Mobile networks carry a great deal of the world’s digital activity, which makes operators a frequent target for attacks. A study released by the GSMA shows that operators spend between $15 and $19 billion a year on core cybersecurity functions. Spending could reach more than $40 billion by 2030. These figures do not include expenses tied to resilience, training, or governance.
Rising attack volumes test mobile network security
Security teams face attack volumes that exceed anything planned for a decade ago. Some operators record billions of attempts each year to scan for weaknesses or push malicious traffic into their networks. Outages linked to denial-of-service attacks remain common, and attempts to gain unauthorized access continue to rise.
The economic role of mobile access adds pressure. In many countries mobile networks are the main or only way people reach financial services, public portals, or health systems. A single breach can interrupt that activity and damage trust. That risk shapes how operators invest and how they respond to regulatory expectations.
Complex rules create friction
Security obligations do not come from a single law in most markets. They sit across telecom licences, national cyber rules, data protection laws, cloud policies, and in some regions rules for AI. Operators often must meet versions of the same requirement several times with different definitions and timelines. This creates friction and drains time from security teams.
Mobile operators face many overlapping layers of regulation that affect cybersecurity (Source: Frontier Economics)
In some markets, different agencies oversee different parts of the same incident. A breach involving personal data may require one form of disclosure while a service outage may require another. Each request uses its own format and process. Some operators said their teams spend long periods preparing reports for each agency even when the event is minor.
Cross-border variation adds to the burden. Countries within the same region can use different interpretations of shared frameworks. This forces operators to maintain separate compliance processes for each market, which increases cost and slows decision making.
Input-driven rules shift focus from risks
Many regulatory frameworks focus on required controls rather than security outcomes. Operators said this can encourage a box-ticking mindset that satisfies compliance but does little to reduce risk.
Some audits check for specific technologies even when newer or more suitable options exist. Some agencies issue unplanned information requests that are not tied to a threat. These tasks disrupt planned work inside security teams and make it harder to focus on detection or response.
Outcome-based and risk-based rules are easier to integrate into security programs. They give operators room to choose the right tools and practices for their networks. They also reduce the chance that teams will divert resources to activities that have limited effect on resilience.
When frameworks align, operators benefit
Horizontal cybersecurity laws that apply across critical infrastructure sectors give a shared baseline for protection. When combined with sector-specific guidance, they create a structure that is easier to update and interpret.
Global standards such as ISO 27001 reduce duplication when national rules map to them. Operators can show compliance through existing processes instead of creating new ones for each market. This approach also helps vendors and partners that support several operators across regions.
Well-run institutions matter as well. Defined mandates and the right expertise make oversight predictable. Weak or undefined mandates have the opposite effect and often lead to conflicting requests or uneven enforcement.
“Cybersecurity is a shared responsibility. To protect citizens and critical societal services, regulators and operators should work together, guided by a common set of principles. When policy is coherent and outcomes-focused, the entire digital ecosystem becomes safer,” said Michaela Angonius, GSMA Head of Policy and Regulation.
Uneven impact across markets
Operators in low- and middle-income countries face particular strain. Mobile access often replaces fixed broadband in these markets. It also supports mobile money, government services, and remote work. But operators in these regions often report lower revenue per user, which limits available investment for security.
When regulatory demands increase without regard for local conditions, these operators may struggle to keep pace. This creates weak points in a global system where attackers look for the easiest path into interconnected networks.
Principles that support consistent policy
The study outlines six principles for policymakers, which include aligning with global standards, reducing duplication, centering rules on outcomes and risk, improving information sharing, promoting security by design, and building strong institutions to enforce them.
Each principle supports the same idea. Operators need rules that are well defined, proportionate, and stable. When frameworks meet those conditions, operators can invest in measures that reduce risk instead of spending time on procedural work.
