Service provider selection and negotiation in 2021

The procurement of modern ICT services is a lively sector, characterised not only by challenges present in all types of procurement, but also by its highly distinctive features. When procuring standardised services from established and widely operating suppliers, the customer’s negotiating position can be rather restricted. At the same time, ICT procurement constitutes a significantly business-critical sector for many companies where the customer must ensure certain minimum requirements in selecting the service provider and negotiating the relevant contractual terms.

The last few years have seen a distinct shift towards standardised services, as opposed to a more traditional setting of acquiring individualised ICT solutions that are tailored to the customer’s needs. The modern market offers an abundance of readily available, diversified solutions with unprecedented usability and highly competitive pricing, while also often exhibiting a robust approach to topical data security concerns. While individual procurement has, for these reasons, become ill-suited in many situations, the development towards standardised services has also meant that the contractual framework and allocation of liabilities surrounding the relevant solution are increasingly often formulated on the service providers’ templates and standard terms. As services must often be purchased on seller-friendly terms, the customer may face a difficult position, especially when the procured service would be integrated into a broader solution to be sold onwards or where there are other special external requirements affecting the customer’s operations (such as when the customer operates a strictly regulated business).

Innovative elements of modern technology solutions, such as artificial intelligence and machine learning, further complicate the landscape, since the contractual framework for such novel features cannot rely solely on traditional licensing terms. Moreover, organisations are subject to constantly evolving compliance and sustainability requirements, which also flow into their ICT procurement processes. Even where the customer finds itself in what seems like a ‘take it or leave it’ situation, the due assessment of the scope of the procurement, alternative solutions and the customer’s liability and risk position remains essential for achieving adequate results and an acceptable contractual position.

In this article, we set out our five top picks for focus areas in selecting an ICT service provider and in negotiating ICT service agreements. These are based on prominent topics, which we continuously encounter when assisting our clients in the field of ICT procurement:

☑️ Whose rights and to what?

The allocation of rights between the vendor and the customer may take up a considerable portion of negotiations when procuring modern ICT services. Which party has the rights to the service infrastructure, the data stored within it, the content produced by the service, or to the systems connected to the service? The customer should be highly mindful of such questions when assessing contractual terms offered by service providers, since the objectives pursued by the ICT procurement may fall short if the rights to the service and the relevant data are not allocated in a manner that supports such objectives or the customer’s future operational requirements.

Typically, it is important that the parties agree that the customer material stored within the ICT systems and produced by them clearly belongs to the customer. However, for example, solutions utilising artificial intelligence require a more nuanced approach to agreeing on the allocation of rights. Artificial intelligence typically involves a larger variety of components in this respect, and the ownership and intellectual property rights related to such components require sufficiently clear contractual provisions. In this context, key components to address include, at least, the AI solution running in the background, the data that is fed into the AI and used during the development, validation and testing of the AI, the results produced by the AI, and the evolution of the AI achieved through the customer’s requirements, data and use.

☑️ Ensuring a sufficient level of liability

The liability level of the service provider must always be determined so that the customer’s rights are secured in case the service does not meet the agreed requirements or if disruptions arise, taking into account that such events could have significant adverse impacts on the customer’s business processes. Therefore, it is important that the customer ensures that the relevant agreement contains appropriate provisions on service levels, the seller’s liabilities and the seller’s warranties, which, in turn, vendors typically aim to restrict in their standard terms.

When assessing the acceptability of restrictions on the provider’s liabilities proposed for the agreement, the customer must, in particular, recognise the potential adverse effects that disruptions in the relevant service or system might have on the customer’s business. Furthermore, the damage types and situations where the liability restrictions may not apply must be specifically identified and reflected in the agreement (such as liabilities related to breaches of confidentiality or data protection obligations).

For services that rely on artificial intelligence, it is important to note that the object of the agreement is typically rather dynamic in the sense that the traditional way of tying the supplier’s performance obligations to certain technical criteria and documentation at the time of concluding the agreement might not be the best solution. Instead, emphasis should be placed on, for example, the end results and impacts pursued by the relevant solution.

Aspects relating to liabilities and responsibilities should be observed already when selecting a service provider. For example, a service provider operating on a strict ‘take it or leave it’ basis as regards its own standard terms may be a poor alternative in situations where a highly restricted vendor liability level, with limited or no room for negotiation, is not in line with the criticality of the service in the customer’s business.

☑️ Compliance with laws

The increasing level of legal regulation, typical of the 21st century, has also directly affected the field of ICT services. Legislation concerning data protection, cyber security, electronic communications, consumer protection and artificial intelligence may create inevitable uncertainties, especially when planning the procurement of a large-scale and long-term ICT system. Key questions include who is responsible (and to what extent) for ensuring that the service or system meets applicable regulatory requirements in force from time to time. Even before selecting the service provider, it is beneficial to investigate the extent to which the vendor candidates can provide readily available material on the relevant compliance requirements affecting the service.

Additionally, the allocation of responsibilities concerning compliance requirements should be specified during the contract negotiations as clearly as possible and separately for the different elements of the service, if necessary. The agreement should also contain clear change management processes, under which the service or system can be adjusted or even discontinued if amendments to the relevant regulatory framework so require.

☑️ Identifying the service provider’s data protection profile

Data protection issues constitute a significant source of compliance risks for almost every modern organisation. ICT solutions all but inevitably involve the processing of personal data, which necessitates the due consideration of data protection aspects already in the selection of the service provider. Indeed, selecting a reliable vendor that understands the various data protection requirements applicable to its customer is a key step in managing data protection risks. Therefore, it is important, when preparing a procurement, to review the potential providers’ approaches and existing arrangements in relation to data protection requirements. For example, a service provider’s privacy policies, possible data protection impact assessments or data security certificates are a good starting point.

Following the so-called Schrems II ruling of the Court of Justice of the EU (C-311/18, 16 July 2020), European companies have been required to identify and assess the geographic location of their data processing. The Schrems II ruling brought about significant requirements that must be observed when personal data is stored outside the EEA, including situations where data inside the EEA is made accessible from outside the EEA, which is extremely likely, for example, in the context of established global cloud services. When selecting a service provider, the customer should identify the location of the service data and ensure, in practice, that the service provider has clear and sufficient mechanisms and contractual liabilities required to address the Schrems II requirements (e.g. the so-called transfer impact assessment documentation).

In our view, the ability to address the challenges related to the location of data is becoming a central competitive advantage among ICT service providers.

☑️ Sustainability first

It may be tempting to think that sustainability requirements would not represent a significant challenge for businesses operating in a digital environment. However, the infrastructure of modern data processing has, in the last few years, proven to be a concerning environmental challenge, which has been especially apparent through the data processing capacities required by blockchain technologies. If the current progress continues, data centres are expected to represent over 3% of global carbon dioxide emissions by 2025.

As the amount of data in the world grows, environmentally friendly data storing solutions will become an important tool for many companies as they work to limit their carbon footprints. Additionally, energy-efficient servers may prove an excellent means for creating cost savings. Environmentally friendly data management can also become a company’s competitive advantage as consumers’ environmental awareness and values evolve.

When planning the procurement of a long-term and large-scale ICT system, the due assessment of environmental issues should, in fact, be a crucial stage in terms of an organisation’s sustainability requirements. The ‘greenness’ of a potential service provider should, moreover, form a key selection criterion in choosing a vendor. Contractual terms can also be used to create incentives for environmentally responsible operations. We predict that pricing mechanisms and novel contractual terms concerning the validity and termination of the agreement, linking to environmental factors and requirements, will become more common also in ICT agreements in the coming years.


The focus areas identified in this article go to show that the procurement of ICT solutions is connected to a highly diverse set of requirements. The comprehensive assessment of all such factors may feel overly time-consuming in the midst of a rapidly progressing ICT procurement project. However, the magnitude of applicable requirements requires ensuring an adequate schedule and seamless cooperation between the procuring organisation’s technical and legal experts to ensure that all relevant requirements are observed. Accepting the supplier’s terms ‘as is’ may seem like an attractive solution when operating under a tight schedule, but doing so may create unexpected and long-term contractual risks. Additionally, we have noticed, in practice, that even where the supplier has initially indicated its own standard terms as being ‘non-negotiable’, there may nevertheless be room for negotiating the terms to be more favourable for the customer.


Special thanks also to Roi Rantanen who participated in the writing of this article and works as an Associate Trainee at Dittmar & Indrenius in autumn 2021.
