The regulatory clock has been ticking for almost a decade, yet a startling number of enterprises have chosen not to hear it. Despite the passage of Kari’s Law and RAY BAUM’S Act, legislation designed to ensure direct access to emergency services and accurate location data from enterprise phone systems, industry data suggests that nearly 40 percent of organisations remain non-compliant.
For half a decade, the Federal Communications Commission (FCC) treated this gap with a degree of leniency, prioritising education over punishment. That era of benign neglect has abruptly concluded.
The transition is a fundamental change in how the US government views the enterprise’s responsibility toward its workforce. The days of assuming that a legacy PBX or a sprawling cloud migration provides a shield against federal scrutiny are over. The Commission has signalled a hard pivot toward active policing, driven by a realization that voluntary adoption has stalled.
Lauren Kravetz, the former Chief of Staff at the FCC’s Public Safety and Homeland Security Bureau and current Vice President of Government Affairs at Intrado, offered a stark assessment of the current landscape to UC Today:
“If you want to call the last few years a grace period, then yes, I’d say we’re moving into a new era that could lead to enforcement investigations.”
The implications for the C-suite are seismic. Compliance is no longer a box-ticking exercise for the telecom manager, but a critical governance issue that carries the weight of federal law and, uniquely, the potential for individual accountability.
- The Compliance Schism: Why 2026 is the Year of the ‘Two-Stack’ Enterprise
- Automate at Your Own Risk: Why Real-Time Compliance Can Fail
The End of the Honour System With Enterprise 911 Compliance
To grasp the urgency of the current moment, one must appreciate the legislative intent. Kari’s Law was born from tragedy in a hotel room, necessitating direct dialling for 911 without requiring a prefix. RAY BAUM’S Act followed, mandating that a “dispatchable location” be conveyed to emergency responders. These rules were complicated, rolling out with staggered implementation dates that allowed many organizations to procrastinate, citing technical hurdles or confusion.
However, the regulator’s patience has evaporated. The catalyst for this renewed vigor is not a new law, but the failure of the market to adapt to the existing ones. “What’s changed is that the Commission was made aware that compliance rates are relatively low and, in their words, became ‘concerned that awareness and compliance are uneven’,” said Kravetz.
The FCC initially focused its outreach on the hospitality sector, the original context for Kari’s Law. However, as the mandate broadened to the broader enterprise, the message failed to penetrate. “Now that all elements of the rules have been in effect for a couple of years, the FCC is evaluating next steps to improve compliance,” Kravetz noted.
“The guidance that the Public Safety and Homeland Security Bureau issued last summer is intended to ensure enterprises understand their obligations and to make sure that public safety officials are aware of and understand these obligations and can monitor what’s happening in their area.”
This creates a pincer movement. The FCC is educating enterprises on what they must do, while simultaneously educating public safety answering points (PSAPs) on what they should expect and report if missing.
Travis Dahlgren, Senior Solution Engineer at Intrado, suggested to UC Today that the industry has fundamentally misread the room regarding the FCC’s tolerance. “From the FCC’s perspective, education and flexibility have not produced consistent results, so clearer guidance and stronger oversight became necessary,” Dahlgren explained. “They’re also hearing more concerns from public safety agencies who are encountering poor location data in real emergencies.”
“We think the message to enterprises is simple: the learning period is over, and enforcement is now part of the equation.”
The 911 Liability Trap: When Technical Oversight Becomes Personal Risk in Enterprise Compliance
Perhaps the most chilling aspect of these statutes for IT and security leaders is the piercing of the corporate veil. In the realm of enterprise tech, fines are typically levied against the legal entity. The corporation writes a check, and the board moves on. However, the language in these specific public safety acts introduces a specter of personal liability that many CIOs and IT Directors have yet to fully comprehend.
Congress, in its drafting of the legislation, took an aggressive stance to prevent organizations from burying safety obligations in bureaucracy. Kravetz outlined:
“It’s a little unusual in the 911 context to see liability assigned to individuals rather than only the enterprises, but that’s the decision that Congress made.”
“To ensure the safety of the public, Congress applied the obligations not only to the business engaged in ‘manufacturing, importing, selling, leasing, installing, managing, or operating’ an MLTS but also to the people involved, specifically the MLTS manager and installer,” she added.
While Kravetz noted that the precise legal line “between technical oversight and personal liability… hasn’t been worked out yet,” the ambiguity itself is a risk vector. It forces technical leaders to ask whether a deferred upgrade cycle is worth the potential exposure.
Dahlgren pointed out that while the financial penalties, up to $10,000 plus $500 per day, usually apply to the organization, the reputational and legal fallout for decision-makers is distinct. “Responsibility is tied to the people who manage and operate the phone system,” Dahlgren asserted.
“If leadership knew about gaps, had the ability to fix them, and chose not to act, that’s where personal exposure can start to creep in through investigations or lawsuits. The risk isn’t theoretical. It’s about being the person who ignored a known safety issue.”
Furthermore, many organizations are operating under a “grandfathered” delusion, believing their ancient on-premise systems are exempt. This is a dangerous misconception. “The biggest mistake organizations make is assuming that if something is hard, manual, or inconvenient, it’s exempt from the rules,” added Dahlgren. “Technological feasibility does not mean ‘good enough’ or ‘we put up a warning sign’. It means using the best solutions reasonably available today.”
Crucially, the moment an organization touches that legacy system for a partial upgrade, the exemption vanishes. “Many companies think legacy systems or partial upgrades protect them, when those same upgrades often erase any grandfathering they had,” Dahlgren warned. “That false sense of exemption could actually lead to penalties.”
The Hybrid Blind Spot and The Industrial Frontier With Enterprise Compliance
The compliance conversation often defaults to the carpeted world of office cubicles and softphones, but the regulatory scope is far wider and arguably more complex in industrial settings. In warehouses, manufacturing plants, and sprawling campuses, the concept of a “dispatchable location” becomes murky. A street address for a 500,000-square-foot distribution centre is functionally useless to a paramedic trying to find a cardiac arrest victim on the loading dock.
“The FCC doesn’t expect a cubicle number in a warehouse, but it does expect responders to get usable, actionable (even dispatchable!) location information,” Dahlgren explained. The requirement is for granularity that facilitates rescue, not just bureaucratic accuracy. “That could mean building sections, zones, production lines, dock doors, or other clearly defined areas that emergency crews can understand.”
The fluidity of the modern workforce compounds this challenge. The rapid adoption of cloud calling and hybrid work models has outpaced the data hygiene required to support them. An enterprise might have been compliant in 2020, but a shift to Microsoft Teams or Zoom Phone without the requisite backend integration for emergency location services renders that compliance obsolete.
“The most common issue isn’t bad intentions. It’s outdated data,” said Dahlgren.
“Companies often move to hybrid work, cloud calling, or softphones and never update how locations or emergency notifications are managed. As a result, 911 calls may reach the emergency call center, but with the wrong location or no alert to onsite responders. When audits or incidents happen, those gaps are what most often trigger violations.”
Leaders expecting a static rulebook should also be wary. The definition of what constitutes a compliant location is likely to tighten further. “I would add that the FCC is reviewing right now how to improve dispatchable location and what level of information should be considered to provide a dispatchable location,” noted Kravetz. “I don’t think we’ll see anything on that until later this year, but we could see updated FCC rules on this point in effect next year.”
Key Takeaways on the Future of 911 Calling
The revitalization of FCC enforcement serves as a stark wake-up call for IT, security, and compliance leaders in every industry in the US. The period of ambiguity is closing, replaced by a regime in which compliance is binary, and failure carries tangible consequences.
It is important to note that the regulator is not currently kicking down doors at random. “To be clear, the FCC is not proactively auditing enterprises for compliance,” Kravetz clarified. “The rules are subject to complaint-based enforcement, meaning that the FCC investigates complaints that are filed with it or reports it receives from public safety officials. To date, no fines or other penalties have been issued, but again, we’re entering a new era.”
That “new era” places the onus squarely on leadership. The absence of fines thus far is not a precedent for the future. More ominously, it is the calm before the inevitable storm of enforcement. For the prudent enterprise, the time to audit, upgrade, and verify is now, before a tragedy turns a technical oversight into a federal investigation.
