Digital services in the spotlight: TP challenges for cybersecurity and GenAI

As digital transformation continues to accelerate across industries, taxpayers, tax authorities, and tax advisers continue to navigate the increasingly complex tax and transfer pricing implications of emerging technologies. Two recent reports, Deloitte Germany’s Digital Maturity Index Survey 2025 and the Thailand Digital Transformation Survey 2025, highlight trends applicable to many jurisdictions, including a growing strategic focus on generative AI (GenAI) and cybersecurity – two pillars of digital services that are reshaping value chains and governance models.

This article explores the transfer pricing challenges associated with these services and discusses potential governance considerations.

According to the Thailand Digital Transformation Survey 2025, nearly half of the evaluated organisations are in the “Doing Digital” stage, with GenAI emerging as a key driver of innovation. However, 95% of executives acknowledge a lack of internal expertise in GenAI, and governance, talent, and risk management are cited as the least-prepared areas for adoption.

Despite these challenges, GenAI is already transforming business operations; particularly in IT, cybersecurity, manufacturing, marketing, and customer service. Although legal, tax, risk, and compliance functions may sometimes lag behind these early adoption phases, these functions are nevertheless raising more and more questions about how to structure and price GenAI and cybersecurity services within multinational enterprises (MNEs), along with the issue of how such services should – or could – be treated from a transfer pricing perspective.

Traditional transfer pricing frameworks often struggle to capture the complexity of digital value creation, especially when intangible assets, data, and decentralised functions are involved.

Digital services often involve high scalability, rapid innovation, and cross-border collaboration. These characteristics, in combination with the interaction of humans and technology and the difficulty of unambiguously allocating value contributions to either of the two, may complicate the identification of DEMPE (development, enhancement, maintenance, protection, and exploitation) functions, the determination of arm’s-length pricing, and, ultimately, the allocation of profits along the digitised value chain.

In today’s era of virtual work and digitalisation, value creation is often no longer confined to a single legal entity or jurisdiction. This makes it important for tax departments to stay ahead of their MNE’s digital innovation curve and to establish clearly defined governance structures and responsibilities that facilitate global (tax) compliance. However, these are often not prioritised when launching new business models and services, particularly when organisations are focused on maintaining a first-mover advantage. Consequently, tax departments often follow business changes instead of accompanying and actively helping to structure such developments.

In addition, tax departments are required to consider whether, and how, evolving regulatory frameworks such as the EU AI Act and global data protection laws, which add layers of compliance and governance, should be reflected in transfer pricing systems and supporting documentation. This requires a sound understanding of the fast-developing regulatory frameworks.

The following sections outline three fictional and simplified use cases to illustrate potential practical implications on transfer pricing structures and the complexities tax departments are facing. Two of them focus on the deployment of GenAI within MNEs, while the third use case addresses cybersecurity services.

For the purpose of this article, potential legal and tax consequences that go beyond transfer pricing are not taken into consideration. However, tax departments should understand that the analysis of digitised business models generally requires a holistic analysis of potential tax and legal implications to enable compliance not only with the arm’s-length principle but also with general legal and tax regulations.

GenAI introduces novel challenges due to its ability to create content, automate processes, and enhance decision-making.

As tax authorities and policymakers begin to scrutinise the economic implications of GenAI, it becomes crucial for tax departments to proactively assess how these technologies affect intercompany transactions of the respective MNE. Key questions to be answered by tax departments may include:

• What is the value generated by GenAI?

• Who owns the value generated by GenAI?

• How should development, deployment, and usage costs be allocated across jurisdictions? And

• How can arm’s-length principles be applied when dealing with intangible, rapidly evolving assets?

In the following examples, these questions are further explored based on two fictitious simplified use cases that illustrate the transfer pricing challenges and considerations associated with GenAI.

An MNE has developed a proprietary GenAI tool at its headquarters (HQ) with the aim of automating administrative tasks across its global operations. The tool is deployed in local subsidiaries, which operate as routine contract manufacturers and limited-risk distributors. The GenAI application reduces manual errors and improves operational efficiency, particularly in production and logistics. In return, local entities provide usage data that helps to improve the tool’s performance.

In a scenario such as this, a tax department will need to investigate the essence of the GenAI tool; i.e., whether the GenAI tool constitutes a high-value intangible asset or builds the platform to serve as a (routine) IT service. For example, if the tool was considered a high-value intangible asset, tax departments would need to analyse whether the local entities using the GenAI tool would need to pay compensation; e.g., an arm’s-length licence rate for its use. If, however, it was classified as routine software as a service, alternative recharge models could be more appropriate.

In either case, it would be important for tax departments to assess the value of the data collected by local entities and fed into the GenAI tool, thereby considering:

• Whether such data might constitute a contribution to the development of the intellectual property (IP) or whether such data collection and contribution might be classified as part of their regular operational role; and

• How this data collection and contribution should be reflected in the underlying transfer pricing mechanism.

In practice, it can be observed that both the value of local data contributions as well as the arm’s-length pricing of such are often decisive factors to consider – especially considering local efforts and investments to gather data, as well as the role of data in the overall business model. Tax departments are required to perform detailed analyses of this to effectively and appropriately delineate the applicable transfer pricing methodology. Such analyses usually include a robust data life cycle analysis as part of the functional and risk analysis for the transactions under review.

Finally, tax departments would need to consider whether the use of the GenAI tool would result in the development of new IP that could be granted for use within the MNE’s operations, and for which an arm’s-length remuneration would need to be determined.

In this scenario, the GenAI tool is used not only for internal efficiency but also to drive external revenue growth. The tool, developed at HQ level of the MNE, is deployed in local retail subsidiaries to analyse customer data and optimise marketing strategies. The GenAI system processes unstructured data (e.g., customer behaviour, customer preferences) to generate targeted campaigns, resulting in increased sales at the local level.

Similar to case 1 above, among other aspects, tax departments would be required to analyse the value of the data collected locally and the potential value of the data contribution of local entities to the success of the GenAI tool. They would also need to consider the classification of the GenAI tool – whether it should be treated as a licensed intangible or as part of a broader service or product offering.

Furthermore, the increased revenue at the local level may affect the profit allocation under existing transfer pricing models, requiring tax departments to analyse whether the use of the GenAI tool would impact the characterisation of local business operations.

As outlined above, the value of local data contributions as well as the arm’s-length pricing of such are often key analyses undertaken by tax departments. The outcome of such analyses might differ depending on:

• The underlying business model;

• The characteristics of the GenAI tool;

• The classification of transaction partners; and

• The classification of the intercompany transactions under review.

In order to derive appropriate conclusions on the arm’s-length treatment of such use cases, tax departments will need a sound understanding of the technology underlying the GenAI tool. This can be obtained by working with the development teams and/or by building up technologically skilled tax teams, who are able to establish and maintain a transfer pricing system that results in arm’s-length returns at the level of local entities while reflecting the value added by the GenAI tool.

As digital threats grow in scale and sophistication, cybersecurity has become a strategic priority for MNEs. Beyond being a compliance or IT concern, cybersecurity plays a critical role in preserving enterprise value, protecting IP, and maintaining customer trust. As investments in cybersecurity operations increase, tax departments are beginning to investigate the potential implications from a transfer pricing perspective, particularly when cybersecurity functions, tools, and expertise are centralised or shared across jurisdictions.

Equally, tax authorities are increasingly scrutinising how MNEs allocate costs and benefits of intercompany service transactions and cybersecurity investments. Key questions for tax departments to ask include:

• How is the cybersecurity organisation set up?

• Who bears the cost of global threat monitoring and response?

• How should intercompany charges be structured for shared cybersecurity services? And

• How can value creation from proprietary threat intelligence or in-house security platforms be reflected in transfer pricing policies?

In the following example, these questions are further explored for a fictitious use case that illustrates potential transfer pricing considerations associated with cybersecurity. This case highlights the growing need for MNEs to align their transfer pricing model with the strategic and operational realities of cybersecurity in a digitally connected world.

An MNE with a decentralised organisational structure has implemented a centralised cybersecurity framework to meet increasing regulatory requirements and mitigate global cyber risks. The HQ manages core cybersecurity infrastructure, including VPN gateways, endpoint protection, and centralised monitoring platforms. Local entities benefit from these services through secure access, reduced local compliance burdens, and improved incident response capabilities. While some costs (e.g., local helpdesk support) are incurred and paid locally, most infrastructure and governance-related costs are borne centrally.

A key consideration for tax departments is the analysis of, and differentiation between, shareholder costs and chargeable services. This is driven by facts and circumstances; however, some MNEs may conclude that certain cybersecurity measures qualify as shareholder activities and are thus non-chargeable. Likewise, certain services may provide direct benefits to local entities and consequently could be considered intragroup services that provide a benefit to the service-receiving entities.

In this case study, the question arises as to whether such services could be qualified as high value-adding or low value-adding services and the arm’s-length markup to be applied.

In practice, it can be observed that MNEs allocate directly attributable costs (e.g., third-party licences, local hardware) to the benefiting entities, whereas centrally provided services with shared benefits are often charged out based on an indirect allocation methodology using appropriate allocation keys (e.g., number of users, devices, or incidents).

Additionally, certain cybersecurity tools might qualify as intangibles. Where proprietary cybersecurity platforms are developed in-house and used across the group, tax departments are required to assess whether a licensing model would be appropriate based on the existence of (potentially high-value) IP. Both global and local transfer pricing regulations should be taken into consideration when performing respective analyses, which should also take into account alignment with OECD guidelines and tax authority expectations, particularly regarding documentation and the treatment of risk control functions.

As digital services continue to reshape global business models, transfer pricing professionals face the challenge of adapting traditional frameworks to account for new forms of value creation. Those who proactively assess the impact of GenAI and cybersecurity tools, work with legal, IT, and compliance departments, stay informed about regulatory developments, update their transfer pricing strategies, and embed governance structures into their (new) business models will, most likely, be better positioned to manage risk, support innovation, and create sustainable value across the enterprise.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (DTTL), its global network of member firms, and their related entities (collectively, the “Deloitte organization”). DTTL (also referred to as “Deloitte Global”) and each of its member firms and related entities are legally separate and independent entities, which cannot obligate or bind each other in respect of third parties. DTTL and each DTTL member firm and related entity is liable only for its own acts and omissions, and not those of each other. DTTL does not provide services to clients. Please see www.deloitte.com/about to learn more.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited (DTTL), its global network of member firms or their related entities (collectively, the “Deloitte organization”) is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser.

No representations, warranties or undertakings (express or implied) are given as to the accuracy or completeness of the information in this communication, and none of DTTL, its member firms, related entities, employees or agents shall be liable or responsible for any loss or damage whatsoever arising directly or indirectly in connection with any person relying on this communication. DTTL and each of its member firms, and their related entities, are legally separate and independent entities.

© 2025. For information, contact Deloitte Global.