Decision guide · Infrastructure
How to decide on IT outsourcing: a structured framework
IT outsourcing decisions fail when the decision to outsource is blurred with the selection of a provider. The right structure separates four sub-decisions: what is in scope; what stays in-house (because it is a differentiator or is poorly documented); which provider pattern fits (staff augmentation, managed service, full outsource); and the exit posture, defined from day one. Cost is the last variable, not the first.
TL;DR
Outsourcing failures are decision failures. Structure the decision first.
Who owns this decision
CIO as decision owner, CFO and CHRO as co-decision makers, business-unit sponsors as reviewers, Legal on contract.
Key criteria to weight
- Strategic fit: Is this capability a differentiator? Outsourcing differentiators destroys value.
- Operational maturity gap: A documented, measured gap versus the best the market offers. Without a gap, there is no case.
- Compliance transferability: Can the scope be cleanly transferred under DORA / NIS2 accountability rules?
- Vendor concentration: How much of critical operations would sit with one provider?
- Exit path: Documented, rehearsed and priced from day one. Without it, outsourcing is irreversible.
- Cost over contract lifetime: Including transition, run, change requests and exit costs.
Step-by-step decision flow
1. Scope the candidates: List what could be outsourced in principle. Keep differentiators off the list.
2. Classify each candidate: Keep, staff augmentation, managed service or full outsource. Each is a different decision pattern.
3. Set accountability dealbreakers: Define what must remain demonstrably in your control under NIS2 / DORA.
4. Evaluate providers per pattern: Do not compare a managed-service vendor to a staff-augmentation vendor on the same grid.
5. Model the exit: Rehearse the exit on paper. If the exit is not defensible, neither is the entry.
6. Produce a dual memo: One memo for the board (strategic fit, risk), one for procurement (contractual terms, SLAs).
Anonymised memo excerpt
Logistics, 350 employees, NIS2 supplier to several DACH utilities
Readiness score: 71
- Trigger: The service-provider contract expires in 2026. Customer audits demand tested exit paths and audit rights under supplier clauses.
- Top criteria (weights)
  - Strategic fit and differentiation: 25%
  - Compliance transferability (NIS2): 20%
  - Vendor concentration risk: 20%
  - Exit path maturity: 15%
  - TCO over the contract term: 15%
  - SLA depth and response time: 5%
- Shortlist
  - Incumbent provider (Atos)
  - DACH mid-market MSSP
  - Insourcing with an MSSP hybrid
- Decision: Insource EDR operations and reduce the incumbent's contract to network/helpdesk, plus a DACH MSSP bridge for SOC coverage.
- Rationale: Full outsourcing collides with the NIS2 supplier requirements because the audit rights of several customers were not enforceable in the subcontract. Insourcing the security-critical functions improves the audit position. The MSSP bridge decouples the investment peak.
- Residual risks
  - Staffing up the SecOps team takes 6 to 9 months
  - MSSP hand-off maturity must be validated in quarterly reviews
Compliance note
Under DORA Art. 28, ICT third-party arrangements of critical importance require a formal register, explicit contractual provisions and exit strategies. NIS2 Art. 21 makes the operator's board accountable regardless of outsourcing.
Common pitfalls
- Outsourcing a capability because it is painful, without first fixing it in-house.
- Treating staff augmentation and full outsource as comparable patterns.
- No exit plan.
- Letting the contracted provider write the SLA.
FAQ
When is IT outsourcing a good decision?
When the in-house scope is not a competitive differentiator, when the operational quality gap is documented and wide, and when the compliance scope is cleanly transferable. Outsourcing a differentiating capability or a poorly documented one usually destroys value.
How do I compare outsourcing vs insourcing in a structured way?
Compare on cost (TCO over 3 to 5 years, including exit cost), capability gap (what is actually missing), risk (concentration, sovereignty, vendor lock-in) and strategic fit (is this capability ours to own). DecisionOS runs this as a structured decision with explicit weights and dealbreakers.
Can I outsource under NIS2 and DORA?
Yes, but the accountability cannot be outsourced. The operator remains responsible under NIS2 and DORA, which shifts the decision from pure cost to documented supplier risk, audit rights and clean exit paths.
