The Groupe Spéciale Mobile Association (GSMA) has warned that fragmented cybersecurity regulation is raising costs and increasing mobile operators’ risk. GSMA, in a new independent study titled “The Impact of Cybersecurity Regulation on Mobile Operators,” revealed that mobile operators are spending between $15-19 billion yearly on core cybersecurity activities, a figure expected to rise to $40-42 billion by 2030.
Despite this significant investment, the telecom body said mobile network operators, which form the backbone of digital economies worldwide, are impacted by poorly designed, misaligned or overly prescriptive regulation, which results in unnecessary costs, diverts resources from genuine risk mitigation and, in some cases, increases exposure to cyber threats.
GSMA Head of Policy and Regulation, Michaela Angonius, said: “Mobile networks carry the world’s digital heartbeat. As cyber threats escalate, operators are investing heavily to keep societies safe – but regulation must help, not hinder, those efforts. This report makes clear that cybersecurity frameworks work best when they are harmonised, risk-based and built on trust. When done poorly, regulation can redirect critical resources away from real security improvements and toward compliance for its own sake.”
Developed in partnership with Frontier Economics, the report drew on economic analysis and operator interviews representing the Africa, Asia Pacific, Europe, Latin America, Middle East and North America regions. It highlighted how the fast-changing nature of cyber threats is driving up the costs and complexity for mobile operators across the globe, making collaboration between governments in different jurisdictions and engagement with industry vital in avoiding unnecessary costs for those operators present in multiple markets.
The study identified widespread challenges across markets, including fragmented and inconsistent regulation, forcing operators to comply with overlapping or contradictory requirements from multiple agencies.
It also pointed to the proliferation of reporting obligations, sometimes requiring the same incident to be reported multiple times in different formats.
There are also prescriptive “box-ticking” rules that mandate tools or processes rather than focusing on real-world security outcomes. According to GSMA, one operator reported that up to 80 per cent of its cybersecurity operations team’s time is spent on audits and compliance tasks, rather than threat detection or incident response.
Despite these pressures, operators emphasised that ensuring safe and secure mobile networks is a priority for their customers and for society as a whole in a digitally connected world.
The report outlined a blueprint for governments and policymakers to build more secure and efficient frameworks and design cybersecurity policies according to six core principles.
The first is harmonisation, where GSMA said there is a need to align cybersecurity policy with international standards where possible, to reduce regulatory fragmentation and inconsistency.
It called for consistency, saying there is a need to ensure new policies and frameworks are consistent with existing policy to avoid duplication or conflict.
The third principle is a risk- and outcome-based approach. Here, the telecom body emphasised the need to adopt risk- and outcome-based approaches in the design and implementation of cybersecurity regulation, giving operators flexibility to innovate.
GSMA also stressed the importance of collaboration, in the form of a collaborative regulatory culture with industry, supported by secure threat intelligence sharing.
It emphasised security-by-design, saying there is a need to encourage a proactive, security-by-design approach to mitigating cyber risks.
The body equally emphasised capacity-building, saying it is important to strengthen the institutional capacity of cybersecurity authorities to ensure a whole-of-government approach and effective application of policy and regulation.
The report warned that unilateral, fragmented approaches heighten vulnerabilities and create inefficiencies for global operators. Angonius added: “Cybersecurity is a shared responsibility. To protect citizens and critical societal services, regulators and operators should work together, guided by a common set of principles. When policy is coherent and outcomes-focused, the entire digital ecosystem becomes safer.”
The mobile industry, supported by the GSMA, called on governments and regulators to minimise unnecessary burdens on mobile operators by collaborating and building trusted frameworks and mechanisms that foster innovation to enable mobile networks to remain secure, resilient, and capable of supporting the digital services that societies increasingly rely on.