India is a global outsourcing leader, leveraging its skilled workforce and strong Information Technology (IT) ecosystem. The outsourcing market in India spans a broad spectrum of services from traditional software development and IT support to advanced technology solutions such as cloud computing, artificial intelligence (‘AI’), machine learning (‘ML’), cybersecurity, and blockchain technology.

Prominent Indian IT firms such as Tata Consultancy Services (TCS), Infosys, Wipro, HCL Technologies, and Tech Mahindra remain at the forefront of this market, delivering end-to-end services to both international and domestic clients. Additionally, multinational corporations like Accenture, IBM, Capgemini, Genpact and Cognizant have established operations in India, leveraging the country’s expertise and cost efficiencies.

The primary sectors adopting outsourcing services are IT, Information Technology enabled Services (ITeS), banking, financial services and insurance, healthcare, pharmaceuticals, e-commerce and retails, engineering services, public sector and the government. The digital payments and fintech sector, for instance, has seen a surge in demand for services related to mobile banking, e-wallets, and blockchain-based solutions. Similarly, the healthcare sector is embracing digital transformation, with telemedicine, mobile health clinics, and electronic health records requiring outsourced ITeS support. Businesses across industries are increasingly outsourcing the development of web and mobile applications, UI/UX design and digital marketing services such as social media management, content creation and management, and email marketing campaigns to enhance digital visibility and customer engagement.

AI is also increasingly being leveraged by manufacturers to optimise critical functions and drive efficiency across industrial processes. Outsourcing partners are deploying AI solutions for predictive maintenance of machinery, automated quality checks through computer vision, supply chain optimisation, energy management, and real-time monitoring of safety and compliance.

Engineering Services Outsourcing (ESO) is also a growing segment, wherein Indian entities deliver various services such as design, drafting, prototyping, and simulation services across industries such as automotive, aerospace, construction, and manufacturing, to global clients.

At the government level, several policy initiatives have further accelerated outsourcing opportunities in India. The Digital India initiative, launched in 2015, aims to transform India into a digitally empowered society and knowledge economy. It has driven substantial demand for ITeS in areas such as e-governance, digital infrastructure, and citizen-centric services. The Smart Cities Mission, focused on developing 100 smart cities with state-of-the-art infrastructure and governance, has led to increased opportunities in areas like urban mobility solutions, smart grids, and integrated command and control systems. Additionally, the National Artificial Intelligence Mission seeks to position India as a global leader in AI, fostering research, innovation, and the development of AI-based solutions, thereby creating new avenues for outsourcing in AI and ML domains.

​The Indian government continues to actively promote outsourcing, particularly within the IT and business process management sectors, recognizing its role in economic growth, employment generation, foreign investment, and digital innovation. Initiatives such as Digital India, Make in India, and Startup India have fostered an ecosystem that supports advancements in software development, artificial intelligence, and other emerging technologies. The liberalized foreign direct investment policy, in the IT and ITeS sectors under the automatic route, further underscores this supportive stance.

From a regulatory standpoint, outsourcing is widely accepted and forms an integral part of business and government operations, there is an increasing focus on governance, data security, and operational resilience. Regulators insensitive sectors such as banking, telecom, and healthcare have issued specific guidelines to mitigate outsourcing-related risks, particularly in areas involving data privacy, cybersecurity, and financial stability.

India does not have a single, overarching law  governing public procurement. Instead, procurement is regulated through a combination of central and state-level laws, policies, rules, and manuals issued by the Central and State Governments are updated periodically.

In the absence of a unified central law, the General Financial Rules, 2017 (‘GFR 2017’) issued by the Ministry of Finance (‘MoF’), as amended from time to time, serve as the primary guideline for procuring products and services to all central ministries and provides comprehensive instructions on procurement processes, bidding procedures, contract management, and the disposal of goods for public use. To promote transparency and efficiency, GFR 2017 emphasizes the use of electronic procurement systems and requires procurement activities being through e-procurement platforms like the Central Public Procurement Portal or other designated portals.

The MoF itself has promulgated three manuals namely Manual for Procurement of Goods, 2024, Manual for Procurement of Services, 2017, and Manual for Procurement of Works, 2019, which are followed by the procuring departments, with such modifications, as deemed necessary.

To address complexities of procurement in major departments, like the Ministry of Defence (‘MoD’) and the Ministry of Railways, GFR 2017 permits individual departments to issue detailed procurement instructions, broadly in conformity with the generic rules contained in the GFR 2017.

The MoD has issued specific manuals including the Defence Acquisition Procedure 2020, Defence Procurement Manual 2009, DRDO Procurement Manual 2020, and the Defence Works Procedure 2020 for civil works. Similarly, Central Public Sector Enterprises have issued their own procedural manuals or internal guidelines to cater to their unique procurement requirements, while maintaining conformity with the overarching principles of the GFR 2017.

The Department for Promotion of Industry and Internal Trade, under the Ministry of Commerce and Industry, has also introduced the Public Procurement (Preference to Make in India) Order, 2017 (‘PPPMI Order’). This initiative is aimed at promoting domestic manufacturing under the ‘Make in India’. The PPPMI Order prioritizes locally manufactured goods and services in public procurement by defining local content requirements, categorizing suppliers, and sets purchase preferences for local/domestic goods and services.

For technology-specific procurement, the Ministry of Electronics and Information Technology (‘MeitY’) plays a pivotal role in regulating the acquisition of electronic and IT products by public entities. MeitY has issued several notifications under the PPPMI Order covering items such as computer monitors, mobile devices, cloud computing services, cybersecurity solutions, and smart cards (both contact-based and contactless). These notifications aim to ensure compliance with cybersecurity standards while also fostering g innovation.

Additionally, several Indian states including Rajasthan, Karnataka, and Punjab have also established their own procurement regulations tailored to their unique requirements. These state-level frameworks supplement the broader guidelines provided by central authorities.

Similar to the public sector, there is no single, comprehensive law or regulations governing outsourcing by private sector organisation. Instead, such arrangements are primarily regulated through contractual frameworks, sector-specific regulations and certain statutory obligations, as are outlined below:

1. Contractual Framework (Indian Contract Act, 1872): Outsourcing agreements are anchored in the Indian Contract Act, which requires lawful objectives, mutual consent, and consideration. A contract typically incorporates rights and obligations of contracting parties and remedies for breach.
2. Intellectual Property (‘IP’) Laws: IP ownership in outsourcing is governed by the Copyright Act, 1957, Patent Act, 1970, and Trade Marks Act, 1999. Contracts must explicitly define IP ownership, licensing terms, and confidentiality to avoid disputes.
3. Competition Law (Competition Act, 2002): Outsourcing agreements must avoid anti-competitive clauses, such as exclusivity arrangements or pricing cartels, which may attract scrutiny for abuse of dominance or unfair trade practices.
4. Cross-Border Transactions (Foreign Exchange Management Act, 1999): Foreign payments, remittances, or offshore data transfers must comply with the Foreign Exchange Management Act and rules and regulations made thereunder inter alia on invoicing, documentation, and repatriation of profits in cross-border outsourcing deals.
5. Trade Laws: Cross-border outsourcing is governed by India’s foreign trade policy, customs regulations, and applicable bilateral or multilateral trade agreements.
6. Information Technology and data privacy: Outsourcing involving personal data is governed by the Information Technology Act, 2000 and the rules made thereunder, requiring implementation of reasonable security practices and safeguards to protect sensitive personal data. The forthcoming Digital Personal Data Protection Act, 2023 will further enhance compliance requirements, including explicit consent, cross-border data transfer restrictions, and mandatory breach reporting.
7. Labor Laws: Outsourcing of workforce-dependent services (e.g., ITeS, BPOs) must comply with labour statutes like the Contract Labour (Regulation and Abolition) Act, 1970, the Industrial Disputes Act, 1947, and state-specific Shops and Establishments Acts. Additionally, legislations like the Minimum Wages Act and Payment of Wages Act mandate fair compensation and timely payments. These laws impose obligations on principal employers to ensure that contractors adhere to legal standards.
8. Sectors specific guidelines: Certain sectors have their own guidelines for outsourcing. The same are discussed in response to Question 5.
9. Tax laws: Taxations laws play a key role in outsourcing arrangements. Payments to vendors may attract deduction/withholding requirements under the Indian income-tax law. Additionally, Goods and Services Tax (GST) is applicable on most outsourced services, requiring proper invoicing, registration, and compliance from both parties.

It is highly advisable for private entities to enter into well-crafted contracts and ensuring strict compliance with applicable laws tailored to the nature of goods or services being outsourced.

While there are no comprehensive laws or unified regulations, certain industries are subject to sector-specific regulatory frameworks. For instance, the Reserve Bank of India (‘RBI’) has introduced detailed guidelines to regulate outsourcing arrangements by regulated entities (‘REs‘) operating in both the information technology and financial services sectors. In April 2023, the RBI issued the Reserve Bank of India (Outsourcing of Information Technology Services) Directions, 2023, these directions provide a structured framework for outsourcing activities undertaken by REs such as commercial banks, non-banking financial companies (NBFCs), credit information companies, and certain cooperative banks.   Key aspects of these directions include establishing a comprehensive governance framework, thorough due diligence of service providers, robust risk management, and continuous oversight of outsourced IT activities.

Similarly, other sector-specific regulators have implemented tailored regulations for outsourcing within their respective domains. For example, the Insurance Regulatory and Development Authority of India (‘IRDAI’), which oversees and licenses insurance and reinsurance industries in India, has established the IRDAI (Outsourcing of Activities by Indian Insurers) Regulations, 2017. Likewise, for entities operating within securities markets, the Securities Exchange Board of India (SEBI) has issued the Guidelines on Outsourcing of Activities by Intermediaries in 2011.

Please also refer to response to Question 4 for other laws governing the outsourcing arrangements.

Please refer to response to Question 5.

In India, outsourcing arrangements typically do not require notification or approval under merger control rules unless they result in a substantial change in control of an enterprise. The Competition Commission of India, under the Competition Act, 2002, regulates mergers, acquisitions, and combinations that exceed prescribed asset, turnover or transaction value thresholds.

As regards the technology outsourcing contracts, typically they involve service provision without transferring ownership of critical intellectual property, business assets, or management control, keeping them outside the merger control regulations.

Outsourcing agreements in India may attract scrutiny under the Competition Act, 2002 (‘Competition Act’) if they (i) involve collusion between competitors, or (ii) impose vertical restraints that have an appreciable adverse effect on competition in the Indian market.

Vertical restraints may arise through provisions such as: tie-in clauses — requiring customers to avail additional services; exclusivity obligations — restricting parties from engaging with competitors; or non-compete clauses — which, while often necessary to protect proprietary technology and trade secrets, must remain reasonable in terms of scope, duration, and geographic coverage to withstand regulatory review.

Separately, horizontal agreements such as price-fixing, bid-rigging, or collusion between competing technology firms are strictly prohibited and treated as per se anti-competitive under Indian law.

Vertical integration agreements including outsourcing arrangements between entities at different levels of the supply chain are not per se prohibited under the Competition Act. In the technology outsourcing/services sector, where the combined market share of the contracting parties is in the range of 20-25%, the risk of a vertical agreement raising competition concerns is generally low, though not entirely absent.

The Competition Commission of India (‘CCI’) tends to assess vertical restraints more leniently than horizontal ones, unless the arrangement results in significant market foreclosure or involves parties with substantial market power. Vertical integration aimed at operational efficiency, cost savings, or quality control is typically viewed as pro-competitive.

However, certain practices such as tying or bundling of services, customer lock-ins, data portability restrictions, or exclusivity arrangements may invite scrutiny, particularly in digital markets where switching costs for customers are high. The CCI has increasingly focused on such data-driven foreclosure concerns in recent enforcement trends. With the introduction of the draft Digital Competition Bill, there is a proposed shift towards an ex-ante framework aimed at curbing anti-competitive practices by large digital enterprises, which may significantly impact the assessment of outsourcing arrangements involving systemic digital players.

Similarly, where one of the contracting parties qualifies as a dominant enterprise in the relevant market, i.e. an entity with the ability to operate independently of competitive forces or influence market conditions in its favour, the outsourcing agreement may require additional scrutiny from an abuse of dominance perspective. As a thumb rule, an enterprise may be treated as dominant, if its market share in the relevant market exceeds 40%.

In such cases, outsourcing agreements must be carefully assessed to ensure they do not facilitate abusive conduct, such as: imposing unfair terms or discriminatory terms on counterparties, restricting or limiting market access or supply, or eliminating competition.

The CCI typically evaluates whether outsourcing contracts (particularly when entered into by large corporations) create entry barriers, stifle innovation, or disadvantage smaller or emerging technology firms. Further, compliance considerations extend beyond the Competition Act. With the impending implementation of Digital Personal Data Protection Act, 2023, and sector-specific IT outsourcing regulations, such as Reserve Bank of India and Securities and Exchange Board of India guidelines, contracting parties must also ensure adherence to data protection, confidentiality, and operational risk management obligations.

In outsourcing arrangements within India including those relating to technology, registrable intellectual property  includes copyrights governed by the Copyright Act, 1957. This covers assets like software code, technical documentation, and multimedia content created during projects. Patents under the Patents Act, 1970 protect inventions that are novel and have technical applicability, such as algorithms or processes; however, abstract ideas are explicitly excluded from patentability. Branding elements like logos and slogans are safeguarded under the Trade Marks Act, 1999. Aesthetic aspects of interfaces or hardware components are protected under the Designs Act, 2000. Additionally, layouts of semiconductor integrated circuits are regulated by the Semiconductor Integrated Circuits Layout-Design Act, 2000.

Rights in the information including trade secrets (such as proprietary methodologies), confidential know-how (undisclosed business practices), may be protected by way of specific contractual provisions. Registrable IP requires formal registration with the relevant authorities inter alia Copyright or Patent Office. Conversely, non-registrable IP typically relies on contractual agreements and common law principles that prevent unauthorized use or disclosure.

Yes, Indian law requires specific contractual terms and statutory requirements be met to transfer IP created by suppliers to customers. According to Section 19 of the Copyright Act, 1957, any assignment of copyright must be documented in writing and must clearly outline the work involved, the rights being transferred, and the geographical scope. Ambiguity in assignment clauses may lead to disputes and potential invalidation of the assignment, as evidenced by cases where unclear terms resulted in conflicts over ownership. To counteract the default ownership rights, contracts should incorporate deemed employment clauses and ensure proper chain-of-title documentation, such as developer affidavits to clarify ownership.

Under Section 68 of the Patents Act assignments must be registered with the Patent Office to be enforceable against third parties.  Furthermore, any licenses for IP, including trademarks, must also be registered if the associated IP is registered in India.

Creating well-defined agreements with explicit assignment terms, following formal registration protocols, and maintaining thorough documentation are vital steps in reducing risks and enhancing legal enforceability. Practical measures should include periodic training programs for the service provider and their personnel, highlighting the importance of confidentiality and IP protection, as well as the potential consequences of a breach.

In India, confidential information, know-how, and trade secrets are protected primarily through contractual arrangements, as there is no standalone statute specifically governing trade secrets. These are typically safeguarded through non-disclosure agreements (‘NDAs’), confidentiality clauses in employment or vendor contracts, and IP clauses in outsourcing or service-level agreements. Such contracts are enforceable under the Indian Contract Act, 1872, and courts may grant injunctions, damages or equitable relief.

Although there is no specific statute, Indian courts have upheld the protection of confidential business information based on common law principles of equity and obligations of confidence. The Information Technology Act, 2000 further supports this framework by penalizing unauthorized access and misuse of data. Additionally, the Bharatiya Nyaya Sanhita, 2023 (BNS) includes provisions relating to digital theft, data misappropriation, breach of trust.

Courts have become increasingly proactive in enforcing IP rights, often granting urgent interim relief in cases of misappropriation. The Delhi, Madras and Calcutta High Courts now have dedicated IP benches. Risk mitigation measures include, NDAs, IP ownership clauses, access restrictions, employee training, and audit protocols. Remedies for breach include termination, civil claims, cease-and-desist orders, digital forensics, and, where applicable, criminal complaints.

India’s data protection regime is currently governed by the Information Technology Act, 2000 (IT Act) and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules). These laws provide the foundational structure for data protection and security obligations. While India has enacted the Digital Personal Data Protection Act, 2023 (‘DPDPA’) to establish a more comprehensive and modern framework, it is not yet effective.

Under the IT Act and SPDI Rules, organizations handling sensitive personal data or information (‘SPDI’) are required to implement reasonable security practices. SPDI includes passwords, financial information, health records, and biometric data. Consent must be obtained from individuals before collecting or processing their SPDI, and privacy policies must clearly explain the purpose of data collection. Additionally, cross-border transfers of SPDI are permitted only if the recipient ensures an equivalent level of protection or if explicit consent is obtained from the individual concerned. Non-compliance can result in penalties under Section 43A of the IT Act.

The DPDPA once in force will introduce a more comprehensive framework focussed on consent-based processing, purpose limitation, and accountability. The Act will also introduce roles such as Data Fiduciaries (entities determining how personal data is processed) and Data Principals (individuals whose data is processed). While businesses are not yet required to comply with DPDPA, they should begin preparing for its implementation by reviewing their policies and processes.

Outsourcing entities must ensure that their service providers adhere to reasonable security practices while handling SPDI. Contracts with vendors should include provisions addressing confidentiality obligations, data security standards, and liability for breaches.

India currently does not have a comprehensive legal framework governing non-personal data. The existing and proposed data protection laws regulates the personal data only. The Expert Committee on Non-Personal Data Governance Framework 2020 (led by Kris Gopalakrishnan) proposed a framework for regulating non-personal data, particularly community and public non-personal datasets. While the recommendations have not yet been enacted into law, it signals potential legislation on this.

In the absence of a standalone legal regime, the treatment of non-personal data  is currently governed by contractual arrangements between the parties, sector specific regulations (issued by regulators such as Reserve Bank of India (‘RBI‘), Securities Exchange Board of India (‘SEBI’), Insurance Regulatory and Development Authority of India (‘IRDAI’), Telecom Regulatory Authority of India (‘TRAI‘) and general legal principles such as confidentiality and intellectual property rights. For instance, SEBI mandates financial sector entities using SaaS or cloud services to store critical data within India’s borders. A similar framework applies to cloud adoption by regulated entities, with limited exceptions for foreign parents. IRDAI requires insurers to store policy and claims data in India.

India’s cybersecurity framework has evolved significantly to address risks associated with its expanding digital ecosystem, especially in outsourcing arrangements involving sensitive data and critical infrastructure. The primary legislation is the Information Technology Act, 2000 (‘IT Act’), which defines cybersecurity obligations and penalizes cyber offences such as unauthorized access, data theft, and privacy breaches, providing both civil and criminal remedies.

The IT Act is supported by key regulatory bodies, including the Ministry of Electronics and Information Technology (‘MeitY’), the Indian Computer Emergency Response Team (‘CERT-In’), and the National Critical Information Infrastructure Protection Centre (‘NCIIPC’). CERT-In mandates all body corporates to report cybersecurity incidents, maintain system logs, and ensure synchronized ICT clocks. NCIIPC safeguards Critical Information Infrastructure (CII) in sectors like banking, telecom, and energy.

Outsourcing arrangements must comply with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, which require implementation of security standards like ISO/IEC 27001.

The Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 also impose obligations on intermediaries to follow security protocols and report incidents to CERT-In. Contracts generally reflect these obligations through detailed compliance clauses, audit rights, and breach response provisions.

The forthcoming Digital Personal Data Protection Act, 2023 (‘DPDPA’), once enforced, will introduce stricter obligations for data fiduciaries and processors, including outsourced serviced providers, relating to consent-based processing, technical safeguards, breach notifications, and compliance oversight by a Data Protection Board (‘DPB’). Draft rules under the DPDPA are currently under public consultation.

Outsourcing contracts must embed cybersecurity compliance, reflecting legal requirements and ensuring robust vendor assessments, contractual safeguards (such as cybersecurity obligations, incident response protocols, and liability clauses for breaches., and risk mitigation.

India currently does not have comprehensive national legislation that specifically regulates emerging technologies such as AI, robotic process automation or blockchain, or distributed ledger technologies in the context of outsourcing. However, various policy initiatives and sector-specific guidelines provide indicative frameworks and compliance considerations.

There is no standalone law governing AI, but guidance exists through policy initiatives. NITI Aayog has released key reports, including the National Strategy for AI (2018) and the Responsible AI Principles (2021), which promote transparency, accountability, and fairness in AI deployment. While these remain non-binding, they shape procurement and compliance approaches, especially in outsourcing scenarios. In regulated sectors such as finance, the Reserve Bank of India (RBI) and the Securities and Exchange Board of India (SEBI) have issued operational and risk management guidelines relevant to AI-based services, including algorithmic trading and digital KYC processes.

Blockchain and distributed ledger technologies similarly lack a formal regulatory framework. However, their use is influenced by broader legal developments. Cryptocurrencies and virtual digital assets, which rely on blockchain, were brought under anti-money laundering obligations through amendments to the Prevention of Money Laundering Act in 2023. NITI Aayog’s Blockchain: The India Strategy (2020) discusses government use cases but does not impose binding regulations. The Indian Blockchain Forum under the Ministry of Electronics and Information Technology (‘MeitY’) is also working toward standardization.

Cloud computing, widely used in outsourcing, is regulated under the Information Technology Act, 2000, and the Indian Computer Emergency Response Team (‘CERT-In’) Directions, 2022, which require data localization, breach reporting, and log retention.

Outsourcing contracts involving such technologies must therefore align with applicable regulatory standards and evolving policy developments.

India’s employment legal framework creates specific considerations for outsourcing arrangements that companies must carefully navigate. The law distinguishes between two main categories of employees – workmen (those engaged in manual, technical, operational or supervisory roles) and white-collar employees. This classification has direct consequences for how workforce management is handled in outsourcing contracts.

In typical outsourcing scenarios, the service provider maintains formal employment of the workers and remains responsible for all employment-related matters including salary payments, statutory benefits and workplace conditions. This holds true even when employees are temporarily assigned or seconded to work at the client’s premises. However, the legal situation becomes more complex when outsourced workers are engaged in what constitutes the client company’s core business operations.

A critical risk arises under the Contract Labour (Regulation and Abolition) Act, 1970, where the client company may be deemed the “principal employer” if it exercises direct control and supervision over contract workers performing essential business functions. This classification creates joint liability for ensuring proper working conditions and compliance with all labour regulations. The courts examine multiple factors including the nature of supervision, work integration and operational control when making such determinations.

Several key labour statutes influence outsourcing structures:

• The Industrial Disputes Act provides strong protections against arbitrary termination
• The provident fund and employees state insurance laws mandate social security contributions
• Pending labour codes may introduce new compliance requirements

To mitigate risks, companies should implement several protective measures in their outsourcing agreements. Contracts must clearly delineate employment responsibilities and include comprehensive indemnity clauses.

In India, employees cannot be transferred automatically under an outsourcing arrangement. Transfers must be legally structured through either secondment or termination and re-employment, both requiring employee consent.

In a secondment, employees remain on the payroll of the original employer but work under the control and supervision of the outsourcing service provider. In a transfer of employment, employees resign from the original employer and are rehired by the service provider on mutually agreed terms.

Alternatively, employment may be terminated by the client and fresh contracts offered by the vendor, subject to compliance with termination and severance obligations under Indian labour laws.

Key considerations include compliance with the Industrial Disputes Act, 1947, Shops and Establishments Acts, and preservation of statutory benefits such as  provident fund, gratuity, and leave encashment.

In cross-border secondment scenarios, where employees are deputed between jurisdictions (e.g., from a foreign parent to an Indian subsidiary or vice versa), companies must carefully evaluate Permanent Establishment (‘PE’) risks under Indian tax laws and applicable double taxation treaties (‘DTAAs’).  A PE may arise in India of a foreign company if the secondee acts on behalf of the said foreign employer in India, particularly where he has authority to conclude contracts or habitually exercise such authority, or where the foreign employer retains control over the secondee. A sound tax advice is must in the case of cross border transfer of employees under outsourcing arrangement.

India’s tax regime presents several important considerations for businesses entering into outsourcing arrangements. The tax implications primarily depend on the structure of the transaction, the nature of services being outsourced, and whether the arrangement involves domestic or international parties.

Under India’s Goods and Service Tax (‘GST’) framework, most outsourcing services attract an 18% tax rate. The ‘place of supply’ rules are particularly important as they establish whether the transaction constitutes inter-state (subject to IGST) or intra-state (subject to CGST and SGST) supply. Businesses must also maintain accurate GST invoicing and ensure compliance with input tax credit provisions to effectively optimize their tax position.

In cross-border transactions, export of services (from India) may qualify as zero-rated supply if conditions are met (e.g., payment received in convertible foreign exchange) and import of services (by an Indian entity from a foreign service provider) may attract GST under the reverse charge mechanism. Further, see response to Question No. 17 with respect to Double Taxation Avoidance Agreements (‘DTAAs’) and Permanent Establishment (‘PE’). Payments to non-resident service providers typically attract withholding tax obligations ranging between 10-20%, depending on the nature of services and applicable DTAA provisions.

Where outsourcing occurs between related parties (such as group companies), transfer pricing regulations under Indian tax law require that transactions be at arm’s length. This requires certain compliances including maintaining detailed documentation, benchmarking and disclosures in tax filings.

Hence, entities entering into outsourcing arrangements in India should consider GST implications, tax deduction at source (TDS) compliance, transfer pricing, PE risk, and applicable DTAAs. Proper and sound contractual drafting, tax-efficient structuring, and applicable compliance are essential to mitigate financial and regulatory risks.

Environmental, Social, and Governance (‘ESG’) considerations are gaining prominence in India, particularly in corporate sustainability and social responsibility. While ESG regulations are still evolving, several key areas impact directly or indirectly outsourcing arrangements.

From an environmental perspective, rules such as the E-Waste (Management) Rules, 2022, and the Hazardous and Other Wastes (Management and Transboundary Movement) Rules, 2016, impose duties on producers and service providers regarding the handling, recycling, and disposal of electronic waste. Outsourcing vendors handling IT infrastructure may be required to comply with these rules.

On the social and governance front, legislation such as the Prevention of Corruption Act, 1988 (which targets public sector/government employees), and the Companies Act, 2013 (including provisions related to Corporate Social Responsibility mandating spending on social development initiatives for companies meeting specified thresholds) set standards for ethical conduct, transparency, and accountability. Factories Act ensures workplace safety and welfare. There are anti-discrimination and social equity regulations such as Equal Remuneration Act, 1976 and Rights of Persons with Disabilities Act, 2016. Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013 offers protection to women against sexual harassment. The labour law legislations such as Payment of Wages Act, Payment of Bonus Act, Payment of Gratuity Act, Employees Provident Fund Act, Shops and Establishment Acts (varies by state), Maternity Benefit Act govern essential aspects of employment such as wages, social security, benefits, working conditions, and dispute resolution.

Outsourcing partners may be expected to adopt anti-bribery and fair labour practices.

Companies, particularly listed and regulated entities, are increasingly incorporating ESG due diligence and compliance obligations into outsourcing contracts through supplier codes of conduct, compliance certifications, and audit rights.

The Securities and Exchange Board of India (SEBI) mandates the top 1,000 listed entities to prepare Business Responsibility and Sustainability Reports (BRSR) under the Securities and Exchange Board of India (Listing Obligations and Disclosure Requirements) Regulations, 2015, ensuring disclosures align with the National Guidelines on Responsible Business Conduct (NGRBC).

Outsourcing contracts increasingly incorporate ESG due diligence requirements, compliance certifications, supplier codes of conduct, and audit rights. Companies also seek alignment with sustainability goals such as ethical sourcing, workplace diversity, and traceability of environmental impact.

Cross-border outsourcing arrangements or multi-jurisdictional outsourcing arrangements  raise several legal and regulatory considerations particularly concerning data transfer regulations, export controls, jurisdictional complexities, and compliances under the Foreign Exchange Management Act (‘FEMA’) and tax laws.

In outsourcing arrangements that involve data, one of the most critical legal concerns is the cross-border transfer and localisation of data, particularly in light of evolving data protection laws and sector-specific regulatory requirements.

The upcoming Digital Personal Data Protection Act, 2023 regulates the processing and cross border transfer of personal data outside India. It permits cross-border transfers to countries except those which are notified by the Central Government. Businesses must however ensure that appropriate contractual and other safeguards are in place to protect personal data processed by foreign service providers. For sensitive sectors such as banking, insurance, and healthcare, additional obligations which may require storing certain data only within India or obtaining customer consent for data transfers.

Another area of concern is export control and sector-specific restrictions. For instance, outsourcing involving sensitive or strategic technologies, such as defence, telecom infrastructure, or encrypted software, may require compliance with India’s export control regulations and prior governmental approvals under laws like the Foreign Trade (Development and Regulation) Act, 1992.

Relevant FEMA regulations also apply to manner of receipt and payments for cross-border transactions, including advance, period for realisation and repatriation of export proceeds and remittances against import.

Cross-border arrangements may also give rise to tax implications under Indian tax laws and Double Taxation Avoidance Agreements (DTAAs) and Permanent Establishment (PE) exposure, subjecting global revenue from Indian operations to Indian income tax. Similarly, Indian companies must ensure appropriate withholding tax compliance when making cross-border payments.

Multi-jurisdictional arrangements often involve parties from different jurisdictions having different legal systems. Disputes arising under such contracts may face challenges relating to governing law, exclusive jurisdiction clauses, and enforcement of foreign judgments or arbitral awards. While India is a party to the New York and Geneva Conventions (facilitating enforcement of foreign arbitral awards), recognition of foreign court judgments is subject to reciprocity and compliance with procedural requirements under the Code of Civil Procedure, 1908.

Indian law generally permits contracting parties to agree upon limitations or exclusions of liability under their contracts. However, this contractual freedom is subject to certain legal boundaries to ensure that such clauses are not unfair, unreasonable, and contrary to public policy and law.

The Indian Contract Act, 1872 (‘Contract Act’), particularly Sections 73 and 74, provides the legal framework for assessing damages. Section 73 allows for compensation only for losses that arise naturally from the breach or were within the contemplation of the parties. Section 74 recognizes liquidated damages, provided they are a genuine pre-estimate of loss and not punitive.

Courts have held that clauses which exclude liability for death, personal injury, fraud, misrepresentation, negligence, or statutory rights are void and unenforceable. Furthermore, any clause that deprives a party of their lawful entitlement to damages may also be struck down under Section 23 of the Contract Act, which voids agreements contrary to public policy.

While parties may agree on financial caps to limit liability, these caps must not be arbitrary or excessively low. The enforceability of such caps depends on their reasonableness, proportionality, and whether they reflect a fair allocation of risk. Indian courts have upheld financial caps where they were clearly worded, mutually agreed, and commercially justifiable, but have also struck them down when they were found to be oppressive or discriminatory. Courts have also recognized that where a party is in a significantly weaker bargaining position and is compelled to accept a standard-form contract with an unfair limitation clause, such clauses may be interpreted in favour of the weaker party.

Contractual disputes in outsourcing arrangements are typically governed by the dispute resolution clause incorporated within the contract. These clauses commonly provide for alternative dispute resolution (ADR) mechanisms—such as conciliation, mediation, or arbitration.

Parties usually prefer to resolve disputes amicably through ADR, given its confidentiality, speed, and cost-effectiveness. Where arbitration is adopted, contracts may specify the seat and governing rules (e.g., institutional or ad hoc), and the resulting award is binding and enforceable in Indian courts. Where one party to the contract is a foreign entity and the other is an Indian private party, it is a common practice to agree on a foreign-seated arbitration, particularly in neutral jurisdictions. However, government entities or public sector undertakings in India typically do not agree to foreign-seated arbitration and insist on a domestic seated Indian arbitration.

Where ADR fails or is not opted for, parties may seek judicial recourse. In such cases, contracts typically include an exclusive jurisdiction clause identifying the courts that will have authority to adjudicate disputes. Remedies available for contractual breaches include damages, specific performance, injunctions, and termination, among others, depending on the nature and severity of the breach.

Depending on the nature of the breach, courts may also be approached directly—for instance, to seek injunctive relief in cases involving breach of intellectual property or confidentiality violations.

It is also not uncommon for an operational creditor of certain threshold to invoke proceedings under the Insolvency and Bankruptcy Code, 2016 (IBC) as a strategic pressure tactic to expedite settlement of payment-related disputes, particularly where one party seeks to recover undisputed operational dues.

In India, enforcement measures in outsourcing arrangements extend beyond contractual remedies and are also driven by regulatory compliance obligations. Regulatory authorities may impose sanctions where outsourcing leads to non-compliance with applicable laws, sector-specific regulations, or public interest concerns.

For example, in regulated industries such as banking, insurance, and telecommunications, non-compliance with outsourcing guidelines issued by the Reserve Bank of India (RBI), Insurance Regulatory and Development Authority of India (IRDAI), or the Department of Telecommunications (DoT) can lead to penalties, or revocation of approvals or other restrictions.

Outsourcing arrangements that involve processing of personal data are now subject to the Digital Personal Data Protection Act, 2023, which once become enforceable would empower the Data Protection Board to impose significant financial penalties for violations, including mishandling of sensitive data or unlawful cross-border transfers.

Additionally, public sector undertakings may impose administrative sanctions such as blacklisting or disqualification from future bidding/ tender in cases of contractual or ethical violations.