The GSMA study, The Impact of Cybersecurity Regulation on Mobile Operators, reveals that annual spending on core cybersecurity activities by mobile operators currently stands at US $15-19 billion and is projected to soar to US $40-42 billion by 2030.
The report highlights a pressing concern for mobile operators globally: fragmented cybersecurity regulation is significantly increasing costs and vulnerabilities in the industry.
"Mobile networks carry the world's digital heartbeat," said Michaela Angonius, GSMA head of policy and regulation. "As cyber threats escalate, operators are investing heavily to keep societies safe – but regulation must help, not hinder, those efforts."
The report underscores the vital need for harmonised, risk-based, and collaborative regulatory frameworks to bolster global cyber resilience. The findings indicate that the fast-evolving nature of cyber threats complicates the regulatory landscape, with many operators facing overlapping and contradictory requirements from diverse agencies.
This fragmentation often forces operators to divert resources from actual risk mitigation strategies towards compliance with cumbersome regulations. One operator reported that up to 80% of their cybersecurity team’s time is spent on audits and compliance tasks rather than addressing real threats.
Figure: Mobile operators face many overlapping layers of regulation that affect cybersecurity. Source: Frontier Economics.
The report identifies six principles essential for creating effective cybersecurity regulation:
Harmonisation: Align regulations with international standards to minimise fragmentation.
Consistency: Ensure new policies avoid duplication and align with existing frameworks.
Risk- and outcome-based: Design regulations that provide operators with flexibility to innovate, focusing on real-world security outcomes.
Collaboration: Foster a culture of cooperation between regulators and the industry, centred around secure threat intelligence sharing.
Security-by-design: Encourage a proactive approach to mitigating cyber risks.
Capacity-building: Enhance the capability of cybersecurity authorities for effective policy deployment.
Overall, the GSMA report stresses that a coherent regulatory environment is critical for protecting mobile networks, which serve as the backbone of digital economies.
"Cybersecurity is a shared responsibility. To protect citizens and critical societal services, regulators and operators should work together, guided by a common set of principles," said Michaela Angonius.
As the mobile industry calls for coordinated global action, it is imperative that governments collaborate with operators to create a secure and resilient digital infrastructure that can adequately support the services society increasingly relies on.