Decision guide · Infrastructure
How to decide on IT outsourcing — a structured framework
IT outsourcing decisions fail when the decision is blurred with the selection. The right structure separates four sub-decisions: what is in scope, what stays in-house (competitive or poorly documented), which provider pattern fits (staff aug, managed service, full outsource), and exit posture from day one. Cost is the last variable, not the first.
TL;DR
Outsourcing failures are decision failures. Structure the decision first.
Who owns this decision
CIO as decision owner, CFO and CHRO as co-decision makers, business-unit sponsors as reviewers, Legal on contract.
Key criteria to weight
Strategic fit
Is this capability a differentiator? Outsourcing differentiators destroys value.
Operational maturity gap
Documented, measured gap vs the market best. Without a gap, there is no case.
Compliance transferability
Can the scope be cleanly transferred under DORA / NIS2 accountability rules?
Vendor concentration
How much of critical operations would sit with one provider?
Exit path
Documented, rehearsed, priced from day one. Without it, outsourcing is irreversible.
Cost over contract lifetime
Including transition, run, change requests and exit costs.
Step-by-step decision flow
1. Define candidate scope: List what could be outsourced in principle. Keep differentiators off the list.
2. Classify each candidate: Keep, staff-aug, managed service, full outsource. Each is a different decision pattern.
3. Set accountability dealbreakers: What must remain demonstrably in your control under NIS2 / DORA.
4. Evaluate providers per pattern: Do not compare a managed-service vendor to a staff-aug vendor on the same grid.
5. Model the exit: Rehearse exit on paper. If the exit is not defensible, the entry is not either.
6. Produce a dual memo: One memo for the board (strategic fit, risk), one for procurement (contractual terms, SLAs).
Compliance note
Under DORA Art. 28, ICT third-party arrangements of critical importance require a formal register, explicit contractual provisions and exit strategies. NIS2 Art. 21 makes the operator's board accountable regardless of outsourcing.
Common pitfalls
- Outsourcing a capability because it is painful, without first fixing it in-house.
- Treating staff-aug and full outsource as comparable patterns.
- No exit plan.
- Letting the contracted provider write the SLA.
FAQ
When is IT outsourcing a good decision?
When the in-house scope is not a competitive differentiator, when the operational quality gap is documented and wide, and when the compliance scope is cleanly transferable. Outsourcing a differentiating capability or a poorly documented one usually destroys value.
How do I compare outsourcing vs insourcing in a structured way?
Compare on cost (TCO over 3 to 5 years, including exit cost), capability gap (what is actually missing), risk (concentration, sovereignty, vendor lock-in) and strategic fit (does this belong to us). DecisionOS runs this as a structured decision with explicit weights and dealbreakers.
Can I outsource under NIS2 and DORA?
Yes, but the accountability cannot be outsourced. The operator remains responsible under NIS2 and DORA, which shifts the decision from pure cost to documented supplier risk, audit rights and clean exit paths.
