The question no regulator can answer quickly
A traveller files a complaint. They booked a ski package through an AI agent. The hotel was in Japan, the ski school was a separate legal entity, the transfer was operated by a third-party taxi firm, and the booking was initiated through a platform registered in Singapore. Something went wrong at the ski school. The traveller was injured.
A regulator must now establish: who was the organiser? Who held duty of care at the moment of the incident? Who is the liable party? Under current frameworks — in every jurisdiction reviewed in the Activity Travel Protocol's regulatory analysis — this chain cannot be established quickly, automatically, or with certainty. It has to be reconstructed, manually, from records that may not exist in a form any enforcement body can read.
This is not a pathological edge case. It is the ordinary structure of the AI-era booking.
Two failure modes, one root cause
Consumer protection frameworks were designed for a simpler transaction: one seller, one product, one consumer. The EU Package Travel Directive, the Japan Travel Agency Act, the US Seller of Travel laws, the UK Package Travel and Linked Travel Arrangements Regulations — all were written with that structure in mind. When the seller is an AI orchestration agent assembling four suppliers across three jurisdictions in real time, the legal concept of an organiser becomes impossible to apply.
There is a second failure mode that is more serious still. In March 2026, over 200 Japanese travellers were stranded at Dubai International Airport as Iranian airspace closed without warning. In 2011, the Tohoku earthquake and tsunami left foreign visitors stranded across northern Japan, with no coordinated mechanism through which their governments could locate them, communicate with their families, or organise safe passage home.
Not one of the five regulatory frameworks reviewed in the Activity Travel Protocol's regulatory strategy addresses what happens when the disruption is at this scale. This is not an industry failure. It is the absence of government infrastructure that the industry alone cannot build.
Three things the protocol gives regulators
| What regulators currently lack | What the Activity Travel Protocol provides |
|---|---|
| No real-time visibility of who holds duty of care over a traveller at any given moment | A documented Trust Chain for every booking, updated at every state transition, with duty of care ownership tracked in real time and archived for enforcement use |
| No machine-readable record of regulatory requirements across jurisdictions — compliance is verified manually, inconsistently, and after the fact | A machine-readable Jurisdiction Compliance Registry reflecting the actual licensing, disclosure, and consumer protection requirements in each market — auditable at booking time |
| No framework for government access to booking-level data in a mass disruption event — traveller location and welfare status are invisible to authorities | Booking Object records that, in a mass disruption scenario, tell an emergency coordination authority how many travellers are in the affected area, which suppliers hold duty of care, and which travellers are uncontactable |
| No industry-wide standard that governments can reference, audit against, or co-maintain | A self-regulation framework designed for government co-maintenance — each jurisdiction's regulatory entry can be maintained by the relevant authority, not only by the protocol's developers |

The Jurisdiction Compliance Registry is not a static reference document. Its architecture is designed so that regulatory authorities — JTA, EU Commission DG GROW, the UK CAA, the US FTC — can maintain the entry for their own jurisdiction directly. The protocol does not ask regulators to trust the industry's interpretation of their own rules. It gives regulators the mechanism to own that interpretation themselves.
What the reform agenda looks like
The reform agenda that follows from this analysis does not require new primary legislation in most jurisdictions. It requires three things from regulators.
First: signal that cross-border interoperability is a policy goal, and that open technical standards are the preferred mechanism for achieving it. The aviation industry offers the model — ICAO established global safety standards, IATA established global operational standards, and together they created a world where any airline can interline with any other. Regulators do not need to mandate a specific standard. They need to signal clearly that convergence is desirable.
Second: engage with the protocol's Jurisdiction Compliance Registry. The Activity Travel Protocol has completed a systematic regulatory review across five jurisdictions — EU, US, Japan, UK, and Singapore. The findings are published. The registry entries are the starting point for dialogue, not the end of it. We are inviting the relevant authorities to review, correct, and co-maintain the entry for their jurisdiction.
Third: begin the work of designing government-industry coordination frameworks for mass disruption events. When war or earthquake strands thousands of travellers, the question is not which business holds the licence. The question is whether any government has the infrastructure to find the travellers and bring them home. The protocol makes that infrastructure possible. Governments must decide whether to use it.