Shifting responsibility in IT agreements: From client-centric compliance to provider accountability

Client-centric compliance
In the early days of IT agreements, the responsibility for a system’s legal compliance often rested on the client. This allocation was driven by two key factors: intellectual property rights (IPR) ownership and market practices of the time. Frequently, clients either owned or sought significant control over the IPR of the systems they commissioned. This ownership inherently made them responsible for ensuring the system’s compliance with applicable laws and regulations.
Additionally, prevailing market norms placed more emphasis on clients managing their compliance. IT providers were primarily focused on delivering functionality and technical capabilities, while clients, with their specific industry knowledge, were expected to navigate the legal and regulatory landscape. For instance, a bank implementing a financial system would bear the responsibility for ensuring it adhered to financial regulations, as the system was tailored to their operational needs.
It can be argued that for a long time, the work of IT providers was akin to craftsmanship, where each client received a slightly customized solution. While IT providers were perceived as “industrial” companies, in terms of contracts, their work was more akin to “handicraft.”
EU regulation and market evolution
Recent years have brought about a significant shift in this dynamic, largely driven by changes in the regulatory environment and the technological landscape. The introduction of robust EU frameworks such as the GDPR, the AI Act, and the Digital Services Act has placed new, direct compliance obligations on IT providers. These regulations emphasize the need for providers to ensure their systems are lawful by design and compliant throughout their lifecycle, even as legal standards evolve.
At the same time, the rise of cloud computing has fundamentally altered the ownership and operational control of IT systems. Unlike traditional on-premises deployments, where clients managed the environment and compliance, cloud solutions place significant control—and therefore responsibility—in the hands of the provider. Providers manage infrastructure, update systems, and often dictate how data is processed, making them central to compliance efforts.
For example, an HR technology company developing an AI-driven recruitment system must now ensure the system does not create biases in hiring decisions, as required under the AI Act. Previously, clients using the system would have carried the risk of non-compliance with anti-discrimination laws.
It can be argued that IT providers now face increasing requirements regarding the legality of their operations. An IT provider cannot operate in the market unless it delivers legally compliant systems. This shift is also reflected in contract practices.
IT provider accountability
This shift in the regulatory and technological landscape has led to a re-evaluation of responsibility in IT agreements. Providers are now increasingly expected to bear the primary burden of ensuring that systems comply with relevant laws. This change reflects the reality that providers are better positioned to address compliance at the design and operational levels, particularly in cloud-based environments where they control the underlying infrastructure.
However, clients still retain responsibilities, albeit in a more focused capacity. While providers must ensure the system’s baseline legality, clients are responsible for ensuring that their use of the system aligns with their specific legal requirements and operational contexts.
For instance, a cloud-based CRM system may be GDPR-compliant in its design, but it is up to the client to ensure that the data they input and the manner of their processing adhere to GDPR principles, such as obtaining proper consent from data subjects. Similarly, a cloud-based electronic health records provider ensures its system meets regulatory data security requirements, but it is up to the hospital using the system to ensure that patient consent mechanisms and data-sharing policies comply with applicable medical data legislation.
Evolving contract negotiations
These changes have also reshaped the negotiation process in IT agreements. Where earlier contracts might have included broad indemnities and disclaimers shifting compliance risks to the client, modern agreements now focus on delineating shared responsibilities. Providers typically accept liability for ensuring that the system is compliant with general legal standards, while clients agree to take responsibility for their specific use cases.
For example, providers may warrant that the system complies with data protection laws, does not infringe third-party IPR, and incorporates mechanisms to adapt to regulatory updates. Clients, on the other hand, may commit to using the system lawfully and within the scope of its intended purpose, ensuring compliance with industry-specific regulations or internal policies.
Moreover, EU regulations often require providers to offer tools and guidance to help clients meet their obligations. For instance, a provider might offer audit logs, compliance dashboards, or data localization options to assist clients in aligning with regional laws.
Further, when negotiating an agreement concerning an AI-powered chatbot for customer service, a provider may guarantee that the system adheres to AI Act requirements, while the client must define responsible use policies, such as disclosing to users that they are interacting with AI rather than a human.
Why the shift matters
The reallocation of compliance responsibility reflects a broader transformation in how IT services are delivered and consumed. It acknowledges the increasing complexity of regulatory landscapes, where a single system may be used across multiple jurisdictions, each with its own legal requirements.
By placing greater responsibility on providers, the regulatory environment seeks to ensure that systems are built with compliance as a fundamental feature, rather than an afterthought.
At the same time, this shift aligns with the practical realities of cloud computing. Clients no longer have the direct control over systems that they once did, making it both logical and necessary for providers to take on more accountability.
This accountability has already taken shape in the context of the Digital Services Act. Under the Act, an e-commerce platform provider must ensure that product listings comply with consumer protection laws. Previously, individual sellers were solely responsible. Platforms like Amazon and eBay have thus had to introduce proactive content moderation methods to avoid liability for counterfeit or unsafe products.
The future of IT agreements
As EU regulations continue to evolve and cloud services dominate the IT landscape, the allocation of responsibilities in IT agreements will further solidify around this shared model. Providers must embrace their role as compliance leaders, integrating legal requirements into their systems by design and maintaining them throughout the system’s lifecycle.
Clients, for their part, must focus on ensuring that their operational use aligns with the intended legal and ethical purposes.
This new paradigm creates a more balanced and collaborative approach, reducing risks for both parties while fostering trust and adaptability. For IT agreements to remain effective in this changing environment, clear communication, precise contractual terms, and a mutual understanding of responsibilities will be essential.
This evolution not only reflects the demands of modern technology and regulation but also sets the stage for more resilient and legally sound partnerships in the future.