EOR Handles Employment Compliance. Everything Else Is Still Yours.
The sales pitch is clean: the EOR owns the compliance liability, so you don’t have to worry about local employment law. That’s true — for employment law specifically. What it doesn’t cover is the list of compliance risks that sit outside the employment relationship but get triggered by having an employee in another country.
Permanent establishment. Tax nexus. Data privacy. IP ownership chain. Export controls. Anti-bribery. These are your risks, and an EOR agreement doesn’t transfer them. Companies that treat EOR as a compliance silver bullet find this out the hard way, usually during an acquisition due diligence or a tax authority inquiry.
Here are the risks that actually matter, ranked by how often they burn real companies.
Risk #1: Permanent Establishment Exposure
This is the big one. Having an EOR employee in a country does not, by itself, create permanent establishment (PE). But what that employee does might.
PE rules vary by jurisdiction, but the OECD Model Tax Convention provides the baseline most countries follow. A PE is typically triggered when a person in a country habitually exercises authority to conclude contracts on behalf of your company, or when your company maintains a fixed place of business through which it conducts operations.
What triggers PE through an EOR employee:
- The employee signs contracts with local customers on your behalf
- The employee negotiates deal terms or pricing (even without signing authority)
- The employee maintains a local office or warehouse that functions as your place of business
- The employee makes strategic decisions that bind your company in that market
What doesn’t trigger PE (usually):
- A software engineer writing code from their home office
- A customer support agent following scripts you provide
- A marketing manager executing campaigns designed at headquarters
- Any employee performing auxiliary or preparatory activities
The risk is highest with sales roles. If your EOR employee in France is meeting local clients, negotiating pricing, and closing deals — you likely have PE exposure in France regardless of the EOR structure. The French tax authority (DGFiP) has been increasingly aggressive about identifying PE through dependent agents.
What PE means financially: If a tax authority determines you have a PE, you owe corporate income tax on profits attributable to that PE — retroactively. In France, that’s a 25% corporate tax rate applied to allocated profits, plus penalties and interest for prior years. In India, PE can also create withholding tax obligations on payments to the foreign parent. The total exposure can reach hundreds of thousands of dollars for a single employee in a sales-facing role.
How to protect yourself: Limit what EOR employees can do. No contract signing authority. No negotiation of binding terms. Document the employee’s role explicitly in both the EOR service agreement and internal policies. Some companies maintain a PE risk matrix by country and role type. If you’re hiring a country manager or sales director through EOR, consult a tax advisor before the hire — not after.
Risk #2: Partner Entity Liability Gaps
When your EOR provider uses a partner entity (a local firm that employs your worker), you’re trusting a company you didn’t select and may never have vetted.
The chain looks like this: You → EOR Provider → Local Partner Entity → Your Employee. If the local partner makes a payroll error, files taxes late, or botches a termination, the employee suffers — and the fallout reaches you, even though you have no contractual relationship with the partner.
Real scenarios that go wrong:
Late payroll. The local partner processes payroll on a different schedule than your EOR provider communicated. Your engineer in Colombia gets paid on the 30th instead of the 25th. They’re upset. You’re upset. The EOR provider apologizes but can’t directly control the partner’s payroll timing.
Compliance gaps during provider switches. You decide to leave Provider A for Provider B. Provider A’s local partner terminates the employee. Provider B’s local partner rehires them. In between, there’s a 2-week employment gap. In some jurisdictions (Germany, France), this gap resets the employee’s tenure for termination protection purposes. Your senior engineer who was “unfireable” after two years is suddenly back in probation.
Tax filing errors. The local partner in India files the wrong TDS (tax deducted at source) code, and your employee gets a tax notice from the Income Tax Department. The employee blames you. The EOR provider blames the partner. The partner blames a system migration. Nobody fixes it quickly because the entity relationship adds friction to every escalation.
How to protect yourself: Ask every EOR provider which countries use owned entities and which use partners. For your highest-headcount or highest-risk markets, insist on owned-entity providers. If you’re using a partner-model provider, ask for the name of the local partner entity, how long the EOR has worked with them, and what audit mechanisms are in place. Put escalation SLAs in your service agreement that apply regardless of the entity model.
Risk #3: Termination Gone Wrong
Terminating an employee through an EOR in a protected market is the single most expensive thing that can go wrong. And it goes wrong a lot, because companies apply their home-country termination instincts to jurisdictions with fundamentally different rules.
Germany: After six months, employees at companies with more than 10 employees are protected by the Kündigungsschutzgesetz (Protection Against Dismissal Act). You need “social justification” to terminate — operational reasons, behavioral reasons, or personal capability reasons. “Not a good fit” doesn’t cut it. The EOR’s entity almost certainly has more than 10 employees, so the protection applies to your hire. Average cost of a wrongful dismissal settlement in Germany: 0.5–1.5 months’ salary per year of service. For a senior hire with 3 years of tenure, that’s 1.5–4.5 months’ salary.
Brazil: Termination without cause is legal but expensive. You owe a 40% FGTS penalty (40% of all FGTS deposits made during employment), prorated 13th salary, accrued vacation plus one-third vacation bonus, and notice pay (30 days plus 3 days per year of service, up to 90 days). For a $100K/year employee with 2 years of tenure, the termination bill can hit $25K–$35K.
France: Termination requires a formal process: preliminary meeting invitation (5 working days’ notice), the meeting itself, then a notification letter sent by registered mail. The entire process takes at minimum 2–3 weeks. Skip a step and the termination is procedurally void. Severance for employees with 8+ months of tenure is 0.25 months’ salary per year for the first 10 years, then 0.33 months’ per year after that. Wrongful termination awards can reach 12+ months’ salary for senior employees.
What goes wrong in practice:
- Company tells EOR “fire this person today” in a market that requires 30–90 days’ notice
- Company refuses to pay statutory severance because “we’re at-will in the US”
- Company doesn’t document performance issues before requesting termination, giving the employee a strong unfair dismissal claim
- EOR partner entity processes the termination incorrectly and the employee sues
How to protect yourself: Before hiring in any country, understand the termination rules. Not in theory — specifically. What notice period, what severance formula, what process. Ask your EOR for a termination fact sheet for each country. Start documenting performance issues early if a hire isn’t working out. Budget for severance. See our EOR termination guide for country-by-country specifics.
Risk #4: Tax Residency and Social Security Complications
EOR assumes your employee lives and works in one country. But people move. Remote workers travel. And tax authorities are paying attention.
The 183-day rule isn’t universal. Many countries use a 183-day physical presence threshold to determine tax residency, but it’s not the only test. The UK’s Statutory Residence Test considers ties like property ownership, family presence, and available accommodation. Germany looks at habitual abode. Some countries (India) use 60-day thresholds for returning citizens.
Dual tax residency is real. An employee on your EOR in Ireland who spends 200 days working from Portugal may trigger Portuguese tax residency while remaining Irish tax resident. This creates dual obligations: social security in one country, income tax potentially in both (mitigated by double taxation agreements, but only if properly claimed).
Social security conflicts. EU countries use the A1 certificate system to determine which country’s social security applies when an employee works across multiple EU states. Outside the EU, bilateral social security agreements (or lack thereof) create gaps where an employee might owe social security contributions in two countries.
What goes wrong: Your EOR employee in the Netherlands takes a 4-month “workcation” in Spain. Spain’s tax authority considers them tax resident (they exceeded 183 days when combined with other visits). The EOR was reporting payroll in the Netherlands. Now there’s a tax filing gap in Spain and a potential double-taxation issue. The EOR wasn’t tracking the employee’s location because nobody told them.
How to protect yourself: Implement a work-from-anywhere policy that defines where employees can and cannot work. Require employees to report location changes beyond a threshold (e.g., 30+ days in another country). Ask your EOR what tracking mechanisms they have — some providers (Deel, Remote) offer location tracking or policy tools. Don’t assume EOR employees will stay put.
Risk #5: IP Assignment Failures
The standard EOR setup creates a two-hop IP chain: Employee → EOR Entity → Your Company. If either hop breaks, you don’t own the IP.
Hop 1: Employee to EOR. The employment contract should include an IP assignment clause assigning all work product to the EOR entity. Most EOR providers include this by default, but the enforceability varies by jurisdiction.
Hop 2: EOR to Your Company. The service agreement between you and the EOR should include a clause assigning (not licensing) all IP from the EOR to you. Some EOR templates default to a license rather than an assignment. A license gives you permission to use the IP. An assignment gives you ownership. During M&A due diligence, acquirers care about the difference.
Jurisdictions that complicate IP assignment:
- Germany: The Employee Inventions Act (Arbeitnehmererfindungsgesetz) gives employees rights to inventions made during employment. The employer must formally claim the invention within 4 months. If the EOR entity doesn’t follow this process, the employee may retain rights.
- India: The Patents Act, 1970 assigns patent rights to the employer only if the invention was made “in the course of the employee’s duties.” The employment contract needs explicit IP assignment language beyond the statutory default.
- France: Software created by employees belongs to the employer by default under the Intellectual Property Code (Article L113-9), but other types of IP (inventions, designs) follow different rules.
What goes wrong: Company acquires a startup. During due diligence, lawyers discover that 3 engineers were employed through an EOR in India, the IP assignment clauses in the employment contracts were boilerplate and didn’t account for Indian IP law, and the service agreement with the EOR granted a license rather than an assignment. The acquirer demands the IP chain be cleaned up — which requires getting signatures from the EOR entity and potentially the employees — or discounts the acquisition price.
How to protect yourself: Review the actual IP clauses in every EOR employment contract. Don’t accept defaults. Have your IP counsel review the two-hop chain. Insist on assignment, not licensing, in the service agreement. For engineering-heavy teams, this is worth getting right before the first hire, not during a funding round. See our IP protection guide for detailed best practices.
Risk #6: Data Privacy Compliance
EOR employees generate personal data: payroll information, health records (for benefits), tax IDs, bank details. This data flows between you, the EOR provider, and potentially the local partner entity.
GDPR applies to all EU-based EOR employees. If your EOR employs someone in Germany, GDPR governs how their personal data is collected, processed, stored, and transferred. Cross-border data transfers (e.g., employee data flowing from the EOR’s German entity to your US headquarters) require appropriate safeguards — Standard Contractual Clauses, Binding Corporate Rules, or an adequacy decision.
Most EOR providers handle GDPR compliance as part of their service. But the responsibility for lawful processing is shared. Your service agreement should specify who is the data controller (typically you, for the purposes of managing the employment relationship) and who is the data processor (the EOR, for payroll and HR administration). Get this wrong and both parties face exposure.
What goes wrong: Company shares detailed performance data about an EOR employee in France with a US-based manager using an internal tool that stores data in US data centers. No data processing agreement in place. No adequate safeguards for cross-border transfer. GDPR fines for violations like this run up to €20M or 4% of global annual turnover, whichever is higher.
How to Audit Your EOR Compliance Exposure
Run this checklist annually, or before any major event (funding round, acquisition, entering a new market):
- PE risk review. Map each EOR employee’s role against PE triggers. Sales-facing roles in high-enforcement countries (France, Germany, India, Australia) get extra scrutiny.
- Entity model audit. Confirm which countries use owned vs. partner entities. Request partner entity names and compliance certifications for your top markets.
- IP chain verification. Confirm assignment (not license) language in both the employment contract and the service agreement. Flag any country-specific IP rules.
- Termination readiness. Confirm you have termination fact sheets for every country where you have EOR employees. Budget for worst-case severance.
- Data flow mapping. Document where employee data sits, who accesses it, and what transfer mechanisms are in place for cross-border flows.
- Tax residency monitoring. Confirm employees are working where you think they are. Implement location tracking or self-reporting requirements.
When Not to Use This Approach
Your employees are signing contracts with local clients on your behalf. This is the most direct route to permanent establishment. The EOR employment arrangement doesn’t protect you from PE if your people are concluding contracts in the country. The PE exposure exists independently of the employment structure.
Your EOR uses a partner entity model in a market where PE thresholds are low. In India and China especially, partner-entity EOR arrangements create additional risk because the local partner’s entity may already have PE triggers from other clients — and your employees’ activities layer on top.
Your IP is critical and you haven’t had country-specific IP assignment clauses reviewed by local counsel. Template EOR IP clauses are starting points, not guarantees. Germany, Netherlands, Canada, and several other jurisdictions have statutory IP rules that can override assignment clauses in ways that aren’t obvious from the contract language.
Your business requires regulated local licenses the EOR entity can’t hold on your behalf. A financial services license, healthcare provider registration, or legal practice certification typically must be held by the entity employing the licensed individual. An EOR’s entity can’t hold a license it hasn’t applied for and doesn’t operate under — confirm before hiring licensed professionals through EOR.
Frequently Asked Questions
Does the EOR indemnify me for compliance mistakes?
Most do, but read the fine print. Many EOR service agreements cap indemnification at the total fees you’ve paid — which, for a 1-year engagement at $599/month, is $7,188. That’s inadequate if the compliance failure costs $50K in German wrongful termination liability. Negotiate uncapped (or higher-capped) indemnification for compliance errors that are the EOR’s fault.
Can I be held liable for my EOR employee’s actions?
For employment law purposes, the EOR is the liable employer. But for tax, regulatory, and commercial purposes, your company’s actions through the employee can create liability. If your EOR employee in India signs a contract with a local vendor on your behalf, you’re commercially bound regardless of who the legal employer is.
How do I know if my EOR provider is actually compliant?
Ask for their compliance certifications (SOC 2, ISO 27001 for data security). Request references from companies of similar size in your key markets. Ask how they handle regulatory changes — do they proactively update employment contracts when local law changes, or do they wait until you ask? The good providers (like Remote and Deel) publish transparency reports and maintain internal legal teams in their major markets.
Further Reading
- EOR Termination Guide — Country-by-country termination procedures
- EOR IP Protection — Securing your intellectual property through EOR
- How Does an EOR Work? — The full operational model
- EOR vs. Setting Up Your Own Entity — When entity control outweighs EOR convenience
- Remote Hiring Compliance — Legal requirements for international remote teams
- Compare EOR providers
- Top EOR reviews
- Hiring your first international employee