How Zain Group Is Reimagining Telecom Regulatory Compliance
“Regulatory compliance isn’t a checklist. It is operational discipline — the foundation of trust between a telecom operator, its regulators, and the markets it serves.” — Dr. Andrew Arowojolu, Group Chief Regulatory Officer, Zain Group.
A sector defined by oversight
Telecom is a business of permissions. Licences to operate, spectrum rights, and public trust are contingent upon an operator’s ability to demonstrate continuous regulatory compliance across multiple authorities and rulebooks. For Zain Group (Zain), which spans eight Middle Eastern markets serving over 50 million customers, complexity is not theoretical; it is the daily operating environment. Each market has its own set of laws, regulations, regulators, enforcement authorities, reporting rhythms, and expectations. Governance that merely “keeps up” will not do. It must scale.
When Dr. Andrew Arowojolu and his colleague Abdulla Al Awadi, Group Regulatory Compliance Director, reviewed Zain’s regulatory compliance practices, they saw an opportunity to modernise and elevate how the business operates. Regulatory materials—spanning spreadsheets, emails, and local repositories—reflected the tools and workflows of their time, but no longer matched the scale, speed, and sophistication of Zain’s evolving digital ecosystem.
The mandate that followed was clear: transition from traditional, manually coordinated processes to a unified, technology-enabled governance framework that enhances consistency, transparency, and group-wide insight. This transformation was also driven by a strategic objective—ensuring that Zain can demonstrate to its customers (consumers, enterprises, and government entities), as well as its strategic partners and vendors, that it is an organisation that takes compliance seriously and is committed to being the business partner of choice.

In today’s digital and highly regulated telecommunications environment, that status is inseparable from strong regulatory compliance. Enterprises and government institutions increasingly demand partners who can ensure data protection, operational integrity, and compliance with ever-evolving regulatory requirements. Vendors and strategic partners seek predictable, well-governed organisations that minimise risk and uphold international standards. By strengthening and digitalising its compliance posture, Zain reinforces trust, reduces uncertainty, and positions itself as a reliable, low-risk, forward-thinking partner—attributes essential for securing and sustaining preferred-partner status across its footprint.
From fragmentation to framework
The first pass at digitization was pragmatic. Zain acquired and implemented a compliance tool to serve as a single point platform to proactively track, manage and report on compliance obligations across the lifecycle. That gap sent the leadership back to first principles in 2022: define the governance model, secure board backing, and run a formal selection for both expertise and a modern platform. A board resolution in December 2022 mandated the regulatory compliance program and set out governance, rollout, and ISO 37301 standards certification targets.
“We moved from paper to a Regulatory Compliance tool – that created culture and visibility. Now, moving to VComply, we expect a step-change in performance and efficiency.” — Abdulla Al Awadi.
Governance by design, not decree
Zain’s architecture rests on a simple idea: central policy, local execution, and continuous oversight. The group function defines standards, regulatory compliance domains, and performance expectations. Each operating company — Kuwait, Bahrain, Iraq, Jordan, Saudi Arabia, South Sudan, Sudan, and the United Arab Emirates — executes against those standards under its local laws, with results aggregated for group-level visibility. Abdulla Al Awadi’s short answer to the centralization question is candid: “Each market has its own policies plus the group.” The virtue of that model is coherence without uniformity.
The depth of the task is visible in the numbers. In Saudi Arabia, Zain’s team inventoried “about 200 statutory and regulatory documents,” which translated into ~990 specific obligations, ranging from telecom and ICT rules to competition law, personal-data statutes, site-sharing requirements, and fintech guidance. And Saudi Arabia is just one market. Zain typically engages with two to four authorities per country today — telecom, data protection, e-government, and, in some cases, central banking — along with additional sectoral bodies depending on the services. The quantitative footprint is what forces the qualitative shift: governance cannot be reconstructed every quarter from email chains. It must be systematised.
Zain’s Operating Model (in brief)
• Group sets policy, standards, and KPIs.
• Local entities own implementation under national law.
• Centralized platform provides evidence, audit trails, and dashboards.
• Board-mandated rollout.
Choosing the operating system
In 2025, after engaging external advisors and running a fresh RFP, Zain selected VComply as the next-stage platform. The criteria were not glamour features; they were adoption, scale, and fit for purpose. Dr. Arowojolu listed the non-negotiables: simplicity (“as intuitive as Microsoft Office”), enterprise scale (hundreds of users, ultimately across all departments with ICT/telco responsibilities), entity-level separation (each opco functions as a standalone business, with strict visibility boundaries), cloud deployment, Arabic support, and the ability to serve as both regulatory compliance system and searchable repository of applicable laws and obligations.
Implementation is treated as a sequence, not an event. The team’s stated success condition is precise: when obligations are fully uploaded, owners are assigned, dashboards are configured, data is clean, and users are trained so that reporting is natural — “that’s when the system starts working for you.” Until then, the discipline is to avoid declaring victory early.
“We didn’t want a tool with bells and whistles that nobody uses. We wanted something people would actually work in every day.” — Dr. Andrew Arowojolu.
What changes when the system is digital
Zain is clear-eyed about the limits of technology; software does not create accountability. But it exposes it. The first digital phase “opened our eyes to the enormity of the task,” Arowojolu said, and began to create a regulatory compliance culture: people could see their obligations, trace provisions back to their sources, and understand what was being asked of them. The expectation in phase two, the move to VComply, is a performance gain: efficient tracking, structured reviews, alerting, and consistent evidence. The mechanics matter because they change the posture with regulators: when data are organized, current, and attributable, discussions move from document hunts to outcomes.
The benefits are not cosmetic. Continuous dashboards shorten preparation cycles, reduce ambiguity across teams, and allow group leadership to see posture by entity and domain. That visibility shifts internal conversations from “where is the file?” to “what is the risk and what will we do?” It also standardises transparency across opcos without flattening local specificity. In a region with varying documentation standards and enforcement cultures, that balancing act is the difference between regulatory compliance as a periodic scramble and regulatory compliance as an operating rhythm.
“Digital regulatory compliance doesn’t replace accountability. It institutionalises it.” — Abdulla Al Awadi, Director of Regulatory Compliance, Zain Group.
The future: AI, 6G, and regulatory proliferation
Telecom regulatory compliance is not standing still; it is evolving into a more technical, real-time, and interdisciplinary field. Zain’s leaders expect three shifts over the next five to ten years.
First, AI-native compliance systems. Dr. Arowojolu expects platforms to ingest regulations automatically, extract obligations, assign owners, and build the obligations universe without manual parsing — including regulator-site monitoring and retrieval at source. In short, the system should create and maintain the map. This is not hype; it is the only credible answer to volume and velocity.
Second, more regulators, not fewer. Zain anticipates moving from today’s two to four authorities in many markets to five to eight, as oversight expands into AI governance, civil aviation (for drones and satellite interfaces), fintech/insurtech, sustainability supervision, and cross-border data enforcement. Convergence is not the base case. Proliferation is.
Third, regulatory compliance as a competitive edge. In Zain’s recently implemented five-year corporate strategy (“4WARD-Progress with Purpose”), “business partner of choice” sits under Customer Delight; demonstrable regulatory compliance maturity is part of that ambition. For governments and large enterprises, the requirement is not an attestation; it is operational proof. The company’s view is blunt: regulatory compliance capability will determine eligibility for partnerships, new services, and entry into sensitive domains, such as payments or data services related to 6G and AI-enabled networks.
Cybersecurity oversight is intensifying across Zain’s footprint. Satellite considerations are rising as spectrum and space-adjacent services expand. ESG reporting, including decarbonization metrics and network-level consumption audits, is being integrated into the regulatory compliance stack. These are not tangents; they are additional load-bearing pillars of institutional trust.
“The next phase is predictive readiness systems that see risk before it materialises.” — Dr. Andrew Arowojolu.
The lesson for institutional leaders
Zain’s transformation is not a software story. It is governance design under conditions of regulatory heterogeneity. The company transitioned from fragmented records to a board-mandated, platform-enabled model that standardizes how obligations are captured and proven, while allowing for local law and regulator practices. The middle step, digitising a repository, mattered because it revealed scale. The decisive step was to treat regulatory compliance as infrastructure — a system with owners, data, evidence, and a cadence.
That choice clarifies what “maturity” means in the telecom industry. It is not perfection or absence of findings. It is the ability to map, assign, evidence, and adapt at a pace appropriate to networks that will soon carry 6G, AI-inflected traffic, and sovereign data workloads. The platform Zain chose, and the governance model it supports, are instruments of that maturity. The strategic bet is that proof of regulatory compliance will not only prevent fines and reputational damage but also determine who is trusted to build the next layer of digital infrastructure.