
Data protection and information security

We are committed to ensuring that our customers retain control over their data and can manage their digital lives autonomously.


Strategy

For the principle of data sovereignty

Protecting personal data and mitigating cyber risks are our highest priorities. We act in accordance with the law, transparently and proactively to build trust and contribute to a secure digital society.

Policies

We’re playing it safe

We protect personal data based on recognized standards and applicable laws, such as the General Data Protection Regulation (GDPR), the Telecommunications Act (TKG) and the ISO 27001:2022 Information Security Management System.

The corporate data protection standard forms the basis of the data protection management system and aims to ensure that data is processed lawfully and protected according to the current state of the art. It is supplemented by internal guidelines such as the information security policy, the data protection incident policy, and the crisis management policy.

Our resilience framework describes the fundamental security control objectives, which we specify in guidelines and standards and from which we derive control requirements. The effectiveness of information security measures is regularly reviewed – including through internal and external audits, such as ISO 27001 certification audits, internal audit reviews, and internal control assessments.

Specific internal guidelines and procedures govern how we deal with threats and vulnerabilities, and how we raise employee awareness of these issues. These guidelines form the basis for robust security and data protection management, ensuring both transparency regarding data usage and the responsible handling of information. Implementing information security also includes the technical and organizational protection of our network and IT systems. This approach is supported by the Cyber Fusion Center, which coordinates comprehensive protective measures against cyberattacks.

Targets

We had the following targets by the end of 2025:

  • No data protection breaches or security incidents that result in fines or other sanctions.

  • Increasing the completion rate of the “Information Security” training among our employees to over 90%.

Performance

Encouraging results

  • As in the previous year, there were no data protection breaches or security incidents in 2025 that would have led to fines or other sanctions.

  • The completion rate for information security training in 2025 was 88.5% (2024: 89.6%), just below the target of over 90%. We further strengthened our employees’ security awareness through numerous additional awareness measures supplementing the mandatory training.

Actions

Prevention, monitoring, response: our resilience triad

Minimising risks from the outset: We rely on the principle of “Privacy by Design and Default” to protect personal data as effectively as possible from the very beginning. By minimising data processing and access rights, we reduce potential attack surfaces.

Keeping security in focus: Our Cyber Fusion Center (CFC) is a central hub for improving cyber security. Here, systems and networks are continuously monitored, threats are identified, and incidents are handled quickly and in a coordinated manner. The Network Operations Center (NOC) provides additional support by monitoring network components to detect anomalies early and ensure the stability of our services.

Targeted skills development: Through mandatory and regularly updated training on data protection and information security, we strengthen our employees’ awareness of current threats and regulatory requirements. In 2025, numerous additional measures covering various security topics were offered to address individual needs and further enhance security awareness.

Proactively addressing threats: In addition, we use Cyber Threat Intelligence (CTI) and the Threat Intelligence Programme to analyse the evolving threat landscape. This allows us to anticipate risks and initiate preventative measures to counter potential threats.

This three-pronged approach of prevention, monitoring, and rapid response strengthens the protection of digital infrastructure.

Prioritising data privacy: As a telecommunications provider, we process large amounts of mobility and usage data. The Data Anonymisation Platform (DAP) is a multi-stage process that anonymises this data. You can find more information about data protection here.

Business value

Keeping an eye on the dangers

Our Threat Intelligence Programme enables us to identify threats early and take preventative action. Attacker tactics and risks are continuously analysed, including in key areas such as 5G networks, IoT, ransomware, supply chains, cloud security, and social engineering. Emerging threats like AI-based attacks, malware trends, and phishing targeting business tools are also monitored. The programme delivers actionable insights for rapid decision-making, strengthens the resilience of digital infrastructure, and enhances the reliability of our services for our business customers.

Next steps

Certainly a good idea

As with compliance, we want to expand our AI-powered risk analyses and threat intelligence systems to further optimise prevention. The self-service platforms should also be usable for data protection requests and security certificates.