GSMA | New GSMA report warns that fragmented cybersecurity regulation is driving up costs and increasing risk for mobile operators

The mobile industry, supported by the GSMA, calls for harmonized, risk-based and collaborative policy frameworks to strengthen global cyber resilience.

26^th November 2025, Doha: The GSMA today published a major new independent study, The impact of cybersecurity regulation on mobile operatorsrevealing that mobile operators are spending between Between 15,000 and 19,000 million dollars a year on basic cybersecurity activities, a figure that is expected to increase by Between 40,000 and 42,000 million dollars between now and 2030. Despite this significant investment, mobile network operators, which form the backbone of digital economies around the world, are plagued by poorly designed, misaligned or overly prescriptive regulations, resulting in unnecessary costs, diverting resources from true risk mitigation and, in some cases, increasing exposure to cyber threats.

Michaela Angonius, Head of Policy and Regulation at GSMAsaying: “Mobile networks carry the digital heartbeat of the world. As cyber threats increase, operators are investing heavily to keep societies safe, but regulation must help, not hinder, those efforts. This report makes clear that cybersecurity frameworks work best when they are harmonized, risk-based, and trust-based. When done wrong, regulation can redirect critical resources away from real security improvements and toward compliance for its own sake.”

A global perspective

Developed in partnership with Frontier Economics, the report is based on economic analysis and interviews with traders representing the Africa, Asia Pacific, Europe, Latin America, Middle East and North America regions. It highlights how the rapidly changing nature of cyber threats is increasing costs and complexity for mobile operators around the world, making collaboration between governments in different jurisdictions and engagement with the industry vital to avoid unnecessary costs for those operators present in multiple markets.

Policy misalignment is creating unnecessary burdens:

The study identifies widespread challenges across markets, including:

• Fragmented and inconsistent regulationforcing operators to comply with overlapping or conflicting requirements from multiple agencies.
• A proliferation of reporting obligationswhich sometimes requires the same incident to be reported multiple times in different formats.
• Prescriptive “check the box” rules that demand tools or processes rather than focusing on real-world security outcomes.

An operator reported that even 80% of your cybersecurity operations team's time is spent on audits and compliance tasks, rather than threat detection or incident response.

Despite these pressures, operators emphasized that ensuring secure mobile networks is a priority for their customers and for society as a whole in a digitally connected world.

Six principles for effective cybersecurity regulation:

The report outlines a plan for governments and policymakers to create more secure and efficient frameworks and design cybersecurity policies according to six core principles:

• Harmonization: Align cybersecurity policy with international standards where possible, to reduce fragmentation and regulatory inconsistency.
• Consistency: Ensure that new policies and frameworks are consistent with existing policies to avoid duplication or conflict.
• Based on risks and outcomes: Adopt risk- and outcome-based approaches in the design and implementation of cybersecurity regulations, giving operators flexibility to innovate.
• Collaboration: Promote a collaborative regulatory culture with industry, supported by the secure sharing of threat intelligence.
• Security by design: Encourage a proactive security by design approach to mitigate cyber risks.
• Capacity building: Strengthen the institutional capacity of cybersecurity authorities to ensure a whole-of-government approach and the effective application of policies and regulations.

The report warns that unilateral and fragmented approaches increase vulnerabilities and create inefficiencies for global operators.

Michaela Angonius added: “Cybersecurity is a shared responsibility. To protect citizens and critical social services, regulators and operators must work together, guided by a common set of principles. When policies are consistent and focused on outcomes, the entire digital ecosystem becomes more secure.”

A call for coordinated global action:

The mobile industry, supported by the GSMA, calls on governments and regulators to minimize unnecessary burdens on mobile operators by collaborating and creating trusted frameworks and mechanisms that encourage innovation to enable mobile networks to remain secure, resilient and able to support the digital services on which societies increasingly depend.

For more information and access to the full report, see here.

– ENDS –

About the GSMA

The GSMA is a global organization that unifies the mobile ecosystem to discover, develop and deliver critical innovation for positive business environments and social change. Our vision is to unlock the full power of connectivity so that people, industry and society thrive. Representing mobile operators and organizations across the mobile ecosystem and adjacent industries, the GSMA offers its members three broad pillars: connectivity for good, industry services and solutions, and outreach. This activity includes advancing policy, addressing today's biggest societal challenges, supporting the technology and interoperability that make mobile devices work, and providing the world's largest platform to convene the mobile ecosystem at the MWC and M360 series of events.

We invite you to learn more at gsma.com