In this issue, we look at how to mitigate risks to outsourcings from cyber-attacks and the implications for customers and service providers of proposed reforms on late payment. We also discuss the Employment Rights Bill, cloud service switching, umbrella companies, what to watch out for in the Budget and AI literacy.
1 Cyber attacks: where's your weakest link?
Many outsourcings involve processing data which is highly attractive to hackers, such as individual customer names and payment details. With cyber attacks very much in the news, what should outsourcing customers and service providers be doing to manage their risk?
Customers
Imposing robust contractual obligations on your outsourced service provider is a start – but it's unlikely to be sufficient on its own. In particular, many recent attacks have come from vulnerabilities within the wider supply chain, highlighting the need to consider third parties within that chain – information which may only be obtainable via your outsourcing service provider. As we explain in our briefing Cyber risks in your supply chain: where is your weakest link?, you will need to engage with the service provider to ensure that robust systems are in place all the way along the chain.
Whilst due diligence at the outset of the relationship is essential, it's also critical that further audits are carried out at appropriate intervals during the lifetime of the outsourcing and that systems are tested regularly for vulnerabilities. This is all the more important with longer-term outsourcings, where it's to be expected that IT systems will need to be upgraded or modified over time – but where each upgrade or change may provide scope for new vulnerabilities.
Service providers
Much the same advice applies to service providers, particularly as regards their own, wider supply chain. But another critical interface – and potential "vector" for malware etc – is the customer itself, so service providers shouldn't be shy about expecting customers to adopt an equally rigorous approach to "cyber hygiene" and to treat it as a shared problem.
Service providers should also consider "war-gaming" their cyber-incident response plans and practising how they would respond if bad actors gain access to their systems via the customer or via their suppliers. For a more detailed discussion, see our podcast series Mitigating a Data Breach: Insider Threats.
Learning from the mistakes of others
Last but not least, much can be learned by looking at mistakes made by others. For example, Capita has recently been fined £14 million for data breaches resulting in the disclosure of personal data of over 6.6 million individuals. The Information Commissioner's Office highlighted the following steps that might have made a difference:
- Follow NCSC guidance: Capita had not followed NCSC guidance on "lateral movement", enabling the hacker to get access to more data than would have been possible with a better designed, tiered system of administrator privileges.
- Respond promptly to alerts: a high security alert was raised within 10 minutes of the breach – but Capita took 58 hours to respond (possibly due to under-staffing). Had action been taken earlier, it's possible some of the damage could have been contained.
- Test regularly: penetration testing was only undertaken when Capita's systems were commissioned (and as outlined above, upgrades and other changes provide scope for new vulnerabilities to emerge – so it's critical to test systems at regular intervals to try to identify any new weak points).
2 Late payment reform: how will it affect outsourcing?
The UK Government is consulting on major changes to the law on late payment. These range from powers to fine businesses which fail to pay their suppliers on time through to measures which would prohibit credit periods of more than 60 days and restrict customers' ability to withhold payment. We look at how these proposals would affect outsourcing customers and service providers.
What are the key proposals?
Our briefing explains the proposals in detail but the key measures are:
- Prohibition of payment periods of more than 60 days (reducing to 45 days over 5 years)
- Statutory interest rate on late payments of base + 8% to be made mandatory (i.e. no "contracting out", as at present)
- 30-day deadline for disputing invoices (if customer wishes to withhold payment)
- Binding arbitration scheme, administered by Small Business Commissioner, for payment disputes involving businesses with fewer than 50 staff
- Small Business Commissioner to be able to fine businesses with poor payment records or which persistently fail to comply with late payment obligations
- Large companies and LLPs to be required to report on the amount of statutory interest owed and paid out
- Audit committees or company boards of large companies and LLPs to be required to make regular recommendations to improve payment practices
The impact on customers
Partner Rich Offord commented:
"Although the most eye-catching proposal is arguably the prospect of fines, the more immediate issue for customers in the context of a major outsourcing relates to payment terms and disputes. Let's say you've got some form of cost-based pricing, for which the supplier presents a monthly invoice. Customers will have to pay that invoice within 60 days of receipt – so if you've been used to having longer to pay, this may have implications for cashflow, especially if the monthly sums being invoiced are quite substantial.
And if there's something you're not happy with on the invoice and you want to be able to withhold payment, you'll only have 30 days in which to raise a dispute. So if you've been used to taking longer to check invoices to ensure that you're not being over-charged – particularly on the cost-based elements – you may no longer have that luxury.
Lastly, if you pay late without justification, the supplier will be able to claim interest on overdue amounts of base plus 8%. At present, most contracts substitute a significantly lower interest rate – but if these proposals are implemented, it won't be possible to 'contract out' any more."
NOTE: According to a recent FT report, UK retailers have raised concerns about the maximum 60 day payment period, owing to the long lead times for importing goods from Asia. However, even if the UK Government accepts that such concerns are justified, it is difficult to see how they would also apply to the provision of services under the majority of outsourcing agreements. It would therefore be premature to assume that the proposal to impose maximum payment periods will be abandoned – although it's possible it could be modified to take account of the concerns of particular sectors.
The impact on service providers
Partner Rich Offord commented:
"Service providers might think there's nothing to worry about here – after all, what's not to like about being paid on time? But they need to think about their own suppliers – where they'll face the same issues as their customers when it comes to payment terms and disputes.
Meanwhile, service providers which rely on significant numbers of smaller sub-contractors with fewer than 50 staff will also need to contend with a significantly beefed up Small Business Commissioner acting on their behalf."
Who's afraid of the Small Business Commissioner?
The answer at present is probably that relatively few people have even heard of the Small Business Commissioner (SBC), let alone are afraid of it. But if the late payment proposals are implemented, that could well change. Among other things, the SBC would get new powers to investigate businesses which are viewed as systematically paying their suppliers late. The Government's concern here is that some larger businesses may be paying larger suppliers on time, whilst making smaller suppliers wait, with a view to easing their own cashflow position. Smaller suppliers may be singled out in this way because they are considered unlikely to complain or bring court proceedings for late payment. The proposal for a "beefed up" SBC is designed to help level the playing field in their favour.
In addition to new investigatory and fining powers, the SBC will also administer an arbitration scheme for payment disputes involving smaller businesses (defined as those with fewer than 50 staff – there is no turnover threshold). This is intended to provide a quicker, cheaper and easier mechanism for resolving payment disputes than going to court.
Measures affecting both customers and service providers
Parties to significant outsourcings – whether customers or service providers – are quite likely to meet the thresholds for the existing late payment reporting regime. This applies to any company or LLP meeting at least two of the following criteria on the business's last two balance sheet dates:
- turnover of more than £54 million;
- balance sheet total of more than £28 million; and
- more than 250 employees.
The SBC will also be charged with reviewing the statistics provided by such businesses under the reporting regime and considering whether to impose fines on any companies or LLPs which have paid a significant proportion (e.g. 25%) of their suppliers late. Many parties to significant outsourcing deals are likely to be within the scope of this aspect of the proposed fining regime – and although late payment in the context of a single outsourcing isn't likely to be a problem, a pattern of late payment across a substantial proportion of suppliers could lead to a business being fined.
What happens next?
The Government has been consulting on the proposals and has said that it will provide its response by early 2026. Our view is that at least some of these measures (if not the whole reform package) are likely to be taken forward – not least because taking tough action on late payment was a Labour Manifesto commitment.
3 The Employment Rights Bill: implications for outsourcing
The Employment Rights Bill is currently before the UK Parliament and expected to receive Royal Assent later this year – possibly in the coming weeks. From an outsourcing perspective, the key implications are as follows:
The impact on customers
The legislation will introduce a new duty on employers to protect staff from harassment by third parties – which, in the case of a customer in an outsourcing, would include the supplier of the outsourced services. Here's an example to illustrate the difference this would make:
A staff member responsible for liaising with the outsourced service provider is sexually harassed by her opposite number at one of their regular monthly review meetings. In principle, that staff member will be able to bring a claim against her own employer, i.e. the customer for the outsourced service, alleging a failure to protect her from such harassment. Her employer would not be liable if it can show that it had reasonable measures in place to prevent harassment. Such a claim would be in addition to any recourse she might have directly against the relevant individual.
But perhaps the bigger impact for customers will come from other provisions of the legislation, particularly those which arguably increase the regulatory burden on service providers in their capacity as employers (see below). These could lead to service providers either:
- becoming more reluctant to recruit new staff, potentially leading to increased problems with service delivery; or
- continuing to recruit as normal but looking to pass on increased compliance costs.
The impact on service providers
Outsourcing service providers will face the same new duty to protect against harassment by third parties, i.e. they could find themselves liable if their own staff have been harassed by the employees of the customer and they have failed to take reasonable steps to prevent this. But given that many outsourcings are labour-intensive, the bigger impact on service providers is likely to come from provisions of the Bill which arguably increase the regulatory burden on them in their capacity as employers. Two aspects are of particular note in an outsourcing context:
- Impact of Day 1 unfair dismissal rights: at present, if the performance of relatively new employees is poor, it is typically reasonably straightforward to dismiss them lawfully because such staff do not benefit from unfair dismissal rights until they have at least 2 years' service. The Bill is expected to provide for "Day 1" unfair dismissal rights, but subject to a probation period during which employees could be dismissed, pursuant to a "lighter touch" procedure. The length of the probation period is currently unclear and will be subject to further consultation, but the Government has indicated a preference for 9 months. In order to dismiss poorly performing staff fairly, employers will need to carry out more formal performance reviews and demonstrate that they have given individuals a reasonable opportunity to improve.
- Zero hours / casual / irregular hours workers: zero/low hours workers will have a right to be offered a contract reflecting regular hours, whilst those working irregular hours will be given a right to notice of shifts and compensation for cancellation. These provisions are likely to make it more burdensome for service providers to rely on zero hours / casual workers.
Potential positive effects of the Bill
It's by no means inevitable that the legislation will have a negative impact on outsourcing transactions. Much will depend on how service providers in particular respond to its introduction. For example, it's possible that for some service providers, the introduction of Day 1 unfair dismissal rights leads them to put more focus on performance management generally – which could improve productivity. If some service providers become more reluctant to recruit new staff, this could lead them to put more resources into technological solutions, with a view to doing more work with the same numbers of staff – again, potentially leading to improved efficiency and productivity. Meanwhile, improvements to family rights could help to make it more attractive for some individuals to enter the labour market, thereby easing recruitment problems faced in some sectors.
What's the timing?
Assuming the legislation receives Royal Assent later this year, the majority of reforms are not expected to take effect until 2026 at the earliest – and Day 1 unfair dismissal rights will not take effect until 2027. There will also need to be consultation on some of the detail, which has already begun and will continue into 2026. That said, the Bill will make significant changes to the law and employers should start thinking now about how it's likely to affect them. For more detail on the Bill – which contains a number of provisions not discussed above – see our briefing: The Employment Rights Bill: What does it mean for employers?
4 Data breaches: class actions and "near misses"
Many outsourcings involve processing significant volumes of customer data – and if there is a data breach, one of the legal risks is that individual data subjects may bring claims for damages. If the breach has been caused by a security failure of the service provider, data subjects could sue the provider directly but, more likely, these claims would be brought against the customer – who would then look to pass on liability to the provider through the contract. The recent Court of Appeal decision in Farley v Paymaster (trading as Equiniti) has lowered the bar for data subjects to bring such actions.
Class actions: a reminder
When many data subjects are impacted by a data breach, their claims may be brought as class actions i.e. the claimant lawyers will be acting on behalf of a significant number of individuals affected by the breach. In 2021, the Supreme Court ruling in Lloyd v Google made clear that such actions could not be brought on an "opt out" basis – meaning that, going forward, lawyers seeking to get class actions of this type off the ground would need to contact affected individuals and persuade them to agree to bring a claim. This has made it more difficult for claimant lawyers to get viable class actions "off the ground" in data breach cases – but it is by no means impossible, provided they are prepared to incur the time and expense involved in contacting affected data subjects. Farley v Paymaster doesn't change the position on opt-out class actions – but it does relate to another issue which previously tended to undermine class actions.
No seriousness threshold and no need for actual disclosure to third parties
A further factor making it difficult to pursue class actions of this type was the apparent requirement for claimants to demonstrate that any non-material damage suffered (e.g. fear or anxiety over possible misuse of the data) reached a minimum "seriousness threshold". However, the Court of Appeal has now confirmed that there is no threshold of seriousness in cases of this type. It also ruled that the actual disclosure to a third party was not an "essential ingredient" of an allegation of processing or infringement. Businesses can therefore be liable under data protection law for administrative errors that they may categorise as "near-misses", such as sending data to the wrong address, where no third party accesses the data.
The impact of the previous approach on class actions can be seen in the High Court's ruling in Farley v Paymaster, which the Court of Appeal has now overturned. The High Court ruled that only claims on behalf of 14 individuals could proceed – and that the other 460 should be dismissed. This was because these were the only cases where there was evidence that the data had actually been read by a third party (in this case, the breach involved the administrator of a police pension scheme sending annual benefit statements to the wrong addresses).
The upshot of the Court of Appeal's ruling is that all the claims have been remitted back to the High Court, which will now need to consider whether there is sufficient evidence of harm (and it will only be able to strike out individual claims if, for example, they are based on vague or far-fetched worries on the part of data subjects).
Does this decision open the floodgates to low-value claims for data breaches?
Although the ruling removes one of the hurdles facing data breach claims of this type, we don't expect it to open the floodgates to low value claims. It is clear from the decision that the courts will give short shrift to hypothetical or speculative claims of harm that are not "well-founded". The test is whether a reasonable person in the claimant's position, knowing what they knew at the time, would have had a genuine reason to fear that their data might be misused. The decision also provides further support for low-value claims to be pushed down the County Court's Small Claims Track. Moreover, nothing in Farley reverses the position in respect of collective claims following Lloyd v Google (see above).
See our briefing on Farley v Paymaster for 3 key takeaways for businesses.
5 Cloud services: an update on switching
Cloud services are critical to many technology-focused outsourcings – but concerns have been raised that some cloud service providers make it unnecessarily difficult to switch to competing services. This can be a problem in the context of outsourcing – for example, where the prospective customer and service provider are using different cloud services, but need to be on the same platform in order to make the outsourcing work effectively. We look at developments in both the EU and the UK which may improve the position of parties to outsourcing transactions wanting to switch to a different cloud service.
The EU Data Act
From 12 September 2025, the EU's Data Act requires contracts for most cloud service providers in the EU to include a right to switch after a maximum of two months' notice. Switching charges must be limited to the direct costs incurred by the provider as a result of the switching (and from 12 January 2027, no charges for switching will be permitted). The legislation also requires contracts to contain a number of other provisions designed to remove or minimise common obstacles to switching. For more detail, see our briefing: The Data Act's changes to cloud services contracts – tipping the scales on switching.
What's the UK position?
The EU's Data Act does not apply in the UK – which means that strictly speaking, there is no obligation on cloud service providers to include similar switching terms in contracts with UK customers. However, there are already examples of cloud providers not differentiating between their EU and UK customers in shifting away from charging for data egress, and so UK customers may experience some benefit from the Data Act's impact in this respect.
Additionally, as we discuss in two briefings here and here, the UK Competition and Markets Authority has been investigating cloud services. That investigation has now formally concluded with a recommendation that the CMA take steps under the Digital Markets, Competition and Consumers Act in relation to the largest cloud service providers, AWS and Microsoft. This may impact their terms and could have a ripple effect for other providers.
6 Umbrella companies: new PAYE liabilities for outsourcing service providers
Outsourcing service providers with umbrella companies in their supply chain need to be aware of new rules that will take effect from the start of the next tax year.
What are umbrella companies?
So-called "umbrella companies" are used to facilitate provision of staff without the "end user" business having to take them on as employees. Such arrangements can be highly beneficial to outsourcing service providers (the "end user" business in this case) with a fluctuating demand for staff, as they allow for increased flexibility compared with engaging staff as employees. As the individual's employer, the umbrella company is required to deduct income tax and NICs from salary payments it makes to them. In some cases, individuals may also be required to provide their services through an umbrella company operated by the employment agency which they have signed up with.
What's changing?
From the next tax year, outsourcing service providers with umbrella companies in their supply chains could find themselves with additional PAYE responsibilities. As noted above, it is the umbrella company that has responsibility for paying tax and National Insurance contributions on the workers' earnings through PAYE. The Government acknowledges that engaging workers in this way offers a flexible and cost-effective means of managing labour force requirements. However, it has become increasingly concerned that some umbrella companies are not operating PAYE correctly on their employees' salary. Accordingly, new rules are being introduced under which businesses using these hiring structures will become jointly responsible for the PAYE obligations of the umbrella company where it makes an error or simply fails to pay the correct amount of tax and NICs. This will be the case even if the outsourcing service provider has taken steps to ensure that it only engages with compliant umbrella companies. There are special rules for labour supply chains containing multiple agencies (where the agency closest to the end user will be responsible for the PAYE) or an offshore element.
What's the timing and what should you do to comply?
The new rules will apply to payments made on or after 6 April 2026 and will cover existing as well as new arrangements. Further, in some circumstances, an individual worker will be treated as employed by an umbrella company, even if they claim that they are self-employed or working through a personal service company. The legislation is still in draft form but HMRC has already published guidance on how the new rules will work.
Outsourcing service providers with supply chains that include umbrella companies should:
- identify any potential exposure under these new rules;
- develop appropriate processes for ensuring that PAYE is being operated correctly; and
- if possible, obtain sufficient indemnities from umbrella companies should HMRC seek recovery from them.
7 Have you done your AI literacy training?
Many outsourcing service providers are using AI to improve their efficiency and their customer offering. The EU AI Act demands that providers and deployers of AI systems take measures to ensure a sufficient level of AI literacy of their EU staff and anyone else using AI systems in the EU on the organisation's behalf. Whilst this won't apply to outsourcings which relate solely to the UK, it will apply, for example, to UK service providers when deploying AI systems whose output is used in the EU. This obligation began to apply on 2 February 2025 – although guidance was only released in May 2025 and enforcement powers only apply from August 2026. Our briefing sets out the key takeaways from that guidance.
Even if the EU AI Act doesn't apply, customers may still want to consider asking their service providers what training they have done to ensure that their staff are able to use AI effectively and are aware of some of the key pitfalls, such as its tendency to "hallucinate".
8 Data (Use and Access) Act now on the statute book
After a stop-start legislative journey that lasted several years (including various incarnations proposed by the previous government), the Data (Use and Access) Act (DUAA) finally made it onto the statute book in June 2025. As well as a package of data protection and e-privacy reforms, the DUAA introduces frameworks for smart data and digital verification schemes and puts the National Underground Asset Register on a statutory footing. The legislation has a staged application, with most of its provisions requiring secondary legislation to be brought into effect.
Limited data protection reforms
The DUAA does not amount to a wholesale reform of UK GDPR, which is undoubtedly a relief to most businesses which have already invested heavily in GDPR compliance – changes to data subject rights, for example, largely codify existing regulatory guidance. There have, however, been some limited relaxations to the rules in relation to automated decision-making, data transfers and cookies. Our briefing on the data protection aspects of the DUAA provides some key takeaways for businesses.
The DUAA is also unlikely to negatively impact the EU's adequacy decision in favour of the UK, the review deadline for which was postponed until 27 December 2025 to allow the DUAA first to pass.
9 What to watch out for in the Budget
The next Budget is due to be delivered on 26 November 2025 and against a challenging economic backdrop, speculation is rife that HM Treasury is considering a broad range of tax policy changes. Our Tracker highlights some of the more prominent proposals that have surfaced in the run-up to the Budget – including the following that may be relevant to outsourcing (the Tracker provides more detail on all these issues):
Possible measures with relevance to most outsourcings
- Further changes to National Insurance Contributions (NICs)
- Changes to corporation tax (although the Corporation Tax Roadmap contained a commitment to cap it at 25%)
- Broaden VAT taxable base – or alter rates of VAT (although the 2024 Labour Manifesto contained a pledge not to increase it)
Outsourced transport and logistics services
- Changes to fuel duty
- Road pricing or pay-per-mile schemes (to recoup money lost due to the shift to electric vehicles)
Of course, whether HM Treasury will actually pursue any of these measures remains to be seen – we will find out at the end of November.
10 More on outsourcing
Relatively few leading UK law firms regularly publish client briefings and other materials which specifically focus on outsourcing – but we do, because it's a key area of our practice. Unlike some, our focus goes wider than just the outsourcing contract – we take a more holistic approach, frequently advising our outsourcing clients on related legal issues such as employment, data protection, cyber-security, sectoral regulation, public procurement and tax. In case you missed it, our last edition (from May 2025) included coverage of the following topics:
- whether a possible change in the approach to equal pay could undermine incentives to outsource;
- practical implications of the UK Government's Immigration White Paper;
- new legislation on premises and consumer-facing outsourcings; and
- 5 key practical lessons for delivering successful longer-term outsourcings.
For all our materials on outsourcing, see our Outsourcing Spotlight series page.
Need to know videos
You may also be interested in the following very short (3 minute) "need to know" videos:
- Data protection and outsourcing: a 3 minute primer on key recent developments
- Deploying Artificial Intelligence in an outsourcing: a 3 minute primer