Mobile operators are spending $15-19bn annually on core cyber-security activities, a figure expected to rise to $40-42bn by 2030, according to the GSMA.

Despite this significant investment, mobile network operators, who form the backbone of digital economies worldwide, are impacted by poorly designed, misaligned or overly prescriptive regulation, which results in unnecessary costs, diverting resources from genuine risk mitigation, and in some cases increasing exposure to cyber threats.

“Mobile networks carry the world’s digital heartbeat,” said Michaela Angonius, GSMA head of policy and regulation. “As cyber threats escalate, operators are investing heavily to keep societies safe, but regulation must help, not hinder, those efforts. This report makes clear that cyber-security frameworks work best when they are harmonised, risk-based and built on trust. When done poorly, regulation can redirect critical resources away from real security improvements and towards compliance for its own sake.”

Developed in partnership with Frontier Economics (www.frontier-economics.com), the report draws on economic analysis and operator interviews representing Africa, Asia Pacific, Europe, Latin America, Middle East and North America regions. It highlights how the fast-changing nature of cyber threats is driving up the costs and complexity for mobile operators across the globe, making collaboration between governments in different jurisdictions and engagement with industry vital in avoiding unnecessary costs for those operators present in multiple markets.

The study identifies widespread problems across markets, including:

• Fragmented and inconsistent regulation, forcing operators to comply with overlapping or contradictory requirements from multiple agencies.
• A proliferation of reporting obligations, sometimes requiring the same incident be reported multiple times in different formats.
• Prescriptive box-ticking rules that mandate tools or processes rather than focusing on real-world security outcomes.

One operator reported that up to 80% of their cyber-security operations team’s time is spent on audits and compliance tasks, rather than threat detection or incident response.

Despite these pressures, operators emphasised that ensuring safe and secure mobile networks was a priority for their customers and for society as a whole in a digitally connected world.

The report outlines a blueprint for governments and policymakers to build more secure and efficient frameworks, and design cyber-security policies according to six core principles:

• Harmonisation: Align cyber-security policy with international standards where possible, to reduce regulatory fragmentation and inconsistency.
• Consistency: Ensure new policies and frameworks are consistent with existing policy to avoid duplication or conflict.
• Risk- and outcome-based: Adopt risk- and outcome-based approaches in the design and implementation of cyber-security regulation, giving operators flexibility to innovate.
• Collaboration: Promote a collaborative regulatory culture with industry, supported by secure threat intelligence sharing.
• Security-by-design: Encourage a proactive, security-by-design approach to mitigating cyber risks.
• Capacity-building: Strengthen the institutional capacity of cyber-security authorities to ensure a whole-of-government approach and effective application of policy and regulation.

The report warns that unilateral, fragmented approaches heighten vulnerabilities and create inefficiencies for global operators.

“Cyber security is a shared responsibility,” said Angonius. “To protect citizens and critical societal services, regulators and operators should work together, guided by a common set of principles. When policy is coherent and outcomes-focused, the entire digital ecosystem becomes safer.”

The mobile industry, supported by the GSMA (www.gsma.com), is calling on governments and regulators to reduce unnecessary burdens on mobile operators by collaborating and building trusted frameworks and mechanisms that foster innovation to enable mobile networks to remain secure, resilient, and capable of supporting the digital services on which societies increasingly rely.

For more on the report, go to www.gsma.com/solutions-and-impact/connectivity-for-good/public-policy/wp-content/uploads/2025/11/Impact-of-Cybersecurity-Regulation-on-Mobile-Operators.pdf.