Risks and opportunities
This section provides important additional information and explains recent changes in the risks and opportunities compared to those described in the 2022 combined management report (2022 Annual Report). Readers are also referred to the “Disclaimer” at the end of this report.
Strategic implementation and integration. Collaboration with Chinese suppliers is being impeded by the enduring trade conflict between the United States and China. Since 1997, the United States has restricted the use of U.S. technology for various countries, as well as, since 2020, for some Chinese companies, on account of security concerns. The United States also puts pressure on other countries to do the same. In Germany, the legislator adopted the Second Act to Increase the Security of Information Technology Systems, or the IT Security Act 2.0 (IT-Sicherheitsgesetz 2.0), in 2021. The Act does not include any ban on individual manufacturers. All 5G operators must notify the authorities of new critical components and the suppliers thereof in accordance with the catalog of security requirements pursuant to the Telecommunications Act and prior to first-time operation. If the Federal Government has security concerns, it can introduce a blanket ban on using certain manufacturers. Deutsche Telekom itself has long been scrutinizing security-critical components prior to installation and on an ongoing basis once in operation. In March 2023, under the IT Security Act 2.0, the Federal Ministry of the Interior and Community (BMI) asked German network operators to identify all 5G components from the Chinese suppliers Huawei and ZTE that have already been installed and map critical functions, and to notify the authority accordingly. In September 2023, the authority additionally asked the network operators to identify all installed components from the manufacturers Huawei and ZTE. Although BMI speaks of an impartial review, there is public speculation over the possibility that, in the fourth quarter of 2023, the findings could lead to a ban or restrictions on deploying Chinese equipment in parts of the German network, within certain time frames. The replacement of these components could incur high costs. In other countries, such as Austria, the Czech Republic, and Poland, it is still possible that critical infrastructure suppliers will have to be replaced within specific deadlines. Compared to the end of 2022, we already raised the risk significance of the risk category “Strategic implementation and integration” from high to very high in the first quarter of 2023, due to the extensive costs that could be incurred should there be a retrospective order to remove components.
Procurement and suppliers. Deutsche Telekom’s supply chains could currently be negatively impacted by a number of factors, such as geopolitical tensions, e.g., the United States’ technology sanctions against China, as well as cyberattacks and supply chain restructuring. At T-Mobile US, in certain areas such as terminal equipment, there are few suppliers who can provide adequate support, which may lead to unfavorable contract terms and decreased flexibility to switch to alternative third parties. Unexpected termination or difficulties in renewing the commercial arrangements with the suppliers, or any business disruptions at the suppliers could have a material adverse effect on T-Mobile US. We are therefore raising the risk significance of the risk category “Procurement and suppliers” from low to medium.
Data privacy and data security. All Group companies are subject to specific data privacy regulations (in the EU especially the General Data Protection Regulation (GDPR)). These requirements must be implemented and their compliance must be monitored. Data privacy incidents can be sanctioned with very high administrative fines (up to between 2 and 4 % of the total worldwide annual revenue of an undertaking). The European supervisory authorities’ concept for administrative fines applies. Under this concept, high fines may be imposed even for infringements with a low criticality. The supervisory authorities’ practice with respect to fines demonstrates that more and higher fines are being imposed. Despite mitigation measures and well-established data privacy management structures, it is not possible to fundamentally rule out data privacy incidents as almost all procedures/processes in the Group are relevant in terms of data protection. Errors may occur that are linked to reputation, cost, and sanction risks. Cybercrime and industrial espionage are on the rise and they are becoming ever more complex due to rapidly advancing technologies and attack methods. As a result, we face constant challenges and adjustments to protect our customer and business partner data, as well as our networks, technologies, products, and services against these attacks. Such incidents can lead, among other things, to business disruptions, embezzlement, or unauthorized access to confidential or personal information, and to loss of reputation. Due to the rise in successful cyberattacks against Deutsche Telekom in recent years, predominantly in the United States, and the growing overall threat level imposed by cyberattacks, as well as the supervisory authorities’ tougher practice with respect to data privacy-related fines, the risk significance of the risk category “Data privacy and data security” is rising from high to very high.
Financial risks. The war in Ukraine and the situation on the world market drove sharp rises in energy costs in 2022. Energy prices could remain volatile, although the price level on the world market has so far fallen slightly in 2023. Inflationary pressure in Germany and the United States resulted in further interest rate hikes in 2023, prompting a substantial further reduction in the variable-interest debt portfolio to temper interest rate sensitivity. By taking account of fluctuating energy prices and the changes to the debt portfolio during the planning process, we were able to lower the risk significance of the risk category “Financial risks” from high to medium.
Claims relating to charges for the shared use of cable ducts. In the claims filed by Vodafone Deutschland GmbH and Vodafone Hessen et al. (now Vodafone West GmbH) against Telekom Deutschland GmbH alleging excessive charges for the use of cable ducts, which were referred by the Federal Court of Justice back to the responsible Higher Regional Courts, the plaintiff Vodafone Deutschland GmbH has since updated its demand for relief, which it now puts at approximately EUR 826 million plus interest for the period from January 1, 2012 to December 31, 2022. It is currently not possible to estimate the financial impact with sufficient certainty.
Proceedings against T‑Mobile US in consequence of the cyberattack on T‑Mobile US in August 2021. In the proceedings against T‑Mobile US in relation to the cyberattack on T‑Mobile US in August 2021, the competent court issued an order on June 29, 2023 granting final approval of the agreement dated July 22, 2022 to settle the federal class action lawsuit. The order has been appealed, leading to a delay in the conclusion of the proceedings.
Assessment of the aggregate risk position
The aggregate risk position has deteriorated compared with the risks and opportunities as described in the 2022 combined management report (2022 Annual Report) due to a potential expansion of the ban on Chinese network components, the enduring pressures on global economic development, and the tense geopolitical situation. At the time of preparing this report, neither our risk management system nor our management could identify any material risks to the continued existence of Deutsche Telekom AG or a significant Group company as a going concern.