Contact Us Request Consultation
Back to Blog
IT Governance and Compliance

Five Governments Will Nationalize or Restrict Critical Telecom Infrastructure

Telecom regulation is shifting from market oversight to state control as five governments nationalize or restrict critical infrastructure in 2026. The Salt Typhoon cyberespionage campaign breached 600+ organizations across 80 countries, exposing telecom vulnerability to nation-state attackers undetected for years. Australia enforces SOCI Act oversight. Italy restructures its network for 22 billion euros. The US bans adversary vendor subsea cable ownership. Quantum security spending exceeds 5% of IT budgets. Cloud-telecom regulatory convergence creates overlapping compliance obligations.

IT Governance and Compliance
Insights
10 min read
4 views

Telecom regulation is undergoing a fundamental transformation in 2026 as governments around the world move from passive oversight to direct control of critical communications infrastructure. Forrester predicts that five governments will nationalize or impose strict restrictions on telecom infrastructure this year, driven by the Salt Typhoon cyberespionage campaign that breached over 600 organizations across 80 countries and exposed the vulnerability of commercial telecommunications to nation-state attackers who went undetected for years. Australia has strengthened its SOCI Act reforms mandating direct oversight of telecom assets. Italy has advanced a 22 billion euro restructuring of its national telecom network. Furthermore, the US has banned Chinese and Russian ownership of subsea cables and bolstered cybersecurity standards for critical infrastructure. In this guide, we break down why telecom regulation is intensifying, what CISOs and compliance teams should expect, and how organizations relying on telecommunications infrastructure should prepare.

5
Governments Will Nationalize or Restrict Telecom Infrastructure
600+
Organizations Breached by Salt Typhoon Campaign
80
Countries Affected by Critical Telecom Espionage

Why Telecom Regulation Is Shifting Toward Government Control

Telecom regulation has historically treated communications providers as commercial entities requiring light-touch oversight. However, the Salt Typhoon campaign fundamentally shifted government perspectives on critical infrastructure security. Nation-state actors breached major telecommunications providers and remained undetected for years, accessing call records, metadata, and communications content of government officials and private citizens across 80 countries.

Furthermore, this breach demonstrated that commercial incentives alone are insufficient to secure infrastructure that governments consider essential to national security, economic competitiveness, and public safety. Consequently, governments are no longer willing to rely on voluntary compliance or industry self-regulation for telecommunications networks that carry sensitive government communications, financial transactions, and critical infrastructure control data.

In addition, the regulatory environment is converging from multiple directions. The EU’s NIS2 directive, Digital Markets Act, Digital Services Act, and AI Act are all in active enforcement, creating overlapping compliance obligations for telecom operators. Meanwhile, the US released a new national cybersecurity strategy in March 2026 that explicitly directs critical infrastructure providers to move away from companies considered adversary vendors and to promote domestic technologies. Therefore, telecom regulation in 2026 represents a structural shift from market-based security toward state-directed infrastructure protection.

What Is the Salt Typhoon Campaign?

Salt Typhoon is a cyberespionage campaign attributed to nation-state actors that breached over 600 organizations across 80 countries by targeting commercial telecommunications infrastructure. Attackers exploited vulnerabilities in telecom networks to access call records, communications metadata, and in some cases content of government officials. The campaign went undetected for years, demonstrating that commercial telecom security measures were insufficient against persistent, well-resourced state-sponsored attackers operating within critical infrastructure.

How Five Governments Are Restructuring Telecom Regulation

The five governments predicted to nationalize or restrict telecom infrastructure in 2026 are taking different approaches, but all share a common goal: establishing direct state control over infrastructure they consider too critical to leave in purely commercial hands.

Australia: SOCI Act Enforcement
Australia has reinforced its Security of Critical Infrastructure Act reforms, mandating direct government oversight of telecom assets. Furthermore, the legislation designates telecommunications as critical information infrastructure requiring enhanced security obligations, incident reporting, and government access during national security emergencies.
Italy: 22 Billion Euro Network Restructuring
Italy has advanced a comprehensive 22 billion euro restructuring of Telecom Italia’s network, separating infrastructure ownership from commercial operations. In addition, Italy is developing its own satellite communications capability for encrypted government communications that bypass commercial telecom entirely.
United States: Vendor Restrictions and Supply Chain Controls
The US has banned Chinese and Russian ownership of subsea cables and bolstered cybersecurity standards. Consequently, the new national cybersecurity strategy directs critical infrastructure providers to replace technologies from adversary vendors with domestic or allied alternatives.
Additional Nations Following Similar Paths
India has designated telecom as critical information infrastructure under its IT Act. Singapore extends its Cybersecurity Act to cover telecom operators directly. Meanwhile, GCC states are implementing national cybersecurity frameworks for strategic sectors including telecommunications and energy infrastructure.

“Telecom now relies on vast IoT ecosystems that are notoriously insecure, while LEO satellites add new attack surfaces.”

— Forrester Predictions 2026: Cybersecurity and Risk

The CISO Impact of Evolving Telecom Regulation

For CISOs and compliance teams, the shift in telecom regulation creates cascading implications that extend far beyond the telecommunications industry itself. Every organization that relies on commercial telecom infrastructure — which is virtually every enterprise — must understand how these changes affect their own security posture and compliance obligations.

Impact Area What Is Changing CISO Response Required
Supply Chain Risk Vendor nationality and origin restrictions tightening ✓ Inventory all telecom hardware and software for adversary vendors
Incident Reporting CIRCIA mandates 72-hour reporting for critical sectors ✓ Build incident response workflows meeting regulatory timelines
Data Sovereignty Communications data residency increasingly regulated ◐ Map data flows across telecom providers and jurisdictions
Quantum Readiness Harvest-now-decrypt-later threats driving PQC mandates ◐ Begin post-quantum cryptography transition planning
IoT Security Insecure telecom IoT ecosystems under regulatory scrutiny ✗ Most organizations lack visibility into telecom IoT exposure

Notably, Forrester warns that critical ecosystem risks will escalate because telecom relies on vast IoT ecosystems that are notoriously insecure and frequently exploited. Meanwhile, the rapid rise of space infrastructure such as low-Earth-orbit satellites adds entirely new attack surfaces that existing regulatory frameworks do not address. Therefore, CISOs must expand risk assessments to include telecom dependencies.

The Cloud-Telecom Regulatory Convergence

By late 2026, the boundaries between telecom regulation and cloud regulation are expected to blur significantly. Following a major hyperscaler outage in late 2025, discussions have grown around treating cloud providers as essential infrastructure subject to the same resilience and reporting obligations as telecom operators. The first official cloud carrier regulatory category may emerge in 2026, requiring companies to obtain approval under both telecom and cloud frameworks. For enterprises using both telecom and cloud services, this convergence means a single compliance event could trigger obligations under multiple overlapping regulatory regimes.

The Quantum Security Dimension of Telecom Regulation

Quantum computing threats are accelerating telecom regulation changes because telecommunications networks carry the data that harvest-now-decrypt-later attacks specifically target. Adversaries collect encrypted communications transmitted over commercial telecom infrastructure today with the expectation of decrypting them once quantum computers mature — potentially exposing years of government, financial, and corporate communications that were considered secure at the time of transmission.

Furthermore, Forrester predicts that quantum security spending will exceed 5% of overall IT security budgets in 2026, reflecting the urgency of preparing telecom and enterprise communications for the post-quantum era. NIST has published post-quantum cryptography standards that organizations can begin implementing now, but the migration across entire telecom networks represents a multi-year effort requiring coordinated investment from operators, regulators, and enterprise customers.

Regulatory Actions on Quantum Security
Quantum security spending will exceed 5% of overall IT security budgets in 2026
NIST post-quantum cryptography standards now available for implementation
Nokia Bell Labs demonstrates 80% reduction in optical networking energy with quantum technology
Small-scale quantum-secure projects using QKD via optical fiber already operational
Outstanding Quantum Telecom Challenges
Harvest-now-decrypt-later attacks already targeting long-retention government data
QKD distance limitations require satellite relay for wide-area quantum networks
Migration to post-quantum cryptography across telecom networks is multi-year effort
Regulatory frameworks for quantum-safe communications are still fragmented globally

Five Priorities for Navigating Telecom Regulation in 2026

Based on the Forrester predictions and regulatory landscape, here are five priorities for CISOs, compliance officers, and infrastructure leaders navigating evolving telecom regulation:

  1. Inventory all telecom-dependent infrastructure for adversary vendor exposure: Because governments are restricting vendor nationality, document every hardware and software component in your telecom supply chain. Consequently, you identify replacement requirements before deadlines hit.
  2. Build incident reporting workflows for multiple frameworks: Since CIRCIA, NIS2, SOCI, and other mandates impose different reporting timelines, create unified workflows that satisfy the strictest requirements. As a result, one incident triggers compliant notifications across jurisdictions.
  3. Expand risk assessments to cover telecom infrastructure dependencies: With governments nationalizing telecom assets, evaluate how changes in telecom ownership or regulation affect your connectivity and data transmission. Furthermore, identify single points of telecom dependency.
  4. Begin post-quantum cryptography transition planning for sensitive communications: Because harvest-now-decrypt-later attacks target data in transit through telecom networks, prioritize PQC migration for your most sensitive communications. Therefore, data encrypted today remains protected when quantum computing matures.
  5. Monitor the cloud-telecom regulatory convergence closely: Since cloud providers may face telecom-style regulation by late 2026, track regulatory developments that could create overlapping obligations. In addition, evaluate whether your providers will remain compliant under emerging frameworks.
Key Takeaway

Telecom regulation is shifting from market oversight to state control as five governments nationalize or restrict critical infrastructure in 2026, driven by the Salt Typhoon breach of 600+ organizations across 80 countries. Australia enforces SOCI Act oversight, Italy restructures its national network for 22 billion euros, and the US bans adversary vendor ownership of subsea cables. CISOs must inventory supply chains for restricted vendors, build multi-framework incident reporting, and begin PQC transitions. The convergence of telecom and cloud regulation will reshape compliance obligations for every enterprise that depends on communications infrastructure.

Looking Ahead: Telecom Regulation Beyond 2026

Telecom regulation will continue to intensify as governments increasingly treat communications infrastructure as sovereign assets requiring state-level protection. By 2028, the trend toward nationalization and direct oversight will likely expand beyond the initial five governments as additional nations respond to cyberespionage campaigns targeting their own telecommunications networks. Meanwhile, the convergence of telecom, cloud, and AI regulation will create integrated compliance frameworks that treat all critical digital infrastructure under unified governance standards.

However, the organizations that adapt proactively will turn regulatory compliance into competitive advantage. In contrast, those that react to each new mandate individually will face escalating costs, fragmented compliance programs, and increasing risk of regulatory penalties as frameworks multiply and overlap across jurisdictions.

For CISOs and compliance leaders, telecom regulation is therefore a bellwether for broader critical infrastructure governance trends. The governments that nationalize telecom today will apply similar frameworks to cloud, AI, and data infrastructure tomorrow. The organizations that build adaptable, framework-agnostic compliance capabilities now will navigate every future regulatory shift more effectively than those locked into single-framework approaches.

Related Guide
Our IT GRC Services: Governance, Risk and Compliance Advisory

Frequently Asked Questions

Frequently Asked Questions
Which governments are nationalizing telecom infrastructure?
Forrester predicts five governments will nationalize or restrict telecom infrastructure in 2026. Australia has strengthened SOCI Act oversight, Italy is restructuring its national network for 22 billion euros, and the US has banned adversary vendor ownership of subsea cables. India and Singapore are also extending critical infrastructure designations to telecom.
What was the Salt Typhoon campaign?
Salt Typhoon was a nation-state cyberespionage campaign that breached over 600 organizations across 80 countries by targeting commercial telecom infrastructure. Attackers accessed call records, metadata, and communications content while remaining undetected for years, demonstrating that commercial telecom security was insufficient against persistent state-sponsored threats.
How does telecom regulation affect non-telecom organizations?
Every enterprise depends on telecom infrastructure for connectivity, data transmission, and cloud access. Changes in telecom ownership, vendor restrictions, or regulatory requirements can affect service availability, compliance obligations, and supply chain risk. CISOs must assess telecom dependencies as part of their organizational risk management.
What is the quantum security threat to telecom?
Harvest-now-decrypt-later attacks collect encrypted communications transmitted over telecom networks today, with plans to decrypt them when quantum computers mature. This threat drives regulatory action on quantum-safe communications. Quantum security spending will exceed 5% of IT security budgets in 2026, and NIST post-quantum cryptography standards are now available for implementation.
Will cloud providers face telecom-style regulation?
The boundaries between telecom and cloud regulation are blurring. Following a major hyperscaler outage, regulators are discussing treating cloud providers as essential infrastructure with telecom-style resilience and reporting obligations. By late 2026, the first cloud carrier regulatory category may emerge, requiring companies to comply with both telecom and cloud regulatory frameworks.

References

  1. Five Governments Nationalize, Salt Typhoon 600+ Orgs, Australia SOCI, Italy 22B, US Subsea Bans: Forrester — Predictions 2026: Cybersecurity and Risk Leaders Grapple With New Tech and Geopolitical Threats
  2. CISO Implications, IoT Ecosystem Risk, LEO Satellite Attack Surfaces, Regulatory Fragmentation: CybrSec Media — Forrester’s 2026 Cybersecurity Predictions
  3. Cloud-Telecom Convergence, Sovereign Cloud Contracts, Operator Dual Identity, 6G Spectrum: Wray Castle — Telecom Regulation 2026: What Industry Leaders Need to Know
Weekly Briefing
Security insights, delivered Tuesdays.

Join 1 million+ security professionals. Practical, vendor-neutral analysis of threats, tools, and architecture decisions.

Related Articles
Thought Leadership

Compliance Automation Is the Only Way to Scale Governance in a Multi-Regulation World

Compliance automation is the only path to scale across 400+ regulations. GRC market reaches $57.3B by 2033. AI saves $2.2M…

IT Governance and Compliance
10 min
Thought Leadership

Why AI Governance Must Be Built Into the System — Not Bolted On After Deployment

AI governance by design produces better outcomes than bolted-on compliance. Organizations with embedded governance see 10% higher ROI. 60% of…

IT Governance and Compliance
10 min
Thought Leadership

The CISO Is Becoming the Chief Compliance Officer — And That’s a Problem

CISO compliance scope expands unsustainably as 45% of remits grow beyond cybersecurity by 2027. 84% of boards equate security with…

IT Governance and Compliance
10 min
Thought Leadership

GRC Is No Longer a Back-Office Function — It’s a Strategic Business Enabler

GRC strategy has transformed from back-office compliance to strategic business enabler. The market reaches $57.1B in 2026 growing to $129.45B…

IT Governance and Compliance
10 min