Fragmented security regulation costs mobile operators billions, diverting resources from threat mitigation toward administrative compliance.
For security execs in the telecoms sector, the remit has expanded well beyond securing network perimeters. A new report commissioned by the GSMA reveals that mobile operators are navigating a labyrinth of overlapping mandates that threatens to stifle innovation and inflate operational expenditures without necessarily improving security outcomes.
Escalating cost of mobile network security
The financial stakes regarding network defence are climbing rapidly. Mobile operators globally currently spend between $15 billion and $19 billion annually on “core” cybersecurity activities. This expenditure covers technical security functions and threat-monitoring teams but notably excludes broader resilience activities, such as governance and training.
As the threat landscape darkens, with global cybercrime costs expected to reach $10.5 trillion by 2025, operators are projecting their own defence spending to surge. By 2030, the cost of security for mobile operators is forecast to rise to between $40 billion and $42 billion.
While investment is necessary, the efficiency of this spend is under scrutiny. The report identifies that a considerable portion of these funds is absorbed by regulatory fragmentation rather than active risk reduction. When frameworks are poorly designed or misaligned, they “divert resources away from real security improvements, delay incident response, and stifle innovation in protective technologies.”
The compliance labyrinth
For multinational operators, the challenge is compounded by a lack of international harmonisation. Cyber threats are inherently transnational, yet policy is implemented nationally, leading to divergence between countries. Even within the European Union, where directives like NIS2 aim for consistency, operators face variations in national implementation.
The complexity deepens within individual jurisdictions. Operators must navigate a “web of interlinked regulations spanning multiple sectors and domains” including:
- Horizontal regulation: National cybersecurity strategies applicable to all essential national infrastructure.
- Vertical regulation: Sector-specific telecom rules.
- Adjacent policy: Data protection laws (e.g. GDPR) and emerging AI frameworks.
This regulatory patchwork creates operational friction. In Europe, the overlap between the Cyber Resilience Act (CRA), the Digital Operational Resilience Act (DORA), and the NIS2 Directive forces operators to reconcile conflicting obligations.
One mobile operator noted the friction between security and data privacy mandates: “If too little detail is disclosed, operators risk non-compliance with cybersecurity rules. If too much is disclosed, they risk breaching data protection regulations.”
Consequently, operators often resort to “gold-plating”—adopting the strictest standard across all requirements to ensure global compliance. As one Asia-Pacific operator explained: “When faced with different requirements, we need to follow the strictest mandate to design our cyber systems.”
This gold-plating approach drives up costs without ensuring a commensurate increase in security posture.
From box-ticking to outcome-based mobile security
A primary critique levelled by the industry is the prevalence of prescriptive, input-focused regulation. Formalistic approaches relying on compliance checklists often foster a “box-ticking” culture.
Prescriptive mandates can become rapidly obsolete. Requiring specific legacy technologies or rigid processes prevents operators from deploying modern, AI-driven threat detection or secure cloud-based services. The report advocates for a transition toward outcome-oriented regulation, which defines the security objective but leaves the implementation method to the operator’s discretion.
Australia’s Security of Critical Infrastructure (SOCI) Act is cited as a positive example of this model. It requires operators to meet specific security outcomes without prescribing the exact technologies, ensuring alignment between regulatory expectations and an operator’s specific risk profile.
The trust deficit in intelligence sharing
Effective mobile security relies heavily on the timely exchange of threat intelligence. However, the report highlights a breakdown in reciprocity between regulators and operators. While operators are often mandated to report incidents, many perceive a lack of value in return.
In jurisdictions where trust is low or oversight is punitive, operators may become cautious, viewing compliance as a liability avoidance exercise rather than a collaborative defence. Conversely, trusted platforms like the UK’s National Cyber Security Centre (NCSC) Industry 100 programme, which embeds private-sector professionals into the agency, demonstrate how collaboration can shape effective guidance.
From fragmentation to cohesion
To mitigate rising costs and enhance resilience, the report outlines a framework for policymakers that aligns with enterprise best practices.
- Harmonisation with international standards: Aligning national policies with globally recognised frameworks such as ISO 27001 or NIST reduces fragmentation. The European Union Agency for Cybersecurity (ENISA) recently mapped NIS2 requirements to ISO standards, allowing operators to leverage existing internal processes rather than building duplicative compliance structures.
- Security-by-design: Regulation should incentivise proactive risk mitigation rather than reactive incident management. Best practice complements incident response with a “security-by-design approach, grounded in defined, outcome-based rules”.
- Capacity building: Strong institutional capacity is a prerequisite for effective regulation. Inadequate resources or expertise within regulatory bodies can undermine enforcement and weaken the deterrence of cybercrime, creating an unpredictable environment for the industry. Operators require well-resourced agencies capable of technical dialogue, rather than purely administrative oversight.
For telecoms leaders, the message is that mobile security is no longer a siloed technical function but a core business imperative affecting every aspect of operations.
As the GSMA report concludes, well-designed frameworks can “preserve sector-specific flexibility while supporting coherent national cybersecurity strategies”. Without such coherence, the industry risks spending billions on compliance rather than defence.

