If your company requires extremely secure data transfer with encryption, how can QoS work? The answer depends on the encryption algorithm used.
If you use IPsec over GRE, this will work. The 3 IP precedence bits will be copied from the orginal IP header to the GRE header, then further to the IPsec header. At the provider edge router, they will typically be copied to the MPLS EXP field automatically by TOS.
In essence, you have an exact replica of the QoS parameters visible outside the GRE packet, which the service provider uses to provide QoS. While this post is not especially technical, it addresses a common question.