GSMA Report Warns of “Fragmented Cybersecurity Regulation”

In a new study by the GSMA, they criticize the state of cybersecurity regulation “including fragmented policies and regulatory frameworks, limited institutional capacity to support mobile operators, rigid or prescriptive rules, and a lack of effective platforms for threat intelligence sharing.”

As a result, operators often incur disproportionate or unnecessary costs in addressing cybersecurity concerns, and, in some cases, poorly designed policies can even increase cyber risk. Many of these challenges can be mitigated through better regulatory practices, such as more coordinated, risk-based, and outcomes-focused approaches to cybersecurity regulation.

They point out the difficulties of complying with multiple different fragmented, sometimes conflicting, regulations, leading to duplicated effort and increased cost spent on complying with regulations rather than actually reducing cybersecurity threats.

Policymakers should ensure that compliance and incident reporting frameworks are aligned across sectors and policy areas. Well-designed horizontal frameworks can preserve sector-specific flexibility while supporting coherent national cybersecurity strategies.

The report recommends that countries adhere to already recognized international standards set by organizations such as ISO, NIST, and GSMA, with deviations from these standards being the exception and not the rule.

They bemoan the ”box-ticking” culture of compliance checklist and mandated tools as preventing the adoption of new security technologies that could protect their users more effectively.

They also call out punitive and “blame-oriented” enforcement, stating that it erodes trust and discourages threat intelligence sharing, making compliance more about avoiding liability than actually preventing risk.

They say that reactive regulations that result from specific incidents or media attention are more costly to comply with than a well thought-out and proactive approach.

The report is an interesting read, I definitely think international standards made by experts in the field rather than politicians are the way to go.