Service provider selection and negotiation in 2021

The procurement of modern ICT services is a lively sector, characterised not only by challenges present in all types of procurement, but also by its highly distinctive features. When procuring standardised services from established and widely operating suppliers, the customer’s negotiating position can be rather restricted. At the same time, ICT procurement constitutes a significantly business-critical sector for many companies where the customer must ensure certain minimum requirements in selecting the service provider and negotiating the relevant contractual terms.

The last few years have seen a distinct shift towards standardised services, as opposed to a more traditional setting of acquiring individualised ICT solutions that are tailored to the customer’s needs. The modern market offers an abundance of readily available, diversified solutions with unprecedented usability and highly competitive pricing, while also often exhibiting a robust approach to topical data security concerns. While individual procurement has, for these reasons, become ill-suited in many situations, the development towards standardised services has also meant that the contractual framework and allocation of liabilities surrounding the relevant solution are increasingly formulated on the service providers’ templates and standard terms. As services must often be purchased on seller-friendly terms, the customer may face a difficult position, especially when the procured service would be integrated into a broader solution to be sold onwards or where there are other special external requirements affecting the customer’s operations (such as when the customer operates a strictly regulated business).

Innovative elements of modern technology solutions, such as artificial intelligence and machine learning, further complicate the landscape, since the contractual framework for such novel features cannot rely solely on traditional licensing terms. Moreover, organisations are subject to constantly evolving compliance and sustainability requirements, which also flow into their ICT procurement processes. Even where the customer finds itself in what seems like a ‘take it or leave it’ situation, the due assessment of the scope of the procurement, alternative solutions and the customer’s liability and risk position remains essential for achieving adequate results and an acceptable contractual position.

In this article, we set out our five top picks for focus areas in selecting an ICT service provider and in negotiating ICT service agreements. These are based on prominent topics, which we continuously encounter when assisting our clients in the field of ICT procurement:

☑️ Whose rights and to what?

The allocation of rights between the vendor and the customer may take up a considerable portion of negotiations when procuring modern ICT services. Which party has the rights to the service infrastructure, the data stored within it, the content produced by the service, or to the systems connected to the service? The customer should be highly mindful of such questions when assessing contractual terms offered by service providers, since the objectives pursued by the ICT procurement may fall short if the rights to the service and the relevant data are not allocated in a manner that supports such objectives or the customer’s future operational requirements.

Typically, it is important that the parties agree that the customer material stored within the ICT systems and produced by them clearly belongs to the customer. However, for example, solutions utilising artificial intelligence require a more nuanced approach to agreeing on the allocation of rights. Artificial intelligence typically involves a larger variety of components in this respect, and the ownership and intellectual property rights related to such components require sufficiently clear contractual provisions. In this context, key components to address include, at least, the AI solution running in the background, the data that is fed into the AI and used during the development, validation and testing of the AI, the results produced by the AI, and the evolution of the AI achieved through the customer’s requirements, data and use.

☑️ Ensuring a sufficient level of liability

The liability level of the service provider must always be determined so that the customer’s rights are secured in case the service does not meet the agreed requirements or if disruptions arise, taking into account that such events could have significant adverse impacts on the customer’s business processes. Therefore, it is important that the customer ensures that the relevant agreement contains appropriate provisions on service levels, the seller’s liabilities and the seller’s warranties, which, in turn, vendors typically aim to restrict in their standard terms.

When assessing the acceptability of restrictions on the provider’s liabilities proposed for the agreement, the customer must, in particular, recognise the potential adverse effects that disruptions in the relevant service or system might have on the customer’s business. Furthermore, the damage types and situations where the liability restrictions may not apply must be specifically identified and reflected in the agreement (such as liabilities related to breaches of confidentiality or data protection obligations).

For services that rely on artificial intelligence, it is important to note that the object of the agreement is typically rather dynamic, in the sense that the traditional way of tying the supplier’s performance obligations to certain technical criteria and documentation at the time of concluding the agreement might not be the best solution. Instead, emphasis should be placed on, for example, the end results and impacts pursued by the relevant solution.

Aspects relating to liabilities and responsibilities should be observed already when selecting a service provider. For example, a service provider operating on a strict ‘take it or leave it’ basis as regards its own standard terms may be a poor alternative in situations where a highly restricted vendor liability level, with limited or no room for negotiation, is not in line with the criticality of the service in the customer’s business.

☑️ Compliance with laws

The increasing level of legal regulation, typical of the 21st century, has also directly affected the field of ICT services. Legislation concerning data protection, cyber security, electronic communications, consumer protection and artificial intelligence may create inevitable uncertainties, especially when planning the procurement of a large-scale and long-term ICT system. Key questions include who is responsible (and to what extent) for ensuring that the service or system meets applicable regulatory requirements in force from time to time. Even before selecting the service provider, it is beneficial to investigate the extent to which the vendor candidates can provide readily available material on the relevant compliance requirements affecting the service.

Additionally, the allocation of responsibilities concerning compliance requirements should be specified during the contract negotiations as clearly as possible and separately for the different elements of the service, if necessary. The agreement should also contain clear change management processes, under which the service or system can be adjusted or even discontinued if amendments to the relevant regulatory framework so require.

☑️ Identifying the service provider’s data protection profile

Data protection issues constitute a significant source of compliance risks for almost every modern organisation. ICT solutions all but inevitably involve the processing of personal data, which necessitates the due consideration of data protection aspects already in the selection of the service provider. Indeed, selecting a reliable vendor that understands the various data protection requirements applicable to its customer is a key step in managing data protection risks. Therefore, it is important, when preparing a procurement, to review the potential providers’ approaches and existing arrangements in relation to data protection requirements. For example, a service provider’s privacy policies, possible data protection impact assessments or data security certificates are a good starting point.

Following the so-called Schrems II ruling of the Court of Justice of the EU (C-311/18, 16 July 2020), European companies have been required to identify and assess the geographic location of their data processing. The Schrems II ruling brought about significant requirements that must be observed when personal data is stored outside the EEA, including situations where data inside the EEA is made accessible from outside the EEA, which is extremely likely, for example, in the context of established global cloud services. When selecting a service provider, the customer should identify the location of the service data and ensure, in practice, that the service provider has clear and sufficient mechanisms and contractual liabilities required to address the Schrems II requirements (e.g. the so-called transfer impact assessment documentation).

In our view, the ability to address the challenges related to the location of data is becoming a central competitive advantage among ICT service providers.

☑️ Sustainability first

It may be tempting to think that sustainability requirements would not represent a significant challenge for businesses operating in a digital environment. However, the infrastructure of modern data processing has, in the last few years, proven to be a concerning environmental challenge, which has been especially apparent through the data processing capacities required by blockchain technologies. If the current progress continues, data centres are expected to represent over 3% of global carbon dioxide emissions by 2025.

As the amount of data in the world grows, environmentally friendly data storing solutions will become an important tool for many companies as they work to limit their carbon footprints. Additionally, energy-efficient servers may prove an excellent means for creating cost savings. Environmentally friendly data management can also become a company’s competitive advantage as consumers’ environmental awareness and values evolve.

When planning the procurement of a long-term and large-scale ICT system, the due assessment of environmental issues should, in fact, be a crucial stage in terms of an organisation’s sustainability requirements. The ‘greenness’ of a potential service provider should, moreover, form a key selection criterion in choosing a vendor. Contractual terms can also be used to create incentives for environmentally responsible operations. We predict that pricing mechanisms and novel contractual terms concerning the validity and termination of the agreement, linked to environmental factors and requirements, will also become more common in ICT agreements in the coming years.


The focus areas identified in this article go to show that the procurement of ICT solutions is connected to a highly diverse set of requirements. The comprehensive assessment of all such factors may feel overly time-consuming in the midst of a rapidly progressing ICT procurement project. However, the magnitude of applicable requirements requires ensuring an adequate schedule and seamless cooperation between the procuring organisation’s technical and legal experts to ensure that all relevant requirements are observed. Accepting the supplier’s terms ‘as is’ may seem like an attractive solution when operating under a tight schedule, but doing so may create unexpected and long-term contractual risks. Additionally, we have noticed, in practice, that even where the supplier has initially indicated its own standard terms as being ‘non-negotiable’, there may nevertheless be room for negotiating the terms to be more favourable for the customer.


Special thanks also to Roi Rantanen who participated in the writing of this article and works as an Associate Trainee at Dittmar & Indrenius in autumn 2021.
