On average, third parties try to gain access to Deutsche Telekom’s systems up to 45,000 times per minute. Not least in view of AI-generated attacks, cybersecurity and the protection of personal data are essential fields of action for us. The highest standards of IT and data security as well as data protection are part of our brand identity.
We cover privacy and security issues in detail under “Consumers and End Users” and “Cybersecurity” in our audited Sustainability statement 2025.
Evaluating attacks with AI
You can find out more about cybersecurity in our
Sustainability statement in the Annual Report 2025With the help of artificial intelligence (AI), our security experts analyze around 5 billion security-relevant data from around 1,400 data sources every day. They detect attacks in real time and immediately take the necessary steps to neutralize or ward off attacks. In 2025, we registered around 65 million attacks per day on our honeypot systems. Honeypots are intentionally set traps for attackers. In Europe, we are a pioneer in the proactive fight against botnets in the Deutsche Telekom network. This is how we protect our infrastructure – and thus also the data of our customers. In this way, we contribute to trust in our networks and systems.
In 2025, we employed more than 280 cybersecurity analysts and more than 30 specialists in our Cyber Defense and Security Operations Centers (SOC) worldwide. Among other things, they work on the detection of threats, the treatment of security incidents and digital forensics, i.e., the analysis of digital traces in order to be able to understand and solve security incidents.
Security and commitment combined: Deutsche Telekom Security GmbH
We also offer our services against cyber attacks to other companies: More than 150 DAX and medium-sized companies in Germany use the services of Deutsche Telekom Security GmbH for their own protection. As one of the world’s largest providers of digital security and the market leader in Germany, Austria and Switzerland, Deutsche Telekom Security GmbH bundles cybersecurity expertise throughout the Group and has been securing our own infrastructure and that of our customers for many years. In order to further improve cooperation in digital hazard prevention, Deutsche Telekom Security GmbH is involved in numerous organizations and associations. It also works with other ICT service providers in Germany and at EU level.
We also address the topic of children’s online safety through offers from Deutsche Telekom Security GmbH. These include educational offers such as AwareNessi, which are intended to teach children basic skills for the safe use of online media. More information on our approach to protecting minors when using digital media can be found here in the CR Report under Consumer protection.
Deutsche Telekom Security GmbH offers part-time training to become a cyber security professional and other career opportunities. Detailed information on this topic is provided in the CR report under Employee development.
Training for employees: targeted qualification
You can find out more about training and awareness measures on our
websiteIn order to sensitize our employees to data protection, information protection and cybersecurity, we use various learning formats that we regularly develop. For example, every two years (most recently in 2025), employees are obliged to protect data and information. Participation is mandatory for full- and part-time employees and takes place throughout the Group (currently excluding T‑Mobile US). In the reporting year, this mandatory training course consisted of content on data protection (4 modules) and information protection (2 modules).
Progress in 2025: impact of our actions
In the latest update of our mandatory training on data and information protection, we have integrated a systematic evaluation of the level of data protection – both at the Group level (excluding T‑Mobile US) and at the level of the individual companies. On this basis, strengths and concrete fields of action can be identified and targeted improvement measures can be derived. The new evaluation replaces the “Data Protection Award” last recorded in 2022, which we used to evaluate our data protection measures. In the year under review, more than 80 % of our employees successfully completed the mandatory training at the first attempt. This result serves as an indication of the effectiveness of our measures to raise awareness of data protection issues.
We also conduct regular surveys to determine the security awareness of our employees on a random basis. On this basis, we evaluate the effectiveness of our cybersecurity measures (excluding T‑Mobile US). A central instrument is the Online Awareness Survey (OAU). We derive the Security Awareness Index (SAI) from their results. The SAI maps how employees perceive and assess IT security in the Group. A higher percentage stands for a more positive rating.
The OAU was last held in 2024. The SAI increased from 80.6 % in 2023 to 81.0 % in 2024. No survey was conducted in the year under review, as we systematically reviewed and further developed content and issues after OAU 2024. On this basis, it is planned to restart the revised OAU in 2026. In this way, we want to derive measures from the results in an even more targeted and data-based manner in the future.
Looking ahead
Our intentional traps for cybercriminals were attacked 65 million times a day in the reporting year. This figure underscores the importance of continuously improving our cybersecurity activities. With innovative processes, the increased use of AI and the expansion of our protection centers, we are committed to protecting our infrastructure and the data of our customers in the future.
Deep Dive for Experts
Management & Frameworks
We have established a security organization centrally and in all entities of the Group. The “Security” policy establishes fundamental principles for data protection and cybersecurity and is aligned with the ISO/IEC 27001 standard. In addition, the Group’s information security management system as well as the majority of Deutsche Telekom’s Group entities are certified in accordance with ISO/IEC 27001 and are subject to regular internal and external audits (excluding T‑Mobile US).
Since 2020, CERT has been officially certified according to the SIM3 (Security Incident Management Maturity Model) standard.
Our group companies are subject to specific data protection regulations, such as the GDPR in the EU. Where national legal requirements permit, the companies in the Group have also committed themselves to complying with the “Binding Corporate Rules Privacy”. This guideline is intended to ensure a uniformly high level of data protection in accordance with ISO/IEC 27701 for our products and services.
On our website, we provide comprehensive information about our data protection activities. We also publish an annual Transparency Report. In our Status Report on data privacy, we also report on major data protection-related processes and corresponding measures.
Our customers in the United States receive information about the data protection practices of our U.S. subsidiary via the Privacy Center of T‑Mobile US. It provides consumers with information about how the company collects, uses, shares, and protects personal customer information; additional information about the types of data collected and the programs that individuals can enable and disable; what types of data are used internally and under what circumstances data may be sold or disclosed to third parties; and more information about how data is stored and backed up.
T‑Mobile US has policies, procedures, and review processes, including a structured intake process for cybersecurity service requests, to ensure data security. T‑Mobile US also conducts a comprehensive data inventory of its systems.
We want to ensure the lawful processing of personal data while respecting general human rights. In our Code of Human Rights, we (excluding T‑Mobile US) are committed to the fundamental right to data protection and informational self-determination that applies in the EU and would like to promote its recognition worldwide.
In our Guidelines for the ethical use of AI, we (excluding T‑Mobile US) have set out how we use AI responsibly in our products and services. T‑Mobile US is steering the issue with its Responsible AI Policy and Guidelines.
We expect our suppliers to comply with all applicable data protection and data security requirements. By recognizing our Supplier Code of Conduct, they commit to transparently documenting their data processing and AI processes and disclosing them upon request. They must also ensure that their AI systems are non-discriminatory, transparent and barrier-free and can be stopped or switched off at any time by a responsible person.
Relevant Standards
Sustainability Accounting Standards Board (SASB)
TC-TL-230a.2 (Data security)