Professional liability insurance and liability: who covers what in a non-EU subcontracting chain
A defective deliverable, a delay, a data leak: who is liable, and who is insured? How to allocate liability and professional liability insurance across the chain.
Your risk is not only whether the non-EU freelancer has professional liability insurance. It is knowing who is contractually liable if the deliverable causes damage for your end client.
Professional liability insurance and liability in non-EU subcontracting: the real issue for an IT services firm
When an IT services firm works with a tech freelancer based outside the EU, the insurance question arises quickly.
Does the freelancer have professional liability insurance?
Is their contract enforceable from France?
Does their insurance cover an assignment for a French client?
Who pays if the end client claims compensation?
Who bears the risk if the freelancer disappears, challenges jurisdiction or provides insufficient supporting documents?
The answer does not lie in an insurance certificate.
In subcontracting, professional liability insurance is one line of defence. It does not replace a robust contract, a clear chain of responsibilities or a coherent allocation of risk between the IT services firm, the supplier and the non-EU freelancer.
For an IT services firm, the objective is simple: to turn a technically relevant resource, but one that is difficult to contract with directly, into a contracted, documented and insurable service.
Why the non-EU freelancer’s professional liability insurance is not always enough
Professional liability insurance is useful. But it must be read before it is accepted.
In a France → non-EU relationship, several points must be checked:
- the territory covered by the insurance;
- the exact nature of the declared activity;
- the existence of cover for IT services;
- the applicable exclusions;
- the coverage limits;
- the deductibles;
- the language and enforceability of the documents;
- the competent jurisdiction in the event of a dispute;
- the validity of the certificate on the date of the assignment.
A freelancer based in Dubai, Bali or elsewhere outside the EU may be perfectly competent and properly established locally. That does not automatically mean that their insurance will respond effectively to a claim brought by a French IT services firm or by a French end client.
The difficulty is not theoretical. It is operational.
If your end client sends you formal notice, they will not first look for the freelancer’s foreign insurer. They will turn to their contractual counterparty: your IT services firm.
Your contract, your liability and your ability to seek recourse afterwards against your own subcontractor therefore become central.
The non-EU freelancer’s professional liability insurance is a useful compliance item. But it must not be your only protection. In practice, your IT services firm remains exposed towards the end client if it is the main contractual counterparty.
Liability follows the contract, not the project organisation chart
In a B2B service, the first question is contractual: who has committed to whom?
In a classic chain, the end client contracts with the IT services firm. The IT services firm may then subcontract part of the service to a supplier or to a freelancer.
The end client generally has no direct contractual link with the freelancer. In the event of a delivery failure, technical error, delay, vulnerability or non-compliance, the end client turns to the IT services firm.
The IT services firm must then examine its own subcontracting contract to know whether it can transfer all or part of the risk.
This is where the contractual model becomes decisive.
Healthy subcontracting is based on coherent commitments:
- a defined service scope;
- identified deliverables;
- acceptance criteria;
- confidentiality obligations;
- intellectual property rules;
- a liability clause;
- an insurance clause;
- a subcontracting clause, if necessary;
- security and compliance obligations;
- retained documentation.
Liability must not be left in a grey area.
What professional liability insurance generally covers
Professional liability insurance is generally intended to cover certain damage caused to third parties in the course of the insured professional activity.
In a tech service, depending on the policy, it may cover situations such as:
- a configuration error;
- professional negligence;
- an omission;
- a failure in performance;
- consequential or non-consequential financial loss;
- harm to a system or data, if the cover provides for it;
- a claim linked to a declared IT service.
But every insurance policy has limits.
Certain exclusions may concern:
- contractual penalties;
- overly broad outcome commitments;
- delays;
- indirect operating losses;
- uncovered cyber incidents;
- services performed outside the declared territory;
- undeclared activities;
- intentional misconduct;
- claims falling under a specific guarantee.
You should therefore avoid reading the certificate too quickly.
A certificate proves the existence of insurance on a given date. It does not guarantee that the contemplated loss will be covered.
Insurance, liability and compensation: three different levels
The terms are often confused. They do not cover the same reality.
Liability refers to the obligation to answer for damage or a breach.
Insurance is a mechanism that may cover certain financial consequences of that liability, within the limits of the insurance contract.
Compensation is the amount actually claimed, negotiated, awarded or paid.
These three levels must be aligned.
If your contract with the end client provides for high liability, but your non-EU subcontractor has a very low liability cap or poorly adapted insurance, your IT services firm retains a risk gap.
This is the problem of the coverage gap.
It often appears when contracts are not drafted back-to-back.
The role of back-to-back drafting in non-EU subcontracting
Back-to-back drafting consists of aligning the subcontractor’s obligations with the commitments the IT services firm has made to its own client.
This principle is central in subcontracting.
If your IT services firm commits to deadlines, confidentiality, security rules, transfers of rights or documentary requirement levels, your supplier must be able to carry compatible obligations.
Without back-to-back drafting, you may find yourself in an unfavourable position:
- your end client claims compensation from you;
- your subcontracting contract does not allow you to pass liability through properly;
- the freelancer’s insurance does not cover the situation;
- the freelancer is established outside the EU, making recourse more complex to enforce;
- your IT services firm absorbs the risk.
Back-to-back drafting does not eliminate risk. It aims to make it readable, contractualised and controllable.
An insurance clause is not enough if the liability clause, deliverables, acceptance criteria and security obligations are not coherent. Coverage is prepared throughout the contract, not in a single appendix.
Specific risks with a non-EU freelancer
Working with a non-EU freelancer is not prohibited. In many cases, it is even operationally relevant.
But certain frictions must be addressed.
Contractual enforceability
A contract signed with a person or structure outside the EU may be harder to enforce in the event of a dispute.
The question is not only which law applies. You must also anticipate the real ability to assert a claim.
Proof of compliance
An IT services firm often needs to document its supplier chain.
This may include:
- the identity of the contractual counterparty;
- their professional status;
- their genuine tax residence;
- their billing details;
- their certificates;
- their insurance policies;
- their confidentiality commitments;
- their security commitments;
- their deliverables.
The further the supplier is from French documentary standards, the greater the control burden.
Tax and the reality of the activity
A non-EU freelancer may genuinely be tax-resident abroad. That status may be perfectly legitimate if it corresponds to reality: actual residence, majority presence outside France, activity genuinely performed remotely, and no organised presence in France.
Conversely, a shell entity, a fictitious residence or a regular undeclared presence in France creates tax and social security risk. This type of arrangement is abusive and must be rejected.
Non-EU location must never be used as a pretext for artificial tax avoidance. It must reflect a real and documentable situation.
Permanent establishment risk
A poorly structured chain may also raise permanent establishment questions, particularly if a person or entity in France acts as a dependent representative of a foreign freelancer.
To limit this risk, the relationship must be structured clearly.
StelarWork contracts in its own name. It does not act as the freelancer’s representative and does not enter into contracts on behalf of the freelancer.
The classification of the relationship
Subcontracting must remain a service.
It must be framed by a purchase order, a scope, deliverables and an outcome-based logic.
Vocabulary and practices matter. A relationship described as simple staff secondment, managed as pure time-and-materials without autonomy or deliverables, may create risks of reclassification or unlawful labour lending.
An IT services firm must therefore document a service, not merely person-days.
Who covers what in an IT services firm → supplier → non-EU freelancer chain?
The allocation depends on the contracts. But a healthy reading can be organised across three levels.
1. The IT services firm is liable towards the end client
Your IT services firm is the end client’s contractual counterparty.
It bears the commitments it has accepted:
- quality of the service;
- meeting deadlines;
- functional or technical compliance;
- confidentiality;
- security;
- intellectual property;
- service continuity, if provided for;
- contractual liability.
Even if part of the service is subcontracted, the IT services firm generally remains liable towards the end client.
2. The supplier is liable towards the IT services firm
The subcontracting supplier must answer for its own commitments towards the IT services firm.
This is where liability, insurance, confidentiality, security, intellectual property and deliverables clauses play their role.
If the supplier is French, insured and contractually committed under French law, the IT services firm benefits from a clearer chain.
3. The non-EU freelancer performs part of the service within a defined framework
The non-EU freelancer intervenes within a service framework defined in advance.
They must have a real status, the ability to invoice, appropriate contractual commitments and, where relevant, compatible insurance.
But the IT services firm does not always benefit from bearing directly the contractual, documentary and insurance complexity linked to this non-EU supplier.
This is precisely the friction that StelarWork aims to remove.
How StelarWork reduces friction for the IT services firm
StelarWork sits in the contractual chain between the French IT services firm and the tech freelancer based outside the EU.
In practical terms, StelarWork invoices the IT services firm, pays the freelancer and carries a structured supplier contractual framework.
The objective is to turn a freelancer who is difficult to contract with directly into a French supplier that is easier to integrate into your procurement and compliance chain.
StelarWork is not an umbrella employment arrangement, nor an employer, nor an EOR, nor a domiciliation service, nor a law firm.
The model is based on a B2B logic: service, purchase order, deliverables and supplier liability.
For the IT services firm, the benefit is operational:
- contract with a French company (SASU);
- simplify supplier invoicing;
- reduce compliance frictions;
- better document the subcontracting chain;
- frame obligations as a service;
- clarify responsibilities;
- avoid a poorly controlled direct relationship with a non-EU freelancer who is difficult to integrate.
StelarWork does not promise to eliminate all risk. No serious arrangement can promise that.
The model is designed to reduce grey areas and make the relationship more acceptable for an IT services firm, its procurement, finance and compliance teams.
StelarWork contracts in its own name with the IT services firm. The relationship is structured as a B2B service with a French supplier. It is not based on an employment contract, a salary or staff secondment.
Clauses to review before signing non-EU subcontracting
Before engaging a non-EU freelancer, directly or through a supplier, several clauses deserve particular attention.
The scope clause
It must describe the expected service.
A vague title such as “back-end development” or “DevOps support” is not always enough.
It is preferable to specify:
- the deliverables;
- the environments concerned;
- the limits of intervention;
- client dependencies;
- validation criteria;
- exclusions.
The clearer the scope, the more readable the liability.
The liability clause
It must state what is covered, what is excluded and how damage is handled.
It must be consistent with your client contract.
Misalignment may create residual exposure for the IT services firm.
The insurance clause
It must provide for the existence of insurance suited to the activity.
But it must also allow you to request an up-to-date certificate and, if necessary, information about the scope of cover.
The aim is not to accumulate documents. It is to verify that the insurance corresponds to the service actually performed.
The confidentiality clause
It is essential in a tech service.
It must cover information belonging to the end client, the IT services firm and any relevant third party.
It must also survive the end of the assignment.
The intellectual property clause
It must organise the assignment or licence of the deliverables, depending on the model chosen.
In software development, this point must be handled precisely: code, documentation, scripts, configurations, pre-existing elements, open-source components, usage rights.
The GDPR and security clause
If the service provider accesses personal data, a GDPR analysis is necessary.
Depending on the roles, a data processing agreement within the meaning of Article 28 GDPR may be required.
Access, logs, permissions, environments and security rules must be framed.
The subcontracting clause
It must specify whether subcontracting is authorised, under what conditions and with what transparency obligations.
In a chain involving a non-EU freelancer, this point is particularly sensitive.
Common mistakes made by IT services firms
Certain mistakes occur frequently.
Accepting a professional liability insurance certificate without reading the scope
A certificate does not say everything.
It may confirm the existence of a policy, but not guarantee coverage of the loss that concerns you.
Signing directly with a non-EU freelancer without a realistic ability to seek recourse
The contract may be valid on paper, but difficult to enforce.
The risk is increased if the documents are incomplete or if the freelancer operates through a structure that is hard to verify.
Copying and pasting a French freelancer contract
A standard contract designed for a French independent contractor does not always address non-EU matters: tax, currency, jurisdiction, foreign insurance, data, proof of establishment, international sanctions, documentary transfer.
Confusing time spent with a service
A service may be billed at a day rate, but it must remain structured by a scope and deliverables.
The day rate is an economic method. It must not erase the service logic.
Leaving a gap between the client contract and the supplier contract
This is one of the main sources of exposure.
If the IT services firm accepts strong commitments on the client side, it must check that it can reflect them on the supplier side, at least proportionately.
How to build a more robust liability chain
A healthy approach is based on a few principles.
Document the supplier’s reality
You must verify who invoices, where the activity is performed, what the freelancer’s status is and what documentation exists.
If the freelancer is tax-resident outside the EU, that residence must correspond to reality.
A healthy configuration is based on a real presence outside France, genuine remote activity and no organised presence in France.
An abusive configuration is based on a façade address, a shell entity or a concealed French presence. It must be rejected.
Contractualise a service
The purchase order must relate to a defined service.
The deliverables, responsibilities, deadlines, validations and dependencies must be readable.
This approach reduces ambiguities and avoids presenting the relationship as a simple supply of personnel.
Align the key clauses
The supplier’s obligations must be compatible with those of the IT services firm towards the end client.
This concerns in particular:
- liability;
- insurance;
- confidentiality;
- intellectual property;
- security;
- GDPR;
- reasonable audit;
- continuity;
- reversibility, if applicable.
Keep evidence
In the event of an inspection, client audit or dispute, evidence matters.
You must be able to produce:
- contracts;
- purchase orders;
- deliverables;
- validations;
- certificates;
- key exchanges;
- compliance items;
- proof of payment;
- supplier identity documents, where required.
Where to place StelarWork in your procurement and compliance set-up
StelarWork intervenes when the IT services firm has identified a non-EU tech freelancer whom it cannot, or does not wish to, contract with directly.
The need often arises in three situations:
- the freelancer is strategically useful, but cannot be integrated into the supplier repository;
- procurement refuses direct non-EU invoicing;
- finance or compliance requests a French, documented and responsible supplier.
StelarWork then becomes the IT services firm’s French supplier for the service concerned.
The chain is more readable:
- the IT services firm receives a French invoice;
- the service is contractually framed;
- StelarWork carries the supplier relationship with the non-EU freelancer;
- responsibilities are organised within a B2B framework;
- documentation is centralised and easier to use.
The freelancer does not become an employee of StelarWork. They remain an independent service provider established outside the EU, where that situation corresponds to a verifiable reality.
StelarWork does not sell tax optimisation. If the freelancer benefits from a particular local tax regime, that is a matter of their genuine and pre-existing tax residence. StelarWork removes administrative and contractual friction for the IT services firm, without artificially creating that situation.
What an IT services firm should remember
The question “does the freelancer have professional liability insurance?” is necessary, but insufficient.
The right question is broader: does your subcontracting chain allow you to identify who is liable for what, with what recourse, what insurance and what documentation?
In non-EU subcontracting, the main risk comes from grey areas.
An IT services firm must avoid:
- a contractual counterparty that is difficult to verify;
- poorly understood foreign insurance;
- a contract not aligned with the client contract;
- a relationship described as person-days without deliverables;
- a non-genuine tax residence;
- insufficient documentation;
- no practical recourse.
StelarWork aims to address this difficulty by providing a French supplier inserted into the contractual chain, with a B2B service logic, compliance documentation and more clearly structured liability.
The objective is not to make the risk non-existent. It is to make it readable, contractible and acceptable for an IT services firm.
This article provides general information for IT services firms. It does not constitute personalised legal, tax, employment or insurance advice. Clauses, liabilities, tax regimes, GDPR obligations and insurance coverage must be analysed according to the contracts, the countries concerned, the operational reality and the facts specific to each situation, with the appropriate advisers where necessary.
FAQ — Professional liability insurance and liability in non-EU subcontracting
Can an IT services firm work with a non-EU freelancer?
Yes, provided the relationship is structured correctly.
The freelancer must genuinely be established outside the EU, work remotely in a coherent configuration and have an appropriate contractual framework.
The IT services firm must also check supplier compliance, tax issues, insurance, GDPR obligations, intellectual property and contractual liability.
Does the non-EU freelancer’s professional liability insurance protect the IT services firm?
It can contribute to protection, but it is not always enough.
You must check the scope of the cover, exclusions, the territory covered, the nature of the insured activity and the conditions for coverage.
Above all, the end client will generally turn against the IT services firm if the IT services firm is its contractual counterparty. The freelancer’s professional liability insurance therefore does not replace a robust subcontracting contract.
Who is liable if the non-EU freelancer makes an error?
Towards the end client, the IT services firm often remains liable if it has signed the main contract.
The IT services firm may then seek recourse against its subcontractor, depending on the contractual clauses provided for.
This is why it is important to align commitments, guarantees, insurance and liabilities across the entire chain.
Why go through a French supplier such as StelarWork?
To reduce the frictions linked to contracting directly with a non-EU freelancer.
StelarWork allows the IT services firm to work with a French supplier, within a B2B service framework, while organising the relationship with the non-EU freelancer.
This facilitates invoicing, documentation, supplier compliance and the reading of responsibilities.
Is StelarWork umbrella employment?
No.
StelarWork does not employ the freelancer, does not pay a salary and does not set up an employment contract.
The model is based on a B2B service between the IT services firm and StelarWork, and then on a separate contractual relationship with the independent non-EU freelancer.
Does the non-EU freelancer receive a tax advantage thanks to StelarWork?
No.
StelarWork does not create foreign tax residence and does not sell tax avoidance.
If a freelancer is tax-resident outside the EU, that situation must be real, pre-existing and documentable: effective presence abroad, genuine remote activity, no organised presence in France.
A shell entity or fictitious residence would be abusive and must be excluded.
Is a French invoice enough to secure the relationship?
No.
A French invoice facilitates supplier onboarding and administrative management, but it does not replace the contract, liability clauses, insurance, deliverables, GDPR commitments and compliance documentation.
The invoice is one element of the chain. It is not the whole chain.
How can the risk of unlawful labour lending be avoided?
The relationship must be structured as a service.
This implies a scope, deliverables, a purchase order, an outcome-based logic, validations and execution autonomy compatible with the service.
You must avoid presenting the relationship as simple staff secondment. Operational management must remain consistent with a B2B subcontracting framework.
What should be requested before accepting foreign professional liability insurance?
It is useful to request an up-to-date certificate and, if necessary, information on:
- the activities covered;
- the territories covered;
- the limits;
- the exclusions;
- the validity period;
- cyber or IT guarantees;
- the jurisdiction or claim procedures.
These elements must be assessed with caution, because coverage always depends on the terms of the insurance contract.
Does StelarWork remove the legal risk for the IT services firm?
No.
No serious arrangement can promise a total absence of risk.
StelarWork is designed to reduce grey areas, clarify the contractual chain and facilitate the integration of a non-EU freelancer within a French supplier framework that is more usable for an IT services firm.