Regulatory change could double cybersecurity costs for mobile operators by 2030

A GSMA report warns that escalating cyber threats and fragmented regulations are driving mobile operators’ cybersecurity investments towards an estimated $42 billion annually by 2030, highlighting the need for coherent policy frameworks to secure the digital infrastructure.

Mobile network operators are pouring ever-larger sums into defending the infrastructure that underpins modern digital life, a trend that industry analysis says will intensify as cyber threats proliferate and regulatory demands multiply. According to the original GSMA report, operators now devote between $15 billion and $19 billion a year to core cybersecurity activities, a bill the study projects could grow to between $40 billion and $42 billion by 2030. ^[1][2][3]

The report, produced by the GSMA in partnership with Frontier Economics, argues that rising costs are not driven by adversaries alone. Poorly designed, misaligned or overly prescriptive regulation is imposing avoidable expenses on operators, diverting resources away from threat detection and incident response and, paradoxically, in some cases increasing exposure to cyber threats. Industry commentators and related coverage note the same core finding: fragmented regulatory regimes are inflating operational costs without guaranteeing better outcomes. ^[1][3][4]

Michaela Angonius, GSMA Head of Policy and Regulation, underlined the centrality of mobile networks to contemporary life, saying mobile networks now carry “the world’s digital heartbeat”. She told reporters that regulation should support , not hinder , operators’ efforts to secure critical infrastructure. “As cyber threats escalate, operators are investing heavily to keep societies safe, but regulation must help, not hinder, those efforts,” she added. ^[1]

Operators interviewed for the study described practical pain points. Many must comply with overlapping or contradictory rules from different government agencies, and some face onerous reporting obligations that require the same incident to be logged multiple times in different formats. One operator cited in the report said as much as 80 per cent of its cybersecurity operations team’s time is spent on audits and compliance activities rather than on threat detection or incident response. ^[1][5]

The report calls out prescriptive, box‑ticking regulatory approaches as particularly counterproductive: where laws mandate specific tools or processes rather than focusing on real‑world outcomes, regulators can inadvertently force firms to prioritise compliance paperwork over substantive security improvements. Telecommunications sector coverage echoes this conclusion, warning that a labyrinth of overlapping mandates can stifle innovation and inflate costs. ^[1][4][5]

To reduce those unintended effects, the GSMA sets out six principles for policymakers. These include harmonising national policies with international standards to reduce fragmentation, ensuring consistency with existing frameworks to avoid duplication, and adopting risk‑ and outcome‑based approaches that permit operators flexibility to innovate. The report also recommends promoting regulator‑industry collaboration for secure threat intelligence sharing, encouraging security‑by‑design, and strengthening the institutional capacity of cybersecurity authorities for whole‑of‑government implementation. ^[1][3]

The industry case for regulatory coordination is reinforced by broader data on cyber risk and investment. Global estimates of cybercrime costs and projections for increased defensive spending underpin the urgency of the GSMA’s recommendations, and an allied GSMA release highlights that mobile network operators account for roughly 85% of global investment in mobile internet connectivity infrastructure , positioning them as keystone investors in the services that depend on secure networks. ^[4][7]

The GSMA and supporting analyses present cybersecurity as a shared responsibility requiring coherently designed public policy. The organisation is urging governments and regulators to work with operators to build trusted, coordinated frameworks that support innovation, resilience and long‑term network security, rather than imposing fragmented obligations that can weaken the very systems they aim to protect. “Cybersecurity is a shared responsibility,” Angonius said. “To protect citizens and critical societal services, regulators and operators should work together, guided by a common set of principles. When policy is coherent and outcomes‑focused, the entire digital ecosystem becomes safer.” ^[1]

📌 Reference Map:

##Reference Map:

• ^[1] (Punch) – Paragraph 1, Paragraph 2, Paragraph 3, Paragraph 4, Paragraph 5, Paragraph 6, Paragraph 8
• ^[2] (GSMA press release) – Paragraph 1, Paragraph 2
• ^[3] (GSMA report page) – Paragraph 1, Paragraph 2, Paragraph 6
• ^[4] (TelecomsTechNews) – Paragraph 2, Paragraph 5, Paragraph 7
• ^[5] (Telecoms.com) – Paragraph 4, Paragraph 5
• ^[7] (PR Newswire) – Paragraph 7

Source: Fuse Wire Services