- The POSH Act applies the moment you have 10 or more workers in India, regardless of whether they sit in an office, work remotely, or report to an overseas manager. Your EOR is legally required to constitute an Internal Complaints Committee, run annual training, and file a yearly compliance report.
- The Shops and Establishments Act is a state law, not a central one. Your EOR must register separately in every Indian state where your employees actually work, not just where their entity is headquartered.
- Aggregator EORs (those that route hiring through local partners instead of owning their own Indian entity) often have visible gaps here, especially around ICC constitution, annual POSH reports, and multi-state S&E registrations.
- Non-compliance is not a quiet risk. POSH violations attract fines starting at ₹50,000 and can escalate to business license cancellation. S&E lapses trigger penalties, inspections, and complications during employee terminations or audits.
- A simple four-question audit (ICC, training, annual filing, state-wise S&E registration) tells you within ten minutes whether your EOR is genuinely covering these areas or just claiming to.
Most global EOR providers will tell you they handle "full India compliance." That's marketing language. The real test is whether they handle the laws that actually trip up foreign employers, and POSH and the Shops and Establishments Act sit at the top of that list.
These two laws don't get much attention in EOR sales conversations. They should. POSH carries criminal exposure for company representatives, and S&E registration determines whether your employee's contract is legally valid in their state. If your EOR is treating either as optional, you have a problem that's harder to fix later than it is to check now.
This guide walks through what each law requires, where global EORs typically fall short, and the exact questions to ask your current or prospective provider.
What is the POSH Act and why does it matter for global EORs?
The POSH Act, formally the Sexual Harassment of Women at Workplace (Prevention, Prohibition and Redressal) Act, 2013, is the central law governing workplace sexual harassment in India. It applies to every workplace with 10 or more employees, including remote teams and home-based workers.
The law puts the obligation squarely on the employer, which under an EOR setup means the EOR's Indian entity. Your global EOR is the legal employer of the workers it places with you, so POSH compliance is its responsibility, not yours.
Three operational requirements drive most of the compliance work:
- Internal Complaints Committee (ICC): Every workplace with 10 or more workers must constitute an ICC. The committee needs a presiding officer who is a senior woman employee, at least two members from within the organization, and one external member from an NGO or with relevant legal or social work experience. At least half the members must be women.
- POSH policy and awareness: The employer must publish a written POSH policy, display it visibly at the workplace or on internal platforms, and conduct regular awareness sessions and training for both employees and ICC members.
- Annual compliance report: The ICC must file an annual report with the District Officer detailing the number of complaints received, disposed of, and pending. The deadline is typically January 31 each year.
The Act also requires the employer to assist the complainant in filing a criminal complaint, provide interim measures during inquiry, and act on ICC recommendations within 60 days.
From our experience helping global companies set up in India, this is one of the most underchecked areas. Buyers assume "compliance" means payroll and statutory contributions. POSH lives in a different operational lane, and aggregator EORs often outsource it (or skip it) in ways that surface only when something goes wrong.
What does the Shops and Establishments Act actually require?
The Shops and Establishments Act is a state-level law, not a central one. Every Indian state (and Union Territory) has its own version, and they vary meaningfully in registration timelines, working-hour caps, leave entitlements, and renewal cycles.
Your EOR's Indian entity must register under the S&E Act of every state where it places an employee. Registering once in Karnataka does not cover an employee working from home in Tamil Nadu. The trigger is where the employee performs the work, not where the EOR is headquartered or where you are based.
The Act broadly governs:
- Working hours, overtime caps, and rest periods
- Weekly off and public holiday rules
- Earned leave, sick leave, and casual leave entitlements
- Wage payment timelines
- Conditions of employment for women, including night-shift rules in some states
- Maintenance of registers and records for inspection
Most state Acts also require the certificate of registration to be displayed at the place of business and renewed at intervals ranging from one to five years, depending on the state.
Here is a quick view of how a few major states diverge:
| State | Registration timeline | Renewal | Notable rule |
|---|---|---|---|
| Karnataka | Within 30 days of opening | Every 5 years | Annual earned leave at 1 day per 20 worked |
| Maharashtra | Within 60 days of opening | Every 1 to 10 years (chosen at registration) | Working hours cap at 9 per day, 48 per week |
| Tamil Nadu | Within 30 days of opening | Annual | Minimum 12 days earned leave per year |
| Delhi | Within 90 days of opening | Permanent registration | Separate rules for women's night shifts |
| Telangana | Within 30 days of opening | Annual or biennial | Specific rules on overtime calculation |
For a remote team spread across five cities in five states, your EOR should hold five active S&E registrations, not one.
How do I check if my global EOR is actually handling POSH?
Ask four direct questions. The answers separate real compliance from marketing claims.
1. Is there a formally constituted ICC under your Indian entity, and can you share the composition?
A compliant EOR should be able to share the names and roles of the presiding officer, internal members, and external member, along with the appointment letter dates. If they describe it vaguely or say it is "handled centrally," dig deeper.
2. Is annual POSH training conducted for all employees placed under your entity?
The Act expects regular training, not a one-time onboarding tick-box. Most reputable EORs run annual e-learning modules or live sessions. Ask for the last training date and attendance log.
3. Have you filed the annual POSH compliance report with the District Officer for the most recent calendar year?
This is a hard yes or no question. The report is a legal filing with a specific recipient. Either it was filed by January 31, or it was not.
4. What is the process if an employee on my account wants to file a POSH complaint?
The answer should include who the complainant contacts, how the ICC is engaged, what timelines apply, and how the client company is informed without compromising the complainant's confidentiality. Vague answers here are a red flag.
In many cases, global employers realize that their EOR's "POSH coverage" is just a clause in the employment contract referencing the law, with no actual ICC, no training, and no filings happening. That is not compliance. That is exposure.
How do I check if my global EOR is actually handling S&E Act?
Three questions cover most of it.
1. In which Indian states is your entity currently registered under the Shops and Establishments Act?
Compare this list against the locations of your employees. If you have someone in Hyderabad and the EOR holds no Telangana registration, you have a problem.
2. How do you handle a new state when I hire there for the first time?
The answer should describe a clear process: triggering registration in the new state, the timeline to complete it (usually 7 to 21 working days depending on the state), and how the employee's start date is managed. If the EOR has to outsource this to a third party or "look into it," they are likely an aggregator.
3. How do you align employment contracts and leave policies to state-specific rules?
A Karnataka employee's contract should reflect Karnataka leave entitlements. A Maharashtra employee's contract should reflect Maharashtra rules. If every employee gets the same template regardless of state, the EOR is cutting corners.
From what we have seen, this is where aggregator models tend to break. The EOR you signed with may not be the entity actually employing your worker. The local Indian partner handles S&E, and the visibility back to you is limited.
Why do aggregator EORs often miss POSH and S&E compliance?
There are two EOR structures in the Indian market, and they handle these laws very differently.
| EOR model | How it works | POSH and S&E handling |
|---|---|---|
| India-native (owned entity) | Provider owns its Indian entity, employs workers directly, runs compliance in-house | ICC, training, annual filings, and state-wise S&E registrations sit inside the same company you contracted with |
| Aggregator (partner-routed) | Global provider sublets to local Indian partners who are the actual employer | POSH and S&E sit with the local partner, often with limited visibility, inconsistent ICCs, and patchy state-wise registrations |
Aggregator EORs are often faster to expand into new geographies because they don't carry the operational weight of owning entities. The trade-off is fragmented compliance ownership. If your provider's compliance team is in Lisbon or New York but your employee is in Pune, the gap between sales claims and ground reality can be wide.
Companies often underestimate how much this matters until an inspection, a termination dispute, or a POSH complaint forces them to ask who is actually responsible.
What happens if my EOR fails on POSH or S&E compliance?
The penalties are not abstract.
For POSH non-compliance:
- First violation: fines up to ₹50,000
- Repeated violations: doubled penalties, plus possible cancellation of business license or registration
- Failure to constitute ICC or file annual reports: same penalty bracket
- Reputational fallout if a complaint surfaces and the ICC was never formed
For S&E non-compliance:
- Penalties vary by state, typically ranging from ₹1,000 to ₹2,50,000 for unregistered establishments
- Inspections and continued penalties for non-display of certificate or non-maintenance of registers
- Difficulty enforcing employment contracts or processing terminations
- Issues during audits, PF inspections, or banking compliance checks
The financial penalties are usually manageable. The operational consequences (delayed terminations, blocked audits, employee complaints that escalate publicly) are the real cost.
One pattern we have consistently noticed is that POSH and S&E gaps surface during high-pressure moments: a contentious exit, a regulatory audit, or a complaint that escalates to a District Officer. By then, fixing the gap retroactively is expensive and slow.
What should a fully compliant EOR setup look like?
A genuinely compliant EOR engagement in India should give you, at minimum:
- A documented, formally constituted ICC under the EOR's Indian entity, with the required mix of internal members, a senior woman presiding officer, and a qualified external member.
- Annual POSH training rolled out to all employees, with attendance records you can review on request.
- Annual POSH compliance reports filed with the District Officer in every state where the EOR places employees, on time.
- Active S&E Act registrations in every state where your employees work, not just where the EOR is headquartered, with renewals tracked centrally.
- Employment contracts that reflect state-specific leave, working-hour, and overtime rules, not a flat template applied across India.
- A clear, written escalation process for any POSH complaint, including timelines, confidentiality protocols, and how the client company is involved (or shielded) at each stage.
If your EOR cannot demonstrate each of these on request, the compliance posture is weaker than the contract suggests.
How Wisemonk handles POSH and S&E Act compliance
Wisemonk is an India-native EOR, which means we own our Indian entity, employ your team directly, and run every compliance function in-house. POSH and S&E sit inside the same operational layer as payroll, PF, and TDS, not outsourced to a partner network.
On POSH, we maintain a formally constituted Internal Complaints Committee with the required composition, run annual training for all employees we onboard, and file annual compliance reports with the relevant District Officer. If a complaint is filed, our ICC handles it under the timelines and confidentiality protocols required by the Act, and we keep the client company informed appropriately without compromising the complainant's identity.
On the Shops and Establishments Act, we hold active registrations in every Indian state where we place employees and add new states proactively when you hire there for the first time. Employment contracts are drafted to reflect the leave, working-hour, and overtime rules of the employee's state of work, not a flat national template.
The broader point is that compliance in India is operational, not contractual. A clause in your MSA referencing POSH or S&E does not protect you if no ICC exists or no state registration was ever filed. The work has to happen, and someone has to own it. With Wisemonk, that someone is the same company you contracted with. No aggregator gap, no partner network, no ambiguity about who is responsible when something needs to be filed, renewed, or escalated.
If you want to audit your current EOR or understand what a clean compliance setup looks like for your India team, that's a conversation worth having before the next renewal cycle or audit lands on your desk.
Get Stared with Wisemonk EOR
Frequently asked questions
Does the POSH Act apply if my India team is fully remote?
Yes. The Act defines "workplace" broadly enough to include remote work, home offices, and any place an employee visits for work. The 10-employee threshold applies to the total workforce, not just office-based staff. Your EOR must constitute an ICC and run training regardless of where your team physically sits.
Who is liable under POSH if my EOR fails to constitute an ICC?
The legal employer carries the liability, which under an EOR setup is the EOR's Indian entity. However, reputational and operational fallout can affect your company directly, especially if a complaint becomes public or escalates to the District Officer. The MSA with your EOR should clearly indemnify your company against compliance failures on their side.
Can a man file a POSH complaint?
The POSH Act of 2013 specifically protects women. However, most reputable employers and EORs now extend equivalent protections to all genders through internal policies, even though those complaints are handled outside the formal POSH framework. Ask your EOR whether their internal harassment policy is gender-neutral.
How often does the Shops and Establishments Act need to be renewed?
It depends entirely on the state. Tamil Nadu requires annual renewal. Karnataka renews every five years. Delhi offers permanent registration with no renewal. Your EOR should track each state's renewal cycle separately. A missed renewal can invalidate the registration and trigger penalties.
What is the annual POSH compliance report and when is it due?
The Internal Complaints Committee must file an annual report with the District Officer, detailing the number of sexual harassment complaints received, disposed of, and pending during the year, along with action taken. The standard deadline is January 31 of the following year. A compliant EOR files this for every state where they have employees.
Can my EOR add me to its existing ICC?
No, and they should not try. The ICC is constituted under the EOR's Indian entity. Your employees, who are legally employees of that entity, fall under the same ICC. You do not need a separate committee, and you should not be added to theirs. What you do need is visibility into how complaints involving your team members will be handled.
What if I'm hiring just one or two people in India, do these laws still apply?
The S&E Act applies from the first employee. Registration in the relevant state is required regardless of headcount. POSH formally requires an ICC at 10 or more employees, but a smaller workforce still triggers obligations under the broader law, including grievance redressal through the Local Complaints Committee at the district level. Your EOR's overall headcount across all clients usually crosses the 10-employee threshold easily, so the ICC obligation is almost always live.
