What is lock-in and how can it be avoided

Introduction

Lock-in is the difficulty of changing provider or technology after an initial choice. It involves both technical and economic aspects: switching to a new solution can become so costly or complex that it is preferable to remain tied to the current situation, even when it is no longer the best option.

For public administrations, this is a real risk because it limits flexibility, increases long-term costs, and makes it difficult to adopt more modern and efficient solutions. Understanding lock-in and adopting practices to prevent it helps maintain control over technological choices and avoid excessive dependence on individual providers.

The main forms of lock-in

Data lock-in

This situation arises when the software used does not allow data to be exported in open formats, but instead manages them with proprietary formats. In these cases, migrating data to new systems becomes costly and complex because it requires conversions, quality checks, and often manual intervention. The more data is created over time with these tools, the harder it becomes to switch to other software.

Knowledge lock-in

This occurs when there is no clear documentation of the software and technical choices made, or when adequate training materials are lacking. In this situation, only the original provider has the necessary information to manage and modify the system. The administration becomes completely dependent on the provider for any intervention and cannot easily transfer management to a new party.

Contractual lock-in

This occurs when contractual clauses make it costly or complicated to change provider or technology. There may be high penalties, long notice periods, minimum contract duration requirements, or restrictions on data portability. These elements increase exit costs and discourage the administration from seeking more convenient alternatives.

How to prevent lock-in

There are technical, organizational, and contractual practices that, if adopted from the beginning, significantly reduce the risk of lock-in and the associated costs.

Technical choices

Designing portable services means being able to move data and applications without having to rewrite them. Data should be exchanged using documented APIs (Application Programming Interfaces) and open formats. It is advisable to avoid proprietary formats and always ensure the complete export of data in accessible standards and open formats.

If the software is custom-developed, the administration must retain ownership and access to the source code. In PaaS (Platform as a Service) and IaaS (Infrastructure as a Service) models, it is better to choose technologies based on open standards and architectures that separate the application from the platform, in order to reduce dependence on a single provider.

Documentation and knowledge sharing

Documentation preserves the organization’s technical memory. Important decisions (architecture, security, integrations), main configurations, release and backup procedures, and the API schema should all be recorded. It is important to keep them updated and accessible. Basic training enables staff to manage daily activities without having to rely on the provider for every intervention.

Ongoing collaboration

Regular coordination between the administration and the provider reduces ambiguities and dependencies. Periodic meetings with shared minutes, scheduled technical reviews, and coordinated work sessions facilitate knowledge transfer. Shared dashboards and reports on costs, performance, and incidents make service trends transparent and support operational decision-making.

Contractual clauses

Lock-in prevention is reinforced in the contract. Tender documents should require data portability in standard formats, assisted export within set timeframes, delivery of updated documentation, and support for exit migration. During the planning phase, it is also useful to estimate future migration costs, so that offers can be evaluated based on long-term flexibility, not just the initial price.

The role of qualification

Cloud services qualified by ACN Opens in a new tab (National Cybersecurity Agency) must meet specific requirements, which also include measures against lock-in. This means that qualified providers are required to ensure data portability, the use of standard formats, and the ability to migrate to other solutions without excessive costs or difficulties.

Choosing qualified services therefore represents a first level of protection, which should always be complemented by good technical, organizational, and contractual practices to minimize the risks of vendor dependence.