Digital Nomads and Duty of Care: Managing Travel Risk for a Distributed Workforce
As 40 million digital nomads redefine work, organizations face a critical gap in duty of care — from hush trips to multi-jurisdictional compliance
The global digital nomad population has surpassed 40 million, and the line between business travel and remote work has never been blurrier. Employees are working from Bali one week and Buenos Aires the next — sometimes without telling their employers. This "distributed workforce revolution" is reshaping corporate travel risk management in profound ways. Organizations that fail to extend their duty of care frameworks to cover remote workers, digital nomads, and employees on undeclared "hush trips" face significant legal liability, financial exposure, and reputational risk. This article provides a comprehensive framework for closing the duty of care gap in the distributed work era.
The Rise of the Digital Nomad: A New Risk Landscape
The digital nomad phenomenon has accelerated dramatically since 2020, with the global population growing from an estimated 11 million to over 40 million by 2026. This is no longer a niche lifestyle choice — it is a mainstream work model embraced by employees across industries, from tech and finance to consulting and creative services. Popular destinations include Portugal, Thailand, Indonesia, Mexico, and Georgia, many of which present elevated security, health, and legal risks compared to traditional business travel hubs.
The shift to hybrid and remote work has also blurred the boundaries of corporate travel. Employees increasingly combine leisure and work in what the industry calls "bleisure" travel, but a more concerning trend is the rise of "hush trips" — employees working remotely from foreign locations without informing their employers. A 2025 survey found that 72% of remote workers had taken at least one hush trip, with 45% doing so regularly. These undeclared trips create significant blind spots in corporate risk management systems, leaving both employees and organizations exposed.
Decoding Duty of Care for a Borderless Workforce
Duty of care — the legal and ethical obligation of employers to take reasonable steps to ensure the health, safety, and security of their employees — does not stop at the office door or the national border. In most jurisdictions, this obligation extends to employees working remotely, whether from home or abroad.
The legal landscape is complex and varies significantly by country. In the UK, the Health and Safety at Work Act 1974 and the Management of Health and Safety at Work Regulations 1999 impose broad obligations on employers regardless of where work is performed. In the EU, the Framework Directive 89/391/EEC establishes similar principles. In the US, OSHA regulations and common law negligence principles can expose employers to liability for foreseeable harms to remote workers.
The consequences of failing to meet duty of care obligations are severe. Organizations can face civil litigation, regulatory fines, and reputational damage. In extreme cases, criminal liability may arise where negligence is gross. Beyond legal risk, the human cost of inadequate duty of care — employees stranded in crisis zones, denied medical assistance, or exposed to preventable security threats — is immeasurable.
Multi-Jurisdictional Compliance: The Hidden Minefield
When employees work across borders, organizations face a labyrinth of multi-jurisdictional compliance obligations that extend far beyond duty of care. Tax authorities in many countries apply "permanent establishment" rules that can trigger corporate tax liability if an employee works from a foreign location for more than a threshold period — often as few as 30 days. Social security and pension obligations may shift to the host country, creating double-contribution risks. Immigration compliance is equally complex: working on a tourist visa is illegal in most countries, yet many digital nomads do exactly this. The consequences can include deportation, fines, and bans on future entry.
Data protection regulations add another layer of complexity. Employees working from countries outside the EU may inadvertently transfer personal data to jurisdictions without adequate protection, triggering GDPR violations. Organizations must map their employees' locations in real time to manage these risks effectively. The challenge is compounded by the fact that many employees do not disclose their locations, making compliance monitoring extremely difficult. A robust digital nomad policy — one that requires employees to notify HR before working from a foreign location — is the essential first step.
ISO 31030: The Global Standard for Travel Risk Management
Published in 2021, ISO 31030 provides the most comprehensive international framework for organizational travel risk management. While the standard was developed primarily with traditional business travel in mind, its principles apply directly to the digital nomad and remote work context. ISO 31030 establishes a risk management process that includes: identifying and assessing travel risks; implementing risk treatment measures; monitoring and reviewing risk; and communicating with travelers. For distributed workforces, the standard's guidance on "traveler profiling" is particularly relevant — organizations should assess the specific vulnerabilities of each traveler, including their destination, duration of stay, purpose of travel, and personal characteristics. The standard also emphasizes the importance of pre-travel information and training, emergency response planning, and post-travel support. Organizations that align their digital nomad policies with ISO 31030 not only reduce their legal exposure but also demonstrate a genuine commitment to employee wellbeing — a significant competitive advantage in talent attraction and retention. Key implementation steps include: conducting a gap analysis against the ISO 31030 framework; developing a digital nomad risk register; establishing a traveler tracking system; and creating destination-specific risk briefings for popular nomad locations.
Cybersecurity on the Move: Protecting Data in a Zero-Trust World
Digital nomads present unique cybersecurity challenges that traditional corporate security frameworks are ill-equipped to handle. Working from co-working spaces, cafes, hotels, and Airbnbs, nomadic employees routinely connect to unsecured public Wi-Fi networks, use personal devices for work, and operate in environments with limited physical security. The risks are substantial: credential harvesting via public Wi-Fi interception, malware infection through unsecured networks, physical device theft, and social engineering attacks targeting isolated workers. A 2025 IBM Security report found that remote workers were 3.5 times more likely to be the entry point for a corporate data breach than office-based employees.
Organizations must adopt a zero-trust security architecture that assumes no network is safe and requires continuous verification of user identity and device health. Practical measures include: mandatory VPN use on all non-corporate networks; mobile device management (MDM) solutions that enable remote wipe; multi-factor authentication on all corporate systems; regular security awareness training tailored to remote work scenarios; and clear policies on the use of personal devices for work. For employees traveling to high-risk jurisdictions — including countries with aggressive state surveillance — organizations should consider providing dedicated travel devices with minimal data and pre-configured security settings.
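The measures listed above can be combined into a single access decision evaluated on every request, with identity and device health checked regardless of which network the request arrives from. The following Python is an added example, not code from this article or from any vendor; the field names, the choice to refuse unmanaged devices, the deny-before-step-up ordering, and the placeholder country codes XA and XB are assumptions.

```python
# Added example: per-request zero-trust access decision.
# Field names, rule order and country codes are illustrative assumptions.
from dataclasses import dataclass

HIGH_RISK = {"XA", "XB"}  # constructed placeholders, not real country codes

@dataclass
class Request:
    user: str
    mfa_passed: bool         # multi-factor authentication completed
    mdm_enrolled: bool       # device is under MDM (remote wipe available)
    device_healthy: bool     # posture check passed (encryption, patches)
    corporate_network: bool  # request arrives from a corporate network
    vpn_active: bool         # corporate VPN tunnel is up
    country: str             # where the request appears to originate
    travel_device: bool      # dedicated minimal-data travel device

def decide(r: Request) -> tuple[str, list[str]]:
    """Return ("allow" | "step_up" | "deny", reasons); no network grants trust."""
    deny = []
    if not r.mdm_enrolled:
        deny.append("device not enrolled in MDM")
    elif not r.device_healthy:
        deny.append("device failed health check")
    if not r.corporate_network and not r.vpn_active:
        deny.append("VPN required on non-corporate network")
    if r.country in HIGH_RISK and not r.travel_device:
        deny.append("high-risk jurisdiction requires dedicated travel device")
    if deny:
        return "deny", deny
    if not r.mfa_passed:  # being on the office network does not waive MFA
        return "step_up", ["MFA required"]
    return "allow", []

# Constructed sample requests
SAMPLES = [
    Request("ana", True, True, True, False, True, "PT", False),   # cafe Wi-Fi + VPN
    Request("ben", True, True, True, False, False, "TH", False),  # hotel Wi-Fi, no VPN
    Request("cho", False, True, True, True, False, "US", False),  # office, no MFA yet
    Request("dee", True, True, True, False, True, "XA", False),   # high-risk, own laptop
    Request("eli", True, False, True, False, True, "MX", False),  # unmanaged device
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.user, *decide(s))
```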
Building a Digital Nomad Risk Management Program
A comprehensive digital nomad risk management program requires coordination across HR, legal, IT security, and travel risk functions. The foundation is a clear, enforceable policy that defines who can work remotely from abroad, for how long, in which locations, and under what conditions. The policy should require advance notification and approval for all foreign remote work, establish minimum security standards, and outline the support available to employees in an emergency.
Pre-travel risk assessment is essential. Organizations should maintain up-to-date risk profiles for popular nomad destinations, covering security conditions, healthcare quality, legal risks, and connectivity. Employees should receive destination-specific briefings before departure and have access to 24/7 emergency assistance.
Technology plays a critical role. Travel risk management platforms such as International SOS, Control Risks, and WorldAware offer real-time traveler tracking, automated risk alerts, and emergency communication tools. These platforms can be configured to flag employees working from high-risk locations and trigger proactive outreach.
Finally, organizations should invest in employee education. Many duty of care failures stem not from malicious intent but from ignorance — employees simply do not understand the risks of working from abroad or the obligations they create for their employer. Regular training, clear communication, and a culture of transparency are the most effective long-term risk mitigation strategies.
Best Practices: A Checklist for Organizations
Leading organizations are implementing the following best practices to manage duty of care for distributed workforces:
(1) Establish a formal Digital Nomad Policy that requires advance approval for all foreign remote work, defines approved and restricted destinations, and sets clear expectations for compliance.
(2) Implement a traveler tracking system that provides real-time visibility of employee locations, including remote workers.
(3) Conduct destination-specific risk assessments for all locations where employees regularly work remotely, and update these assessments quarterly.
(4) Provide 24/7 emergency assistance through a travel risk management provider or in-house security operations center.
(5) Mandate cybersecurity training for all remote workers, with specific modules on public Wi-Fi risks, device security, and social engineering.
(6) Align policies with ISO 31030 to ensure a systematic, internationally recognized approach to travel risk management.
(7) Establish clear escalation procedures for employees who encounter security incidents, health emergencies, or legal issues while working abroad.
(8) Conduct regular policy reviews to keep pace with the rapidly evolving digital nomad landscape, including new visa programs, changing security conditions, and emerging legal risks.
Key Recommendations at a Glance
Establish a Digital Nomad Policy
Require advance approval for all foreign remote work. Define approved destinations, maximum stay durations, and compliance obligations. Make the policy accessible and easy to understand.
Implement Real-Time Traveler Tracking
Deploy a travel risk management platform that provides visibility of all employee locations, including remote workers. Configure automated alerts for employees in high-risk locations.
Align with ISO 31030
Conduct a gap analysis against the ISO 31030 framework. Develop a digital nomad risk register and destination-specific risk briefings for popular nomad locations.
Mandate Cybersecurity Protocols
Require VPN use on all non-corporate networks. Implement MDM solutions, multi-factor authentication, and regular security awareness training tailored to remote work scenarios.
Provide 24/7 Emergency Support
Ensure all remote workers have access to round-the-clock emergency assistance, including medical evacuation, security support, and legal guidance.
Educate and Communicate
Invest in regular training and clear communication. Many duty of care failures stem from ignorance. Build a culture of transparency where employees feel comfortable disclosing their locations.
The distributed workforce revolution is here to stay. As digital nomadism becomes a mainstream work model, organizations that fail to adapt their duty of care frameworks face growing legal, financial, and reputational risks. The good news is that the tools, standards, and best practices to manage these risks effectively are available. By establishing clear policies, leveraging technology, aligning with ISO 31030, and investing in employee education, organizations can embrace the flexibility of distributed work while fulfilling their fundamental obligation to keep their people safe — wherever in the world they choose to work.