Mobile network operators: when compliance crowds out security

by Black Hat Middle East and Africa

Cybersecurity regulation is incredibly important – we talk about it all the time. And mobile networks are critical infrastructure; they’re a favourite target for disruption, espionage, and fraud, with knock-on effects that land on citizens, businesses, and governments.

Mobile network security needs to be carefully regulated. But a new GSMA-commissioned report on mobile operators argues that the way regulation is written and enforced can unintentionally weaken security. It’s not that operators oppose the rules; it’s that some regimes push teams into a compliance-first mindset that rewards paperwork over real-world resilience.

When compliance becomes the job 

The sharpest insight in the report is what operators say happens on the ground.

One Asia-Pacific operator described a reality many CISOs will recognise:

“We have to assign people to compliance work which means they are not working on actual security… 80% of the year we spend on audits, follow ups and compliance… not on threat mitigation.”

As well as being frustrating, that creates a real operational risk. The report repeatedly highlights the same pattern: resources that should go to threat analysis, incident detection, and vulnerability management get pulled into audits, reporting cycles, and reformatting evidence for multiple authorities.

A European operator told GSMA: 

“The main cost is the resource drain… which decreases overall security because we spend more time formatting data to suit the reporting authorities than in improving security and resilience.”

The rules themselves aren’t the problem 

The report’s critique is particularly pointed about fragmentation: cybersecurity rules are often introduced in isolation from adjacent frameworks (data protection, AI, sector rules), with inconsistent terminology and overlapping enforcement.

In practice, this can mean reporting the same incident multiple times to different agencies, using different formats and deadlines – with the added anxiety that disclosing too little creates cyber non-compliance risk, while disclosing too much could breach data protection rules.

Operators quoted in the report even describe contradictory guidance:

“Sometimes it feels there is competition between regulators because they publish contradictory policies… at the end, we don’t know which one to follow.”

If your compliance map is this confusing, you don’t get better security – you get fatigue. 

Input-driven regulation encourages box-ticking

The report warns that formalistic, checklist-style regulation can foster a box-ticking culture and divert resources from genuine risk mitigation.

And operators say this isn’t theoretical. Prescriptive mandates can push teams to prioritise meeting requirements over addressing the threat landscape in front of them:

“Regulation can affect culture. Overly prescriptive compliance drives security culture from threat-risk mitigation towards box-ticking culture.”

One line from a Latin American operator really stood out to us: 

“The issue is regulators think compliance equals being secure… This is not the case.”

What ‘better’ looks like 

The report doesn’t call for deregulation. It calls for outcome- and risk-based regulation, aligned to international standards (such as ISO 27001 and the NIST frameworks), with coherent reporting and fewer duplicative asks.

That’s the crux of the problem. If resilience is the goal, then regulation should measure outcomes (like detection, response, and recovery), not just inputs (documents, tooling checklists, and repeated audits). Because attackers don’t care if you passed an audit or not. They care whether you can see them, stop them, and recover fast.

Cybersecurity practitioners and regulators have to work together 

When regulatory decisions are made in isolation from on-the-ground security work, they try to mandate resilience into existence. But it doesn’t work like that. 

Real resilience is built in the space between security teams and regulators. Practitioners bring visibility into how attacks actually unfold and where defences fail under pressure; regulators bring the authority to set expectations and raise the floor across an industry. 

When those perspectives are aligned around outcomes rather than paperwork, compliance stops being a distraction and starts becoming an enabler. 

So if the goal is resilient mobile networks, the path forward is collaboration – designing rules that reflect real-world risk, and security programmes that meet both operational and regulatory needs without losing sight of what they’re there to protect.

That’s what we’re taking from this research. Collaboration is everything. And we’re giving you a space to make that happen at the next edition of Black Hat MEA. Preparation is underway – put it in your calendar now: 1-3 December 2026. 
