
What Happens When Your EOR Gets It Wrong — And Who's Liable?

EOR providers make mistakes. Understanding where liability sits — and how to protect yourself — is essential before you sign.

Last updated on: May 14, 2026

EOR is not a compliance guarantee

Hiring through an EOR transfers significant compliance responsibility to the provider — but not unlimited liability. When an EOR makes a payroll error, misfiles a tax return, or mishandles a termination, the consequences can fall on your business as well as theirs. The client company is almost never the legal employer in the statutory sense, but it is almost always economically exposed through indemnification carve-outs, joint-and-several liability regimes in certain jurisdictions, and reputational blowback with the affected employee. Understanding exactly where the line sits — between what the EOR owes you, what you owe the EOR, and what neither of you can contract around — is the difference between a manageable incident and a crisis.

This post walks through the three layers of liability in every EOR relationship, the four error patterns that produce the most claims, the indemnification carve-outs that matter most in practice, and a practical protection framework you can use before and after signing. If you are still choosing a provider, pair this with the 12-question evaluation framework — SLA, liability, and indemnification sit at the core of any serious due-diligence process.

What an EOR actually promises — and what it does not

An EOR assumes the role of legal employer in the target country, which means it is the entity on the employment contract, the entity filing payroll taxes, the entity registering the employee with social security, and the entity against which a statutory employment claim is typically brought. The client company remains the commercial principal — it directs the work, pays for the service, and makes the hiring and firing decisions — but it does not appear on the statutory employment relationship itself.

What this means in practice is that the EOR carries the first-line compliance burden: payroll accuracy, statutory filings, contract compliance, benefits enrolment, and termination procedure. What it does not mean is that the client is insulated from consequences when any of those break down. In several jurisdictions (notably Germany, France, Brazil, and South Africa), case law has established joint-and-several liability between the legal employer and the economic beneficiary of the work. In most jurisdictions, the EOR's indemnification obligation to the client is capped — at 12 months of fees, or a fixed monetary ceiling — which can be materially less than the exposure on a serious incident.

The three layers of liability in every EOR relationship

Statutory liability — the authority vs the employer of record

Statutory liability is what the tax authority, labor inspectorate, or social security agency can levy against the entity on the employment contract. This sits with the EOR by design. When URSSAF issues a requalification or BAFA assesses an LkSG penalty, it is the EOR that receives the notice. The EOR pays the fine or negotiates the settlement, subject to any statutory appeal rights.

The exception is when the authority pierces the EOR structure — which some jurisdictions will do if the EOR is structurally undercapitalized, if the economic reality of the relationship is substantively a direct employment between the client and the employee (a form of "sham EOR" doctrine applied in Germany's Arbeitnehmerüberlassung framework), or if the client gave specific instructions that caused the breach.

Contractual liability — the indemnification spectrum

Contractual liability is what the EOR owes the client (and vice versa) under the master services agreement. A well-drafted EOR agreement indemnifies the client for errors that are solely the EOR's fault — a payroll calculation error, a missed statutory filing, a contract drafting mistake. The coverage is reciprocal: the client typically indemnifies the EOR against claims arising from the client's instructions, the client-provided data, or changes the client directed outside the EOR's recommendation.

The practical range: strong contracts cap EOR liability at 12–24 months of fees with carve-outs for gross negligence and willful misconduct that remove the cap. Weak contracts cap at 3–6 months of fees and include broad carve-outs that exclude anything touching client data or client instructions. The contract-red-flag guide covers the specific language to look for.

Operational and reputational liability

The third layer is the one that does not appear in the contract but shows up in practice. If an employee's salary is paid late through an EOR's error, the employee calls the client — not the EOR — and the relationship damage is with the client. If a termination is botched and the employee posts about it on LinkedIn, the client's employer brand is the one affected. These exposures are not legally assignable and do not show up on any balance sheet, but they are the reason operational discipline matters as much as the indemnification language.

The four error patterns that produce the most claims

Payroll errors

Underpayment, late payment, incorrect tax withholding, or missed statutory contribution filings are the most frequent error mode. The statutory consequence varies materially by jurisdiction. In the UAE, the Wage Protection System (WPS) flags late payroll automatically and the Ministry of Human Resources and Emiratisation can issue immediate fines and suspend the employer's ability to process further visas. In Mexico, late IMSS or INFONAVIT filings trigger automatic percentage surcharges that compound monthly. In France, a missed DSN filing generates an URSSAF penalty plus regularization within 30 days. In South Africa, late UIF or SDL filings trigger SARS penalties and interest. Our UAE hiring guide, Mexico guide, and South Africa guide cover the country-specific mechanics.

Most payroll errors are resolved within one cycle with minimal statutory consequence, but cumulative or systemic errors — three missed filings in a row, or a pattern of late payments across multiple employees — can trigger an audit that extends 2–3 years backwards.

Incorrect employment contracts

If an EOR issues a contract missing mandatory clauses, incorrect notice periods, or non-compliant probation terms, the contract may be deemed void or unenforceable in the affected jurisdiction. The employment relationship usually does not disappear — instead, it reverts to the statutory default, which in most civil-law jurisdictions is materially more favorable to the employee than what the contract intended.

Common failure modes: French CDD fixed-term contracts issued in situations not permitted by the Code du Travail (which automatically convert to CDI indefinite contracts at significant cost on termination), German befristet fixed-term contracts missing the required justification (automatically converting to permanent), Brazilian contracts missing mandatory CLT clauses (triggering full statutory benefits retroactively), and UK contracts that inadvertently create IR35 exposure when intended as contractor arrangements. The IR35 guide covers that specific failure mode.

Mishandled terminations

Termination is the highest-risk event in the employment lifecycle, and most EOR liability claims cluster here. The procedural requirements vary sharply by jurisdiction. In South Africa, a dismissal without a CCMA-compliant disciplinary hearing is procedurally unfair and almost always results in reinstatement or compensation of 6–12 months of salary. In Germany, a dismissal during the protected period of parental leave or pregnancy is void under the Kündigungsschutzgesetz and the employee must be reinstated. In France, a licenciement without documented cause réelle et sérieuse or without the pre-termination interview (entretien préalable) is procedurally defective and usually settles at 6–18 months of salary. In Mexico, a termination without causa justificada triggers 90 days of salary plus 20 days per year of service plus 12 days of seniority premium.

The EOR bears primary responsibility for running the correct procedure, but the client typically triggers the decision. If the client directs an immediate termination without waiting for the statutory procedure, the resulting exposure often shifts to the client under the indemnification carve-outs. The Germany works-council guide covers the consultation mechanics that sit alongside the termination procedure in collectively-represented workforces.

Misclassification exposure

Misclassification is a distinct failure mode that appears in the EOR context only when a contractor is routed through an EOR's "contractor management" product rather than the EOR's actual employment product. In these arrangements, the EOR is not the legal employer; it is an intermediary, and the misclassification risk stays with the client. If a tax authority (URSSAF, IRS, HMRC, Deutsche Rentenversicherung) requalifies the relationship into employment, the client bears the back-contributions and penalties, not the EOR. This is one of the most common misunderstandings in the market. Our misclassification risk guide and the risk quiz cover the statutory tests and the country-by-country penalty exposure.

Where liability typically sits — the indemnification carve-outs that matter

A well-drafted EOR agreement indemnifies the client for errors that are solely the EOR's fault. Every real contract, though, contains carve-outs that reallocate liability back to the client in specific scenarios. The ones that matter most in practice:

  • Client-provided information. If the client gave incorrect data (wrong salary, wrong start date, wrong tax residency, wrong working hours), and the EOR processed payroll against that data, liability sits with the client. Keep audit-trail documentation of every piece of information you submit.
  • Client-directed actions. If the client instructed an action the EOR flagged as non-compliant — for example, firing an employee mid-parental-leave in Germany, or issuing a French CDD in a non-permitted situation — liability sits with the client. The EOR's email flagging the non-compliance is the evidence that matters.
  • Changes outside the contract. If the client directly communicated new terms to the employee (a raise, a role change, a shift in working hours) without routing through the EOR, and the EOR then processed payroll against the old terms, the discrepancy is the client's responsibility.
  • Acts of the client's other group entities. If a parent company, sister company, or separate affiliate directs action without going through the EOR contract, the EOR is not responsible for the downstream consequences.

The practical test on any indemnification clause is to ask: "What would I need to prove in a dispute for this indemnification to pay out?" If the answer is "the EOR's handwritten admission of sole fault," the clause is too narrow. If it is "a written trail of EOR-executed actions," the clause is workable.

How to protect yourself — before signing

Four structural protections that most buyers do not put in place, and that meaningfully change the risk profile.

First, read the indemnification clauses carefully. Map the carve-outs against your actual operating model. If your internal process involves managers communicating directly with their reports on compensation changes, you are running constant indemnification exposure and you need to either change the process or negotiate the clause. If your employees have complex cross-border situations (US-UK dual residency, German assignments into France, remote work from jurisdictions other than the contract country), specific carve-outs for those scenarios need to be addressed explicitly.

Second, check the provider's professional indemnity insurance. Ask for a copy of the policy certificate, confirm the coverage limit (reputable providers carry £10M–£25M in PI cover), confirm the policy covers EOR-specific risks (payroll errors, tax misfiling, incorrect contracts, wrongful termination), and confirm you are listed as a named beneficiary or that subrogation rights are not excluded. A provider that will not produce the policy certificate is a provider you should not sign with.

Third, run the contract through Compareor's 20-point contract audit checklist before signing. The checklist flags indemnification caps below 12 months of fees, carve-outs that exclude payroll errors, exit clauses that lock in beyond the insurance coverage window, and data-protection liability allocations that are not GDPR-compliant.

Fourth, for any material hire — C-suite, senior engineer above €150K, a hire into a complex jurisdiction — consider having the EOR contract reviewed by local counsel in the target country. The cost is €2,000–€5,000. The downside of not doing it can run into six figures.

How to protect yourself — after signing

Ongoing operational discipline matters at least as much as contract negotiation. Three practices separate the companies that weather incidents cleanly from the ones that end up in disputes.

Maintain your own records of every employment decision and approval. When the EOR asks for sign-off on a termination, a promotion, a contract change, respond in writing and keep the thread. Every indemnification dispute ever litigated has turned on the documentary trail.

Monitor payroll outputs monthly. Check at least one employee's payslip each cycle for correct gross, correct tax, correct contribution bands, and correct net. Cumulative errors that go undetected for 6 months are materially harder to unwind than errors caught in month one.

Escalate quickly when something looks wrong. The typical EOR support SLA is 24–48 hours for standard queries and 4 hours for payroll-critical items. If a response does not come within the SLA, escalate to the account manager the same day. Issues that fester become incidents.

What to do if your EOR makes a mistake

The sequence that minimizes downstream exposure:

  • Document the error immediately. Screenshot the incorrect payslip, filing confirmation, or contract. Capture dates, amounts, and affected employees.
  • Attempt to remediate quickly with the EOR. Most errors — a late filing, a wrong net pay, a missing benefit enrolment — are fixable within one pay cycle if flagged fast.
  • Notify affected employees proactively once the fix is in place. Employees who hear bad news from their manager with a clear fix-path almost always respond well; employees who discover errors themselves and have to chase escalate the issue emotionally.
  • Invoke indemnification in writing if the fix requires financial restitution beyond the EOR's remediation. This triggers the contract's notice-and-cure period and starts the insurance claim clock.
  • If the incident is material, engage local counsel. Indemnification disputes are won or lost on process. Evidence collected in the first 30 days is what decides the outcome.

If the incident is severe enough that continued operation with the provider is untenable, the switching guide and the 50-company migration case-study cover how to sequence the transition without compounding the original error.

Frequently asked questions

If my EOR makes a payroll error, am I liable?

The EOR is primarily liable to the statutory authority and to the employee. You are indirectly exposed through the indemnification structure and reputationally with the employee. Well-drafted contracts indemnify you for EOR-caused errors, with the carve-outs above. Read the clause before signing, not after the error.

What insurance should my EOR carry?

Professional indemnity at £10M–£25M minimum, employer's liability where statutorily required, cyber/data-breach coverage, and (ideally) a fidelity bond against internal fraud. Ask for the policy certificate and confirm the coverage periods and subrogation rights.

Can I be personally liable as the client contact?

In almost all jurisdictions, no — the EOR is the legal employer and the client company is the commercial principal. The exceptions are Germany, where AÜG sham-employment claims can reach a director under specific circumstances, and Brazil, where CLT fraud can create personal exposure. These are rare and generally preventable with clean documentation.

What is the difference between indemnification and insurance in EOR contracts?

Indemnification is the EOR's contractual promise to cover your losses from its errors, capped at a defined amount. Insurance is the policy backing that promise. A contract with strong indemnification and no insurance means the EOR pays from operating cash, which is fine if they are well-capitalized and catastrophic if they are not. You want both.

Should I hire my own local counsel even if I have an EOR?

For routine hires in straightforward markets, no — the EOR's local expertise is what you are paying for. For material hires (senior executives, first hires in complex markets, mergers or acquisitions, any situation involving non-standard equity or deferred compensation), yes. €2K–€5K of local counsel review is cheap insurance against a six-figure mistake.

Bottom line

EOR is a powerful compliance structure, not a compliance guarantee. Statutory liability sits with the EOR by design; contractual liability is allocated through indemnification with carve-outs that matter in practice; operational and reputational liability never fully transfers at all. The companies that navigate EOR relationships well are the ones that treat the indemnification clause as a procurement artifact worth negotiating, maintain documentary trails on every material decision, monitor payroll outputs as a standing operating discipline, and escalate early when something looks wrong.

The providers worth working with know this and structure their contracts and insurance accordingly. The ones that resist transparency on indemnification caps, PI coverage, or subrogation rights are signalling the exact shape of the relationship you will have after signing. Run the contract audit checklist before signing, pressure-test the shortlist through the comparison tool, and the 12-question framework will surface the providers that can carry the risk you are transferring.
