In 2026, companies sending employees on business travel are subject to a demanding regulatory framework: Labour Code obligations, the ISO 31030:2021 international standard, and European directives on traveller safety. Three texts, three levels of obligation. And a hard reality: 68% of mid-sized companies fail to meet all requirements — usually without knowing it.
The Regulatory Framework in 2026: Three Texts, One Obligation
Duty of care refers to the totality of an employer's legal obligations towards employees on business travel. These obligations are not optional. They derive directly from employment law, which requires employers to "take the necessary measures to ensure the safety and protect the physical and mental health of workers."
In 2021, the ISO published ISO 31030:2021 — Travel Risk Management, establishing an international reference framework for managing risks associated with business travel. While this standard is not legally binding in itself, it is the benchmark courts use when assessing whether an employer has fulfilled its enhanced duty of care. In plain terms: failing to comply creates a presumption of negligence.
Additionally, EU directives and their revisions impose traceability requirements for high-risk travel, particularly for companies in the financial and pharmaceutical sectors subject to enhanced compliance obligations.
The 3 Concrete Legal Obligations
Behind the regulatory language, three operational obligations apply to any company sending employees on business trips:
These three obligations form an indivisible set. Tracking without informing is not compliant. Informing without repatriation capacity is not either. Employment tribunals and insurance companies now systematically analyse all three dimensions whenever an incident involves a business traveller.
The Cost of Non-Compliance
Duty of care non-compliance is not an abstract legal concept. It has a quantifiable cost — and that cost is asymmetric: sanctions occur precisely when the company is already under stress from an incident.
| Risk | Nature | Exposure |
|---|---|---|
| Criminal fine | Breach of employer safety obligation | Up to €45,000 for the legal entity |
| Executive liability | Gross negligence or reckless endangerment | Personal criminal liability of CEO/CHRO |
| Insurance voidance | Non-compliance with risk management clauses | Policy nullified on claim in event of incident |
| Civil litigation | Damages to the employee | Depending on harm: tens of thousands of euros |
Most corporate travel insurance contracts contain a clause conditioning coverage on having a risk management system compliant with ISO 31030. In the event of an incident, if your company cannot demonstrate procedural compliance, the insurer can legitimately refuse to cover the claim — even if your policy is current and premiums are paid.
Recent court decisions have ruled against employers not for the incident itself, but for the absence of documented travel risk management procedures. Proof of compliance is as important as compliance itself.
How ZEPHYR Automates Compliance
The core problem with duty of care is not a lack of good intentions from travel managers — it is scalability. A company with 50 active travellers may have 15 to 20 people in transit simultaneously across multiple continents. Manual compliance — periodic checks, individual calls, generic alert bulletins — is structurally insufficient. ZEPHYR replaces this with an automated compliance pipeline in three phases:
Continuous Detection
ZEPHYR aggregates real-time data from over 800 airports, aviation weather bulletins (SIGMET/AIRMET), diplomatic security alerts, and operational disruption feeds (strikes, airspace closures, health restrictions). As soon as an event affects a tracked traveller's itinerary, the system detects it — on average 4 hours before the disruption becomes visible in booking systems.
Graded and Traceable Alerts
The alert is sent simultaneously to the traveller (SMS + email) and to the travel manager, with the criticality level, available rerouting options, and a certified timestamp. This timestamp is the key: in the event of a dispute, you can demonstrate that the traveller was notified at time T, before the incident, with the available options listed.
Repatriation Procedure Activation
If the criticality level triggers a repatriation protocol, ZEPHYR automatically identifies available alternatives (connecting flights, charter routes, ground transport), communicates them to the traveller, and opens a real-time tracking file until return is confirmed. The procedure is documented and exportable for your insurers.
The operational outcome for our clients: zero missed alerts on critical events, an average notification lead time of 11 minutes after incident detection, and compliance documentation exportable in one click for insurers or audits.
On the regulatory side, this automation simultaneously satisfies all three legal obligations — location tracking (real-time flight data), information (timestamped and traceable alerts), repatriation (activatable and documented procedure) — without adding operational burden to your travel team.
For Finance and Pharma companies, which must additionally demonstrate compliance within their ESG reporting and governance obligations, ZEPHYR produces quarterly duty of care activity reports in the format expected by auditors.
Conclusion: Compliance Is No Longer Optional
The regulatory framework for business travel duty of care has tightened significantly between 2021 and 2026. ISO 31030, recent case law, and rising insurer requirements have transformed what was seen as best practice into a real obligation — with real consequences.
The question is no longer whether your company is exposed. It is whether you can prove compliance before an incident forces you to demonstrate it after the fact, under crisis conditions.
Assess your real exposure in 3 minutes
Our simulator analyses your travel volume, destinations, and sector to calculate your precise disruption exposure — and the compliance status of your current duty of care setup.