At MWC Doha last week, the GSMA welcomed government ministers, regulatory authorities, and industry leaders from around the world to the Ministerial Programme. We examined several policy areas, including mobile investment, digital governance, children’s rights, AI, and spectrum management. Platforms such as the Ministerial Stage and roundtables provided the perfect opportunity for public-private collaboration within and beyond the MENA region.
We launched our global report, The Impact of Cybersecurity Regulation on Mobile Operators, which outlines examples and best practices in existing cybersecurity policy frameworks. Mobile operators invest significantly in cybersecurity, spending between $15bn and $19bn on core activities, with costs expected to rise to over $40bn as threats increase. However, many markets face a patchwork of overlapping or conflicting laws and regulations, sector-specific policies, and mandates from multiple regulators. This often results in higher compliance costs, diverting resources away from making innovative and targeted improvements.
Discussions between the public and private sectors in the Ministerial Programme highlighted that there is no ‘one-size-fits-all’ model for cybersecurity policy and regulation, and that collaboration is key. Not only between mobile operators and regulatory bodies, but for all those involved in the mobile ecosystem, and across other sectors such as technology, payment and financial services.
Through in-depth interviews, the report draws on the experience of mobile operators from Africa, Asia-Pacific, Europe, Latin America, the Middle East and North America, highlighting the challenges that they face within their markets. It contains six core principles for governments and regulators to consider when shaping cybersecurity policy.
The six principles for best practice cybersecurity policy
Harmonisation: Align cybersecurity policy with international standards wherever possible, to reduce regulatory fragmentation and inconsistency.
Consistency: Ensure new policies and frameworks are consistent with existing policy to avoid duplication or conflict.
Risk- and outcome-based: Adopt risk-based and outcome-based approaches in the design and implementation of cybersecurity regulation, giving operators flexibility to innovate and deploy effective solutions.
Collaboration: Promote a collaborative regulatory culture with industry, supported by secure threat intelligence sharing to strengthen resilience, increase awareness of cyber threats, enable constructive enforcement, and foster a joint approach to combating cybercrime.
Security-by-design: Encourage a proactive, security-by-design approach to mitigating cyber risks.
Capacity-building: Strengthen the institutional capacity of cybersecurity authorities to ensure a whole-of-government approach and effective application of policy and regulation.
The principles aim to encourage more collaboration, increase trust, and share responsibility more widely. By adopting them, governments, regulators and policymakers can help ensure that mobile networks remain secure, resilient, and support the digital services that consumers and wider society increasingly rely on.
A huge thanks to all participants for engaging in open and frank dialogue and sharing their knowledge and experience. We look forward to further engagement with policymakers and regulators to address challenges in their markets and remain ready to inform discussions and shape policy in ways that benefit their citizens.