GSMA: Security Regulation Leads to Unnecessary Costs and Risks

The GSMA has released a study, The Impact of Cybersecurity Regulation on Mobile Operators, revealing that mobile operators worldwide are spending between US $15-19 billion annually on cybersecurity, a figure expected to rise to US $40-42 billion by 2030.

Despite this significant investment, mobile network operators are impacted by poorly designed, misaligned or overly prescriptive regulation, which results in unnecessary costs, diverting resources from genuine risk mitigation, and in some cases increasing exposure to cyber threats.

Backbone of Digital Economies

Michaela Angonius, GSMA Head of Policy and Regulation, said: “Mobile networks carry the world’s digital heartbeat. As cyber threats escalate, operators are investing heavily to keep societies safe – but regulation must help, not hinder, those efforts. This report makes clear that cybersecurity frameworks work best when they are harmonised, risk-based and built on trust. When done poorly, regulation can redirect critical resources away from real security improvements and toward compliance for its own sake.”

A global perspective
Developed in partnership with Frontier Economics, the report draws on economic analysis and operator interviews representing the Africa, Asia Pacific, Europe, Latin America, Middle East and North America regions. It highlights how the fast-changing nature of cyber threats is driving up the costs and complexity for mobile operators across the globe, making collaboration between governments in different jurisdictions and engagement with industry vital in avoiding unnecessary costs for those operators present in multiple markets.

Policy misalignment is creating unnecessary burdens:
The study identifies widespread challenges across markets, including:

  • Fragmented and inconsistent regulation, forcing operators to comply with overlapping or contradictory requirements from multiple agencies.
  • A proliferation of reporting obligations, sometimes requiring the same incident to be reported multiple times in different formats.
  • Prescriptive ‘box-ticking’ rules that mandate tools or processes rather than focusing on real-world security outcomes.

One operator reported that up to 80% of their cybersecurity operations team’s time is spent on audits and compliance tasks, rather than threat detection or incident response.

Despite these pressures, operators emphasised that ensuring safe and secure mobile networks is a priority for their customers and for society as a whole in a digitally connected world.

Six principles for effective cybersecurity regulation:
The report outlines a blueprint for governments and policymakers to build more secure and efficient frameworks, and design cybersecurity policies according to six core principles:

  • Harmonisation: Align cybersecurity policy with international standards where possible, to reduce regulatory fragmentation and inconsistency.
  • Consistency: Ensure new policies and frameworks are consistent with existing policy to avoid duplication or conflict.
  • Risk- and outcome-based: Adopt risk- and outcome-based approaches in the design and implementation of cybersecurity regulation, giving operators flexibility to innovate.
  • Collaboration: Promote a collaborative regulatory culture with industry, supported by secure threat intelligence sharing.
  • Security-by-design: Encourage a proactive, security-by-design approach to mitigating cyber risks.
  • Capacity-building: Strengthen the institutional capacity of cybersecurity authorities to ensure a whole-of-government approach and effective application of policy and regulation.

The report warns that unilateral, fragmented approaches heighten vulnerabilities and create inefficiencies for global operators.

Michaela Angonius added: “Cybersecurity is a shared responsibility. To protect citizens and critical societal services, regulators and operators should work together, guided by a common set of principles. When policy is coherent and outcomes-focused, the entire digital ecosystem becomes safer.”

Call for coordinated global action
The mobile industry, supported by the GSMA, is calling on governments and regulators to minimise unnecessary burdens on mobile operators by collaborating and building trusted frameworks and mechanisms that foster innovation to enable mobile networks to remain secure, resilient, and capable of supporting the digital services that societies increasingly rely on.
