Fragmented security regulation is costing mobile operators billions, diverting budgets and personnel from effective threat mitigation toward administrative compliance tasks.
Security leaders in the telecoms sector now manage far more than network perimeter defence. A GSMA-commissioned report shows that mobile operators are navigating a tangled mix of overlapping mandates that can hinder innovation and inflate operational costs without necessarily improving security outcomes.
Escalating cost of mobile network security
The financial burden of network defence is rising quickly. Globally, mobile operators currently spend an estimated $15 billion to $19 billion annually on core cybersecurity activities. That covers technical security functions and threat monitoring teams but typically excludes broader resilience work such as governance, training, and continuity planning.
As the cyber threat landscape intensifies—global cybercrime costs are projected to reach $10.5 trillion by 2025—operators expect their defence spending to surge. By 2030, security budgets for mobile operators are forecast to climb to roughly $40 billion–$42 billion.
While this increased investment is essential, its efficiency is under scrutiny. The report finds a significant share of spending absorbed by regulatory fragmentation rather than active risk reduction. Poorly aligned frameworks can divert resources away from meaningful security improvements, slow incident response, and stifle innovation in protective technologies.
The compliance labyrinth
Multinational operators face an added burden from weak international harmonisation. Cyber threats do not respect borders, yet policy and enforcement are national, producing divergent requirements across countries. Even within the European Union, directives like NIS2 produce variation through differing national implementations.
Within single jurisdictions, complexity grows. Operators must reconcile a patchwork of interlinked rules spanning multiple sectors and domains, including:
- Horizontal regulation: national cybersecurity strategies and rules that apply to essential national infrastructure.
- Vertical regulation: telecom-specific licensing and sectoral security requirements.
- Adjacent policy: data protection regimes such as GDPR and emerging AI governance frameworks.
This regulatory mosaic creates operational friction. In Europe, overlaps between the Cyber Resilience Act (CRA), the Digital Operational Resilience Act (DORA), and the NIS2 Directive require operators to reconcile potentially conflicting obligations.
One operator described the tension between security transparency and privacy compliance: “If we disclose too little, we risk non-compliance with cybersecurity obligations; if we disclose too much, we may breach data protection rules.”
As a result, many operators adopt a “gold-plating” strategy—applying the strictest standard across all markets to ensure global compliance. An Asia-Pacific operator summed this up: “When requirements differ, we design systems to meet the strictest mandate.”
That approach raises costs but does not necessarily deliver a proportionate improvement in security posture.
From box-ticking to outcome-based mobile security
The industry criticises prescriptive, input-focused regulation for encouraging a box-ticking mindset. Rigid rules that mandate specific technologies or processes risk becoming outdated quickly and can block adoption of modern defences such as AI-driven detection or secure cloud architectures.
The report recommends shifting toward outcome-based regulation: set clear security objectives but allow operators flexibility in how they meet them. This approach enables operators to tailor measures to their technologies, threats and risk profiles without being constrained by detailed technical prescriptions.
Australia’s Security of Critical Infrastructure (SOCI) Act is cited as an example that emphasises outcomes over prescriptive inputs, requiring operators to achieve defined security results while allowing flexibility in implementation.
The trust deficit in intelligence sharing
Timely threat intelligence sharing is central to effective mobile security, yet the report highlights a trust deficit between regulators and operators. Operators are often required to report incidents but see limited reciprocal value from authorities.
In environments where oversight feels punitive or where trust is low, operators may treat compliance primarily as liability avoidance rather than collaborative defence. By contrast, trusted partnerships—such as the UK’s National Cyber Security Centre (NCSC) Industry 100 programme, which embeds private-sector experts into the agency—show how collaboration can produce practical, actionable guidance.
From fragmentation to cohesion
To curb rising costs and strengthen resilience, the report proposes a policy framework aligned with enterprise best practice.
- Harmonisation with international standards: Align national rules with globally recognised frameworks—ISO 27001, NIST and similar standards—to reduce duplication. ENISA’s mapping of NIS2 to ISO standards is an example that helps operators use existing internal controls rather than creating parallel compliance structures.
- Security-by-design: Regulation should encourage proactive risk reduction and embed security into systems from the start, complementing incident response with clear, outcome-based expectations.
- Capacity building: Effective regulation requires well-resourced, technically capable agencies. Regulators lacking expertise or resources can undermine enforcement, create unpredictability, and weaken deterrence, so operators need agencies able to engage in technical dialogue rather than just administrative checks.
For telecom executives, the takeaway is that mobile security is no longer just a technical concern but a core business imperative that affects strategy, operations and customer trust.
As the GSMA report concludes, well-crafted frameworks can preserve sector-specific flexibility while supporting coherent national cybersecurity strategies. Without greater coherence, the industry risks spending billions on compliance rather than on measures that materially improve defence.
Telecoms is produced by TechForge Media.