
IT Security Clauses in Contracts: What You Should Demand from Service Providers

TL;DR
  • Every contract with an IT service provider that has access to your data or systems needs explicit security clauses.
  • The five core areas are: security standards, incident notification obligations, audit rights, SLAs with security metrics, and liability provisions.
  • The audit right is the single most important clause: without the ability to verify your service provider's security, you are at their mercy.
  • ISO 27001 or comparable certifications held by the service provider do not replace contractual provisions, but they complement them effectively.
  • NIS2 significantly tightens requirements for supply chain security. Companies must actively manage the security of their service providers.

Your Security Does Not End at the Company Boundary

Hardly any company operates its IT entirely on its own today. Cloud providers host infrastructure, SaaS vendors deliver applications, managed service providers handle IT operations, development firms write software, and consultants have access to confidential information. Each of these service providers is a potential entry point for attackers and a potential source of data breaches.

The attacks on SolarWinds (2020), Kaseya (2021), and MOVEit (2023) have demonstrated that supply chain attacks are among the most dangerous threats. A compromised service provider can affect hundreds or thousands of its customers simultaneously.

Yet many contracts with IT service providers contain no or only rudimentary security clauses. "The contractor ensures appropriate security measures" is an empty phrase that is worthless in a dispute because nobody has defined what "appropriate" means.

Legal Foundations

NIS2 and Supply Chain Security

The NIS2 directive (and the German implementation act NIS2UmsuCG) significantly tightens requirements for supply chain security. Article 21(2)(d) explicitly requires "supply chain security including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers."

This means: if you fall under NIS2, you must actively manage the cybersecurity of your service providers, impose contractual cybersecurity requirements, and verify compliance.

ISO 27001

ISO 27001:2022 addresses the topic in several controls: A.5.19 (Information security in supplier relationships), A.5.20 (Addressing information security within supplier agreements), A.5.21 (Managing information security in the ICT supply chain), A.5.22 (Monitoring, review, and change management of supplier services).

GDPR

If the service provider processes personal data on your behalf, you additionally need a Data Processing Agreement (DPA) under Article 28 GDPR (DSGVO). The DPA governs data protection aspects and contains its own security requirements. The IT security clauses in the main contract complement the DPA but do not replace it.

The Five Core Areas of IT Security Clauses

1. Security Standards and Minimum Requirements

Define specifically which security standards the service provider must comply with. General phrases like "state of the art" are too vague. Instead, you should name specific requirements. A supplier security policy provides the overarching framework from which you derive the specific clauses.

Sample clause: "The contractor undertakes to operate and maintain an Information Security Management System (ISMS) in accordance with ISO 27001 or a comparable standard. The contractor shall demonstrate compliance through a valid certificate from an accredited certification body or through successful completion of an audit conducted or commissioned by the client."

If an ISO 27001 certification is not realistic for the service provider (e.g., for small vendors), you can instead attach a specific requirements catalog as a contract annex. This catalog lists the security measures you expect: encryption, access management, patch management, backup, logging, and so on.

Sample clause (requirements catalog): "The contractor shall implement and operate the technical and organizational measures described in Annex X. Changes to the measures that affect the security level require the prior written consent of the client."

2. Incident Notification Obligations

In the event of a security incident at the service provider, you must be informed quickly so you can take your own measures (incident response, notification of affected individuals, reporting to the supervisory authority).

Sample clause: "The contractor shall notify the client without undue delay, but no later than 24 hours after becoming aware, of any security incident that could affect the confidentiality, integrity, or availability of the client's data or systems. The notification shall be sent to [contact point] and shall include at minimum: (a) description of the incident, (b) affected systems and data, (c) time of discovery, (d) countermeasures already taken, (e) estimated impact."

The 24-hour deadline is intentionally shorter than the GDPR's 72-hour deadline because, as the client, you have your own assessment and reporting obligations. Some companies agree on even shorter deadlines (4 to 8 hours) for critical service providers.

Additionally recommended: "The contractor shall support the client in investigating the incident, provide relevant log data and forensic findings, and cooperate with incident response teams engaged by the client."

3. Audit Rights

The audit right is the single most important clause. Without the ability to verify your service provider's security measures, all other clauses are mere lip service.

Sample clause: "The client has the right to verify compliance with the security requirements agreed in this contract through its own employees or appointed third parties (auditors). The audit right includes: (a) on-site inspections of relevant premises and systems, (b) review of relevant documentation (policies, process descriptions, records), (c) interviews with relevant employees of the contractor, (d) technical assessments (vulnerability scans, configuration reviews) upon prior coordination. Audits shall be announced with a notice period of 10 business days. The contractor shall grant the required access and support the audit to a reasonable extent. The costs of the audit shall be borne by the client, unless the audit reveals material breaches; in that case, the contractor shall bear the costs."

Pragmatic approach for smaller service providers: Many smaller service providers reject comprehensive on-site audits because they cannot afford the effort. As a compromise, you can agree that the service provider submits an annual security report documenting compliance with the agreed measures, and that a full audit is only conducted when there is a specific reason (security incident, complaint, material change).

Certificates as audit substitute: You can agree that a valid ISO 27001 certificate replaces the regular audit, provided the scope of the certificate covers the services relevant to you. Pay attention to the scope: a certificate for the Munich office does not help if your data is processed in Frankfurt.

4. SLAs with Security Metrics

Service Level Agreements (SLAs) traditionally govern availability and response times. Supplement them with security-relevant metrics.

Availability: "The contractor guarantees a service availability of 99.9 percent on a monthly average, measured by access to the production system. Planned maintenance windows shall be announced at least 5 business days in advance and do not count as downtime."

Patch management: "The contractor shall remediate critical security vulnerabilities (CVSS 9.0 or higher) within 48 hours of disclosure. High-severity vulnerabilities (CVSS 7.0–8.9) shall be remediated within 7 days. Compliance shall be reported monthly."

Incident response time: "For security-relevant incidents, the contractor shall begin analysis and containment within 2 hours of becoming aware. The client shall receive an initial status report within 4 hours."

Backup and recovery: "The contractor shall create daily backups of the client's data and retain them for at least 30 days. Restore tests shall be conducted and documented quarterly. The maximum recovery time (RTO) is 4 hours; the maximum data loss (RPO) is 24 hours."

Consequences for non-compliance: Define what happens when SLA targets are not met. Graduated penalties are common: e.g., 5 percent credit on the monthly fee per 0.1 percent shortfall in availability.
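The metrics above only help if someone actually checks the contractor's monthly report against them. The following added example (not code from the article or any product it mentions) evaluates a constructed patch report against the 48-hour/7-day deadlines and turns a measured availability figure into the graduated credit; it assumes the "5 percent per 0.1 percent" clause is read as one credit step per full 0.1 percentage point of shortfall, and that announced maintenance is excluded from downtime.

```python
# Added example (not from the article): a monthly SLA check a client could run
# over the contractor's patch report and availability figures. Deadlines and
# credit steps are the article's sample values; the data below is constructed.
from datetime import datetime, timedelta
from decimal import Decimal, ROUND_FLOOR

# Constructed patch report for May 2024: CVSS score, disclosure, remediation.
PATCH_REPORT = [
    {"id": "V-1", "cvss": 9.8, "disclosed": "2024-05-02T09:00", "remediated": "2024-05-03T15:00"},
    {"id": "V-2", "cvss": 9.1, "disclosed": "2024-05-10T08:00", "remediated": "2024-05-13T08:00"},
    {"id": "V-3", "cvss": 7.5, "disclosed": "2024-05-12T10:00", "remediated": "2024-05-18T10:00"},
    {"id": "V-4", "cvss": 8.2, "disclosed": "2024-05-01T00:00", "remediated": None},
    {"id": "V-5", "cvss": 5.0, "disclosed": "2024-05-01T00:00", "remediated": None},
]
REPORT_DATE = datetime(2024, 6, 1)  # the report is evaluated as of this date

def patch_deadline(cvss):
    """Remediation deadline from the clause: critical 48 h, high 7 days, else none."""
    if cvss >= 9.0:
        return timedelta(hours=48)
    if cvss >= 7.0:
        return timedelta(days=7)
    return None

def patch_sla_breaches(report, as_of):
    """IDs of vulnerabilities fixed late, or still open past their deadline as of 'as_of'."""
    breaches = []
    for v in report:
        limit = patch_deadline(v["cvss"])
        if limit is None:
            continue
        disclosed = datetime.fromisoformat(v["disclosed"])
        fixed = datetime.fromisoformat(v["remediated"]) if v["remediated"] else as_of
        if fixed - disclosed > limit:
            breaches.append(v["id"])
    return breaches

def availability_pct(total_minutes, downtime_minutes, planned_minutes):
    """Monthly availability; announced maintenance windows do not count as downtime."""
    unplanned = max(0, downtime_minutes - planned_minutes)
    return Decimal(total_minutes - unplanned) / Decimal(total_minutes) * 100

def availability_credit_pct(actual, target="99.9", step="0.1", credit="5", cap="100"):
    """Credit on the monthly fee: 5 percent per full 0.1 point below target (assumed reading)."""
    shortfall = Decimal(target) - Decimal(str(actual))
    if shortfall <= 0:
        return Decimal(0)
    steps = (shortfall / Decimal(step)).to_integral_value(rounding=ROUND_FLOOR)
    return min(Decimal(cap), steps * Decimal(credit))

if __name__ == "__main__":
    print("patch SLA breaches:", patch_sla_breaches(PATCH_REPORT, REPORT_DATE))
    may = availability_pct(31 * 24 * 60, downtime_minutes=300, planned_minutes=120)
    print(f"availability {may:.3f}% -> credit {availability_credit_pct(may)}%")
```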

5. Liability and Damages

The liability clause governs who bears the costs for damages caused by security incidents at the service provider.

Sample clause: "The contractor shall be liable for damages suffered by the client as a result of a breach of the security obligations agreed in this contract. Liability includes direct damages (data recovery, system recovery, business interruption) and third-party damages (damage claims by affected persons, fines imposed by supervisory authorities) to the extent that the contractor caused them through its breach of obligation."

Limitation of liability: In practice, service providers will demand a limitation of liability. It is common to cap liability at the annual contract value or a multiple thereof. Ensure that the cap is not so low as to be worthless to you in the event of a claim, and ensure that intent and gross negligence are excluded from the liability cap.

Indemnification clause: "The contractor shall indemnify the client against third-party claims arising from a breach of the security obligations agreed in this contract by the contractor."

Additional Important Clauses

Subcontractors (Sub-Contracting)

Many service providers in turn engage subcontractors. This expands the attack surface and makes oversight more difficult.

Sample clause: "The contractor may only engage subcontractors with the prior written consent of the client. The contractor shall ensure that subcontractors comply with at least the same security requirements agreed in this contract. The contractor shall be liable for breaches by its subcontractors as if they were its own breaches."

Data Return and Deletion at Contract End

What happens to your data when the contract ends? Without a clear provision, you risk data remaining with the service provider, inadequately protected or inadequately deleted.

Sample clause: "Upon termination of the contract, the contractor shall return all data to the client in a common, machine-readable format. After confirmed receipt of the data, the contractor shall irrevocably delete all of the client's data, including backups and copies, within 30 days. The contractor shall confirm the complete deletion in writing."

Change Management

Material changes to the service provider's infrastructure or security measures can affect your security level.

Sample clause: "The contractor shall inform the client at least 30 days in advance of material changes to infrastructure, locations, security measures, or subcontractors that affect the delivery of the contracted services. Material changes require the client's consent."

Duty to Cooperate in Audits and Incidents

In an emergency, you need the full cooperation of your service provider. This should be contractually secured.

Sample clause: "The contractor shall cooperate fully with the client and its representatives in the investigation of security incidents, in audits and assessments by the client or its representatives, in regulatory audits and investigations affecting the client's data or systems, and in fulfilling the client's regulatory reporting obligations."

Negotiation Strategy

Maintain Realism

Not every service provider will accept all your clauses. Large cloud providers like AWS, Azure, or Google Cloud generally do not negotiate their standard contracts individually. Here you must check whether the standard terms and conditions cover your requirements and compensate for gaps through your own measures.

With small and medium-sized service providers, you have more negotiating leverage. Use it, but remain proportionate. A one-person IT consultant cannot present an ISO 27001 certificate and cannot handle an on-site audit every six months. Adapt the requirements to the size and criticality of the service provider.

Prioritization

If you cannot enforce everything, prioritize: the audit right is indispensable because it forms the basis for all controls. Incident notification obligations must be clearly defined so you are not left in the dark in an emergency. Security standards as a contract annex give you a concrete benchmark. SLA metrics are important for ongoing monitoring. Liability provisions protect you financially.

Contract Annex Rather Than Contract Text

Detailed technical requirements belong in a contract annex, not in the main contract. This has two advantages: the annex can be updated without amending the main contract (if the main contract includes a change clause for annexes), and technical details do not burden the legal contract text.

Typical Weaknesses in Existing Contracts

When you review existing contracts with IT service providers, you will frequently encounter the following weaknesses. For a systematic assessment of your service providers, a structured security questionnaire that covers the key topics is well suited.

No security clauses present: Many legacy contracts contain no provisions for information security at all, especially if they were concluded before 2018 (GDPR) or before the NIS2 discussion. Plan a systematic review of all existing contracts and negotiate supplementary agreements.

General boilerplate instead of specific requirements: "The contractor takes appropriate security measures" is an empty phrase. Replace such wording with specific requirements catalogs as contract annexes.

No audit right: Without an audit right, you cannot verify compliance with the agreed measures. Negotiate an audit right retroactively, even if the service provider initially resists.

Notification obligations missing or too vague: "The contractor informs the client about security incidents" says nothing about deadlines, content, or contact channels. Make notification obligations specific with deadlines and minimum content.

Liability cap too low: If liability is capped at one month's fee and the service provider charges you EUR 500 per month, the liability cap is irrelevant in the event of a claim. Negotiate a liability cap that bears a reasonable relation to the potential damage.

No provision for contract end: What happens to your data when the contract ends? Without a provision, you risk data remaining with the service provider.

Ongoing Monitoring

The contract alone is not enough. You must continuously monitor compliance with the agreed clauses. Review annually whether the service provider maintains the agreed security standards, whether certificates are still valid, whether material changes have occurred, whether SLA metrics are being met, and whether notification obligations were triggered in the past year. Document the results of the monitoring in your ISMS. In the event of breaches, escalate in accordance with the contractually agreed mechanisms.

Maintain a service provider register in your ISMS that records the contract status, agreed security requirements, status of the last review, and next scheduled assessment for each service provider. In ISMS Lite, this register can be maintained centrally along with linked contracts, audit dates, and assessment results, so you have the current status at your fingertips for every review. This register gives you an overview of your supply chain's security posture at any time and is a valuable evidence document during audits.
