MARKET INSIGHT

From day rates to outcomes: the shift to fixed-price cyber in 2026

invitise · 6 May 2026 · 6 min read
Joint & Several Liability rules landed in April. End clients no longer want to assess IR35 status on every contractor. Fixed-price Statements of Work are becoming the default. Here's what genuine outcome delivery looks like.

On 6 April 2026, the Joint & Several Liability (JSL) rules came into force. The headline is simple. End clients can now be made liable for tax debts in their contractor supply chain. The practical consequence is bigger than the headline.

Procurement, finance and legal teams across the UK have spent the last six weeks doing the same thing: looking at their cyber contractor population and asking a different question. Not "is this individual inside or outside IR35". The question now is "why are we engaging this person on a day rate at all".

The answer, for a growing number of Cyber Programmes, is to stop. Fixed-price Statements of Work are becoming the default operating model for outcome-led Cyber Security delivery in 2026.

What actually changed in April

The JSL rules sit on top of the existing off-payroll regime. Where an umbrella company in your supply chain fails to pay PAYE, HMRC can now pursue the agency, the end client, or both. That's a different kind of risk. It is no longer a question about whether a single contractor was correctly classified. It is a question about the whole supply chain.

For end clients running Cyber Programmes, three things follow:

  • Status determinations have to be done properly, every time, with audit trails that withstand scrutiny.
  • Umbrella and agency selection now carries direct financial exposure. The procurement team owns the consequence of getting it wrong.
  • The compliance overhead of operating a day-rate model has tipped past the point where it makes commercial sense for any programme that can be scoped as an outcome.

Statement of Works delivery removes the headache at source. The provider takes responsibility for the people. The end client buys an outcome.

What a genuine SoW looks like (and what it doesn't)

A relabelled day rate is not a Statement of Works. HMRC and the courts will look past the document straight to the substance. To be genuine, an SoW has to demonstrate four things:

  • Defined scope. The deliverable is described in business terms – a SOC built, a SIEM migrated, an environment certified – not in hours.
  • Defined milestones. Payment is tied to acceptance of stages, not to time spent.
  • Real risk transfer. The provider carries the consequence of late or non-delivery, including remediation, financially.
  • Substantive supervision and direction. The provider's senior project manager runs the work. The client does not direct the day-to-day activity of individual specialists.

If any of those four collapses, the SoW collapses with it – and the original IR35 question lands right back on the client's desk.

Why fixed-price beats day rates on more than tax

The tax exposure is what's driving the conversation. It's not the only reason the model is winning.

Fixed-price delivery aligns the supplier with the outcome. A day-rate engagement is a unit-economics conversation. The longer the engagement runs, the more the supplier earns. A fixed-price engagement reverses that incentive. The faster the supplier delivers to the standard agreed, the better the engagement is for both sides.

It also gives the buyer something they rarely get from a contractor population: cost certainty. The CFO knows what the SOC build costs. The CISO knows what the migration costs. The board knows what the programme costs. The conversation moves from timesheets to outcomes.

And it changes who's in the room. A genuine SoW is anchored by a senior project manager on the supplier side who owns the work end to end. There is no account manager passing messages between the buyer and a delivery team they have never met. The seniority of the conversation goes up.

When SoW is the right answer – and when it isn't

SoW delivery is not a fit for every requirement. It is the right model when:

  • The outcome can be defined upfront with milestones a buyer would accept against.
  • The work has a defined start, middle and end – a build, a migration, a stand-up, a certification.
  • The team needed is more than one specialist and benefits from being assembled rather than recruited individually.

It is the wrong model when:

  • The requirement is open-ended cover for BAU operations.
  • The work is genuinely a single specialist supplementing an in-house team under the team lead's direction.
  • The scope is too unstable to commit to a fixed price honestly.

In those cases, a day-rate contract is still the right answer – provided the supply chain compliance is watertight. The point is to match the commercial model to the work, not to force every engagement through the same template.

Where invitise sits

We deliver Cyber Security across all three models: embedded programmes, fixed-price Statement of Works, and contract capability on-site within 24 hours. We will tell you which one fits your problem before we tell you what it costs.

Every SoW we run is anchored by a senior cyber project manager who scopes the work, validates each stage, and signs off acceptance. One point of accountability across the engagement.

If you have a defined outcome – a SOC to build, a certification to land, a capability to stand up – we can scope it, price it and deliver it on a fixed basis. The first conversation is a 15-minute call to confirm whether the outcome is well-defined enough for a genuine SoW. Sometimes the answer is no, and we'll say so.
