According to industry organization GSMA, poorly designed regulations cause unnecessary costs and distract from real risks. Mobile operators spend between $15 billion and $19 billion (€13 billion to €16.4 billion) annually on cybersecurity. That amount is expected to rise to $40 billion to $42 billion by 2030.
The GSMA issues this warning in a study entitled ‘The Impact of Cybersecurity Regulation on Mobile Operators’. The report reveals that mobile operators face poorly designed, inconsistent, or overly prescriptive regulations. This results in unnecessary costs and diverts resources away from actual risk mitigation.
“Mobile networks carry the world’s digital heartbeat,” said Michaela Angonius, GSMA Head of Policy and Regulation. “As cyber threats escalate, operators are investing heavily to keep societies safe – but regulation must help, not hinder, those efforts.”
Fragmentation and overlapping obligations
The study identifies widespread challenges across multiple markets. Operators face fragmented, inconsistent regulations that require them to comply with overlapping or conflicting requirements from multiple agencies. In addition, there is a proliferation of reporting obligations. Sometimes the same incident must be reported numerous times in different formats.
Prescriptive “check-box” rules that prescribe tools or processes rather than focusing on actual security outcomes are an additional burden. One operator reported that up to 80 percent of their cybersecurity operations team’s time is spent on audits and compliance tasks, rather than threat detection or incident response.
Six principles for effective regulation
The report outlines a blueprint for governments and policymakers to build safer and more efficient frameworks. The GSMA presents six core principles: harmonization with international standards, consistency with existing policies, risk- and results-based approach, collaboration with industry, security-by-design, and capacity building.
The study warns that unilateral, fragmented approaches increase vulnerabilities and create inefficiencies for global operators. The telecom cybersecurity market reached $45.23 billion in 2025 and is expected to grow to $78.42 billion by 2030.
“Cybersecurity is a shared responsibility,” said Angonius. “To protect citizens and critical societal services, regulators and operators should work together, guided by a common set of principles. When policy is coherent and outcomes-focused, the entire digital ecosystem becomes safer.”
The mobile industry calls on governments and regulators to minimize unnecessary burdens on operators by working together to create reliable frameworks that promote innovation. This will enable mobile networks to remain secure, resilient, and able to support the digital services on which society increasingly relies.