New GSMA Report Highlights Costs and Risks of Fragmented Cybersecurity Regulations for Mobile Operators

Introduction

In an increasingly digital world, the importance of cybersecurity cannot be overstated. A recent independent study by GSMA, titled "The Impact of Cybersecurity Regulation on Mobile Operators", has underscored the significant financial burden that fragmented cybersecurity regulations place on mobile operators globally. The report, released on November 26, 2025, suggests that mobile operators spend between $15 billion and $19 billion annually on essential cybersecurity measures, a figure that is anticipated to escalate to between $40 billion and $42 billion by 2030.

Key Findings

Despite heavy investment in cybersecurity, mobile network operators face the challenge of poorly designed, inappropriate, or overly restrictive regulations. Such regulations not only incur unnecessary costs but also divert resources away from actual risk mitigation efforts. In some instances, they may even increase the susceptibility of these networks to cyber threats.

Michaela Angonius, GSMA's head of policy and regulation, emphasized, "Mobile networks are the digital heartbeat of the world. Given the rise in cyber threats, operators are investing significantly in the security of society—but regulations must support these efforts, not impede them." The report illustrates that cybersecurity frameworks are most effective when they are harmonized, risk-based, and built on trust. Poorly implemented regulations can lead to situations where valuable resources are devoted to mere compliance rather than genuine improvements in security.

Global Perspective

Created in collaboration with Frontier Economics, the GSMA report draws upon economic analyses and interviews with operators across varied regions, including Africa, the Asia-Pacific, Europe, Latin America, the Middle East, and North America. It highlights the rapidly evolving nature of cyber threats, which drives up costs and complexity for mobile operators worldwide. The findings point to the crucial need for collaborative efforts between governments across jurisdictions and industry stakeholders to prevent unnecessary costs for operators working across various markets.

Challenges Identified

The study reveals widespread issues faced by operators in different markets, including:

- Fragmented and inconsistent regulations that compel operators to adhere to overlapping or contradictory requirements from multiple authorities.
- An array of reporting obligations, which occasionally necessitate reporting the same incident in different formats multiple times.
- Prescriptive 'checkbox' rules that focus less on actual security outcomes.

One operator reported that their cybersecurity team dedicates up to 80% of their time to audits and compliance tasks instead of actively detecting threats or responding to incidents. Nevertheless, operators remain committed to ensuring secure mobile networks for the benefit of their customers and society as a whole.

Recommendations for Effective Cybersecurity Regulation

The report lays out a blueprint for governments and policymakers aimed at fostering safer and more efficient regulatory frameworks, informed by six key principles:
1. Harmonization - Align cybersecurity policies with international standards to minimize regulatory fragmentation and inconsistencies.
2. Consistency - Ensure that new policies align with existing ones to avoid overlap or conflicts.
3. Risk and outcome-oriented - Design and implement regulations that are risk-based and outcome-focused, allowing operators room for innovation.
4. Collaboration - Encourage a cooperative culture with industry stakeholders in regulation supported by secure sharing of threat information.
5. Security by design - Promote a proactive, security-oriented approach to managing cyber risks.
6. Capacity building - Enhance the institutional capacities of cybersecurity authorities to assure a comprehensive approach and effective policy enforcement.

The report warns that unilateral, fragmented approaches may heighten vulnerabilities and create inefficiencies for global operators.

Michaela Angonius also noted, "Cybersecurity is a shared responsibility. To protect citizens and critical societal services, regulators and operators must work together guided by common principles. When policy is coherent and outcome-oriented, the entire digital ecosystem will be more secure."

Call for Coordinated Global Actions

The mobile industry, backed by GSMA, urges governments and regulatory bodies to mitigate unnecessary burdens on mobile operators by collaborating to establish trusted frameworks and mechanisms. These should aim to foster innovation, ensure the ongoing security and resilience of mobile networks, and support the digital services that society increasingly relies on.

For more information and access to the full report, visit the GSMA's official website.