The Impact of Cybersecurity Regulation on Mobile Operators

An executive summary of this resource is also available in Spanish.

This report explores how cybersecurity regulations shape mobile operators’ ability to defend against evolving threats. It highlights the costs, challenges, and opportunities that regulation creates, and shows how well-designed policies can strengthen resilience while poorly designed ones increase risk.

Cybersecurity is now a foundational pillar of mobile network operations, requiring significant and growing resources. “The Impact of Cybersecurity Regulation on Mobile Operators” report estimates that mobile operators globally spend between $15bn and $19bn annually on their “core” cybersecurity activities, including technical security functions and threat-monitoring teams. As threats evolve, costs are projected to rise to between $40bn and $42bn by 2030. 

Despite this significant investment, mobile network operators are affected by poorly designed, misaligned, or overly prescriptive regulation, which results in unnecessary costs, diverts resources from genuine risk mitigation, and, in some cases, increase exposure to cyber threats. 

To help legislators and regulators, the report sets out six core principles that they should always consider when shaping cybersecurity policy. Applied consistently, they minimise unnecessary costs for operators, enabling them to focus effort and attention on genuine risks and mitigation. The principles are:

Harmonisation: Align cybersecurity policy with international standards where possible, to reduce regulatory fragmentation and inconsistency.

Consistency: Ensure new policies and frameworks are consistent with existing policy to avoid duplication or conflict.

Risk- and outcome-based: Adopt risk- and outcome-based approaches in the design and implementation of cybersecurity regulation, giving operators flexibility to innovate.

Collaboration: Promote a collaborative regulatory culture with industry, supported by secure threat intelligence sharing.

Security-by-design: Encourage a proactive, security-by-design approach to mitigating cyber risks.

Capacity-building: Strengthen the institutional capacity of cybersecurity authorities to ensure a whole-of-government approach and effective application of policy and regulation.

Developed in partnership with Frontier Economics, “The Impact of Cybersecurity Regulation on Mobile Operators” draws on economic analysis and operator interviews representing the Africa, Asia Pacific, Europe, Latin America, Middle East and North America regions.