The Health and Safety Checklist for International Tech Expansion

UK tech companies expanding internationally have never had it easier on paper. Employer of Record (EOR) providers like Deel, Remote, Velocity Global, and Multiplier let a UK company employ someone in Berlin, Paris, Madrid, or San Francisco within days, without setting up a local entity. Payroll, tax, employment law basics, and benefits administration are handled. The friction that used to take months and a six-figure legal budget now takes a credit card.
What this convenience hides is a meaningful compliance gap that catches UK tech founders out at precisely the wrong moment, usually during investor due diligence, M&A, or after the first workplace incident in a new country. The EOR contract does not cover occupational health and safety obligations in the countries where your people now work. ISO 45001 is becoming the investor-expected baseline. Country-specific risk assessment formats, mandatory training in local languages, named responsible persons, local reporting regimes, and country-specific working time rules all apply from day one of operation, regardless of how the legal employment relationship is structured.
This guide is a sequential health and safety checklist for UK tech companies expanding internationally. It covers what the EOR does and does not handle, the duties that apply from day one in any new country, the biggest country-specific variations, the ISO 45001 unifying play, and how the position is judged by investors and acquirers. It is written for founders, Heads of People, COOs, General Counsel, and international expansion leads in scaling tech companies.
The principle that catches everyone out
Occupational health and safety duties are not transferable across borders. A UK company's compliance with UK Working Time Regulations, the Health and Safety at Work etc. Act 1974, and the Management of Health and Safety at Work Regulations 1999 is not relevant in France, Germany, the Netherlands, or the US. Each country has its own framework, its own risk assessment requirements, its own training duties, its own injury reporting regime, and its own enforcement bodies with different powers.
The EU framework adds some commonality through Framework Directive 89/391/EEC, but the directive only sets minimum standards. National implementation varies substantially. France's risk assessment requirement (the Document Unique d'Évaluation des Risques Professionnels, DUERP) is a different document from Germany's Gefährdungsbeurteilung, which is different again from Italy's Documento di Valutazione dei Rischi (DVR). The European Court of Justice's 2019 ruling in Federación de Servicios de Comisiones Obreras v Deutsche Bank requires employers to record working time, but each member state has implemented it differently.
US obligations are managed at federal level through OSHA, but several states (California, Washington, Oregon, Michigan, and others) operate their own state-OSHA programmes with stricter rules. New York City has additional employer duties. Workers' compensation insurance is mandatory and varies state by state.
The principle is straightforward: each country your tech company operates in has its own occupational health and safety regime, and your duties under each begin the day you hire your first worker in that country.
What an EOR does (and does not) cover
Employer of Record providers serve a specific and legitimate purpose. Understanding what they actually do is the first step in understanding the gap.
What an EOR typically covers:
- Payroll processing in local currency, with correct tax withholding
- Employment contracts compliant with local employment law
- Statutory benefits (paid leave, parental leave, pension contributions)
- Social security contributions and tax administration
- Termination procedures and local notice periods
- Basic onboarding and offboarding compliance
What an EOR typically does not cover:
- Country-specific occupational health and safety risk assessments
- DSE or workstation assessments (whether for home, hybrid, or office work)
- Country-specific safety training delivered in local language
- Designated local health and safety representative roles required by some jurisdictions
- Working time monitoring beyond payroll requirements
- Mental health and stress risk assessment under local frameworks
- Investigation, reporting, and management of workplace incidents
- Local fire safety and premises compliance where the worker uses a leased office or coworking space
- ISO 45001 management system requirements
- Investor or acquirer due diligence evidence
This is not a criticism of EOR providers. The services they sell are clearly defined. The gap is one of assumption: many UK tech founders treat EOR coverage as equivalent to full compliance, which it is not on the occupational health and safety side. The duty for these matters sits with the operating business that engages the worker, regardless of which legal entity employs them on paper.
Some EOR providers are now beginning to offer ancillary H&S services, often through partner networks. Where they do, the offering is usually limited and not aligned with ISO 45001 or with investor due diligence standards. The model continues to assume that H&S sits with the business operating the worker, not with the legal employer.
Pre-launch checklist: before you hire in a new country
Start this phase at least four weeks before the first worker starts. Some of the documentation cannot be retrofitted and the local representative roles take time to fill.
Understand the local regulatory framework
For each new country:
- Identify the lead national health and safety legislation and the relevant regulator
- Identify any state, regional, or sectoral variation that applies
- Confirm the threshold at which various obligations bite (employee count thresholds for works councils, safety committees, named representatives)
- Understand the local injury reporting regime and the thresholds for notifiable incidents
- Understand the local working time framework and any local right-to-disconnect rules
A general overview is useful, but the specifics drive the work. France's CSE (Comité Social et Économique) is required from 11 employees. Germany's Betriebsrat (works council) rights apply from 5 employees. Spain's working time recording requirement applies from the first employee. These thresholds matter for the project plan.
Decide your local presence model
The presence model determines which duties apply:
- Fully remote workers, no local office. Worker uses their home as workplace. Country-specific home worker H&S duties apply.
- Coworking or serviced office membership. Building-level compliance sits with the operator. Worker-level and team-level compliance still sits with your company.
- Leased local office. Full premises responsibility, including local fire safety, asbestos register (where applicable), workplace welfare obligations, and emergency procedures.
- Local subsidiary or branch. Additional duties as a registered employer in that country.
For most UK tech companies in early international expansion, the model is fully remote or coworking-based. The H&S obligations are smaller than for leased offices but they are not zero.
Confirm what the EOR will and will not handle
Get written confirmation from your EOR provider, country by country, of which H&S duties they cover under your contract and which they do not. The default position is usually "we do not cover OHS". Have this in writing before the first hire, not after.
Identify the local responsible person
Most countries require a named individual responsible for occupational health and safety:
- Germany: Sicherheitsbeauftragte (safety officer) for workplaces over 20 employees; Fachkraft für Arbeitssicherheit (specialist safety officer) at higher thresholds
- France: a designated salarié compétent for OHS, plus the CSE responsibilities at 11+ employees
- Italy: RSPP (Responsabile del Servizio di Prevenzione e Protezione) for every employer
- Spain: a designated worker or a contracted external prevention service (SPA)
- Netherlands: a preventiemedewerker (prevention worker) for every employer
- US: requirements vary by state and sector; no single equivalent role
Some of these can be filled by an external service. Others require an employee. Some require formal qualifications. Plan the role appointment as part of the country launch, not afterwards.
Plan local language documentation and training
Most countries require that key safety information be made available to workers in the local language. English-only safety inductions, policies, and risk assessments written for the UK typically do not meet the local duty. Plan for:
- Translation of core safety documents (or local versions where the framework requires)
- Local-language onboarding for new hires
- Local-language emergency procedures and first aid information
- Local-language DSE or workstation guidance where applicable
Post-launch checklist: the first 90 days in a new country
Once the first worker is operational in a new country, the H&S clock starts. The following items should be addressed in the first 90 days.
Country-specific risk assessment
Conduct and document a risk assessment using the local format:
- France: DUERP
- Germany: Gefährdungsbeurteilung
- Italy: DVR
- Spain: Evaluación de Riesgos Laborales
- Netherlands: RI&E (Risico Inventarisatie en Evaluatie)
- US: state-OSHA equivalent or general OSHA hazard assessment
UK-style risk assessments do not satisfy these requirements regardless of how thorough they are. The format and the language matter. The assessment must reflect the actual workplace and tasks of the workers in that country.
Workstation and DSE assessments
For remote and hybrid workers, the home workstation assessment is a duty in most European jurisdictions. The format varies. The duty does not. For office-based workers, the assessment reflects the specific workplace.
Working time records
Following the 2019 CJEU Deutsche Bank ruling and its national implementations, working time records must be kept. Spain, France, and Germany are particularly strict. The arrangement should be operational from the first day of work in those countries, not retrofitted later.
Local injury and incident reporting setup
Configure your incident reporting process to capture local notifiable thresholds:
- France: déclaration d'accident du travail to URSSAF within 48 hours
- Germany: Unfallanzeige to the relevant Berufsgenossenschaft for incidents with 3+ days absence
- Italy: INAIL reporting for absences over 3 days
- US: federal OSHA Form 300 for recordable injuries; state variations apply
Workers' compensation insurance is mandatory in most countries and is separate from your UK employers' liability cover. Confirm with the EOR who is responsible for the policy.
Local first aid, fire, and emergency arrangements
For workers using a coworking space, the operator usually handles building-level fire safety and first aid. The duty to know the arrangements still sits with your business. For leased offices, you are the responsible person for the local equivalent of the UK Fire Safety Order duties, applying the local framework. Most European jurisdictions require similar fire risk assessments and emergency planning.
Mental health and stress
Several jurisdictions are notably stricter than the UK on workplace mental health:
- France: extensive jurisprudence on harcèlement moral (psychological harassment) and the employer's duty to prevent psychosocial risks. Stress assessment is part of the DUERP.
- Sweden: the Work Environment Authority's AFS 2015:4 places explicit duties on employers to assess organisational and social work environment factors.
- Spain: ITSS (labour inspectorate) actively enforces on psychosocial risk.
Companies expanding from the UK into these jurisdictions often underestimate the local expectations. UK Working Time Regulations compliance is a useful starting point but not a substitute for the country-specific frameworks. See our Working Time Regulations guide for the UK position and the broader link to mental health duties.
The ISO 45001 unifying play
For tech companies operating in two or more countries, the question quickly becomes how to maintain consistent standards without reinventing the wheel in each jurisdiction. ISO 45001:2018, the international standard for occupational health and safety management systems, is the answer most multinationals settle on.
ISO 45001 sets out a management system framework that:
- Applies consistently across jurisdictions while accommodating country-specific legal requirements
- Provides a single audit-ready evidence base for investors, acquirers, and clients
- Treats psychological health on the same footing as physical health
- Aligns with ISO 9001 and ISO 14001 for businesses pursuing integrated management systems
The standard does not replace country-specific compliance. It overlays a management system on top of it, so that country-by-country compliance becomes the operational output of a consistent global approach.
Tech companies considering certification typically reach the decision point around Series B or when the third country is added to the operating footprint. Earlier is better. Building the system as the company expands is easier than retrofitting it after the international footprint is mature.
Arinite is certified to ISO 45001:2018 and supports clients across 50+ countries to implement equivalent systems. The certification matters because clients increasingly ask for it in tenders and because investors increasingly ask for it in due diligence.
What investors and acquirers will ask
Health and safety has historically been a low-priority area in tech investment due diligence. That has changed. Three drivers are pushing it up the agenda:
ESG reporting requirements. The EU Corporate Sustainability Reporting Directive (CSRD) and the UK's evolving ESG reporting framework both treat occupational health and safety as a material reporting topic. Workforce safety metrics are now expected disclosures for in-scope companies.
Investor portfolio risk. Several high-profile cases of post-acquisition H&S liability discovery have made VCs and PE firms more cautious. Some investor portfolios now require minimum H&S management standards as a condition of funding or as a covenant in shareholders' agreements.
Acquirer due diligence depth. Strategic acquirers, particularly those with mature ESG functions, conduct full H&S due diligence on targets. A target with multi-country operations and inconsistent or undocumented H&S management is a deal-stage risk.
Typical due diligence questions a tech founder should be ready to answer:
- Do you have a documented occupational health and safety policy that applies globally?
- For each country of operation, do you have a current risk assessment in the local format and language?
- Who is the named local responsible person in each country, and what is their qualification?
- What is your workplace incident rate, and how does it compare across jurisdictions?
- How do you train workers on health and safety, and how do you record that training?
- Do you hold ISO 45001 certification or are you pursuing it? What is the timeline?
- What is your working time tracking arrangement in jurisdictions requiring it?
- What insurance cover do you maintain for workers' compensation or equivalent in each country?
- Have you had any regulatory enforcement action in any jurisdiction in the last five years?
Most growing tech companies cannot answer most of these questions cleanly when first asked. Doing the work properly during scaling is far less expensive than reconstructing it during a deal.
Country-specific call-outs worth knowing
Five jurisdictions where UK tech companies most often hit unexpected friction.
France. DUERP risk assessment is mandatory and must be updated annually. The 35-hour week is the legal reference (though many tech roles use cadres dispositions to manage around this). Right to disconnect (droit à la déconnexion) is enshrined in law. Psychosocial risk assessment is part of the DUERP. The Inspection du Travail is active and well-resourced. CSE establishment is required from 11 employees.
Germany. The dual system of statutory accident insurance (Berufsgenossenschaften) plus state Arbeitsschutz authorities is genuinely powerful. Works councils (Betriebsrat) have co-determination rights from low headcount thresholds and can compel changes to safety arrangements. Working time enforcement is strict.
Spain. Working time recording has been mandatory since 2019 and is enforced robustly by the ITSS. Risk assessment must be conducted by a qualified service or designated worker. Psychosocial risk assessment expectations are growing.
Netherlands. RI&E (risk assessment) is mandatory for every employer and must be reviewed by a certified safety expert (Arbo professional) for most companies. The Arbobeleid (working conditions policy) is a separate documented requirement.
United States. Federal OSHA plus state-OSHA variation. California's Cal/OSHA, Washington L&I, and New York City requirements all add layers. Workers' compensation insurance is mandatory and state-specific. Heat illness prevention, ergonomic, and (in some states) psychological safety rules are increasingly active.
This is not the full list. Italy, Belgium, Switzerland, Sweden, Denmark, Norway, Ireland, Australia, and Singapore all have their own meaningful frameworks. The principle remains the same: each country has its own regime, and your duties begin from the first worker.
When to bring in a Chartered consultant
Arinite's Chartered consultants work with tech companies expanding internationally, with a UK head office leading the relationship and locally-qualified consultants in each country delivering against the local framework. The four situations where Arinite typically adds the most value:
Series A and beyond, multi-country expansion. Where the company is opening offices or hiring in three or more countries, the coordination problem becomes large enough that external support pays for itself in time saved alone.
Pre-funding or pre-acquisition compliance preparation. Where the company is heading into a funding round or sale process, the H&S compliance position across all countries needs to be documented and defensible. External Chartered consultant evidence is more credible to investors and acquirers than internal documentation alone.
ISO 45001 implementation. For tech companies pursuing ISO 45001 for ESG, investor, or customer reasons, building the management system from scratch across multiple countries needs experienced support.
Post-incident or post-inspection response in a foreign jurisdiction. Following a workplace incident or a local inspectorate visit in a country where the company has no internal expertise, structured external support is the right response.
Arinite works with 1,500+ businesses across 50+ countries, with 100,000+ employees protected. It is ISO 45001:2018 certified and has 15+ years of practice with UK and international clients, including tech businesses through scaling and exit.
The fastest way to scope the H&S workstream of your international expansion is a 30-minute Free Gap Analysis Call: a structured review of your current footprint, the country-specific gaps that matter most, and what to do about them. No commitment.
Book My Free Gap Analysis Call or call +44 (0)20 7947 9581.
Frequently asked questions
Does our Employer of Record provider cover health and safety? In almost all cases, no. EOR providers cover payroll, employment law basics, tax, and statutory benefits. Occupational health and safety duties (risk assessment, training, local responsible person roles, working time monitoring, incident reporting beyond payroll requirements) typically sit with the operating business. Get written confirmation from your EOR of what is and is not covered, country by country.
Which country's health and safety law applies when a UK company hires someone in another country? The law of the country where the worker is physically working. UK Working Time Regulations, the Health and Safety at Work etc. Act 1974, and other UK statutes do not apply to a worker based in Germany, France, or the US. Each country's framework applies from day one of operation.
Do we need a named local health and safety representative in every country? Most European jurisdictions require some form of named local representative or service provider. Germany requires safety officers above certain employee thresholds; France requires a designated competent worker; Italy requires an RSPP; the Netherlands requires a preventiemedewerker. The US framework varies by state. Check the requirement for each country of operation before the first hire.
Is ISO 45001 certification required for international tech expansion? It is not legally required, but it is increasingly expected by investors, acquirers, and enterprise clients as evidence of consistent multi-country H&S management. Tech companies typically reach the certification decision around Series B or at the third country of operation.
What is the EU Framework Directive 89/391/EEC? The Framework Directive sets minimum occupational health and safety standards across EU member states. It is the foundation on which national legislation in EU countries is built. The Directive provides some commonality but each member state implements its own variation, and national requirements are typically stricter than the minimum.
Do remote workers in other countries trigger health and safety duties? Yes. Remote workers in any country trigger the home worker H&S duties of that country. Most European jurisdictions explicitly cover home workers under their national framework. The duty to conduct a workstation assessment, provide training, and document arrangements applies regardless of where the worker is physically located.
What is the 2019 CJEU working time recording ruling? The European Court of Justice ruled in Federación de Servicios de Comisiones Obreras v Deutsche Bank that EU member states must require employers to record working time. Each member state has implemented the requirement differently. Spain, France, and Germany are particularly strict. Companies operating in these jurisdictions need a working time tracking arrangement from the first day of operation.
How does workers' compensation work outside the UK? The UK system of employers' liability insurance is replicated in different forms across other jurisdictions. The US uses state-specific workers' compensation programmes. Germany uses the Berufsgenossenschaft statutory accident insurance system. France uses URSSAF and the assurance maladie. Coverage is typically mandatory and country-specific, and is separate from UK employers' liability cover.
Will investor due diligence ask about international H&S compliance? Increasingly, yes. ESG reporting requirements, investor portfolio risk management, and acquirer due diligence depth have all pushed occupational health and safety up the priority list. Series B and later rounds, and almost all M&A processes, now include H&S in due diligence. Multi-country operations with inconsistent or undocumented H&S management are deal-stage risks.
Can one Chartered consultant manage health and safety across all our international offices? For a UK-headquartered tech company, the most efficient model is typically a lead UK-based Chartered consultant who knows the business and coordinates the relationship, with locally-qualified consultants in each operating country delivering against the local framework. Arinite operates this model across 50+ countries.
Written by
Arinite Health & Safety Consultants
Health & Safety Expert at Arinite


