Cybersecurity Contracts: A Critical Review

Article

Authors: Regina Hučková, Laura Bachňáková Rózenfeldová, Pavol Sokol, Soňa Briškárová 

Abstract

The essence of cybersecurity is to ensure the confidentiality, integrity, and availability of an organization’s assets. This paper critically reviews contractual relationships concluded in cybersecurity, explicitly focusing on contracts between state-related actors and private providers. The authors aim to consider the nature of the contracts concluded and the application of selected legal institutes, from which certain conclusions regarding the practice of subjects operating in this area can be inferred. The conclusions presented in this paper are based on the analysis of 158 contracts concluded between Slovak public authorities and private providers in the period 2020–2023. The authors identify several areas for improvement in regulating these contractual relationships, including issues related to the pricing, content of services, liability limitation, and sharing of sensitive data.

Introduction

The continuing process of digitalization, accelerated in recent years by the pandemic, has demonstrated the need to strengthen the information security and cybersecurity of the systems and tools we use daily. As the number of cyberattacks and related threats rises, so does the urgency of this issue. One of the necessary components of ensuring the desired (or achievable) level of security is sufficient and qualified personnel, including technical and legal experts in information security, cybersecurity, and the protection of information. Numerous studies have highlighted the scarcity of such personnel in practice. To illustrate, the European Union Agency for Cybersecurity points out “a lack of skilled and qualified personnel in the labour market to work in cybersecurity roles” (Nurse, 2021). Similarly, in Slovakia, the National Security Authority identifies the absence of professional staff as a security threat in its National Cybersecurity Strategy for the years 2021–2025 (NSA, 2021).

An emerging response to this problem is the practice of entrusting the fulfilment of obligations legally imposed on certain subjects to third parties – private providers that have qualified personnel at their disposal – on the basis of a contract. In this paper, we focus on the contractual relations established between these entities and identify the advantages and disadvantages of this approach. Specifically, we look at the relations concluded between state-related actors – different public authorities – and their private providers.

Related research can be found primarily in studies that focus on contracts between cybersecurity service providers and their customers, examining various types of contracts and responsibilities related to the provision of cybersecurity services and evaluating their effectiveness in protecting information systems. For instance, some papers analyse legal relationships between external service providers and the government in the context of cybersecurity and suggest important implications for incorporating data confidentiality requirements into security service level agreements (Nugraha, 2022). These papers also address the issue of liability in service provision and propose different types of contracts (Wu, 2021), such as threshold-based liability contracts and variable liability contracts, to achieve optimal outcomes considering post-breach effort verification feasibility (Hui, 2019).

The authors of these papers also investigate factors influencing organizational decisions to outsource information security, including organizational factors such as cost-benefit analysis and inability to cope with the threat environment, as well as legal factors such as regulatory and legal compliance (Arshad, 2022). Another group of related studies focuses on contracts related to the security of processed personal data, which are used to ensure compliance with applicable legal regulations. These studies analyse the content, responsibilities, and contractual provisions related to information security and cybersecurity in such contracts. For example, some papers analyse privacy service level agreements, describing the risk assessment process and selection of cloud services (Rios, 2019). Additionally, some articles propose metamodels for privacy-level agreements to support privacy management based on analysing privacy threats, vulnerabilities, and trust relationships in information systems (Diamantopoulou, 2017).

The main objective of this paper is to explore the risks and challenges associated with the outsourcing of information and cybersecurity to third parties through contractual relationships. The article provides insights into some aspects of information and cybersecurity outsourcing, which can help readers better understand the potential risks, challenges, and benefits of such practices. We state the following research sub-goals:

  • What is the extent and nature of the cybersecurity services that public authorities outsource to service providers?

  • To what degree is responsibility limited in contractual relationships in the field of cybersecurity?

This paper is organized into four sections. Section II discusses the research methodology. Section III outlines selected legal aspects of contractual relations in cybersecurity. Section IV contains the discussion and conclusion, including our suggestions for future research.