Mobile industry warns patchwork cyber regs are driving up costs
(2025/11/26)
- Reference: 1764177167
- News link: https://www.theregister.co.uk/2025/11/26/gsma_global_standards_mobile_industry/
Mobile operators' core cybersecurity spending is projected to more than double by 2030 as threats evolve, while poorly designed and fragmented policy frameworks add extra compliance costs, according to industry group the GSMA.
The lobbying organization has pushed out a report calling for national policymakers to simplify compliance and incident reporting to make the job of the network operators easier. It also wants to see greater international coordination between governments and regulators to build those frameworks around common standards.
In many countries, providers face a patchwork of overlapping laws and sector-specific policies, or are at the mercy of multiple regulatory bodies, the GSMA claims. This can result in higher compliance costs and duplicate reporting, diverting resources from effective risk mitigation efforts to ensuring compliance instead.
The 42-page [2]report [PDF], The Impact of Cybersecurity Regulation on Mobile Operators, notes that security threats are rising rapidly worldwide, with the number of attacks increasing by about 75 percent over the past five years.
It estimates that mobile operators globally spend between $15 billion and $19 billion annually on "core" cybersecurity activities, and this is projected to rise to between $40 billion and $42 billion by 2030 as threats evolve to become more sophisticated.
According to the report, the costs associated with cybersecurity regulations largely fall into three categories.
The first covers obligations that align with or extend the measures operators already implement, ensuring minimum standards without adding significant costs to those firms that meet the requirements.
Another comprises regulations that require mobile operators to do things differently, but not always better. These may have the same objectives, the GSMA says, but lead to operators having to implement additional activities or incur extra costs, such as investing in mandated technologies.
The third covers obligations that do not directly improve cybersecurity but arise from demonstrating compliance, with some operators reporting that half of their cybersecurity operations teams are occupied with compliance tasks rather than identifying threats or managing risks.
[6]6G isn't even here yet but mobile industry wants triple the spectrum
[7]Half the world's online via mobile, but growth is slowing
[8]Satellite phone tech coming to your mobe this year – but who pays for it?
[9]Boffins say tool can sniff 5G traffic, launch 'attacks' without using rogue base stations
In order to make life easier for operators, the GSMA would like to see security policies align with international standards, such as ISO 27001 or the NIST Cybersecurity Framework, and for regulators to ensure new policies and frameworks are consistent.
Cybersecurity regulation should be enforced through engagement not punishment, it says, which sounds like a plea not to be fined for breaking the rules. In the same vein, it says that governments should avoid relying on post-incident compliance enforcement and instead incentivize long-term investment in prevention.
These recommendations do not require major new investment, according to the GSMA, but rather a shift in approach toward collaboration, trust, and shared responsibility.
"This report makes it clear that cybersecurity frameworks work best when they are harmonized, risk-based and built on trust," GSMA's Head of Policy and Regulation Michaela Angonius said in a canned statement.
"To protect citizens and critical societal services, regulators and operators should work together, guided by a common set of principles. When policy is coherent and outcomes-focused, the entire digital ecosystem becomes safer." ®
[2] https://www.gsma.com/solutions-and-impact/connectivity-for-good/public-policy/wp-content/uploads/2025/11/Impact-of-Cybersecurity-Regulation-on-Mobile-Operators.pdf
[6] https://www.theregister.com/2025/11/24/gsma_6g_spectrum/
[7] https://www.theregister.com/2024/10/28/gsma_mobile_internet/
[8] https://www.theregister.com/2025/04/10/satellite_phone_service/
[9] https://www.theregister.com/2025/08/18/sni5gect/
You asked for it, you got it.
Anonymous Coward
If any customer data you hold is accessed by any unauthorised entity, you must notify every customer in every jurisdiction for whom you hold any data for any reason anywhere. This applies to a breach of any entity with any access to any customer data held by you or for you.
How's that? Is that simple enough for you?
Re: You asked for it, you got it.
Doctor Syntax
Just "notify"? "Make good", whether that's by compensation, providing protection against consequential damage - whatever it takes.
"Cybersecurity regulation should be enforced through engagement not punishment"
Translation: all carrot, no stick.