Outsourcing Spotlight – Spring / Summer 2026

Upcoming restrictions on 'fire and rehire' under the Employment Rights Act 2025 could have an impact on outsourcing arrangements.

What's changing?

Under the changes, it will become automatically unfair to dismiss employees in order to replace them with non-employees doing essentially the same work. This is designed to prevent businesses from dismissing employees to replace them with cheaper agency staff (as happened in the P&O Ferries controversy in 2022).

How could outsourcing be affected?

However, the legislation could also capture an outsourcing situation where a customer's employees are replaced with staff of the service provider performing the same services. This will not be a problem where the customer's employees transfer to the service provider under TUPE, as is often the case in an outsourcing. However, it could be an issue where the service provider does not take on employees for whatever reason, and the customer is left to make redundancies – those redundancies could result in automatic unfair dismissal claims. The liability could be significant, particularly where large numbers of staff are involved. The issue is also compounded by upcoming reforms to unfair dismissal law – the duration of service required to claim unfair dismissal is reducing from two years to six months and the current cap on compensation (of around £120,000) is being removed (see section 5 below).

As we've highlighted in previous issues, the risks for both customers and service providers involved in consumer-facing outsourcings have increased substantially, following the entry into force of the Digital Markets, Competition and Consumers Act 2024 (for more detail, see section 2 of Outsourcing Spotlight Autumn/Winter 2024). Among other things, businesses that breach UK consumer law now face the prospect of fines of up to 10% of worldwide turnover.

In our Spring/Summer 2025 issue, we looked at the key question of who would liable for breach of consumer law in the context of an outsourced service that was consumer-facing – and in particular, to what extent could outsourced service providers be "in the frame"?  We argued that there were circumstances where the regulator – the Competition and Markets Authority (CMA) - would seek to enforce against both the service provider and its customer.  This appears from recent enforcement actions to be the CMA's preferred approach.  Service providers in consumer-facing outsourcings should not therefore assume the CMA will only enforce against their customer. 

The outbreak of war in the Middle East has delivered a series of economic and operational shocks.  In this article, we explore the impact on outsourcing, focussing on the potential for contractual disputes:

Force majeure clauses

• Scope of clause: Whilst the clause is likely to include a reference to "war" or "conflict", the mere fact that a contract has become more expensive to perform will not normally be sufficient to trigger it. The service provider may therefore need to focus more on the delays that it is experiencing.
  
  
• Threshold for triggering the clause:  The threshold for engaging the clause will vary depending on the exact wording; for instance, a reference to performance being "prevented" indicates a high threshold, whereas words such as "delayed" or "hindered" are likely favour the service provider in this scenario.
  
  
• Mitigations: The clause may well require the service provider to take reasonable steps to mitigate the impact, such as exploring alternative supply routes.  But absent clear contractual wording, customers are generally not required to accept non-contractual alternatives in response to disruption (such as payment in a different currency) – see our briefing on the UK Supreme Court's decision in MUR Shipping v RTI.
  
  
• Termination rights: Finally, it is also fairly common for force majeure clauses to allow the unaffected party to terminate if the disruption persists beyond a specified period.  Experience from COVID-19 suggests that this can make suppliers reluctant to pursue the force majeure route for fear of losing the contract – but with a complex, large-scale outsourcing of this type, the service provider may calculate that the customer will also be reluctant to terminate. This may push both parties towards a negotiated solution.

The key area of tension in this dispute is likely to be the bank's concern that – despite the outsourcing – it remains responsible to its regulators for compliance outcomes, whereas the service provider is likely to argue that it is only required to deliver what was agreed at the time of the contract. Much is likely to depend on how the parties agreed to allocate the costs of compliance with regulatory change.  Sanctions regimes are known to change fairly frequently; as a result, the bank is likely to have pushed for the service provider to bear the risk and cost of at least a certain level of change. The service provider, meanwhile, will probably be looking to invoke the change control provisions, especially if they require the bank to bear the cost of regulatory changes beyond a certain threshold.  Although the regulatory background is an obvious source of tension here, it may also provide a powerful incentive for bank to reach a negotiated solution, on the basis that this is likely to be the quickest way to reduce the risk of the dispute leading to intervention from the regulator.  

For a more on our thinking about how to respond to the current crisis, including the sanctions risk, see: Conflict in the Middle East – legal solutions to help build business resilience

With many tech-focussed outsourcings increasingly reliant on cloud services, concerns have been raised that some service providers put excessive barriers in the way of switching to a competitor. This has prompted regulators in both the UK and EU to take an active interest in the sector, with a view to making switching easier.  The latest position is as follows:

What does this mean?

Overall, the position for customers has improved in both the EU and the UK, primarily driven by the EU's intervention.  The position in the UK is arguably less secure than in the EU, because there is no formal "conduct requirement" imposed by the CMA on any cloud service provider to offer comparable switching rights.  If Microsoft and Amazon decided to abandon their improved terms, the CMA would require some time before it was in a position to impose any conduct requirements on them to restore those terms.  However, at least for the time being, it would appear that customers in the UK are benefitting from improved exit terms and are thus not at a significant disadvantage compared with their counterparts in the EU. 

From 1 January 2027, the qualifying service period for unfair dismissal protection will reduce from two years to six months. This means that all current employees, as well as new recruits starting between now and 1 July 2026, will immediately have unfair dismissal protection from 1 January 2027. Also from 1 January 2027, the unfair dismissal compensation cap (currently the lower of a year's pay and £123,543) will be removed, allowing employees to claim unlimited compensation for financial loss.

In our last issue, we highlighted new rules affecting outsourcing service providers with umbrella companies in their supply chain.  These rules came into force on 6 April 2026 and apply to existing as well as new arrangements.  The main risk for outsourcing service providers is that they could be liable for the tax and NICS due in respect of individuals engaged via umbrella companies – even though historically, these PAYE obligations have normally been viewed as solely the responsibility of umbrella companies. 

Cyber Security and Resilience Bill

Against a backdrop of increasingly sophisticated cyber attacks - costing the UK economy nearly £15 billion a year - the UK Government has introduced the Cyber Security and Resilience (Network and Information Systems) Bill. Focused on protecting the systems behind essential services and the digital infrastructure that supports daily life, the Bill will expand cyber compliance obligations and regulators' enforcement powers - including for data centres, managed IT service providers, and designated “critical suppliers".  As such, it will undoubtedly have an impact on a significant number of major tech outsourcings – although its scope is not as broad as the EU's NIS2 Directive, which covers a much wider range of sectors.  For more detail, see: The UK’s new Cyber Security and Resilience Bil.

EU Digital Omnibus: impact on the AI Act

The EU's draft Digital Omnibus proposes a number of changes to the AI Act.  These include:

• delay to the August 2026 deadline for high-risk systems
  
  
• relaxation of the AI literacy requirement
  
  
• relaxations for SMEs and small mid-caps and
  
  
• an exemption from registration for AI systems used in high risk areas for narrow or procedural tasks.

For more detail, see What can businesses hope to gain from the EU's Digital Omnibus?  However, since our briefing, EU trilogue discussions on the AI Act proposals fell apart at the end of April 2026. There is plan for further debate in May 2026, but the path to agreeing these changes is not running smoothly, creating significant uncertainty for business.

The European Banking Authority (EBA) looks likely to bring in a Digital Operational Resilience Act (DORA)-style regime, but this time for non-ICT third-party arrangements. Its proposed draft guidelines (on which it consulted in 2025) significantly expand its former 2019 outsourcing guidelines and will lead to an overhaul of third-party risk management within EU financial services.  If implemented, the new guidelines will introduce a much broader, more prescriptive framework for third-party contracts outside DORA, introducing new requirements, greatly expanding scope, and imposing new contract and governance standards across the sector. 

Our briefing explains the key changes and the next steps for firms in scope: The EBA's proposed expansion of third-party risk management requirements

In our Spring/Summer 2025 issue, we highlighted new obligations to take measures to protect against terrorist attacks that will affect premises and event management outsourcings. These are contained in the Terrorism (Protection of Premises) Act 2025 – also referred to as "Martyn's Law" (after one of the 22 victims of the Manchester Arena attack). The Home Office has recently published statutory guidance on how it expects businesses to comply with these obligations. Whilst the legislation is not expected to be brought fully into force until April 2027, the guidance should help businesses take steps to plan and prepare.

We regularly advise both customers and suppliers on outsourcing transactions in a broad range of sectors. Recent examples include: