Why technical standards and policies go hand in hand for mobile network security 

Safeguarding consumers, citizens and enterprises is important as they become increasingly reliant on their mobile phones to access banking, shopping, health and other important services. This requires a coordinated approach where technical standards and supportive policy frameworks reinforce each other. 

The Case for Technical Standards 

Technical standards provide a common security baseline that works across borders, vendors, and network generations (e.g. 4G, 5G and 6G). NESAS (Network Equipment Security Assurance Scheme), developed jointly with 3GPP, defines a globally applicable security baseline for network equipment. It combines standardised security requirements with rigorous independent testing and auditing to provide confidence to mobile operators worldwide. NESAS also allows vendors to demonstrate compliance once, rather than repeating the exercise for each market. 

Global Standards Bodies 

International standards and frameworks can support global and cross-sector collaboration. Alignment with existing industry and international frameworks not only enhances interoperability and strengthens security solutions but also facilitates shared responses to emerging threats. NESAS is one of many globally recognised standards. Others include 3GPP (the core mobile network specifications from 2G to 5G, covering authentication, encryption and signalling security); ETSI (European telecoms standards); and IETF (the Internet protocols underpinning mobile data). 

Why standards alone are not sufficient  

Standards tell us how to build secure systems; policy tells us that we must. The GSMA’s report The Impact of Cybersecurity Regulation on Mobile Operators explains that well-designed policy strengthens resilience, while poorly designed policy increases risk and costs. 

Six Principles for Effective Cybersecurity Regulation 

The GSMA recommends that governments design cybersecurity frameworks around these principles: 

  1. Harmonisation: Align cybersecurity policy with international standards wherever possible, to reduce regulatory fragmentation and inconsistency. 
  2. Consistency: Ensure new policies and frameworks are consistent with existing policy to avoid duplication or conflict. 
  3. Risk- and outcome-based: Adopt risk-based and outcome-based approaches in the design and implementation of cybersecurity regulation, giving operators flexibility to innovate and deploy effective solutions. 
  4. Collaboration: Promote a collaborative regulatory culture with industry, supported by secure threat intelligence sharing to strengthen resilience, increase awareness of cyber threats, enable constructive enforcement, and foster a joint approach to combating cybercrime. 
  5. Security-by-design: Encourage a proactive, security-by-design approach to mitigating cyber risks. 
  6. Capacity-building: Strengthen the institutional capacity of cybersecurity authorities to ensure a whole-of-government approach and effective application of policy and regulation. 

When regulation follows these principles, mobile operators can direct resources toward genuine threat and risk mitigation rather than compliance for the sake of compliance. 

Regional and country examples 

EU – NIS2 Directive 

The EU’s revised Network and Information Security Directive (NIS2) treats telecoms as essential infrastructure and mandates risk-management measures, incident reporting, and supply-chain security. It references ETSI and 3GPP standards, so operators can leverage existing compliance work rather than starting from scratch. 

US – NIST and CSRIC 

In the US, the NIST Cybersecurity Framework is co-developed with industry input, while the Communications Security, Reliability and Interoperability Council (CSRIC) brings regulators and telecoms experts together to shape cybersecurity guidance collaboratively. 

APAC – Singapore’s Cybersecurity Act 

Singapore’s Infocomm Media Development Authority (IMDA) designates critical information infrastructure, including mobile networks, and mandates audits, incident reporting, and risk assessments. Alignment with international standards is explicitly encouraged, and the IMDA regularly seeks mobile operator feedback on draft standards, facilitating trust and cooperation between the public and private sectors.  

LATAM – Emerging Frameworks 

Latin American regulators are increasingly recognising the link between cybersecurity policy and connectivity investment. Countries that adopt outcome-based approaches, rather than prescriptive checklists, can target their investments in innovative solutions to improve network security and resilience.  

The 2026 Security Landscape Report 

The GSMA Mobile Telecommunications Security Landscape 2026 is an annual report providing a comprehensive analysis of the current and emerging security threats and strategies across the mobile telecoms landscape. The report explains how multi-layered defences combining international standards, industry best practices, company-specific controls, and risk-driven measures offer the most effective response to network security threats. Policies that mandate baseline compliance while allowing flexibility for innovation support this layered approach.  

The Cost of Getting It Wrong 

Fragmented or overly prescriptive regulation creates real harm. The GSMA estimates that mobile operators spend $15–19 billion annually on core cybersecurity activities today, rising to $40–42 billion by 2030. When compliance obligations overlap or conflict, resources shift from threat detection to audit preparation. One operator reported that 80 per cent of their security operations team’s time goes to compliance tasks rather than incident response. Harmonised, outcome-focused policy avoids this trap. 

Key takeaways 

Technical standards and policy go hand in hand. Standards provide the engineering blueprint for secure networks; policy ensures that blueprint is followed consistently and that gaps are addressed as threats evolve. For mobile network users – whether individuals, enterprises or governments – this combination is the foundation of trust in a digitally connected world. 

Policymakers can strengthen that foundation by embracing risk-based, harmonised frameworks that reference international standards. Operators, in turn, are engaging constructively with regulators, sharing threat intelligence, and investing in the layered defences that standards enable. Collaboration is key.