When This Model Makes Sense
You’re using an EOR to employ 12 people across 6 countries, and your General Counsel just asked: “Are we actually compliant?” The honest answer is: probably, for the employment basics. But compliance in an EOR arrangement goes beyond having a local employment contract. Tax authorities, labor inspectorates, and social security agencies in your employees’ countries have their own audit triggers — and EOR arrangements create specific compliance patterns that are increasingly scrutinized.
In practice, teams apply this guidance faster when they pair it with best EOR providers, remote roles in this market, and the Employer of Record glossary.
This guide covers what gets audited, what fails, and what you need to verify with your EOR provider to avoid being the company that discovers a compliance gap during an enforcement action. If you want a broader map of where EOR structures break in practice, read EOR compliance risks. If you’re building policy around distributed teams, pair this with remote hiring compliance.
How It Works
EOR compliance operates on three levels, each with different enforcement mechanisms and failure modes.
Level 1: Employment law compliance. The EOR’s employment contract must conform to local law — minimum wage, working time regulations, statutory leave entitlements, notice periods, termination protections, and anti-discrimination provisions. This is the EOR’s core competency, and reputable providers get this right. The failure mode here is usually outdated contracts that don’t reflect recent legislative changes, or template contracts that miss industry-specific requirements (e.g., collective bargaining agreements that apply to certain sectors in France or Germany).
Level 2: Tax and social security compliance. The EOR’s entity must correctly withhold income tax, remit employer and employee social security contributions, file periodic returns, and issue year-end tax documents to employees. This is mechanical but high-stakes — errors result in penalties, interest, and potential criminal liability for the entity’s directors. The failure mode is miscalculation of contributions (especially in countries with complex, multi-fund social security systems like Brazil or Italy) or late filing of returns.
Level 3: Structural compliance — the EOR arrangement itself. This is where it gets interesting. Some jurisdictions scrutinize the EOR model itself: Is the EOR the genuine employer, or is the client company the de facto employer? Is the arrangement being used to circumvent labor law protections? Does the client company’s level of control over the employee create a direct employment relationship that the EOR structure can’t paper over? If you’re still evaluating whether EOR is the right legal setup for your hiring plan, start with what an EOR is and then compare it against alternatives in the global hiring models overview.
Germany’s AÜG (temporary employment law) is the most prominent example. If the EOR arrangement is classified as labor leasing (Arbeitnehmerüberlassung), the EOR needs a specific license, and the employee has rights to equal pay and conditions after 9 months. France has similar protections against “prêt de main-d’œuvre illicite” (illegal lending of workers). These aren’t theoretical risks — French labor inspectors have actively investigated EOR arrangements.
What It Costs
Compliance itself is embedded in your EOR fee. But compliance failures cost real money:
Payroll tax penalties: Late or incorrect tax filings typically result in penalties of 5%–25% of the underpaid amount, plus interest. In Germany, intentional payroll tax evasion can result in criminal prosecution of the entity’s managing director.
Social security penalties: Underpayment of social insurance contributions in most EU countries triggers penalties plus retroactive payment with interest. In France, URSSAF audits can go back 3 years and assess penalties of 5%–10% of unpaid contributions.
Worker misclassification fines: If the EOR arrangement is reclassified as an illegal labor leasing arrangement, penalties vary by jurisdiction. In Germany, fines can reach €30,000 per violation. In France, the sanctions include criminal penalties.
Employee claims: If an EOR employee is terminated without proper process, the claim is against the EOR’s entity — but the EOR passes the cost to you. Wrongful termination awards in markets like France or Spain can run 6–24 months’ salary. Your EOR contract should specify who bears this cost and under what circumstances.
Key Risks and Limitations
Permanent establishment (PE) is the compliance risk most companies underestimate. The EOR eliminates the need for an employment entity, but it doesn’t eliminate tax nexus risk. If your EOR-employed worker in Germany is negotiating deals, signing contracts, or creating binding obligations for your company, German tax authorities can argue you have a PE — a taxable presence — regardless of whether you have an entity. PE analysis is based on your business activities, not your employment structure. Get a PE risk assessment from a tax advisor for every country where you have EOR employees performing commercial functions.
Benefit-in-kind (BIK) compliance is routinely missed. If you give your EOR employee a laptop, pay for their home office setup, provide a gym membership, or give them a company credit card, these may be taxable benefits under local law. The EOR needs to report and withhold tax on these benefits. If you’re providing perks outside the EOR’s knowledge (e.g., buying equipment directly and shipping it to the employee), you’re creating an undeclared tax liability. Route all benefits and perks through the EOR so they can assess the tax treatment.
Working time and overtime compliance varies dramatically. The EU Working Time Directive limits working weeks to 48 hours. France’s statutory workweek is 35 hours. If your EOR employee in France is regularly working 50-hour weeks because your San Francisco team schedules calls at midnight Paris time, you’re creating a working time violation — and the EOR’s entity is liable. Clarify working time expectations with your EOR and ensure your management practices don’t inadvertently violate local limits.
Data protection (GDPR, LGPD, PDPA) creates compliance obligations for you AND the EOR. The EOR processes employee personal data as part of the employment relationship. You process employee data for management purposes. Both of you are data controllers or processors under applicable data protection law. Ensure your EOR has appropriate data processing agreements, employee privacy notices, and data retention policies. GDPR fines can reach €20 million or 4% of global annual turnover.
How It Compares to EOR
Here’s how compliance responsibilities split between the EOR model and alternatives. For deeper classification risk analysis, see EOR vs contractor and contractor vs employee (global).
| Compliance Area | EOR | Own Entity | Contractor |
|---|---|---|---|
| Employment contracts | EOR drafts and owns | You draft (or local counsel) | No employment contract (service agreement) |
| Payroll tax withholding | EOR handles | You handle (or outsource) | Contractor self-files |
| Social security | EOR enrolls and remits | You enroll and remit | No employer contributions |
| Termination compliance | EOR executes, you decide | You handle entirely | Contract termination terms |
| PE risk | Still your risk | Entity already exists | Still your risk |
| Worker misclassification | Eliminated (properly employed) | Eliminated (properly employed) | High risk if misclassified |
| Data protection | Shared responsibility | Your responsibility | Limited (B2B relationship) |
When NOT to Use This Model
You’re using EOR specifically to avoid establishing a taxable presence. If the primary reason for using an EOR is to avoid PE in a country where your business activities clearly constitute a PE, the EOR structure won’t protect you. Tax authorities look through employment arrangements to the underlying business activities. Get proper PE advice before relying on EOR as a PE avoidance strategy.
Your employees perform regulated activities requiring licensed employers. In financial services, healthcare, defense, and certain government contracting roles, the employer may need specific licenses or registrations. An EOR’s general-purpose entity may not hold these licenses, which means your employee can’t legally perform the work even though they’re legally employed.
You can’t commit to managing compliance actively. EOR reduces your compliance burden but doesn’t eliminate your responsibilities. You still need to manage PE risk, ensure working time compliance, route benefits through the EOR, and respond to audits. If you expect to sign an EOR contract and never think about compliance again, you’ll eventually be surprised by an enforcement action.
Your EOR uses partner entities in high-risk markets. Some EOR providers don’t own their entities in every country — they partner with local firms. In a partner-entity model, compliance quality depends on the partner, and your EOR may have limited visibility into the partner’s tax filings, social security remittances, and audit history. For high-risk markets (Brazil, France, Germany, India), verify whether your EOR owns the entity or uses a partner, and request compliance documentation either way.
When Not to Use This Approach
Your EOR uses partner entities rather than owned entities in key markets. When your EOR partners with a local third party to employ your people, the compliance chain lengthens and your visibility into actual filings decreases. In markets where owned-entity EORs are available (France, Germany, UK, Singapore), the compliance gap is too significant to ignore.
You’re in a regulated industry where employment compliance intersects with sectoral regulation. Financial services firms, healthcare companies, and defense contractors face compliance requirements — FSA registration, healthcare licensing, security clearances — that employment compliance software and EOR contracts don’t address. You need local sector-specific counsel in addition to your EOR.
You have employees in high-scrutiny jurisdictions without independent legal review. France, Germany, and Brazil have among the most active labor inspection environments in the world. Relying solely on your EOR’s standard compliance process in these markets is a known risk that independent legal review (€2,000–€5,000/year per country) mitigates cheaply.
Your EOR can’t produce compliance documentation on request. Tax filing receipts, social contribution statements, and payroll reconciliation reports should be available within 48 hours. If they’re not, the compliance infrastructure is either non-existent or inaccessible — both are disqualifying.
Frequently Asked Questions
How do I know if my EOR is actually filing taxes correctly in each country?
Ask for proof. Reputable EOR providers can produce tax filing receipts, social security contribution statements, and payroll reconciliation reports for each country. If your EOR can’t produce these on request, that’s a red flag. For high-value markets (where you have multiple employees or high salaries), consider engaging a local audit firm to independently verify the EOR’s tax filings annually. This costs $2,000–$5,000 per country but provides independent assurance.
What happens during a labor inspection at the EOR’s entity?
Labor inspectorates in some countries (France, Germany, Brazil, Spain) conduct periodic inspections of employer entities. If the EOR’s entity is inspected, the inspector may review employment contracts, working time records, payroll records, and workplace safety documentation for your employees. The EOR handles the inspection, but they may need information from you — particularly about the employee’s actual working conditions, hours, and duties. Establish a protocol with your EOR for responding to government inquiries.
Can a tax authority “look through” the EOR to treat us as the employer?
In some jurisdictions, yes. Germany’s AÜG framework, France’s labor leasing rules, and certain developing markets’ anti-avoidance provisions can reclassify the client company as the true employer if the arrangement lacks genuine substance — meaning the EOR entity has no real operational presence beyond paper employment. The risk is highest when the EOR uses shell entities with minimal local staff, and the client exercises complete control over the employee’s work, schedule, and tools.
Do I need separate legal counsel in each country where I use an EOR?
Not necessarily for day-to-day operations — that’s what you’re paying the EOR for. But for PE risk assessments, complex terminations, equity compensation, and any situation where the EOR’s interests might diverge from yours, independent local counsel is worth the investment. Budget $3,000–$10,000 per country for an initial compliance review and PE assessment, then use local counsel on an as-needed basis for complex situations.
To connect this guidance with live hiring demand, see hiring your first international employee and remote jobs by country.
Further Reading
- EOR compliance risks
- Remote hiring compliance
- EOR vs contractor
- Contractor vs employee (global)
- Global hiring models overview
- Compare EOR providers
- Top EOR reviews
- Hiring your first international employee
Further Reading
Was this page helpful?
Tell us or send a correction.