Agile compliance is possible for fast moving telcos

As telecoms operators accelerate to deploy digital services, automate network upgrades and adopt agile development, they are grappling with an expanding knot of cross-cutting regulatory and compliance requirements while trying to stay ahead of rising customer expectations, 5G monetisation needs and intensifying competition, writes Anna Ribeiro. In making that transition, telcos are also charging headfirst into a thicket of regulation: GDPR in Europe, the NIS2 Directive (Network and Information Systems Directive 2) for critical services, PCI DSS for payments, and a patchwork of disjointed national data governance and cybersecurity rules.

About 80% of telcos increased their compliance spending in 2024 in response to mounting regulatory pressure. Typical compliance costs now run at around US$10 million per company per year, a significant rise on previous years.

Fines for violating those standards reached US$2 billion in 2024, and they are expected to rise further as newer and tougher enforcement measures come into play. Analysts warn that telcos that fail to adapt risk losing more than half of their operational capacity within five years to regulatory setbacks and enforcement actions.

Treading the regulatory environment

For telcos, compliance has moved beyond network resilience and data retention. It’s now an ongoing process that’s part of how services are designed, tested and deployed.

  • The GDPR limits what personal data telcos can collect and how they store and use it, with particular bite for AI-based services and customer analytics.
  • As providers of public electronic communications networks and services, telcos fall under the NIS2 Directive's cybersecurity risk-management and incident-reporting obligations.
  • PCI DSS 4.0 imposes stricter rules on secure payment processing for telcos that offer mobile payment and billing services.
  • The Digital Operational Resilience Act (DORA) governs ICT risk management for the financial sector; it reaches telcos that supply ICT services to banks and insurers, which must then meet DORA's third-party risk and contractual requirements, including for cross-border operations.

The regulations carry different penalties, timelines and governance models, and their controls overlap without fully aligning, especially on encryption, access control and incident response. A single technical control therefore has to be mapped to several obligations at once.

Baking compliance into agile flows of work

Agile telcos are now, if slowly, binding regulatory mandates into CI/CD and DevSecOps processes: not as a retrospective audit after release, but as gates ahead of production.

  • Policy-as-code tools codify the regulatory requirements so that compliance is enforced at development and deployment time, with a failing policy blocking the merge or the deploy.
  • Static analysis scans check the code for sensitive data exposure and for hard-coded or misconfigured secrets.
  • Runtime monitoring confirms that checks and controls stay in place after deployment, not only at the moment of release.
  • Audit evidence is generated automatically and tracked on every commit and release, so regulatory reporting draws on a record that already exists.

SonarQube and Checkmarx flag insecure code, while Open Policy Agent and HashiCorp Sentinel enforce infrastructure compliance. Policy-as-code lets telcos encode data handling, encryption and access policies into the deployment process, where they are evaluated against the actual configuration being shipped.
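To make the policy-as-code step concrete, here is an added example (not code from the article, and not a rule set from OPA, Sentinel or Checkmarx) that evaluates a constructed deployment manifest against the data-residency, encryption, access and secrets rules discussed above and computes a severity-weighted risk score for the gate. The manifest schema, the region list, the rule names and the control references attached to each rule are assumptions; a real pipeline would express the same rules in Rego or Sentinel and feed them the actual Kubernetes or Terraform objects.

```python
"""Policy-as-code gate for a service deployment manifest.

Added illustration, not code from the article or from OPA, Sentinel or
Checkov. Manifest schema, rule names, region list and the control
references on each rule are assumptions chosen for the example.
"""
import re

# Regions treated as inside the EU/EEA for residency purposes (assumption).
EU_REGIONS = {"eu-west-1", "eu-central-1", "europe-west4"}

# Env var names that usually carry credentials, and the reference syntax
# that means "fetched from the secret manager at runtime" (assumed syntax).
SECRET_NAME = re.compile(r"password|secret|token|api_key", re.IGNORECASE)
VAULT_REF = re.compile(r"^(vault://|secretref:)")

# A violation is a tuple: (rule, control reference, severity 1-3, detail).

def check_residency(m):
    """EU personal data must stay in EU regions (GDPR Chapter V, transfers)."""
    if "eu_personal" in m["data_classes"] and m["region"] not in EU_REGIONS:
        return [("data-residency", "GDPR Ch. V", 3,
                 f"eu_personal data deployed to {m['region']}")]
    return []

def check_encryption_at_rest(m):
    """Stores holding regulated data need a managed encryption key."""
    if m["data_classes"] and not m.get("kms_key"):
        return [("encryption-at-rest", "GDPR Art. 32 / PCI DSS Req. 3", 3,
                 "no kms_key for a store holding " + ", ".join(m["data_classes"]))]
    return []

def check_encryption_in_transit(m):
    """Every exposed listener must require TLS 1.2 or newer."""
    weak = [ln["name"] for ln in m["listeners"]
            if ln.get("tls_min") in (None, "1.0", "1.1")]
    if weak:
        return [("tls-version", "PCI DSS Req. 4 / NIS2 Art. 21", 2,
                 "listeners allowing TLS < 1.2: " + ", ".join(weak))]
    return []

def check_secrets(m):
    """Credentials must be secret-manager references, not literal values."""
    return [("plaintext-secret", "GDPR Art. 32 / PCI DSS Req. 8", 3,
             f"env {name} holds a literal credential")
            for name, value in m["env"].items()
            if SECRET_NAME.search(name) and not VAULT_REF.match(value)]

def check_least_privilege(m):
    """The workload identity must not carry wildcard permissions."""
    wild = [a for a in m["iam_actions"] if a.endswith("*")]
    if wild:
        return [("wildcard-iam", "PCI DSS Req. 7 / NIS2 Art. 21", 2,
                 "wildcard actions granted: " + ", ".join(wild))]
    return []

RULES = [check_residency, check_encryption_at_rest, check_encryption_in_transit,
         check_secrets, check_least_privilege]

def evaluate(manifest):
    """Run every rule and collect the violations, in rule order."""
    return [v for rule in RULES for v in rule(manifest)]

def risk_score(violations):
    """Severity-weighted score: the number a CI gate thresholds on."""
    return sum(v[2] for v in violations)

def gate(manifest, max_score=0):
    """Return (allowed, violations); allowed is True when the service may ship."""
    violations = evaluate(manifest)
    return risk_score(violations) <= max_score, violations

# Constructed manifests: one that should be blocked, one that should pass.
NONCOMPLIANT = {
    "service": "billing-api", "region": "us-east-1",
    "data_classes": ["eu_personal", "cardholder"], "kms_key": "",
    "listeners": [{"name": "https", "tls_min": "1.0"}],
    "env": {"DB_PASSWORD": "hunter2", "LOG_LEVEL": "info"},
    "iam_actions": ["s3:GetObject", "kms:*"],
}
COMPLIANT = {
    "service": "billing-api", "region": "eu-central-1",
    "data_classes": ["eu_personal", "cardholder"],
    "kms_key": "kms-billing-eu",  # hypothetical key id
    "listeners": [{"name": "https", "tls_min": "1.2"}],
    "env": {"DB_PASSWORD": "vault://billing/db#password", "LOG_LEVEL": "info"},
    "iam_actions": ["s3:GetObject"],
}

if __name__ == "__main__":
    for manifest in (NONCOMPLIANT, COMPLIANT):
        allowed, violations = gate(manifest)
        print(f"{manifest['service']} in {manifest['region']}: "
              f"{'ALLOW' if allowed else 'BLOCK'} (risk score {risk_score(violations)})")
        for rule, ref, sev, detail in violations:
            print(f"  [{sev}] {rule} ({ref}): {detail}")
```

Run as written, the first manifest is blocked with five findings (score 13) and the second is allowed. Each violation carries the control it maps to, so the same output doubles as per-release audit evidence; because several regulations demand the same technical control, tagging at the rule level is what stops the mapping from being redone for every audit.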

The result? Rather than relying on humans to catch every risk, telcos are building repeatable, testable controls that scale at the speed of delivery.

Operators are adopting, in full or in part, NIST's Secure Software Development Framework (SSDF) and its DevSecOps guidance, and PCI DSS 4.0 itself already contains language on automated and continuous compliance validation. This isn't theory. It is already happening at operators in Europe and Asia that are preparing for NIS2's more stringent accountability demands.

Agile compliance enabling frameworks

Telecoms operators are directly subject to GDPR, and the ePrivacy Directive layers sector-specific rules on top, notably on the confidentiality of communications and the handling of traffic and location metadata; the proposed ePrivacy Regulation that was meant to replace the Directive has not been adopted. Industry groups are encouraging their members to treat compliance as part of the digital transition rather than as a brake on it. European telecom bodies such as the GSMA and Connect Europe (formerly ETNO) have called for the telecoms-specific obligations to be aligned with GDPR principles, which would allow a more flexible, risk-based approach, particularly around metadata handling.

Such moves point to an industry building common standards and tools that can be incorporated into agile DevOps pipelines, so telcos can treat compliance requirements as part of delivery.

  • The TM Forum Open Digital Architecture contains reusable components and Open APIs that can be certified in advance, so a project inherits that conformance rather than re-proving it.
  • ETSI's NFV and MEC standards build in security and auditability by design.
  • OWASP's DevSecOps guidance offers templates for compliance testing within agile workflows.

Tooling has also improved. Platforms such as HashiCorp Sentinel, Checkov and OPA let teams write compliance rules as code and evaluate them against infrastructure definitions before anything is provisioned. Cloud providers have developed prescriptive compliance controls that can be instantiated for telecom workloads, such as Google Cloud's Assured Workloads and AWS Config conformance packs.

Real-world adoption

European and Asian operators are taking the lead in developing compliance-aware agile pipelines.

  • BT Group built in-house models that embed data governance checks in its DevOps toolchain. When creating a new API or feature, engineers receive automatic feedback on whether it passes the data residency and encryption tests.
  • SK Telecom is applying a security-as-code approach in which risk scoring is integrated into CI/CD workflows. Services cannot be promoted to production without passing the baseline regulatory compliance gates.
  • Orange is collaborating with partners on secure software supply chain practices, including signed builds and SBOM verification, to meet emerging EU requirements on open-source risk and digital sovereignty.
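As an added example of the SBOM side of that supply-chain work (illustrative only, not Orange's or any partner's tooling), the following verifies that an SBOM is bound to the artifact it ships with and that its component inventory matches what was actually built in. The artifact bytes, the vendored components and the CycloneDX-style document are constructed in-line; signature verification of the SBOM itself is assumed to be done by the signing tool (cosign, in-toto or similar) before this check runs and is not shown.

```python
"""Bind an SBOM to the artifact it describes and check it is complete.

Added illustration, not Orange's or any vendor's tooling. The artifact,
components and SBOM below are constructed in-line; the SBOM follows a
minimal subset of the CycloneDX JSON layout (metadata.component.hashes,
components[].purl, components[].hashes). Verifying the signature over the
SBOM is assumed to happen before this check and is not shown.
"""
import hashlib
import json


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed build inputs: third-party components keyed by package URL,
# and the release artifact that bundles them.
COMPONENTS = {
    "pkg:golang/example.org/netlib@1.4.2": b"netlib 1.4.2 object code (constructed)",
    "pkg:npm/left-pad@1.3.0": b"left-pad 1.3.0 source (constructed)",
}
ARTIFACT = b"release.tar (constructed)" + b"".join(COMPONENTS.values())


def make_sbom(artifact: bytes, components: dict) -> str:
    """What the build step emits (and then signs): a minimal CycloneDX-style SBOM."""
    doc = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "metadata": {"component": {
            "name": "billing-api",
            "hashes": [{"alg": "SHA-256", "content": sha256(artifact)}],
        }},
        "components": [
            {"purl": purl, "hashes": [{"alg": "SHA-256", "content": sha256(data)}]}
            for purl, data in components.items()
        ],
    }
    return json.dumps(doc, indent=2)


def verify_sbom(sbom_json: str, artifact: bytes, components: dict) -> list:
    """Deploy-time check; returns findings, an empty list meaning the SBOM is good.

    1. The SBOM must describe exactly this artifact (digest binding).
    2. Every component actually vendored in must be listed with a matching hash.
    3. The SBOM must not list components that were not built in (a stale or
       hand-edited inventory).
    """
    sbom = json.loads(sbom_json)
    findings = []
    declared = {h["alg"]: h["content"]
                for h in sbom["metadata"]["component"]["hashes"]}
    if declared.get("SHA-256") != sha256(artifact):
        findings.append("artifact digest does not match SBOM metadata")
    listed = {c["purl"]: {h["alg"]: h["content"] for h in c["hashes"]}
              for c in sbom["components"]}
    for purl, data in components.items():
        if purl not in listed:
            findings.append(f"component not in SBOM: {purl}")
        elif listed[purl].get("SHA-256") != sha256(data):
            findings.append(f"component hash mismatch: {purl}")
    for purl in sorted(listed.keys() - components.keys()):
        findings.append(f"SBOM lists component not in build: {purl}")
    return findings


if __name__ == "__main__":
    sbom = make_sbom(ARTIFACT, COMPONENTS)
    print("clean build:", verify_sbom(sbom, ARTIFACT, COMPONENTS) or "OK")
    # Artifact swapped after the SBOM was produced.
    print("tampered artifact:", verify_sbom(sbom, ARTIFACT + b"\x00", COMPONENTS))
    # A dependency pulled in at build time that the SBOM never recorded
    # (artifact kept identical so only the inventory finding shows).
    extra = {**COMPONENTS, "pkg:pypi/requests@2.31.0": b"requests (constructed)"}
    print("hidden dependency:", verify_sbom(sbom, ARTIFACT, extra))
```

The digest binding is what gives the SBOM any evidential value: without it, a signed inventory proves nothing about the tarball that actually reaches production. The inventory checks run in both directions so that a component swapped, added or silently dropped after the SBOM was generated surfaces as a gate failure rather than as a surprise in the next audit.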

These approaches illustrate how compliance can be integrated into the software factory rather than imposed at its expense.

Progressive telcos embed compliance from the start by placing compliance champions in agile squads and holding regular governance checkpoints. Compliance debt is operationalised like technical debt: identified in backlog refinement, prioritised against feature work and shown on sprint burndown charts. That keeps compliance from being siloed or deferred. It becomes a visible, shared team goal, evaluated every sprint and addressed long before the risk exposure becomes significant.

Turning compliance into advantage

Done right, agile compliance unlocks more than audit-readiness across the telecom sector. It opens the door to new markets, faster product cycles, and greater trust.

  • Automated compliance cuts review time and rework.
  • Integrated controls reduce the surface area for breaches and fines.
  • Clear governance builds credibility with regulators, partners and customers.

In a telecoms market where digital trust is currency, compliance is no longer just a cost center. It is a signal of operational maturity.

Looking forward

There is every reason to believe that pressure on telcos will only increase as regulatory requirements and consumer demand for privacy and reliability grow. With the right tooling, frameworks and mindset, telecoms operators can make compliance a foundational attribute. Agile and compliant are no longer opposites; increasingly they are flip sides of the same coin.

Anna Ribeiro

Freelance Writer