Tech & Sourcing @ Morgan Lewis

As businesses move quickly to adopt artificial intelligence agents, contracts for their development and implementation raise novel questions around ownership, accountability, and risk. In this first post of a two-part series, we explore why these issues matter and what technology and sourcing lawyers should be considering as clients engage vendors in this emerging space.

The European Banking Authority (EBA) recently published a consultation paper (Consultation) that proposes to expand third-party risk management requirements for certain EU-regulated financial entities. The Consultation would extend the EBA’s current guidelines around outsourcing arrangements (EBA Guidelines) to all third-party services arrangements, excluding those services that are within scope of the EU Digital Operational Resilience Act (DORA), and would add further requirements to the existing guidelines, aligning with those requirements introduced under DORA.

Clauses dealing with intellectual property (IP) rights in commercial agreements can present nuanced challenges, particularly when they relate to information exchange. Two such clauses that often surface in technology contracts are residuals clauses and affirmative feedback licenses. While both relate to information shared during the course of a commercial relationship, they serve very different purposes and have distinct implications for IP ownership, confidentiality, and future use.

In a recent report, a team of Morgan Lewis lawyers discussed enforcement of the US Department of Justice’s (DOJ’s) Data Security Program (DSP). The report outlines critical considerations for companies and entities that may be affected by the extensive requirements of this national security initiative.

Cyber regulations are crucial for the protection of individuals and businesses and aid in risk minimization; failure to comply with these regulations can result in severe consequences such as financial penalties, legal action, reputational damage, and potential breach of sensitive or confidential information. Analysts have identified some key cyber regulations to watch in the coming months.

Commercial contracts are typically represented by two separate, yet equally important, components: the master agreement that contains primarily legal terms, and the ordering documentation that contains primarily commercial terms.

During the Biden administration, there was a push to prioritize and modernize cybersecurity responses, and the National Institute of Standards and Technology (NIST) agreed to work with the technology industry to develop a new cybersecurity framework. Now, those promises have come to fruition as NIST has provided updated industry-leading guidance in the cybersecurity field.

As the summer 2025 concert season continues to ramp up, we want to take the opportunity to explain why your favorite band or artist might only be performing once in your region this summer: a radius clause.

We are excited to welcome Mathilde Carle as a partner in Morgan Lewis’s Paris office and as a guest contributor to our Tech & Sourcing Spotlight series to discuss intellectual property (IP) protection and other related issues in agreements to design, build, license, host, and support digital solutions, including automation, AI, and software as a service (SaaS) products.

2025 has seen a notable push by companies to establish dedicated capability centers—or global capability centers (GCCs)—in countries with lower-cost resources and access to a strong talent pool. According to S&S Insider, the global GCC market was estimated at about $128.5 billion in 2023 and is expected to increase to more than $300 billion by 2032, growing at a rate of 13.51% CAGR. NASSCOM reports that India leads the GCC market, currently hosting over 1,700 GCCs, employing more than 1.9 million people, and having an 11% CAGR.