• Share this on:

What requirements must outsourcing services comply with for the European market?

Last updated:
Takes 16 minutes to read

Requirements and standards continue to be very important in the outsourcing industry. The main mandatory requirements relate to copyright and data protection. Important common requirements are the presence of a quality management system, and corporate social responsibility. New requirements emerge annually, you must continuously monitor what standards and guidelines are important for your product-market combination.

1. What are mandatory requirements?

Mandatory outsourcing requirements for the European market can be divided into legal and non-legal requirements. Although non-legal requirements are not enforced by law, they are seen as minimum requirements to enter the European market.

Legal mandatory requirements

Legal mandatory requirements are both required by law and mandatory for companies entering the European outsourcing market. Legal requirements include legislation on copyright, personal data protection, the general data protection, and the e-Privacy Directive.

We recommend checking the specific rules for your European target market. You can find an overview of country-specific measures affecting trade, which are different from international standards, on the ePing website (an initiative of the WTO, ITC and UN). This website also lists contact details for country agents appointed by the World Trade Organisation (WTO). You can subscribe to receive ‘e-Ping alerts’ that are relevant for your product or service.


Copyright is a type of intellectual property that protects original works of authorship as soon as an author fixes the work in a tangible form of expression. Examples of work on which copyright exists are: illustrations, musical compositions, computer programs, books, blog posts and much more.

The European Union has established specific copyright rules to protect computer programs. According to the directive on the legal protection of computer programs you must make sure not to breach any copyright when placing your computer program on the market and at the same time your products are also protected against unauthorised reproduction.


  • Read more about legal protection for computer programs on the website of the European Commission.
  • Check the exact regulations in your European target market. All European Union member states have implemented the European Directive in their domestic legislation. Though this legislation is mostly the same, there may be minor differences.
  • Be aware of clauses on copyright and infringement (the act of breaking or disobeying a contract) in contracts you sign with European buyers.
  • Read this blog by Cshark about copyright for software development outsourcing, it gives a good overview and provides interesting tips.

Personal data protection

Privacy is highly protected in Europe. The European Union has several directives in place for this purpose. Providers that violate these directives may be subject to enforcement actions and/or possible claims, even if they are located outside Europe.

General Data Protection Regulation

The General Data Protection Regulation (GDPR) is designed to protect individuals in Europe from privacy and data breaches. It aims to give people more control over their personal data and gives businesses equal opportunities for the use of data. The GDPR applies to all companies that process the personal data of individuals in Europe, regardless of a company’s location. Therefore, it also applies directly to you.

Under the GDPR, any company or individual that processes data is held responsible for protecting that data. Examples of protected personal data are names, email addresses, bank details, social media content, photos and IP addresses.

Important consumer rights protected by the GDPR include but are not limited to:

  • Consent (approval) – consumers must explicitly agree to the use of their data by opting in, consent must be easy to withdraw and requests to use data must be specific and in plain language.
  • Right to access consumers are entitled to know if companies will process their personal data, where they will do so and for what purpose.
  • Right to be forgotten – consumers have the right to have their personal data removed and to stop further processing and sharing of their data.
  • Privacy by design – data protection must be incorporated into every project or contract from the start; the use of data must be minimised and access to it limited.


ePrivacy Regulation

The ePrivacy Regulation, commonly known as the ‘cookie law’, contains specific rules for data protection in electronic communications. Among other things, this new regulation bans the sending of unsolicited commercial electronic messages (‘spam’). It also contains strict rules on the use of cookies and states that contact details may only be published with the consent of the person or organisation involved.

Along with the GDPR a new ePrivacy Regulation was supposed to come into effect. But its implementation is delayed. The latest proposal was released in February 2021. The new regulation is there to safeguard the confidentiality of electronic communications through stronger privacy rules. Unlike the current directive, it includes internet-based voice and messaging technologies such as Skype, WhatsApp and Facebook Messenger. The negotiations with the European Parliament are still ongoing at the end of 2022.


  • Keep records of consent forms.
  • Be aware of what data you store and where. Note that the legislation on data protection is only relevant if your services involve personal data. Make sure your staff is aware of your policy, so they do not unintentionally violate GDPR regulations.
  • Read more about digital privacy on the website of the European Commission. It also publishes updates about reforms to European ePrivacy rules. Consultancy firm Deloitte has a very insightful blog about the ePrivacy directive and its implications.

Non-legal mandatory requirements

There are also non-legal requirements that many European buyers of outsourcing services consider to be mandatory. Although not enforced by law, they are minimum requirements if you wish to enter the European market. If you do not meet these requirements, European buyers are unlikely to consider your services.

Information security

Information security is a non-legal mandatory requirement. It relates to both data protection and data recovery systems. Many European buyers expect you to have an information security and management system, especially in industries in which security is essential, such as finance and banking, healthcare and mobile applications.

The ISO 27000 series contains common information security standards and guidelines. ISO 27001 is an internationally recognised standard with requirements for information security management systems. ISO 27002 supports ISO 27001, providing guidance and advice on how to implement information security controls.

Companies can be certified for ISO 27001, but not for ISO 27002, which is only a supporting guidance document. Other supporting documents in the ISO 27000 series are ISO 27003 and ISO 27004.

You should at least consider obtaining the ISO/IEC 27701:2019 certification. This is a certifiable privacy extension of ISO 27001 supporting GDPR. Organisations looking to get certified to ISO 27701 will either need to have an existing ISO 27001 certification or implement ISO 27001 and ISO 27701 together as a single implementation audit.


  • Make sure you have effective security processes and systems in place covering everything from business continuity and disaster recovery to virus protection.
  • Ask your buyers if they require you to implement a security management system such as the ISO 27001 standard.
  • Contact Open Trade Gate Sweden if you have specific questions regarding rules and requirements in Sweden and the European Union.

2. What additional requirements do buyers often have?

European buyers often have additional requirements when choosing an outsourcing provider. These requirements relate to quality, privacy, security and corporate social responsibility.

Quality management

Some European buyers will only do business with companies that have a quality management system in place. Though it does not guarantee good-quality IT solutions or business process services, having such a system proves that you have a repeatable process and that you are a serious company that values standardisation. Recognised and common quality management systems are ISO 9001:2015 and the Capability Maturity Model Integration.

ISO 9001:2015

One of the best-known quality management standards is ISO 9001:2015. If you comply with ISO 9001:2015, you can obtain certification, but it is not a requirement.

ISO 9001:2015 certification or compliance means the organisation (or part of it) has demonstrated the following:

  • It follows the guidelines of the ISO 9001 standard.
  • It fulfils its own requirements.
  • It consistently meets customer requirements and statutory and regulatory requirements.
  • It keeps records.

ISO/IEC/IEEE 90003:2018 is a guideline (checklist) on how to apply ISO 9001:2005 for software development.

Capability Maturity Model Integration

Another option is the Capability Maturity Model Integration (CMMI), which has been adopted worldwide. You are appraised and receive a maturity level rating between 1 and 5, indicating your capability level achievement in multiple process areas including product development, service excellence, workforce management, supplier management and cybersecurity. CMMI Services then helps you improve your capability to provide customers with quality services.

ISO 9001 and CMMI are the most widely used quality management systems in the outsourcing market. Even if you have a good in-house quality management system, buyers prefer systems they recognise. However, you have to realise that having ISO 9001 certification or CMMI appraisal is not always a strong selling point (ISO 27001 is slightly more important in certain market segments). On the other hand, if you are a company that focuses on specific industries, then complying with key standards, guidelines and/or frameworks for that industry may be a good selling point and a proof of your competence in that industry.

Digital resonance

Digital resonance is increasingly important to European buyers. Digital resonance is a concept used to assess how companies and their governments are handling the effects of digital transformation, particularly automation and cybersecurity.

Digital resonance looks at a combination of:

  • digital skills of a country's workforce
  • legal and cybersecurity
  • corporate investment in start-ups
  • digital innovation outputs

The digital resonance level of your company is important to European companies because they increasingly rely on outsourcing and automation. This makes their systems more vulnerable. Many companies outsource vital functions or share sensitive information with their service providers. Yet, they do not understand the process enough to recognize the risks.

The global management consulting firm Kearney also recognises the importance of digital resonance. In the 2019 edition of their biannual Global Service Location Index (GSLI), they added Digital Resonance as one of the factors to measure the competitiveness of an outsourcing destination on. The other three factors are: how attractive your destination is financially, its people skills and availability, and the business environment.

Companies use the index to understand and compare potential outsourcing locations. You can use it to see how well your country rates compared to others and compared to other years.


  • Check your country’s score on the GSLI and see where you might need some improvement. Improve your digital resonance. Make sure your employees have the skills to manage automation and cybersecurity. Also invest in solid data security and privacy (see trend below).
  • Show that you are a professional company by providing good references, obtaining relevant industry certification, responding quickly, communicating regularly, offering consistent quality, complying with contractual agreements and having a good, stable management team to lead the outsourcing project.
  • While a quality management system does not automatically guarantee good software, implementing and consistently using it will help significantly. Invest in implementing (and using) a quality management system in your company.

Corporate social responsibility

Corporate social responsibility (CSR) is about how companies take responsibility for their impact on the world. Not only in relation to the products or services they offer, but also in areas such as:

  • consumer rights
  • workforce education and training
  • human rights
  • health
  • innovation
  • the environment
  • working conditions

Though the importance of CSR in the ITO and BPO industry has long been debated, industry experts agree that for some buyers it is already very important (even a non-negotiable) and will become mainstream very soon.

Documented CSR policy

CSR is becoming particularly important to large companies and governments in Northern and Western Europe. Many European companies include their suppliers in their CSR policies. Having a well-documented CSR policy may give you a competitive advantage over companies that do not have one. The ISO 26000 standard provides guidance on CSR. For small software companies, the most relevant and practical aspects of this standard are labour practices, fair operating practices and community involvement.

The environmental impact of outsourcing products and services consists of its energy consumption. You can easily limit this by designing/developing energy-efficient websites and carefully selecting/recommending (green) webhosts.

Impact sourcing

The social side of sustainability is the biggest challenge – but also an opportunity! You can make a social impact by becoming an impact sourcing provider. This is becoming a big trend in outsourcing. Impact sourcing is a relatively new term for a sourcing model that aims to improve the lives of individuals, families and communities through meaningful employment in ITO and BPO. This can be achieved either through outsourcing or by setting up remote or virtual teams using digital technology.

However, sourcing and training these people requires quite some upfront investment and effort from you as their employer. You can look for support from local impact sourcing initiatives, work readiness programmes, and (non-profit) training institutes like South Africa’s Maharishi Institute.

When you have tackled this challenge and set up an effective recruitment and training strategy, you can enjoy the benefits:

  • large(r) talent pool in a competitive market
  • loyal and motivated workforce
  • strong competitive advantage
  • positive social impact on your employees and community

For your buyers, this means:

  • better supplier performance
  • stable/reliable supplier workforce
  • meeting inclusion and diversity goals
  • positive social impact

Good examples are Techno Brain and Sama. Techno Brain: an impact sourcing pioneer and winner of the 2021 Global Impact Sourcing Award. They provide training and employment to underprivileged people in e.g. Kenya and Uganda. Sama (India, Kenya, Pakistan, South Africa, Uganda) lifts many employees out of poverty by providing training in topics like digital literacy and soft skills, and a living wage.

Fair-trade software

Another example of how CSR initiatives extend to small IT businesses is fair-trade software. This is software that is developed for better prices, under decent working conditions, while supporting local sustainability and with fair terms of trade. In essence, fair-trade software is a part of the broader concept of impact sourcing.


  • Clearly communicate your commitment to CSR in your marketing activities. Also, show that you care about your impact on society and the environment by implementing your own CSR policy. This can be a unique selling point (USP) for buyers when selecting a provider.
  • Consider promoting yourself as an impact sourcing provider or a fair-trade ITO or BPO provider. Check if you meet the requirements for impact sourcing suppliers. For more information about fair-trade software, see the Fair Trade Software Foundation and Web Essentials’ video on what fair-trade software development means.
  • Consult the ITC Standards Map for a full overview of certification schemes for outsourcing sector sustainability.

3. What are the requirements for niche markets?

European buyers often require compliance with sector-specific and/or industry-specific standards or codes of practice (if they exist). Examples of industry-specific standards are the Basel Committee standards for banking. Service-specific standards include those for cloud service providers and payment-related services.

Financial services

The European Banking Authority’s (EBA) Guidelines on outsourcing arrangements took effect on 30 September 2019. These guidelines apply not only to banks, building societies and investment firms, but also to payment institutions and electronic money institutions.

The Basel Committee on Banking Supervision has developed a set of recommendations for regulations in the banking industry, called the Basel Accords. Basel I is the minimum requirement, but many European clients require the higher Basel II and/or Basel III standards.

Internet of Things-related services

ETSI TS 103 645 is an important standard for consumer security in the Internet of Things (IoT). ETSI is a European Standards Organisation (ESO) and the recognised regional standards body for telecommunications, broadcasting and other electronic communications networks and services. It released the first globally applicable standard for consumer IoT security. Other organisations have also developed security guidelines for the IoT. It is important to look out for other emerging standards that may become important in the coming years. Other organisations that have developed security guidelines for IoT can be found at the Entrust website, the website of GSMA and the SENKI website.

Cloud service providers

CISPE.cloud has developed a sector-specific code for cloud infrastructure service providers under Article 40 of the European Union’s GDPR. They have a page dedicated to helping organisations accelerate the development of GDPR compliant cloud-based services for consumers, business and institutions.

Payment-related services

The PCI Security Standards Council is a global forum for the payment industry. It maintains, develops and promotes Payment Card Industry Security Standards. If you work with payment-related services and offer outsourcing services to the EU/EFTA market, or aim to do so, see their standards overview and do the Self-Assessment to learn more about standards in payment-related services.

Other niche markets

Specific buyer requirements also apply in other major European industries, such as aviation, automotive and agriculture. Some requirements are software and/or technology-related. Standards, frameworks and guidelines are available for many different industries. Examples of sector and service-specific buyer requirements are ISO 18295-1:2017 for contact centres and HL7 and HIPAA for health and social care. Check which standards, guidelines and industry bodies are important for your specific country and industry.

Look at the product and services specific buyer requirements for Big Data, Blockchain, Contact Centre Services, Cyber Security, Finance and Accounting, Retail Tech, Software Development Services, Software Testing Services, Virtual Reality and Augmented Reality, and others at the market information page of the CBI website.


  • Learn which standards are relevant for the services you provide. Buyers will expect this from you. Do your research in advance, so you can show that your company complies with these standards.
  • Check which sector-specific standards or codes are available for your specific product, for example by asking your sector association or buyer. Also ask buyers to what extent they want you to implement these standards.
  • Some standards have competing equivalents, especially in smaller and more specific industries. Keep track of which standards exist for your product/market combination to ensure you comply with the most relevant ones.
  • If you work in the contact centre industry, consider getting COPC certification. They also have work-at-home solutions, if your contact centre employees work from home.
  • Visit the EU Trade Helpdesk for more information on import rules and taxes in the European Union.

This study was carried out on behalf of CBI by Globally Cool in collaboration with Laszlo Klucs.

Please review our market information disclaimer.

  • Share this on:


Enter search terms to find market research

Do you have questions about this research?

Ask your question

CSR, Impact sourcing and Sustainable Development Goals will become a driving force in the industry and will open opportunities for both the demand and the supply side.

Christian Vezjak

Christian Vezjak, co-founder of Kiitos, Dutch – Palestinian fully gender balanced IT Outsourcing company