Risks and opportunities
This section provides important additional information and explains recent changes in the risks and opportunities compared to those described in the 2022 combined management report (2022 Annual Report). Readers are also referred to the “Disclaimer” at the end of this report.
Strategic implementation and integration. Collaboration with Chinese suppliers is being impeded by the enduring trade conflict between the United States and China. Since 1997, the United States has restricted the use of U.S. technology for various countries, as well as, since 2020, for some Chinese companies, on account of security concerns. The United States also puts pressure on other countries to do the same. In Germany, the legislator adopted the Second Act to Increase the Security of Information Technology Systems, or the IT Security Act 2.0 (IT-Sicherheitsgesetz 2.0), in 2021. The Act does not include any ban on individual manufacturers. All 5G operators must notify the authorities of new critical components and the suppliers thereof in accordance with the catalog of security requirements pursuant to the Telecommunications Act and prior to first-time operation. If the Federal Government has security concerns, it can introduce a blanket ban on using certain manufacturers. Deutsche Telekom itself has long been scrutinizing security-critical components prior to installation and on an ongoing basis once in operation. In March 2023, under the IT Security Act 2.0, the Federal Ministry of the Interior and Community (BMI) asked German network operators to identify all 5G components from the Chinese suppliers Huawei and ZTE that have already been installed and map critical functions, and to notify the authority accordingly. Although BMI speaks of an impartial review, there is public speculation over the possibility that, in the second half of 2023, the findings could lead to a ban on deploying Chinese equipment in further parts of the German network classed as potentially critical, within certain time frames. The replacement of these components could incur high costs. In other countries, such as Austria, the Czech Republic, and Poland, it is still possible that critical infrastructure suppliers will have to be replaced within specific deadlines. Compared to the end of 2022, we already raised the risk significance of the risk category “Strategic implementation and integration” from high to very high in the first quarter of 2023, due to the extensive costs that could be incurred should there be a retrospective order to remove components.
Procurement and suppliers. Deutsche Telekom’s supply chains could currently be negatively impacted by a number of factors, such as geopolitical tensions, e.g., the United States’ technology sanctions against China, as well as cyberattacks and supply chain restructuring. Furthermore, the general costs of semiconductor materials, production, energy, wages, and global logistics are rising, leading to general price increases for products and services. Europe and the United States are experiencing delays in deliveries of individual products from certain vendors. However, thanks to countermeasures taken, shortages were avoided and continue to recede. At T-Mobile US, the increased concentration on the terminal equipment of a single vendor and the commensurate growing dependency could expose us to further risks. Continued geopolitical effects and price increases are expected. We address these challenges with a range of organizational, contractual, and strategic procurement measures, including the Supply Chain Resilience task force. To reflect the growing dependencies in T-Mobile US’ terminal equipment portfolio, we are raising the risk significance of the risk category “Procurement and suppliers” from low to medium.
Data privacy and data security. All Group companies are subject to specific data privacy regulations (in the EU especially the General Data Protection Regulation (GDPR)). These requirements must be implemented and their compliance must be monitored. Data privacy incidents can be sanctioned with extremely high fines (up to between 2 and 4 % of the global Group revenue). The European supervisory authorities’ concept for fines has been applied. It stipulates high fines even for violations with a low criticality. The supervisory authorities’ practice with respect to fines demonstrates that more and higher fines are being imposed. Despite mitigation measures and well-established data privacy management structures, it is not possible to fundamentally rule out data privacy incidents as almost all procedures/processes in the Group are relevant in terms of data protection. Errors may occur that are linked to reputation, cost, and sanction risks. Cybercrime and industrial espionage are on the rise and they are becoming ever more complex due to rapidly advancing technologies and attack methods. As a result, we face constant challenges and adjustments to protect our customer and business partner data, as well as our networks, technologies, products, and services against these attacks. Such incidents can lead, among other things, to business disruptions, embezzlement, or unauthorized access to confidential or personal information, and to loss of reputation. Due to the rise in successful cyberattacks against Deutsche Telekom in recent years, predominantly in the United States, and the growing overall threat level imposed by cyberattacks, as well as the supervisory authorities’ tougher practice with respect to data privacy-related fines, the risk significance of the risk category “Data privacy and data security” is rising from high to very high.
Financial risks. The war in Ukraine and the current situation on the world market drove sharp rises in energy costs in 2022. Energy prices could remain volatile, although the price level on the world market fell slightly in the first half of 2023. Inflationary pressure in Germany and the United States resulted in further interest rate hikes in the first half of 2023, prompting a reduction in the variable-interest debt portfolio to temper interest rate sensitivity. By taking account of fluctuating energy prices and the changes to the debt portfolio during the planning process, we were able to lower the risk significance of the risk category “Financial risks” from high to medium.
Proceedings against T-Mobile US in consequence of the cyberattack on T-Mobile US in August 2021. In the proceedings against T-Mobile US in relation to the cyberattack on T‑Mobile US in August 2021, the competent court issued an order on June 29, 2023 granting final approval of the agreement dated July 22, 2022 to settle the federal class action lawsuit. The order has been appealed, leading to a delay in the conclusion of the proceedings.
Assessment of the aggregate risk position
The aggregate risk position has deteriorated compared with the risks and opportunities as described in the 2022 combined management report (2022 Annual Report) due to a potential expansion of the ban on Chinese network components, the enduring pressures on global economic development, and the tense geopolitical situation. At the time of preparing this report, neither our risk management system nor our management could identify any material risks to the continued existence of Deutsche Telekom AG or a significant Group company as a going concern.