Mobile industry warns patchwork regs are driving up costs • The Register

11/26/2025


Mobile operators’ core cybersecurity spending is projected to more than double by 2030 as threats evolve, while poorly designed and fragmented policy frameworks add extra compliance costs, according to industry group the GSMA.

The lobbying organization has pushed out a report calling for national policymakers to simplify compliance and incident reporting to make the job of the network operators easier. It also wants to see greater international coordination between governments and regulators to build those frameworks around common standards.

In many countries, providers face a patchwork of overlapping laws and sector-specific policies, or are at the mercy of multiple regulatory bodies, the GSMA claims. This can result in higher compliance costs and duplicate reporting, diverting resources from effective risk mitigation efforts to ensuring compliance instead.

The 42-page report [PDF], The Impact of Cybersecurity Regulation on Mobile Operators, notes that security threats are rising rapidly worldwide, with the number of attacks increasing by about 75 percent over the past five years.

It estimates that mobile operators globally spend between $15 billion and $19 billion annually on “core” cybersecurity activities, and this is projected to rise to between $40 billion and $42 billion by 2030 as threats evolve to become more sophisticated.

According to the report, the costs associated with cybersecurity regulations largely fall into three categories.

The first are obligations that align with or extend the measures operators already implement, ensuring minimum standards without adding significant costs to those firms that meet the requirements.

Another comprises regulations that require mobile operators to do things differently, but not always better. These may have the same objectives, the GSMA says, but lead to operators having to implement additional activities or incur extra costs, such as investing in mandated technologies.

The third covers obligations that do not directly improve cybersecurity but arise from demonstrating compliance, with some operators reporting that half of their cybersecurity operations teams are occupied with compliance tasks rather than identifying threats or managing risks.

In order to make life easier for operators, the GSMA would like to see security policies align with international standards, such as ISO 27001 or the NIST Cybersecurity Framework, and for regulators to ensure new policies and frameworks are consistent.

Cybersecurity regulation should be enforced through engagement not punishment, it says, which sounds like a plea not to be fined for breaking the rules. In the same vein, it says that governments should avoid relying on post-incident compliance enforcement and instead incentivize long-term investment in prevention.

These recommendations do not require major new investment, according to the GSMA, but rather a shift in approach toward collaboration, trust, and shared responsibility.

“This report makes it clear that cybersecurity frameworks work best when they are harmonized, risk-based and built on trust,” GSMA’s Head of Policy and Regulation Michaela Angonius said in a canned statement.

“To protect citizens and critical societal services, regulators and operators should work together, guided by a common set of principles. When policy is coherent and outcomes-focused, the entire digital ecosystem becomes safer.” ®
