What requirements must outsourcing services comply with for the European market?
Service providers wanting to enter the European outsourcing market, have to comply with several requirements. Main mandatory requirements concern copyright and data protection. Important common requirements are the presence of a quality management system and corporate social responsibility. Requirements and standards continue to be very important in the outsourcing industry. New requirements emerge annually, you have to continuously monitor what standards and guidelines are important for your product-market combination.
Contents of this page
1. What are mandatory requirements?
Mandatory outsourcing requirements for the European market can be divided into legal and non-legal mandatory requirements. Although non-legal requirements are not obligatory by law, they are considered minimum requirements to enter the European market.
Legal mandatory requirements
Legal mandatory requirements are requirements that are both legal and mandatory for companies entering the European outsourcing market. Legal requirements include legislation about copyright, personal data protection, the general data protection regulation and the e-Privacy Directive.
Copyright refers to the legal protection of computer programs. The European Union has established specific rules to protect computer programs by means of copyright. According to the directive on the legal protection of computer programs, you have to make sure not to breach any copyright when placing your computer program on the market.At the same time, this directive also protects your products against unauthorised reproduction.
- Read more on the legal protection of computer programs on the website of the European Commission.
- Check the exact regulations in your European target market. All European Union member states have implemented the European Directive into national legislation. Although their regulations are generally the same, there could be minor differences.
- Pay attention to copyright and infringement (the act of breaking or disobeying the contract) clauses in the contracts you sign with European buyers.
Personal data protection
Privacy is highly protected in Europe. The European Union has several directives in place for this purpose. Providers that do not respect these directives may be subject to enforcement actions and/or possible claims – even if they are located outside Europe.
General data protection regulation
The General Data Protection Regulation (GDPR) came into effect on 25 may 2018. This regulation was designed to protect individuals in Europe from privacy and data breaches and to simplify the regulatory environment for international business. It has since then also been incorporated into the European Economic Area (EEA) -Agreement so the new GDPR is also enforced in Iceland, Liechtenstein and Norway. The United Kingdom has left the European Union. Until 31 December 2020 (the end date of the transition period), the same EU regulation applies. After 31 December 2020, the United Kingdom will become a ‘third country’ under the EU GDPR law.
These new rules were introduced to give people more control over their personal data and let businesses benefit from a level playing field where the laws and regulations are the same in every country. The GDPR applies to all companies processing the personal data of individuals in Europe, regardless of the company’s location. This means it also applies to you directly.
Under the old directive, the protection of any data by which an individual can be identified was the sole responsibility of the data controller (owner). However, under the GDPR, any company or individual that processes data is also responsible for its protection. Examples of personal data this regulation protects are: name, email address, bank details, social media content, a photo or an IP address.
Some key consumer rights you must comply with include, but are not limited to, consent (also known as: permission or approval), right to access, the right to be forgotten and privacy by design.
Consent - Consumers must explicitly consent by opting in, consent must be easy to withdraw, and requests must be specific and in plain language.
Right to access - Consumers are entitled to know whether or not companies process their personal data, where and for what purpose.
Right to be forgotten - Consumers are entitled to have their personal data erased and have processing and further dissemination halted.
Privacy by design- Data protection should be included from the onset of designing systems. Data collection should be minimised and access limited.
- Make sure you comply with the GDPR if you process data of European citizens (or sensitive information of any kind).
- Study the GDPR’s European data protection rules and principles if you are dealing with personal data. This will give you a good understanding of what is allowed and what is not.
- Audit your current data to determine whether it is GDPR compliant. What data do you have, where and why? Did you or your client obtain explicit consent to use it for this specific purpose?
- Set up clear consent request forms and privacy policies that inform your and your client’s customers how you process their personal data. For more information, see the GDPR consent guidance from the United Kingdom’s Information Commissioner’s Office and Econsultancy’s GDPR: How to create best practice privacy notices (with examples).
- Use IDC’s GDPR Readiness Assessment to determine how compliant you are and what you may need to improve.
- Check the Eping website for an overview of country specific measures that effect trade and differ from the international standards as well as to the contact persons per country that WTO has defined. You can also subscribe to receive alerts (called ePing alerts) that might be relevant for your product or service.
The regulation is intended to safeguard the confidentiality of electronic communications through stronger privacy rules. Unlike the current directive, it includes Internet-based voice and messaging technologies such as Skype, WhatsApp and Facebook Messenger.
A new ePrivacy Regulation was originally scheduled to enter into force along with the GDPR, but its implementation has since been delayed. The latest draft dates from February 2019, but a year later, the EU Council Presidency Released new proposed amendments. No new date for putting the regulation into force has been announced.
- Keep records of your obtained consent.
- Be aware of what data you store and where, to be able to comply with potential consumer requests. Also note that the legislation on data protection is only relevant if your services involve personal data.
- Make sure your staff is aware of your policy, so they do not unintentionally violate GDPR regulations.
- Read more on digital privacy on the website of the European Commission. This is also where you can keep up to date on the reforms of the European ePrivacy rules.
- Contact Open Trade Gate Sweden if you have specific questions regarding rules and requirements in Sweden and the European Union.
Non-legal mandatory requirements
There are also non-legal requirements that are regarded as mandatory by many European buyers of outsourcing services. Although these non-legal requirements are not obligatory by law they are minimum requirements to enter the European market. Without fulfilling these requirements your services will be unlikely to be considered by European buyers.
Information security is one of the main challenges for IT outsourcing service providers. This includes both data protection and recovery systems. Many European buyers expect you to implement an information security and management system, especially in industries in which security is essential, such as finance and banking, healthcare or mobile applications. The ISO 27000-series contains common standards and guidelines for information security.
ISO 27001 is an internationally recognised standard that provides requirements for an information security management system. The ISO 27002 standard can be considered to be a supporting document to ISO 27001. It gives guidance and advice on the implementation of information security controls. A company cannot be ISO 27002 certified, because it is only a guidance document. The company can be ISO 27001 certified. Other supporting guideline documents in the ISO 27000-family are ISO 27003 and ISO 27004.
- Make sure you have effective security processes and systems in place, from business continuity and disaster recovery to virus protection.
- Ask your buyer to what extent they require you to implement a security management system like the ISO 27001 standard.
- Consider obtaining the ISO/IEC 27701:2019 certification. This is a certifiable privacy extension of ISO 27001 supporting GDPR. Organisations looking to get ISO 27701 certified will either need to have an existing ISO 27001 certification or implement ISO 27001 and ISO 27701 together as a single implementation audit.
2. What additional requirements do buyers often have?
European buyers often have additional requirements that are important to them when choosing an outsourcing provider. These refer to quality, privacy, security and corporate social responsibility.
Many European buyers only do business with companies that have a quality management system in place. Such a system shows that you are well organised and are able to deliver the required service quality. They include, for example, back-up and recovery schemes, network and infrastructure security, communication plans and relocation options. Acknowledged and common quality management systems are ISO 9001:2015 and the Capability Maturity Model Integration.
Achieving ISO 9001:2015 certification, or complying with it, means that an organisation (or part of it) has demonstrated the following:
- It follows the guidelines of the ISO 9001 standard
- It fulfils its own requirements
- It consistently meets customer requirements and statutory and regulatory requirements
- It maintains documentation
ISO/IEC/IEEE 90003:2018 is a guideline (checklist) on how to apply ISO 9001:2005 for software development.
Capability Maturity Model Integration
Another option is the Capability Maturity Model Integration (CMMI), which has been adopted worldwide. You can achieve a 1-5 maturity level rating, indicating your improvement in multiple process areas, including product development, service excellence, workforce management, supplier management and cybersecurity. CMMI Services helps you to improve your capability to provide your customers with quality services.
ISO 9001 and CMMI are the most commonly used quality management systems in the outsourcing market. Even if you have developed a good in-house quality management system, buyers prefer a system they recognise. However, you need to realise that having ISO 9001 or CMMI certification is not necessarily a strong selling point (ISO 27001 is a little more important in certain market segments). On the other hand, if you are a company that focuses on specific industries, meaning you have to comply with important standards, guidelines and/or frameworks applicable to that industry, it can be an interesting selling point as well as proof of your competence in that particular industry.
- Show that you are a professional company, by having good references, obtaining relevant industry certification, responding quickly, communicating regularly, offering constant quality, complying with contractual agreements and having a good and stable management team to lead the outsourcing project.
- While quality management systems do not automatically result in "good-quality software", having one implemented and consistently used helps greatly. Invest in implementing (and using) a quality management system in your company.
Corporate Social Responsibility
Corporate Social Responsibility (CSR) refers to companies taking responsibility for their impact on the world. Not only in products or services they offer, but also concerning consumer rights, education and training of your staff, human rights, health, innovation, the environment and working conditions. For the IT and IT related services outsourcing industry its importance is debated, as small companies can really only affect marginal change. However, CSR is becoming more important in the IT and IT related services outsourcing industry.
CSR is becoming especially important to large companies and governments in Northern and Western Europe. Many European companies involve their suppliers in their CSR policies. In the future, CSR may well become a direct selection criterion. Having a well-documented CSR policy may therefore give you a competitive advantage over companies without one.
ISO 26000 provides guidance on CSR. For small IT and IT enabled services outsourcing companies, labour practises, fair operating practises and community involvement are the most relevant aspects of the ISO 26000 standard.
There are some new trends and initiatives to extend CSR into small IT businesses. Fairtrade software is an example of such an initiative. Fairtrade software is software that is developed for better prices, under decent working conditions, supporting local sustainability and with fair terms of trade.
Impact sourcing is another example. Impact sourcing is described as the integration of disadvantaged workers from low-employment areas into the processes of businesses from more economically advanced countries either through outsourcing, or by setting up remote or virtual teams using digital technology.
This makes impact-sourcing fit perfectly in the IT and IT enabled services outsourcing from developing countries. Impact sourcing has good potential for companies that wish to make their business more socially responsible.
- Read more about Corporate Social Responsibility in practice on the website of the European Commission.
- Look at examples of small software companies engaging in CSR.
- Show that you care about your impact on society and the environment by implementing your own CSR policy. It can be a unique selling point (USP) when your buyer has to select a provider.
- Clearly communicate your commitment to CSR in your marketing activities.
- Consult the ITC Sustainability Map for a full overview of certification schemes addressing sustainability in the IT outsourcing sector. Read more about their software specific schemes in the International Featured Standards map (IFS).
3. What are the requirements for niche markets?
European buyers often require you to comply with a sector-specific and/or industry specific standard, or code of practice (if available). Examples of industry specific standards are the Basel Committee Standards for the Financial Services industry. Examples of service-specific standards are Cloud service providers and Payment related services.
From 30 September 2019, the European Banking Authority’s (EBA) guidelines on Outsourcing Arrangement took effect. This law does not only apply to banks, building societies and investment firms, but also to payment institutions and electronic money institutions.
Basel Committee Standards
The Basel Accords are a set of recommendations for regulations in the banking industry, developed by the Basel Committee on Banking Supervision. Basel I is the minimum requirement, which is often not accepted by European clients. Aim to get the Basel II and/or Basel III standard.
Other main European industries (in addition to financial services) to which sector-specific buyer requirements apply in relation to IT outsourcing are subject to sector-specific regulations that may include requirements related to outsourcing. Check the relevant country and industry-specific regulator for applicable regulation. Examples of sector/service-specific buyer requirements include COPC certification or ISO 18295-1:2017 for contact centres and HL7 and HIPAA for health and social care.
(Industrial) Internet of Things related services
ETSI TS 103 645 is an important standard for consumer security with regard to the Internet of Things (IOT). The ETSI organisation released the first globally applicable standard for consumer IoT security. There are also other organisations that have developed security guidelines for the IoT. It is important to keep an eye out for other standards that are being developed and might increase in importance in the upcoming years. Other organisations that have developed security guidelines for IoT can be found at the NCIPHER, GSMA and SENKI websites.
Cloud service providers
The Cloud Industry Forum has released a Code of Practise for Cloud Service Providers. They updated their Code in 2017 to incorporate key components of the General Data Protection Regulation. Cloud service providers aiming for the EU/EFTA market are recommended to follow this code of practice.
The PCI Security Standards Council is a global forum for the payment industry. It maintains, evolves and promotes the Payment Card Industry Security Standards. If you are working with payment-related services and (aim to) offer outsourcing services to the EU/EFTA market, look at their standards overview and complete their Self-Assessment tool to get more insight into the standards on payment-related services.
Other niche markets
There are other important European industries to which specific buyer requirements apply, like the aviation, automotive or agricultural industries. The requirements can be software and/or technology related. There are standards, frameworks and (quality) guidelines available for many different industries. Examples of such sector/service-specific buyer requirements are ISO 18295-1:2017 for contact centres and HL7 and HIPAA for health and social care. Check what standards, guidelines and industry bodies are present in your relevant country and industry-specific situation.
- Know which standards are relevant for the services you provide, as buyers will expect you comply. Do your research in advance, so you can show them your company complies with these standards.
- Check which sector-specific standards or codes are available for your specific product, for example by asking your sector association or your buyer. Also ask your buyer to what extent they want you to implement these standards.
- Some standards have competing equivalents. Especially the less common ones and the industry specific standards. Keep an eye on the competing guideline companies to make sure you comply with the most relevant standards for your product/market combination.
- If you are working in the contact centre industry, consider obtaining COPC certification. They have solutions designed for Work-At-Home environments for contact centre employees. This is particularly relevant during this COVID-19 crisis, when many people are forced to, or choose to, work from home.
- Visit the EU Trade Helpdesk for more information on import rules and taxes in the European Union.
- Look at the product and services specific buyer requirements for Big Data, Blockchain, Contact Centre Services, Software Development Services and others at the market information page of the CBI website.
Read our other studies regarding exporting your outsourcing services to Europe
- Tips for Organising your Exports to Europe – to find tips for organising export of outsourcing services to Europe.
- Tips for Doing Business with European Buyers – to find tips for doing business with European buyers in the outsourcing services sector.
- Tips for Finding buyers – to find tips for finding buyers for your products and services.
This study has been carried out on behalf of CBI by Globally Cool B.V. in collaboration with Laszlo Klucs.
Please review our market information disclaimer.