The corporate travel policy at most mid-sized companies was written when smartphones still came with a physical SIM slot and roaming was the only option for international data. Those policies specified maximum per-diem roaming charges, required pre-approval for international data above certain thresholds, and named one or two approved carrier international plans.
That policy was probably not updated when eSIM became mainstream. It almost certainly doesn't mention third-party travel eSIM providers. And it almost certainly isn't followed — because employees have found cheaper options and expense reconciliation systems can't easily distinguish a $9.99 Truely eSIM purchase from a $10 in-flight WiFi charge.
The result is inconsistent compliance, unpredictable travel data expenses, and occasional security concerns when employees connect to unvetted networks or unsecured hotel WiFi as a workaround to avoid high roaming charges. Here's how to write a policy that fixes this.
Start with What You're Actually Trying to Control
Most corporate data policies conflate three different concerns under the category of "international data:"
Cost control: Not paying hundreds of dollars in avoidable roaming fees on company-issued devices or expense-reimbursed personal phones.
Security: Ensuring that sensitive corporate data doesn't transit unencrypted networks or get captured through public WiFi interception.
Productivity: Making sure employees are actually connected and productive, not spending 45 minutes at an airport kiosk buying a local SIM.
A policy that addresses all three with a single rule ("use your carrier's international plan") solves the cost control problem partially, doesn't address security, and does nothing for productivity. A better policy separates the three concerns and addresses each directly.
Cost Control: Define the Approved Method, Not a Cost Limit
Setting a per-trip maximum on international data costs (e.g., "employees must not incur more than $50 in data charges per trip") sounds reasonable but is harder to enforce than it appears. Employees submit the charges after the fact. Finance reviews them after payment. Exceptions get approved retroactively. The limit is a target, not a ceiling.
A more effective approach is to define the approved procurement method and make it the default option. If the company's preferred international data solution is Truely — or any comparable travel eSIM provider — specify that in the policy and pre-fund employee accounts so the right option has zero friction.
A policy section that reads "For business travel to any country covered by our company's Truely enterprise account, employees must use Truely for mobile data. Personal carrier roaming plans are not reimbursable for covered destinations" is clear, actionable, and enforceable through expense system rules.
The caveat is that this requires the company to actually set up the preferred option and make it accessible. If the policy specifies a tool but the procurement process to access it takes two weeks, employees will use their carrier and submit the expense. The policy needs to match the workflow.
Security: Add a VPN Requirement for Hotel and Airport Networks
The security risk in international travel data is less about which carrier provides the data and more about which network carries the traffic. Hotel WiFi networks are frequently unencrypted or lightly encrypted. Airport lounge networks — even premium ones — are shared infrastructure with no network segmentation between users. An employee accessing corporate systems on a Marriott hotel network is exposed to the same packet capture risks as on a public café network.
A cellular data connection — including a Truely eSIM — is significantly more secure than hotel WiFi. Cellular data is encrypted at the radio layer (LTE uses 128-bit AES encryption between device and base station). The threat model for cellular data is fundamentally different from WiFi, requiring physical proximity to base station equipment to intercept.
The policy implication: require a VPN for WiFi connections, full stop. For cellular data connections from approved providers, VPN should be recommended but the risk profile is lower. This is a meaningful distinction that most corporate travel policies don't make — they either require VPN for all international connections (impractical for video calls and slow VPN connections) or don't mention VPN at all.
Specific language: "Employees must use the company VPN when accessing corporate systems on any WiFi network while traveling internationally. Cellular data connections through company-approved eSIM providers are considered secure for accessing corporate systems without VPN, but VPN is recommended for high-sensitivity data transfers."
Device Policy: eSIM-Compatible Devices for Road Warriors
If you have employees who travel internationally more than six times per year, their device should be eSIM-capable. This is now a procurement policy decision, not a technical one — virtually every flagship smartphone from Apple, Samsung, and Google since 2021 supports eSIM.
Adding "eSIM support" to the device procurement checklist for travel-heavy roles costs nothing additional — eSIM-capable devices are the norm, not a premium option. The benefit is that these employees can use company-negotiated travel eSIM plans without worrying about physical SIM compatibility.
For employees with older company-issued devices that don't support eSIM, the policy should specify the approved fallback (carrier international add-on, local SIM purchase with receipt, etc.) and set a clear reimbursement ceiling for that fallback. The intent is to make the preferred option easy and the fallback defined, not to punish employees for having older hardware.
Handling Multi-Country Trips
A travel policy that says "use Truely for international data" without specifying how multi-country trips are handled creates confusion. A road warrior on a three-week Asia circuit might visit Singapore, Japan, South Korea, and Australia in sequence. Does the policy require purchasing four separate country plans, or is a regional bundle the expected approach?
The answer depends on the company's negotiated rates and the employee's actual travel pattern. A clear policy section on multi-country trips should specify: "For trips covering multiple countries in a single travel week, employees should use a Truely regional bundle where one is available for the destination countries. Individual country plans may be used when a regional bundle does not cover all destinations."
The specific plan selection logic matters less than having a documented expectation. Without guidance, employees will either default to the most conservative option (individual plans per country, possibly over-purchasing) or the most convenient one (carrier roaming add-on, possibly over-spending). A policy that specifies the expected approach gives finance a baseline for expense review and gives employees a clear default behavior.
Expense Reconciliation: Make the Approved Option Easy to Expense
The most common failure mode in corporate travel data policies is the gap between the written policy and the expense system. If the policy says "use Truely" but the expense category options are "Carrier Roaming Charges" and "Other Communication," employees will categorize Truely under "Other Communication" and the finance team has no visibility into whether the policy is being followed.
Adding a specific expense category for "Travel eSIM" takes five minutes in most expense management systems (Concur, Expensify, SAP Concur). This gives finance a clean data set to audit compliance and track spending against the policy. It also makes it easier to identify employees who are still submitting carrier roaming charges — a clear signal that the policy is either unclear or the approved option doesn't work for their specific situation.
Annual Review: Technology Changes Faster Than Policies
The practical advice here is simple: put a 12-month review date in the travel data policy itself. "This policy was last reviewed on January 2025. It will be reviewed annually or when significant changes in mobile data options or carrier pricing warrant an update."
The eSIM market will look different in 2026 than it does today. Coverage will expand, new providers will emerge, and pricing will continue to decline. A policy written in 2025 should not be treated as permanent. The companies whose employees have the smoothest international data experience are the ones where the travel manager reviews options annually rather than assuming nothing has changed.