose and means of the processing – this is often the customer in an outsourcing arrangement) and data processors (who process data on behalf of a controller – often the outsourcing supplier). It sets out principles, rights and obligations in relation to personal data which cover issues such as fairness, accuracy and security. Many of these are very relevant in an outsourcing relationship.

For example, under the UK GDPR, when a customer appoints an outsourcing supplier who is processing personal data on that customer’s behalf as part of the services, the customer must carry out sufficient due diligence on the supplier, enter into a written contract with them which contains certain prescribed provisions (for example around following instructions and security), audit them regularly and ensure that the supplier deletes or returns data at the end of the arrangement. It is also common to require the supplier to notify the customer in the event that they suffer a personal data breach.

Where the processing under the outsourcing could pose a high risk to individuals’ privacy (for example because of the nature of the processing involved or the technology being used) then the customer must also conduct a data protection impact assessment – a form of risk assessment specified by the UK GDPR.

Non-compliance with the UK GDPR can result in regulatory action, including fines. For more information see question 23.

The UK currently has no specific framework for regulating the processing and sharing of non-personal data. However, the UK government is intending to develop new ‘Smart Data’ data-sharing schemes in sectors across the economy, including finance, communications and energy, using the powers and regulatory framework introduced by the Data (Use and Access) Bill. The new Smart Data schemes would facilitate the secure sharing of customers’ data, upon their request, with third-party providers. The proposed schemes seek to build on the success of the UK’s Open Banking initiative.

Sector-specific regulations – such as those in finance, healthcare and telecommunications –may also impose specific requirements for data handling and sharing.

Finally, organisations must also ensure that data-sharing agreements do not lead to anti-competitive practices, particularly (but not exclusively) where data is being shared between competitors.

Supply chain risk is a key and growing cyber risk area. The UK has seen a number of high-profile cyber incidents where a breach at an outsourcing provider has impacted multiple customer organisations (e.g. the 2023 Capita breach which resulted in Capita being fined in 2025). Outsourcing customers are therefore particularly focussed on security and breach/incident notification obligations in their outsourcing arrangements.

In terms of cyber laws, the UK has a number of laws which manage cyber risk, including the following:

• The UK General Data Protection Regulation (see question 6) contains security and breach notification obligations where personal data is involved, and the data regulator (the Information Commissioner’s Office) issued a number of cyber related fines in 2025.
• The Network and Information Systems (NIS) Regulations (2018) aim to increase cyber resilience in certain critical sectors. They also impose security and incident notification obligations on in-scope organisations, which include operators of essential services in sectors such as energy, transport and health and relevant digital service providers (currently cloud computing services, online search engines and online marketplaces). The UK government is in the process of updating this regime via the Cyber Security and Resilience Bill. It was published in November 2025 and is working its way through the legislative processive. The Bill will, among other things, expand the NIS Regulations to cover more digital services, including managed service providers.
• Specific rules are also relevant. For example, internet service providers must follow security and breach notification obligations under the Privacy and Electronic Communications Regulations 2003, the Telecommunications (Security) Act 2021 strengthens security obligations for telcos and the Product Security and Telecommunications Infrastructure Act 2022 and related regulations have established a new regulatory regime to increase the security of consumer connectable devices and products. Cyber also continues to be a regulatory priority for the financial regulators, who have recently introduced a new regime for reporting operational incidents and material third party arrangements, which applies from 18 March 2027. Regulated firms must ensure they robustly manage and monitor cyber risk, particularly where they outsource.
• Cyber breaches often also give rise to issues under the Computer Misuse Act 1990, which creates a number of offences where there has been unauthorised access to, or interference with, a computer or a distributed denial of service attack.
• The UK Government is also planning to introduce specific laws relating to ransomware attacks and payments. The proposals include a ban on making ransomware payments for all public sector bodies, including local government, and for owners and operators of Critical National Infrastructure that are regulated or that have competent authorities (building on the current ban for central government departments). There is also discussion on whether essential suppliers to these sectors should be included in the new rules.

Amongst the technologies commonly used in outsourcing arrangements, some merit specific attention. For example:

• Cloud: cloud services are widely used in the UK. The UK government has a ‘cloud first’ policy for the public sector and the financial regulators consider cloud providers to be prime examples of the types of critical third parties that warrant regulatory oversight (see question 6 above). The security around cloud services is primarily regulated by the Network and Information System Regulations (2018), which impose security and incident notification obligations on them (see question 14). The Competition and Markets Authority (CMA) is also closely monitoring the cloud market, and actively engaging with Microsoft and Amazon Web Services.
• AI: AI deployment is increasing within UK organisations, with some procuring certain AI services through their key managed service providers (Microsoft CoPilot being a key example). The UK has taken a sector-specific approach to AI regulation, with the data, financial, competition and medical regulators taking a particular interest in AI development and deployment within their remit. The UK’s data regulator, for example, has published lots of AI guidance and is expected to publish statutory AI guidance during the course of 2026. The UK Government’s response to the AI Opportunities Action Plan it commissioned discusses enabling safe and trusted AI development and adoption through regulation, safety and assurance. There has also been discussion around the introduction of new AI-specific legislation for the most powerful AI models (although the plans around this are currently unclear) and a number of consultations on how to ensure the UK has a competitive copyright regime (the latest of which has led to confirmation that no ‘AI-friendly’ changes to the UK’s IP laws are currently planned).
• Robotic Process Automation (RPA): RPA has been a widely used technology in outsourcing arrangements for many years, particularly given its ability to innovate and automate many back-office functions. Developments in intelligent automation, which combine technologies such as RPA and AI, mean its popularity is set to continue. While there is no specific legal regime governing RPA, other regimes may be applicable (for example the laws around AI, personal data and intellectual property).
• Blockchain and other distributed ledger technologies (DLTs): while blockchain and other DLTs are not generally used to provide mainstream outsourcing services, they are increasingly used to manage supply chain issues. Also, where organisations (in sectors such as financial services) are looking to develop blockchain or similar solutions, the development of the technology itself is often outsourced. The use of DLTs raises a number of complex legal issues and risks (e.g. privacy and resilience concerns) but does not currently have its own regulatory regime.

In the UK, the Transfer of Undertakings (Protection of Employment) Regulations 2006 (“TUPE”) may have specific implications for outsourcing arrangements. TUPE contains provisions governing “service provision changes”, which include a scenario where activities cease to be carried out by a client on its own behalf and are carried out instead by a contractor on the client’s behalf. Similar provisions also govern insourcings and second-generation outsourcings. There are however four additional conditions which must be met:

• The activities must be fundamentally the same before and after the service provision change.
• The activities must not consist wholly or mainly of the supply of goods (as opposed to services) for the client’s use.
• Immediately before the service provision change, there must be an organised group of employees situated in Great Britain with the principal purpose of carrying out the relevant activities on behalf of the client.
• There must be an intention that the activities will not be carried out on a one-off basis nor under a contract of short duration.

The implications of TUPE are explored further in question 17 below.

The Employment Rights Act 2025 contains a number of provisions which will have implications for outsourcing arrangements. These include:

• New automatic unfair dismissal liability where an employer dismisses employees (in a non-redundancy scenario) for the principal reason of replacing them with people who are not employees of the employer (e.g. agency / self-employed contractors), who will carry out substantially the same activities as the dismissed employee (new section 104K of the Employment Rights Act 1996). This could frequently be engaged in outsourcing scenarios. Although if TUPE applies to the outsourcing, there would not technically be a “dismissal” of transferring employees, this still leaves plenty of scope for dismissals to be caught outside of the TUPE protections. This measure is due to be implemented in January 2027.
• A new Part 5A is inserted into the Procurement Act 2023, to allow the Secretary of State to make regulations to prescribe outsourcing contract provisions to prevent less favourable treatment for transferring workers in outsourcing contracts. This may involve a return to something like the two-tier code, which was withdrawn in 2010. The implementation date of this measure has not yet been confirmed.
• Large employers who are required to produce gender pay gap reports will need to include, within that report, the identity of any outsourced service providers (section 34 of the Employment Rights Act 2025). The intention seems to be to create increased transparency of supply chains, which may drive a change towards greater gender pay equality. Again, the implementation date of this measure has not yet been confirmed.

The government has also committed to bring forward a new Equality (Race and Disability) Bill, which will (amongst other measures) ensure that outsourcing of services can no longer be used by employers to avoid paying equal pay. The Bill has not yet been published, and no further details of this measure have been announced.

If TUPE applies, the employment contracts of the employees assigned to the relevant services are automatically transferred to the contractor. If it is unclear which employees are in fact assigned, the outsourcing agreement will typically contain provisions to specify which employees are expected to transfer, and deal with any unintended transfers.

In addition, all of the transferor’s rights, powers, duties and liabilities in connection with the employees will pass to the transferee (with some limited exceptions). It is therefore important for an outsourcing agreement to apportion costs and liabilities by means of warranties and indemnities. TUPE also prescribes a form of statutory due diligence, whereby the transferor must provide the transferee with “employee liability information” about the transferring employees. This is particularly important on second-generation outsourcings, where the outgoing contractor may be otherwise unwilling to assist the incoming contractor.

If any employee is dismissed by reason of the outsourcing, this will be automatically unfair under TUPE (potentially giving rise to enhanced compensation), unless there is an economic, technical or organisation reason for the dismissal (which is difficult to establish outside a redundancy scenario). TUPE also renders void any changes to an employee’s terms and conditions which is made by reason of the transfer, which can present challenges where there is a need to harmonise terms.

Before the transfer takes place, the employer of affected employees must undertake an information and consultation process, typically with elected employee representatives. There is no prescribed timeframe for this process, although it would commonly take several weeks. Failure to comply may result in protective awards of up to 13 weeks’ pay per affected employee.

Depending on the nature of the service being outsourced, there may be a supply on which VAT (Value Added Tax) is payable.

• Where the service provider and the service recipient are both based in the UK, the service provider charges and collects VAT. However, where the service provider is based outside the UK, it may not have to charge any VAT. Instead, the service recipient may (depending on its location) be required to operate the reverse charge procedure and account for VAT relating to the supply as if it had made the supply itself.
• Where both the service provider and the service recipient make taxable supplies and fully recover their input VAT, any VAT payable on the service fees should be fully recoverable by the service recipient. However, if the service recipient makes exempt supplies, its input VAT would not be fully recoverable, or only in accordance with its partial exemption method.

The service recipient will also be concerned that the payment of service fees is a deductible cost for tax purposes. In addition, if any payments are to related parties, the parties will need to consider whether any adjustments need to be made under transfer pricing rules (rules which broadly require that, in calculating a company’s corporation tax liability, an arm’s length price is used for supplies between related parties) and, if there is a cross-border element, whether any payments will be subject to deductions or withholdings on account of tax.

The UK has a range of ESG-related legislation which may apply to outsourcing companies and their suppliers. These include broad obligations such as those under the Health and Safety at Work etc. Act 1974, Employment Rights Act 2025, Modern Slavery Act 2015 and Bribery Act 2010, as well as more targeted legislation such as the Waste Electrical and Electronic Equipment Regulations 2013 (as amended in 2025) and Greenhouse Gas Emissions Trading Scheme Order 2020. There are also climate reporting provisions in the Companies Act 2006 and UK Listing Rules, and requirements for some companies to prepare an annual slavery and human trafficking statement under the Modern Slavery Act.

Since outsourcing service providers are often a significant part of an organisation’s supply chain, it is common for outsourcing customers to carry out due diligence on ESG issues when selecting their suppliers, seek assurances from their suppliers around compliance with such laws, impose ESG-related policies on them, and conduct regular audits or other monitoring activities. Contractual terms may include information rights, so that the outsourcing company can fulfil its own ESG reporting requirements (or voluntary disclosures) by obtaining information from its suppliers. This may include, for example, data on carbon emissions, or disclosures on labour irregularities. For example, the UK government recently published updated statutory guidance on what Modern Slavery Act statements should include in relation to an organisation’s due diligence processes and terms with their suppliers.

In relation to climate-related disclosures under the Companies Act 2006 and UK Listing Rules, the UK Sustainability Reporting Standards (UK SRS) were published on 25 February 2026 and are available for companies to report against on a voluntary basis. Updated UK Listing Rules on mandatory reporting against the UK SRS are expected to come into force from 1 January 2027. EU ESG-related initiatives, such as the Corporate Sustainability Due Diligence Directive, Deforestation Regulation and Forced Labour Regulation, may also impact outsourcing companies and their suppliers if they have a presence or operational activity in the EU. Outsourcing arrangements may need to be structured in a way that provides for these expectations to be met.

Large organisations will often procure their major outsourcing arrangements on a global, or at least multi-jurisdictional, basis. This creates a number of issues which must be considered, including how to structure the global arrangement in a way that ensures sufficient central control while enabling local implementation (including any required changes to the structure or terms of the outsourcing to ensure compliance with mandatory local laws and regulations). The fact that the arrangement involves the provision of services or transfer of assets across borders may also create issues. For example:

• Under the UK data protection regime, where the outsourcing arrangement involves personal data being transferred outside the UK, that personal data can only be transferred if the recipient jurisdiction provides a level of protection which is not materially lower than that in the UK. Accordingly, transfers are only permitted where the UK Government has assessed the third country as providing an adequate level of protection, where appropriate safeguards are put in place, or where one of a number of narrow exemptions apply. An example of an appropriate safeguard which is commonly used in outsourcing arrangements would be where standard data protection clauses issued by the UK Information Commissioner’s Office (ICO) are entered into by the parties to the outsourcing, or between the supplier and its sub-contractors (depending on where in the chain the data transfer takes place).
• There may be tax considerations where services are being received and/or supplied in different jurisdictions.
• If the outsourcing arrangement includes the export or transfer of goods, software or technology (including data, information and technical assistance) which either has a military use or comprises dual-use items (i.e. items which could be used for both civilian and military applications which may include, for example, encryption technologies), then the UK’s strategic export controls may apply. The exporter may require an export licence, and it is a criminal offence to export controlled goods without the correct licence. Outsourcing arrangements therefore sometimes contain provisions to confirm compliance with export control laws.

Outsourcing arrangements typically involve detailed negotiations around the liability provisions, and it is common for many heads of loss to be contractually excluded. In general, commercial parties may apportion risk of loss as they see fit and contractual exclusions of liability tend to be enforceable provided that clear drafting is used. When construing a liability clause, there is a presumption that neither party intends to abandon remedies arising by law, and clear words are needed to rebut that presumption, with limitations likely to be looked on more favourably than exclusions.

That said, there are certain limits on such contractual exclusions and a clause should not exclude a party’s liability for breach of all its obligations or leave a party without any meaningful remedy for breach. Certain types of liability cannot be excluded, and some may only be excluded where the term is reasonable. For example, a party cannot exclude liability for its own fraud in inducing a contract or for death or personal injury caused by a lack of reasonable care. Also, a limitation on liability for misrepresentation is void unless it is reasonable. Where an outsourcing involves a transfer of goods, liability for supplying the goods without the right to do so cannot be excluded, limits on liability for statutory implied terms as to quality, description and sample are void unless reasonable, and terms must be interpreted as supplementing, rather than ousting, statutory implied terms where possible. More generally, where businesses deal on one party’s written standard terms of business, the Unfair Contract Terms Act 1977 provides that any term limiting that party’s liability for breach is void unless reasonable.

Outsourcing arrangements often contain a variety of mechanisms to resolve disputes.

There may be detailed governance and service management processes within the outsourcing agreement, aimed at identifying and managing potential service issues and other sources of dispute, and a tiered escalation process aimed at resolving disputes through negotiation without recourse to legal remedies, followed by alternative dispute resolution processes such as mediation before a party can commence formal legal proceedings. The agreement may also allow for the payment of specific service credits (linked to a failure to meet agreed service levels) and/or liquidated damages (which, under the laws of England and Wales, will be void if they amount to a penalty) in the event of performance issues, which may help avoid protracted disputes as to the amount of compensation that may be payable in such circumstances. Alternative remedies provided for in the contract may include proactive remediation obligations on the supplier and step-in provisions which give the customer an ability to take over certain aspects of the supplier’s operations and/or responsibilities on a temporary or longer-term basis.

For contractual disputes that cannot be resolved between the parties, an outsourcing agreement will need to specify whether such disputes will ultimately be resolved in the courts or by arbitration. The courts of England and Wales are well-respected and recognised as providing a flexible and robust forum for the resolution of contractual disputes whilst London is widely considered to be one of the preferred arbitral seats and the law of England and Wales is frequently chosen by parties as the governing law for international arbitration. The London Court of International Arbitration is a leading international arbitral institution based in the UK.

In terms of contractual remedies, as a basic distinction breach of a condition (which is a significant term of the contract – often described as one which goes to the heart of the contract) provides both a potential damages claim and a right to terminate whereas breach of other terms (warranties) only gives rise to a right to claim damages.

Other potential remedies under English law, for example injunctions and specific performance, are not typically available for breach of a long-term service arrangement.

In practice, many contractual disputes relating to outsourcing arrangements are resolved by the parties commercially by means of a settlement arrangement and/or contract renegotiation, rather than termination and/or formal damages claims. This is particularly true when the nature of the outsourcing is such that the parties are focused on preserving a long-term relationship or, where the party in breach is the supplier, the customer would find it difficult to transition to another supplier.

The parties to an outsourcing arrangement can face regulatory enforcement action if things go wrong. For example:

• GDPR: a breach of the UK GDPR can result in a fine of up to the greater of £17.5 million and 4% of annual worldwide turnover and both service providers and customers can be fined, depending on the circumstances. For example, in October 2025, the Information Commissioner’s Office (ICO) issued a fine of £14 million to the Capita Group for breach of the UK GDPR’s security obligations. The security failings resulted in them suffering a cyber-attack with the personal information of 6.6 million people being stolen, from pension records and staff records to the details of customers of organisations Capita supports. Fines are not, however, the ICO’s only possible sanction. It can also issue reprimands, enforcement notices and information notices. In the last two years, under the latest Information Commissioner (John Edwards) the ICO has made greater use of its non-fining powers. This has included ‘naming and shaming’ organisations for non-compliance by issuing public reprimands, and publishing data sets containing lists of organisations who have self-reported data breach incidents.

• Financial regulation: the regulators have a wide range of enforcement powers that they may exercise with respect to a regulated firm, including issuing fines. For example, Equifax was fined by both the data regulator (the ICO) and the Financial Conduct Authority following a data breach where it failed to monitor and manage the security of consumer data it had outsourced to its parent company. Other examples of measures the regulators may take include public censure, issuing private warnings, auditing the regulated firm or prohibiting an individual from carrying out regulated activities. In the case of a supplier that constitutes a critical third party, the regulators can also impose conditions or limitations on the services the relevant party provides to the regulated firm.