Duty of care is one of those phrases that gets used so often inside risk management decks that it has stopped meaning very much. For corporates whose executives move across European borders in 2026, it is worth being precise about what the obligation actually is, where it has tightened recently, and what a reasonable programme looks like in practice — without the marketing layer.
What “duty of care” means in 2026
Most European jurisdictions impose a non-delegable duty on employers to take reasonable steps to protect the health, safety, and welfare of staff at work — including while travelling on the employer’s behalf. The phrasing varies (UK: Health and Safety at Work Act 1974; France: Code du travail Art. L4121-1; Italy: D.Lgs. 81/2008; Germany: ArbSchG), but the substance is consistent. The duty is one of reasonable care, not of guaranteed outcomes; what counts as reasonable is benchmarked against what a competent employer in the same sector would do.
What has tightened, modestly, in the last two years is the documentation expectation. Several recent rulings and enforcement notices have made clear that an employer who cannot show what risk assessment was performed before sending a person somewhere is in a materially weaker position than one who can — even if the underlying decision was sound. The duty has not changed; the evidentiary bar has.
The four building blocks
A defensible duty-of-care programme for European executive travel has four components. None of them are exotic; what is often missing is consistency.
1. Pre-travel risk assessment
A short written assessment — usually one to two pages — for each significant trip. Country-level advisory is necessary but not sufficient. The assessment should reflect the specific itinerary: which cities, which hotels, which routes, which meetings, which timings.
The point is not to predict every contingency. It is to demonstrate that the trip was considered, by name, before it happened.
2. Communications and check-in protocol
A defined communications channel, a check-in cadence appropriate to the risk profile, and a written escalation path if a check-in is missed. For most European travel this is light-touch — a daily message, an emergency contact, a known route to support. For higher-risk profiles it is more involved.
3. Operator and vendor due diligence
If the trip involves engaging a protection team, a transport provider, or a local fixer, the employer needs a record of how that operator was selected and what was verified about them. The duty extends to who you hired, not just whether they performed.
This is where many programmes are quietly weakest — operators are booked through informal channels and the file is empty.
4. Post-travel debrief
A short structured note after each significant trip: what happened, what worked, what did not, what to change next time. This is the part most often skipped and the part that, over time, makes the next assessment materially better.
What is not required
A few things that show up in vendor pitches and that you do not, in fact, need:
- 24/7 medical evacuation cover for every European city. Useful in specific contexts; not a duty-of-care requirement in jurisdictions with developed healthcare systems and clear emergency response.
- GPS tracking of staff at all times. In most cases disproportionate, in some cases unlawful. The privacy framework around employee monitoring under GDPR is restrictive, and tracking-by-default fails the necessity test.
- A bespoke “global security operations centre” subscription. A clear escalation channel, kept current and tested, will out-perform a marketed 24/7 GSOC that no one in your team has actually used in anger.
A practical baseline
For a corporate sending a small number of executives to European cities a few times a quarter, a reasonable baseline looks like:
- A standing risk-assessment template, populated per trip in fifteen to thirty minutes.
- A documented operator panel for the cities you most often visit, with the vetting evidence on file.
- A communications protocol that the travelling executive actually understands, has used at least once, and can invoke without thinking.
- A short post-trip note, even if the trip was uneventful.
This is not a heavy programme. It is, however, a programme — which is what the duty actually requires. The failure mode is not insufficient cover. It is the absence of a recognisable system at all.
Where FRT fits
Travel security advisory is one of the services FRT delivers directly. Where engagements call for ground execution — protection teams, transport — we coordinate that through the European partner network under the same engagement. The point is to give corporates a single accountable counterparty for both the documentation and the delivery, rather than splitting them across providers and hoping the seams hold.
For specifics, the Travel Security Consulting page covers what an engagement looks like. For a confidential conversation about an existing programme or a particular trip, send a brief — we will reply within one business day with a named coordinator.