Mobile network operators are spending ever larger sums to protect the infrastructure that underpins the global digital economy, with annual cybersecurity costs expected to surge to as much as $42 billion by 2030 as regulatory demands add to mounting cyber risks, according to a new study by the GSMA.
The industry currently devotes between $15 billion and $19 billion a year to core cybersecurity activities, the mobile trade body said in its report, “The Impact of Cybersecurity Regulation on Mobile Operators”.
While rising cyber threats are a major factor, the GSMA argued that a growing share of the cost burden is being driven by poorly designed, fragmented or overly prescriptive regulation that diverts resources away from real risk reduction.
“Mobile networks now carry the world’s digital heartbeat. As cyber threats escalate, operators are investing heavily to keep societies safe, but regulation must help, not hinder, those efforts,” Michaela Angonius, the GSMA’s head of policy and regulation, said at the report’s launch.
Developed in partnership with Frontier Economics, the study draws on economic analysis and interviews with mobile operators across Africa, Asia Pacific, Europe, Latin America, the Middle East and North America, offering a global view of how fast-evolving cyber threats and regulatory complexity are reshaping network security spending.
According to the report, operators that run networks across multiple jurisdictions face some of the steepest challenges. Fragmented and inconsistent rules often force compliance with overlapping, and in some cases contradictory, requirements imposed by different government agencies, driving up costs without necessarily improving security outcomes.
Read also:
The GSMA said reporting obligations are becoming a particular strain, with operators sometimes required to report the same cybersecurity incident multiple times, in different formats, to different authorities. This, the study found, places additional pressure on security teams already stretched by the need to monitor and respond to increasingly sophisticated threats.
Prescriptive, box-ticking approaches to regulation were highlighted as especially counterproductive. Rather than focusing on real-world security outcomes, some rules mandate specific tools or processes, limiting operators’ flexibility to adapt to evolving risks. One operator cited in the report said as much as 80 per cent of its cybersecurity operations team’s time is spent on audits and compliance, rather than on threat detection or incident response.
Despite these pressures, mobile operators told the GSMA that securing networks remains a top priority for customers and for society, particularly as economies and public services become ever more dependent on digital connectivity.
To address the rising costs and complexity, the report outlines six principles that governments and policymakers are urged to adopt when designing cybersecurity regulation. These include harmonising national policies with international standards, ensuring consistency with existing frameworks to avoid duplication, and adopting risk- and outcome-based approaches that allow operators to innovate.
Other recommendations include deeper collaboration between regulators and industry through secure threat-intelligence sharing, promoting security-by-design in network development, and strengthening the institutional capacity of cybersecurity authorities to ensure coordinated, whole-of-government implementation.
The GSMA warned that unilateral and fragmented regulatory approaches could not only inflate costs for global operators but also increase vulnerabilities across mobile networks, potentially undermining the security of critical digital services.
“Cybersecurity is a shared responsibility. When policy is coherent and outcomes-focused, regulators and operators can work together to make the entire digital ecosystem safer,” Angonius said.
The mobile industry is now urging governments to reduce unnecessary regulatory burdens and build trusted, coordinated cybersecurity frameworks that support innovation, resilience and long-term network security, the GSMA said.
