For organizations across Europe and the United States, regulatory change is no longer a slow-moving policy trend. It is an immediate operational reality, reshaping how leaders think about security, resilience, and technology risk.
From the EU AI Act, GDPR updates, and NIS2, to a rapidly expanding patchwork of US state-level privacy and cybersecurity laws, the regulatory burden is growing in both scale and complexity. Many organizations are now under pressure to move faster, remain compliant across regions, and stay operational in the face of rising security threats.
As Martin Bitzinger, Senior Vice President of Product Management at Mitel, puts it:
“The regulatory environment is increasing in terms of complexity, and it’s ever-changing and evolving.”
From Grace Periods to Enforcement Reality
While many of today’s regulations have been years in the making, the critical shift is that they are now being enforced. What was once theoretical guidance is becoming mandatory practice.
“In Europe, regulations like NIS2 or DORA have been under development for a long time,” Bitzinger explains. “But now they’re becoming effective. Companies that operated under a grace period really have to take action.”
This change is exposing a long-standing pattern across many organizations: security, resilience, and compliance initiatives were often postponed or implemented at a minimum viable level. In today’s environment, that approach is becoming increasingly risky.
Compliance Is About Outcomes, Not Paperwork
What sets the current regulatory wave apart is its intent. These laws are not simply about meeting formal compliance requirements. They are designed to reduce real-world risk.
“Regulation is one aspect,” says Bitzinger. “But what often gets forgotten is that these regulations are there for a reason. They’re not meant to torture businesses – they’re meant to protect them.”
That protection increasingly focuses on an organization’s ability to withstand disruption. Recent geopolitical tensions and high-profile cyber incidents have sharpened regulatory attention on operational continuity, especially in sectors considered critical to society.
Sovereignty and Control Take Centre Stage
Alongside security and privacy, sovereignty has emerged as a central concern – particularly for governments, financial institutions, healthcare providers, and other regulated industries.
“There’s a growing focus on sovereignty,” Bitzinger notes.
“If something fails, how much control do I really have over my own systems and data?”
This question has become more pressing as organizations deepen their reliance on large-scale public cloud platforms. While the cloud has delivered innovation and agility, it has also introduced dependencies that may only become visible during major outages or systemic failures.
Importantly, sovereignty is not just about where data is stored. It also encompasses operational control – the ability to keep essential services running even when external systems are unavailable.
Why Communications Infrastructure Is Under Scrutiny
Communications systems are increasingly viewed as critical infrastructure. They support essential workflows across healthcare, finance, manufacturing, public safety, and government – often carrying highly sensitive information.
“Communication is one of the most fundamental systems,” Bitzinger says. “Whether it’s phone calls, messaging, or alerting, these systems need to continue to operate under any circumstances.”
As a result, regulators and organizations alike are reassessing how communications platforms are deployed, secured, and governed. Treating them as simple productivity tools rather than as part of the broader security and compliance posture is no longer sustainable.
Hybrid Architectures as a Strategic Response
Against this backdrop, many organizations are rethinking their communications architecture choices. Pure cloud models, while attractive for scale and speed, can struggle to meet combined requirements around sovereignty, resilience, and regulatory flexibility.
Hybrid communications architectures offer a more balanced approach. By combining cloud-based capabilities with on-premises or private cloud deployments, organizations gain the flexibility to align technology decisions with regulatory realities.
“Hybrid gives you flexibility,” Bitzinger explains. “It allows you to combine different deployment models, create redundancy, and maintain control over critical systems – without giving up cloud innovation.”
Turning Regulatory Pressure into Strategic Readiness
The organizations best positioned to navigate ongoing regulatory change are not those reacting to individual mandates. They are those building adaptable foundations that can evolve as requirements shift.
“Don’t overreact,” Bitzinger advises. “Plan carefully, understand your business, and evolve what you already have. A complete redesign is rarely realistic in the timeframes most organizations face.”
In an era of accelerating regulation and increasing uncertainty, communications infrastructure has become a strategic lever.
Hybrid models are enabling organizations to reduce compliance risk, strengthen resilience, and retain control – not just for today’s rules, but for whatever comes next.