Key takeaways
- Using an Employer of Record is not risk-free, despite how many providers market it. The four core risks are permanent establishment liability, co-employment exposure, intellectual property and data protection gaps, and country-specific compliance failures.
- An EOR does not automatically protect your business from permanent establishment. If your workers generate local revenue, your operations may still trigger corporate tax obligations in that country.
- EOR contracts do not always include IP assignment clauses, confidentiality agreements, or post-termination restraints by default. These must be explicitly verified before signing.
- Non-compliance by your EOR can have serious consequences for your business even when you are not directly liable, including reputational damage that affects your ability to attract and retain talent.
- Choosing the right EOR matters more than avoiding them altogether. Prioritise verified in-country legal expertise and robust compliance infrastructure over platform features or price.
Hiring an employee in a different country usually means setting up a legal entity there. And, while the exact process differs from one country to the next, it’s often expensive and time-consuming.
One alternative is to take on the worker as an independent contractor. But, while this is a great solution in some circumstances, governments across Europe and beyond are tightening the rules on employee misclassification — and you could face big fines and penalties if you get it wrong.
There is another solution: hiring employees through an employer of record (EoR). Doing things this way allows you to engage, onboard and pay employees much more quickly, without the hassle of incorporating. But despite what many EoR providers claim, this isn’t a risk-free solution either. In this article, we’ll talk about some of the biggest risks of hiring internationally through an EoR — and how to avoid them.
What is an employer of record (EoR)?
An employer of record (EoR) is an organisation that hires workers on behalf of other organisations. EoR providers also typically provide HR services like payroll, benefits administration and onboarding support. Working with a global EoR allows companies to hire workers in countries where they don’t (yet) have a legal presence — but there are still compliance risks to be aware of.
Understanding the risks of working with an EoR in EMEA
So, what are the risks you need to know about before hiring internationally through an EoR? Here are some of the biggest issues to look out for:
- Permanent establishment: Permanent establishment is when a company has a stable enough presence in a country to generate liability for corporate taxes. And here’s the kicker: working with an EoR won’t necessarily protect you. It’s important to understand exactly what your obligations will look like before entering a new market, even if you’re using an EoR.
- Co-employment risks: In some countries, your company may be considered a ‘co-employer’ of your workers alongside the EoR. This leaves you jointly liable for things like tax obligations and compliance with local labour laws, which could be a big problem if the EoR you choose doesn’t meet its obligations.
- Intellectual property, data protection and confidentiality: For some roles, confidentiality is crucial. And for others, you need to be 100% sure your intellectual property is protected. But EoRs don’t always include these things in their contracts by default — which could lead to big trouble for your business.
- Country-specific issues: Each country has its own rules about how EoRs can be used, including limits on the length of employment or the scope of the work involved. You need to be 100% sure your chosen EoR will comply with these requirements, as you could be held liable if they don’t.
3 real-life compliance horror stories
Hiring across borders comes with a minefield of compliance challenges — and working with an EoR won’t necessarily protect your business. Here are a few real-life cautionary tales to help you understand the risks.
1. Gucci owner Kering receives record-breaking fine in Italian permanent establishment case
In 2019, the French luxury goods group Kering was ordered to pay a record €1.25 billion to settle a dispute with the Italian tax authorities. Though the company, which owns luxury clothing brand Gucci, had been booking its revenue through its Swiss subsidiary, the Italian tax authorities deemed that it had a permanent establishment in Italy. The settlement includes €897 million in back taxes, plus some €353 million in interest payments and penalties.
2. Spanish delivery app Glovo fined €57 million for breaching labour laws
In 2023, a Spanish delivery app called Glovo was fined €57 million for classifying 7,800 workers in Madrid as self-employed when they were really employees. This breaks down into a fine of €32.9 million, €19 million in unpaid social security contributions and €5.2 million for visa violations. And this case is just the latest in a series of fines issued to the company for breaches in Spain. As of 2023, experts put the total Glovo has paid at somewhere around €200 million.
3. 14 ride-hailing companies in Kenya sued for data protection and employment law issues
In 2023, 14 ride-hailing companies in Kenya were sued for supposedly flouting labour laws and data protection regulations. Some of the companies have been accused of not having duly registered data handlers and processes, as Kenyan law requires. And others, including Uber and Bolt, have been accused of deducting more than the allowable 18% from drivers’ revenues, and not complying with regulations that require them to have a registered presence in Kenya. If the claim is successful, these companies will lose their licence to operate in the country.
What went wrong?
None of the incidents we’ve talked about are directly related to hiring through an employer of record. But the point is, using an EoR won’t necessarily protect you from this sort of issue.
For example, the rules about permanent establishment are different in each country, but it tends to come down to things like whether you have local premises in the country and whether the workers you employ there are doing work that generates revenue. That means your operations could trigger permanent establishment even if your only employees in the country are engaged through an EoR.
And there’s another important point here too: even if you’re not legally liable for things like employee misclassification or non-compliance with local employment laws, these things can still have a huge impact on your reputation as a business. Over time, this could limit your ability to attract and retain talent, and even impact your bottom line.
Best practices to mitigate EoR risks in EMEA
First things first: it’s always best to seek legal advice before hiring in another country. This blog post is intended to give you an idea of some of the issues you might face when hiring through an EoR — but we can’t cover everything. We also can’t tell you exactly how you can avoid risk when hiring overseas, because it depends on your specific circumstances.
That said, there are some best practices you can follow if you want to reduce the risks of working with an EoR — read on to learn more.
Conduct a thorough assessment of your chosen EoR provider
Before working with an EoR, you need to be sure they’ll be able to meet your company’s needs without putting your business at risk. This starts with some basic due diligence: for example, in some countries, EoR providers are required to have a licence in order to operate — and checking they are properly registered should be your first step.
Of course, you also need to check whether the EoR operates in the country you want to hire in, and ask them questions about the specific ways their services work in that country. Looking at testimonials and comments on the EoR’s website and on independent review platforms can also be revealing.
Ask the right compliance questions
You’ll also need to satisfy yourself that any EoR you choose to work with will be able to meet local employment law requirements. This includes things like compliance with the national minimum wage, paid holidays, limits on working hours and other labour law requirements.
To determine an EoR’s suitability, you should ask them detailed questions about the checks they carry out to ensure compliance in the country in question. It’s also a good idea to conduct some independent research into the labour laws and tax regulations that apply in that country. That way, you’ll at least have an idea of the right questions to ask the EoR.
Protect your business interests
When you hire employees directly, your contracts probably include several clauses that are designed to protect your business. For example, you might have clauses about confidentiality, intellectual property assignment and the return of assets after the end of an employee’s contract. You might even impose post-termination restraints on employees to prevent them from poaching your staff or customers once they leave your company.
When you hire through an EoR, you should ask them whether they include these provisions in their contracts. You should also ask detailed questions about how these work within the laws of the country in question, which might have specific rules about intellectual property or post-termination restraints, for example.
Establish communication channels
When you outsource an important part of your business to a third party, you need to know you’ll be able to get in touch with them when you need to. You should ask any EoR provider you’re considering working with what ongoing support they offer to clients — and check client testimonials too.
It’s also important to establish clear communication channels for flagging compliance issues and concerns. For example, even the most diligent providers sometimes make mistakes. The EoR should have a process in place to communicate problems, and systems for resolving them.
Look for tech-forward solutions, backed by real expertise
Almost all EoR providers use tools and technologies to monitor and manage compliance in the EMEA region. This allows them to handle compliance efficiently, and provides checks and balances to help catch any mistakes.
However, many EoRs prioritise tech over compliance. While it’s important to use technology effectively, this should always be backed up by extensive compliance knowledge and robust infrastructures in the countries the EoR operates in.

Choosing the right EoR
A lot of the time, it’s not about avoiding EoRs altogether, but choosing the right one. For the best chance of success, you should look for an EoR provider with a strong focus on compliance, backed up by the right tools and technologies. Above all, you need to make sure the EoR provider you choose can provide coverage in the countries where you want to hire — and has the necessary resources, expertise and knowledge to help you do so compliantly and legally.
At CXC, we’ve been helping companies like yours to compliantly hire and pay workers for more than 30 years. After starting out in Australia, we now offer our services in more than 100 countries worldwide — including many in the EMEA region. Our team are experts in all aspects of legal, tax and regulatory compliance, which means we can help you to protect your business as you expand overseas.
Want to learn more? Speak to our team today to get started.
Frequently Asked Questions: Employer of Record Risks and EOR Compliance in EMEA
What are the biggest risks of using an Employer of Record?
The biggest Employer of Record risks include: permanent establishment liability (your operations may still owe corporate taxes in a country even when using an EOR); co-employment exposure (some jurisdictions deem you jointly liable for labour law compliance alongside the EOR); intellectual property and data protection gaps (EOR contracts do not always include confidentiality or IP assignment clauses by default); and country-specific compliance failures (each EMEA country has its own rules governing how EORs operate). Choosing an EOR without verifying their local expertise in each target country amplifies all of these risks.
Does using an Employer of Record eliminate permanent establishment risk?
No. An EOR does not eliminate permanent establishment risk. Permanent establishment can happen when a company has a stable enough presence in a country to generate corporate tax liability. This can be triggered even when your local workers are engaged through an EOR. In 2019, Kering, the owner of Gucci, paid €1.25 billion to settle a dispute with Italian tax authorities. Before entering any EMEA market through an EOR, obtain country-specific legal advice on whether your operations would trigger permanent establishment.
What is co-employment risk and how does it affect EOR compliance?
Co-employment occurs when a jurisdiction treats both your company and the EOR as joint employers of the same worker. This means your business can be held liable for tax obligations, social security contributions, and local labour law compliance — even though the EOR is the named legal employer on the contract. Co-employment liability is more prevalent in certain EMEA markets than others, and the specific obligations it triggers vary by country. Selecting an EOR with verified local legal infrastructure in each target country reduces but does not eliminate this risk.
How can an EOR fail to protect intellectual property and confidential information?
EOR contracts do not automatically include intellectual property assignment clauses, confidentiality agreements, or post-termination restraints. Without explicit IP assignment clauses, default rules under local law apply. In many jurisdictions across EMEA, work created by an employee does not automatically belong to the hiring company. Before signing with any EOR, verify that their standard contracts include explicit IP assignment to your company, confidentiality obligations, and enforceable post-termination restraints. Confirm how these provisions operate under the specific laws of each country where you are hiring.
What country-specific EOR compliance issues should businesses watch for in EMEA?
EOR compliance requirements vary across EMEA. There is no single regional standard and rules differ per country. In Germany, temporary agency work is strictly regulated, with caps on assignment duration and mandatory equal pay requirements. In France, complex social security obligations and works council rules add compliance layers many EORs underestimate. In Spain, the Glovo case resulted in a €57 million fine for misclassifying 7,800 workers. In the UK, IR35 off-payroll working rules impose additional compliance obligations when engaging contractors. Before committing to an EOR in any EMEA market, verify they hold specific, documented expertise in that country.
What due diligence should you conduct before choosing an EOR provider?
Before choosing an EOR provider, conduct due diligence across these five areas: 1) Verify the EOR is properly licensed or registered in each target country, as some jurisdictions require specific authorisations. 2) Confirm the EOR operates directly through its own local entities, rather than through sub-contractors with weaker compliance controls. 3) Ask questions about local employment law obligations: minimum wage, statutory holiday entitlements, working hours, and termination notice requirements. 4) Read independent testimonials on third-party platforms, not just those hosted on the EOR’s own website. 5) Confirm the EOR has a documented escalation process for reporting and resolving compliance failures.
Can an EOR protect your business from employee misclassification penalties?
An EOR reduces misclassification risk by formally employing workers rather than engaging them as independent contractors, removing the most common source of misclassification exposure. However, if the EOR itself misclassifies the engagement, or fails to meet its employment obligations, your business can still face reputational damage and shared legal liability. In Spain, Glovo was fined €57 million for misclassifying 7,800 workers as self-employed rather than employees. Even with an EOR in place, understanding the worker classification rules in each country where you are hiring is crucial.
What happens if your EOR fails to comply with local labour laws?
If your EOR fails to comply with local labour laws, the consequences for your business can be significant even if the EOR is the formal legal employer. First, financial liability — in EMEA jurisdictions where co-employment applies, your company may share responsibility for unpaid taxes, back pay, or social security contributions owed by the EOR. Second, reputational damage — even where your company is not directly fined, being associated with non-compliant employment practices can harm your ability to attract and retain talent. Third, operational disruption — if the EOR loses its licence to operate in a country, your workforce arrangements in that market may collapse. Thorough due diligence before appointment is the primary protection against all three.
How should EOR contracts be structured to protect the client company?
A compliant EOR contract should contain six provisions. First, an explicit IP assignment clause transferring ownership of all work products to your company. Second, confidentiality obligations binding directly on the worker. Third, post-termination restraints (preventing workers from poaching your staff or clients after leaving) where local law permits enforcement. Fourth, clear escalation and communication protocols for compliance issues. Fifth, indemnification clauses protecting your company if the EOR fails to meet its legal obligations. Sixth, specific representations confirming the EOR’s compliance with employment law in each country where you are hiring. Have local legal counsel review these provisions for every jurisdiction before signing.
Which EOR services provider has the compliance expertise to mitigate employer of record risks in EMEA?
For EMEA hiring, the three non-negotiable criteria are verified in-country legal expertise, direct entity ownership in each market rather than sub-contractor networks, and a proven track record of managing country-specific compliance requirements. CXC Global has operated across more than 100 countries for over 30 years, with specialist teams covering legal, tax, and regulatory compliance across key EMEA markets. CXC helps businesses manage the full range of Employer of Record risks from permanent establishment exposure to IP protection and worker classification. Contact CXC to discuss EMEA hiring requirements.






