The regulatory clock has been ticking for almost a decade, yet a startling number of enterprises have chosen not to hear it. Despite the passage of Kariβs Law and RAY BAUMβS Act, legislation designed to ensure direct access to emergency services and accurate location data from enterprise phone systems, industry data suggests that nearly 40 percent of organisations remain non-compliant.
For half a decade, the Federal Communications Commission (FCC) treated this gap with a degree of leniency, prioritising education over punishment. That era of benign neglect has abruptly concluded.
The transition is a fundamental change in how the US government views the enterpriseβs responsibility toward its workforce. The days of assuming that a legacy PBX or a sprawling cloud migration provides a shield against federal scrutiny are over. The Commission has signalled a hard pivot toward active policing, driven by a realization that voluntary adoption has stalled.
Lauren Kravetz, the former Chief of Staff at the FCCβs Public Safety and Homeland Security Bureau and current Vice President of Government Affairs at Intrado, offered a stark assessment of the current landscape to UC Today:
βIf you want to call the last few years a grace period, then yes, Iβd say weβre moving into a new era that could lead to enforcement investigations.β
The implications for the C-suite are seismic. Compliance is no longer a box-ticking exercise for the telecom manager, but a critical governance issue that carries the weight of federal law and, uniquely, the potential for individual accountability.
- The Compliance Schism: Why 2026 is the Year of the βTwo-Stackβ Enterprise
- Automate at Your Own Risk: Why Real-Time Compliance Can Fail
The End of the Honour System With Enterprise 911 Compliance
To grasp the urgency of the current moment, one must appreciate the legislative intent. Kariβs Law was born from tragedy in a hotel room, necessitating direct dialling for 911 without requiring a prefix. RAY BAUMβS Act followed, mandating that a βdispatchable locationβ be conveyed to emergency responders. These rules were complicated, rolling out with staggered implementation dates that allowed many organizations to procrastinate, citing technical hurdles or confusion.
However, the regulatorβs patience has evaporated. The catalyst for this renewed vigor is not a new law, but the failure of the market to adapt to the existing ones. βWhatβs changed is that the Commission was made aware that compliance rates are relatively low and, in their words, became βconcerned that awareness and compliance are unevenβ,β said Kravetz.
The FCC initially focused its outreach on the hospitality sector, the original context for Kariβs Law. However, as the mandate broadened to the broader enterprise, the message failed to penetrate. βNow that all elements of the rules have been in effect for a couple of years, the FCC is evaluating next steps to improve compliance,β Kravetz noted.
βThe guidance that the Public Safety and Homeland Security Bureau issued last summer is intended to ensure enterprises understand their obligations and to make sure that public safety officials are aware of and understand these obligations and can monitor whatβs happening in their area.β
This creates a pincer movement. The FCC is educating enterprises on what they must do, while simultaneously educating public safety answering points (PSAPs) on what they should expect and report if missing.
Travis Dahlgren, Senior Solution Engineer at Intrado, suggested to UC Today that the industry has fundamentally misread the room regarding the FCCβs tolerance. βFrom the FCCβs perspective, education and flexibility have not produced consistent results, so clearer guidance and stronger oversight became necessary,β Dahlgren explained. βTheyβre also hearing more concerns from public safety agencies who are encountering poor location data in real emergencies.β
βWe think the message to enterprises is simple: the learning period is over, and enforcement is now part of the equation.β
The 911 Liability Trap: When Technical Oversight Becomes Personal Risk in Enterprise Compliance
Perhaps the most chilling aspect of these statutes for IT and security leaders is the piercing of the corporate veil. In the realm of enterprise tech, fines are typically levied against the legal entity. The corporation writes a check, and the board moves on. However, the language in these specific public safety acts introduces a specter of personal liability that many CIOs and IT Directors have yet to fully comprehend.
Congress, in its drafting of the legislation, took an aggressive stance to prevent organizations from burying safety obligations in bureaucracy. Kravetz outlined:
βItβs a little unusual in the 911 context to see liability assigned to individuals rather than only the enterprises, but thatβs the decision that Congress made.β
βTo ensure the safety of the public, Congress applied the obligations not only to the business engaged in βmanufacturing, importing, selling, leasing, installing, managing, or operatingβ an MLTS but also to the people involved, specifically the MLTS manager and installer,β she added.
While Kravetz noted that the precise legal line βbetween technical oversight and personal liabilityβ¦ hasnβt been worked out yet,β the ambiguity itself is a risk vector. It forces technical leaders to ask whether a deferred upgrade cycle is worth the potential exposure.
Dahlgren pointed out that while the financial penalties, up to $10,000 plus $500 per day, usually apply to the organization, the reputational and legal fallout for decision-makers is distinct. βResponsibility is tied to the people who manage and operate the phone system,β Dahlgren asserted.
βIf leadership knew about gaps, had the ability to fix them, and chose not to act, thatβs where personal exposure can start to creep in through investigations or lawsuits. The risk isnβt theoretical. Itβs about being the person who ignored a known safety issue.β
Furthermore, many organizations are operating under a βgrandfatheredβ delusion, believing their ancient on-premise systems are exempt. This is a dangerous misconception. βThe biggest mistake organizations make is assuming that if something is hard, manual, or inconvenient, itβs exempt from the rules,β added Dahlgren. βTechnological feasibility does not mean βgood enoughβ or βwe put up a warning signβ. It means using the best solutions reasonably available today.β
Crucially, the moment an organization touches that legacy system for a partial upgrade, the exemption vanishes. βMany companies think legacy systems or partial upgrades protect them, when those same upgrades often erase any grandfathering they had,β Dahlgren warned. βThat false sense of exemption could actually lead to penalties.β
The Hybrid Blind Spot and The Industrial Frontier With Enterprise Compliance
The compliance conversation often defaults to the carpeted world of office cubicles and softphones, but the regulatory scope is far wider and arguably more complex in industrial settings. In warehouses, manufacturing plants, and sprawling campuses, the concept of a βdispatchable locationβ becomes murky. A street address for a 500,000-square-foot distribution centre is functionally useless to a paramedic trying to find a cardiac arrest victim on the loading dock.
βThe FCC doesnβt expect a cubicle number in a warehouse, but it does expect responders to get usable, actionable (even dispatchable!) location information,β Dahlgren explained. The requirement is for granularity that facilitates rescue, not just bureaucratic accuracy. βThat could mean building sections, zones, production lines, dock doors, or other clearly defined areas that emergency crews can understand.β
The fluidity of the modern workforce compounds this challenge. The rapid adoption of cloud calling and hybrid work models has outpaced the data hygiene required to support them. An enterprise might have been compliant in 2020, but a shift to Microsoft Teams or Zoom Phone without the requisite backend integration for emergency location services renders that compliance obsolete.
βThe most common issue isnβt bad intentions. Itβs outdated data,β said Dahlgren.
βCompanies often move to hybrid work, cloud calling, or softphones and never update how locations or emergency notifications are managed. As a result, 911 calls may reach the emergency call center, but with the wrong location or no alert to onsite responders. When audits or incidents happen, those gaps are what most often trigger violations.β
Leaders expecting a static rulebook should also be wary. The definition of what constitutes a compliant location is likely to tighten further. βI would add that the FCC is reviewing right now how to improve dispatchable location and what level of information should be considered to provide a dispatchable location,β noted Kravetz. βI donβt think weβll see anything on that until later this year, but we could see updated FCC rules on this point in effect next year.β
Key Takeaways on the Future of 911 Calling
The revitalization of FCC enforcement serves as a stark wake-up call for IT, security, and compliance leaders in every industry in the US. The period of ambiguity is closing, replaced by a regime in which compliance is binary, and failure carries tangible consequences.
It is important to note that the regulator is not currently kicking down doors at random. βTo be clear, the FCC is not proactively auditing enterprises for compliance,β Kravetz clarified. βThe rules are subject to complaint-based enforcement, meaning that the FCC investigates complaints that are filed with it or reports it receives from public safety officials. To date, no fines or other penalties have been issued, but again, weβre entering a new era.β
That βnew eraβ places the onus squarely on leadership. The absence of fines thus far is not a precedent for the future. More ominously, it is the calm before the inevitable storm of enforcement. For the prudent enterprise, the time to audit, upgrade, and verify is now, before a tragedy turns a technical oversight into a federal investigation.
