AI Regulation for Telecoms in Germany: EU AI Act, GDPR & TKG 2021
Short answer
Telecom operators in Germany face a three-layer AI regulatory framework: the EU AI Act with high-risk obligations from August 2026, GDPR governing any AI that processes subscriber data, and TKG 2021 adding sector-specific data and network obligations.
- EU AI Act high-risk obligations apply from August 2026 — scoring, fraud detection, and critical network AI all in scope
- GDPR Article 22 restricts automated subscriber profiling — customers have the right to a human review of AI decisions
- TKG 2021 adds sector-specific data minimisation, network neutrality, and security obligations on top of EU AI Act
Telecommunications operators in Germany face a layered AI regulatory framework: the EU AI Act (binding high-risk system obligations from August 2026), GDPR for any AI that processes personal data about subscribers, and the Telekommunikationsgesetz 2021 (TKG 2021) for communications-specific data and network obligations. These three regimes interact and overlap — meaning compliance requires a coordinated approach, not three separate workstreams.
This guide explains which AI regulation applies to telecoms in Germany, which use cases are high-risk, how GDPR and TKG 2021 intersect with the EU AI Act, and what practical steps operators should take before the August 2026 deadline.
EU AI Act and the Telecoms Sector — What Qualifies as High-Risk?
Telecommunications is one of the most AI-intensive sectors in the European economy. Telcos, MVNOs, and enterprise telecoms buyers use AI across a wide range of operations — and the EU AI Act treats these use cases very differently depending on what decisions the AI makes and who is affected.
Fraud Detection and Network Anomaly Systems
AI-powered fraud detection systems that automatically block accounts, suspend SIM cards, or restrict services based on behavioural analysis may qualify as high-risk where they make enforceable decisions affecting individuals’ access to telecommunications services. Under Annex III, AI systems used in credit and access decisions for essential services are explicitly high-risk. Telecom fraud detection that cuts off service is functionally equivalent to an access decision.
If your fraud detection AI can suspend or terminate a customer account without mandatory human review, you likely need full high-risk compliance: documented risk management, bias testing, explainability mechanisms, and logging of every automated decision.
Customer Scoring and Creditworthiness
AI used to assess customer creditworthiness for postpaid contracts, handset financing, or enterprise service agreements is classified as high-risk under Annex III, Point 5(b) of the EU AI Act. This applies whether you use a third-party credit bureau system or a proprietary internal scoring model. The key criterion is whether the AI is making or materially influencing a consequential decision about an individual.
Requirements for this use case include data quality documentation, bias analysis across demographic groups, explainability to customers, human review mechanisms, and logging of decisions for audit purposes. Customers have a right to a meaningful explanation of any automated decision that affects them — this intersects directly with GDPR Article 22 rights (see below).
Network Optimization and Critical Infrastructure AI
AI that manages network traffic, allocates bandwidth, or performs quality-of-service prioritisation operates in a nuanced area. Where the AI manages critical infrastructure — systems whose failure or disruption would have significant consequences for public safety or essential services — it may be classified as high-risk under Annex III, Point 2 (critical infrastructure management).
For most commercial network optimization tools, the risk level is lower. The key question is: does this AI make autonomous decisions that could cause service outages affecting essential services? If yes, treat it as potentially high-risk. The intersection with KRITIS (critical infrastructure protection) obligations under German law is also directly relevant here.
Automated Customer Service: Chatbots and IVR
AI-driven chatbots and interactive voice response (IVR) systems are not classified as high-risk but are subject to mandatory transparency obligations under Article 50 of the EU AI Act. Any system that interacts with customers while appearing to be human must disclose its AI nature clearly and at the start of the interaction.
For telecoms, this applies to customer support chatbots on web and mobile apps, AI voice agents in call centres, automated complaint handling systems, IVR systems using AI-generated speech, and messaging bots for billing queries. Failing to disclose is a direct regulatory violation, even if the underlying system is low-risk.
Predictive Maintenance
AI used for predictive maintenance of physical infrastructure (antenna systems, cable networks, data centres) is generally not high-risk under the current Annex III framework, provided it does not control infrastructure in a way that affects public safety. Document these systems in your AI inventory, but they do not require conformity assessments under the current framework.
August 2026 Deadline — What German Telcos Must Do Now
The EU AI Act entered into force on 1 August 2024. The high-risk system obligations that matter most for telecoms apply from 2 August 2026 for new deployments and 2 August 2027 for systems already in service. This timeline is not theoretical — the August 2026 deadline is under 18 months away and full compliance requires substantive organisational and technical work.
| Deadline | Requirement |
|---|---|
| 2 February 2025 | Prohibited AI systems must be discontinued |
| 2 August 2025 | General-purpose AI model (GPAI) obligations apply |
| 2 August 2026 | High-risk AI system obligations fully apply (Annex III) |
| 2 August 2026 | EU AI database registration mandatory for new high-risk deployments |
| 2 August 2027 | Obligations apply to existing high-risk systems already in service |
High-Risk System Compliance
If your AI system is high-risk, Chapter III of the EU AI Act requires the following before deployment:
- Risk management system — documented, ongoing assessment of risks throughout the AI system’s lifecycle
- Data governance — data quality standards, bias analysis, and documentation of training data sources and composition
- Technical documentation — full technical file per Annex IV, including system architecture and performance specifications
- Record-keeping — automatic logging of system inputs, outputs, and decision parameters for post-hoc audit
- Transparency — information provided to deployers and affected individuals about how the system works and what it decides
- Human oversight — effective mechanisms for humans to review, override, correct, or stop the AI system
- Accuracy and robustness — tested performance benchmarks, cybersecurity measures, and ongoing monitoring
- EU registration — entry in the EU AI database before deployment (mandatory from August 2026)
For telecoms, most high-risk AI obligations fall on the deployer (the telco) rather than the AI system provider, because the deployer determines the deployment context and the decisions being made.
General-Purpose AI (GPAI) Model Obligations
From 2 August 2025, additional obligations apply to general-purpose AI models embedded in telecom products. If you are deploying a GPAI model — or building products on top of a GPAI model such as GPT-4 or Gemini — you must conduct adversarial testing, maintain technical documentation, and provide sufficient information for downstream users to comply with their own obligations. Telecoms building proprietary AI assistants or network intelligence platforms on top of foundation models need to assess their GPAI obligations now.
See our EU AI Act August 2026 deadline guide for a full breakdown of compliance timelines across all obligation types.
GDPR and AI in Telecoms
Almost every AI system deployed by a telecom operator involves personal data — subscriber identifiers, network usage patterns, call metadata, location signals, or behavioural profiles. This means the EU AI Act operates in parallel with GDPR obligations that already apply to these systems. The interaction is not incidental: GDPR’s Article 22 rules on automated decision-making directly overlap with the EU AI Act’s transparency and human oversight requirements.
Network Metadata and Traffic Analysis as Personal Data
Traffic data and location data generated during communications are personal data under GDPR and specifically protected communications data under TKG 2021. AI systems that analyse network metadata for fraud detection, profiling, or service optimisation are processing personal data and must comply with GDPR’s data minimisation, purpose limitation, and retention principles.
This is particularly significant for AI systems that build long-term behavioural profiles of subscribers based on aggregated usage patterns. Even where individual transactions are anonymised, pattern analysis capable of re-identifying individuals triggers GDPR obligations.
Subscriber Profiling and GDPR Article 22
GDPR Article 22 gives individuals the right not to be subject to decisions based solely on automated processing — including profiling — that produce legal effects or similarly significant effects on them. For telecoms, this applies to:
- Automated decisions to reject a postpaid contract application
- AI-driven decisions to suspend, downgrade, or terminate a service
- Automated churn prediction systems that trigger contract intervention offers
- Credit risk scoring decisions that affect access to handset financing
Where Article 22 applies, telecoms must provide a lawful basis (usually explicit consent or contractual necessity), ensure the individual can request human review of the automated decision, and allow the individual to contest the decision and express their point of view.
These obligations directly parallel the EU AI Act’s human oversight requirements for high-risk systems. A properly designed compliance framework addresses both simultaneously rather than treating them as separate compliance tracks.
Marketing AI: Consent vs. Legitimate Interest
AI systems used for next-best-offer recommendations, churn prediction-triggered marketing, and personalised billing communications require a valid GDPR legal basis. For marketing purposes, consent is typically required under the ePrivacy Directive and GDPR — legitimate interest is a weaker basis for unsolicited commercial communications.
This becomes more complex when AI generates personalised offers based on inferred preferences derived from network behaviour or third-party data. The profiling involved in these systems requires transparency in privacy notices, and customers must have meaningful opt-out rights.
Sub-Processor Chains for AI Vendors
Telecoms routinely use third-party AI vendors — for network intelligence, customer analytics, fraud detection, or AI-powered CRM. Each of these vendors is likely a data processor under GDPR. Telcos must have valid Data Processing Agreements (DPAs) in place with each AI vendor, covering data categories processed, retention periods, security measures, and sub-processor restrictions.
Under the EU AI Act, telcos also need to assess what information their AI providers supply about the AI systems — specifically whether the provider’s technical documentation is sufficient to support the telco’s own high-risk compliance obligations. AI vendor contracts need to be reviewed and updated to reflect both GDPR and AI Act requirements.
TKG 2021 and AI Systems
For telecoms operating in Germany, the Telekommunikationsgesetz 2021 (TKG 2021) creates sector-specific obligations that sit alongside EU AI Act and GDPR requirements. The TKG 2021 does not address AI directly, but several of its provisions apply to AI systems deployed in network management, subscriber data processing, and customer interactions.
Data Minimisation for Network AI
§ 165 TKG 2021 governs the security of telecommunications networks and services. AI systems used in network security, fraud detection, and anomaly detection must be designed to process only the minimum data necessary for their function. Traffic data and location data must be deleted or anonymised as soon as they are no longer needed for transmission purposes — AI systems that retain this data for extended model training periods need specific legal authorisation.
§ 52 TKG 2021 addresses network neutrality obligations. AI systems that manage traffic prioritisation or quality-of-service decisions must not discriminate between traffic classes in ways that violate net neutrality rules. AI-driven traffic management is subject to oversight by the Bundesnetzagentur, which can investigate whether automated QoS decisions breach net neutrality — an obligation that is separate from and additional to EU AI Act obligations.
Security Requirements and KRITIS
Operators of critical telecommunications infrastructure under the BSI-Gesetz and KRITIS regulation face additional security requirements that directly affect how AI systems can be deployed in network operations. AI systems operating in KRITIS-classified networks:
- Must meet BSI-Gesetz security baselines
- Are likely subject to Annex III, Point 2 (critical infrastructure AI) under the EU AI Act
- Require security incident reporting that may overlap with AI Act incident reporting obligations
- Need specific vulnerability management documentation
The Bundesnetzagentur (BNetzA) coordinates with national AI supervisory authorities when AI-related incidents affect regulated telecoms infrastructure. Compliance programmes should be designed to handle joint oversight scenarios.
Employee Monitoring in Telecoms
Telecoms operators often deploy AI in workforce management: call centre quality monitoring, agent performance scoring, scheduling optimisation, and productivity analytics. These applications fall under GDPR, the BetrVG (Works Constitution Act), and potentially the EU AI Act where they involve automated decisions that significantly affect employees.
Under § 26 BDSG and § 87(1)(6) BetrVG, works councils have co-determination rights over technical systems that monitor employee behaviour. AI performance monitoring systems that influence hiring, promotion, or disciplinary decisions must be classified against EU AI Act Annex III, which includes AI used in employment and workforce management.
Our guide on AI employee monitoring compliance covers these obligations in detail.
Practical Compliance Checklist for Telecoms Operators
Use this checklist to assess your current readiness across all three regulatory frameworks:
Step 1: AI Inventory
- Map all AI systems used across your organisation
- Identify which systems interact with or make decisions about customers
- Identify which systems manage network infrastructure or operations
- Document which systems use third-party AI providers or foundation models
- Flag AI systems operating in KRITIS-classified infrastructure
Step 2: Risk Classification
- Classify each AI system against Annex III (high-risk) criteria
- Identify systems subject to transparency obligations under Article 50
- Flag any general-purpose AI models (GPAIs) embedded in your products
- Document GDPR Article 22 applicability for automated decision systems
- Review TKG 2021 obligations for network data and subscriber data processing
Step 3: High-Risk Compliance (where applicable)
- Appoint a person responsible for AI Act compliance
- Implement risk management documentation for each high-risk system
- Commission data quality and bias assessments for training datasets
- Draft technical documentation per Annex IV
- Implement logging and record-keeping for automated decisions
- Design human oversight processes for each high-risk system
- Review AI vendor contracts for GPAI model documentation obligations
Step 4: GDPR and Transparency
- Update chatbot and IVR interfaces to include mandatory AI disclosure
- Implement Article 22 human review processes for automated decisions
- Update privacy notices to disclose AI-based profiling and decision-making
- Audit data processor agreements with all AI vendors
- Train customer service teams on AI disclosure and explanation rights
- Draft template explanations for automated decisions affecting customers
Step 5: Registration and Governance
- Register high-risk AI systems in the EU AI database (from August 2026)
- Establish an internal AI governance policy integrating AI Act, GDPR, and TKG obligations
- Align AI Act incident reporting with TKG 2021 and BSI-Gesetz security incident procedures
- Schedule regular internal audits of AI system performance and bias
How Compound Law Helps Telecoms Companies
Compound Law works with telecommunications companies across the DACH region on AI regulation compliance, combining expertise in telecom regulation, data protection law, and AI governance.
We help telecoms companies:
- Classify AI systems against Annex III and identify which systems require full high-risk compliance procedures
- Build compliance documentation including risk management frameworks, technical documentation files per Annex IV, and data governance policies
- Integrate AI Act compliance with GDPR and TKG obligations, ensuring a coherent regulatory approach across all three frameworks
- Design human oversight processes that satisfy AI Act and GDPR Article 22 requirements without creating operational bottlenecks
- Prepare for Bundesnetzagentur (BNetzA) oversight and coordinate between national AI Act enforcement and telecom-specific regulation
- Review AI vendor contracts for GPAI documentation obligations and data processor agreement compliance
- Train compliance and technical teams on practical AI governance requirements
Contact Compound Law for a free initial consultation on AI regulation compliance for your telecommunications business.
Frequently Asked Questions
What AI regulation applies to telecoms in Germany?
Telecom operators in Germany face three overlapping AI regulatory frameworks: the EU AI Act (high-risk system obligations from August 2026), GDPR (for all AI systems that process personal data about subscribers), and the TKG 2021 (sector-specific network and data obligations). These regimes interact — particularly for fraud detection systems, subscriber profiling, and network management AI. A compliant approach must address all three simultaneously rather than treating them as separate workstreams.
Is AI in telecoms high-risk under the EU AI Act?
Not all telecom AI is high-risk. AI used for customer credit scoring, access decisions affecting essential services, and critical infrastructure management is classified as high-risk under Annex III of the EU AI Act. Network optimization, predictive maintenance, and most operational tools are generally not high-risk. The classification depends on whether the AI makes or materially influences consequential decisions about individuals or critical infrastructure.
What does GDPR Article 22 mean for telecoms AI?
GDPR Article 22 gives subscribers the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. For telecoms, this covers automated decisions to reject a postpaid contract, suspend service, or determine credit terms. Where Article 22 applies, telcos must provide a lawful basis, offer human review of the automated decision, and allow customers to contest the outcome. This obligation directly overlaps with the EU AI Act’s human oversight requirements for high-risk systems.
What does the TKG 2021 require for AI systems?
The TKG 2021 does not regulate AI directly, but several of its provisions apply to AI systems deployed by operators. § 165 TKG 2021 requires network security AI to minimise data processing and meet security baselines. § 52 TKG 2021 subjects AI traffic management systems to net neutrality obligations overseen by the Bundesnetzagentur. KRITIS-classified telecoms face additional BSI-Gesetz security requirements that affect AI deployment in critical network infrastructure.
What is the deadline for AI Act compliance for telecoms?
The main high-risk AI system obligations under Chapter III apply from 2 August 2026 for new deployments. Telecoms companies deploying new high-risk AI systems must be fully compliant before go-live. Existing high-risk systems already in service have until 2 August 2027. General-purpose AI model obligations have applied since 2 August 2025. Prohibited AI practices were required to stop by 2 February 2025.
Do telcos need to register AI systems under the EU AI Act?
Yes — high-risk AI systems must be registered in the EU AI database before deployment. This obligation applies from 2 August 2026 for new deployments, and from 2 August 2027 for AI systems already in service before that date. The registration must include technical documentation, intended purpose, risk classification, and conformity assessment results. Non-high-risk systems such as chatbots are not required to be registered, but must comply with Article 50 transparency obligations.
What are the fines for non-compliance with the EU AI Act?
Fines for violations of high-risk system obligations can reach €20 million or 4% of global annual turnover, whichever is higher. Violations of prohibited AI practices carry fines of up to €35 million or 7% of global turnover. Providing incorrect information to supervisory authorities carries fines of up to €7.5 million or 1% of global turnover.
This guide provides general legal information and does not constitute legal advice. Specific compliance decisions require individual legal counsel based on your organisation’s AI systems and circumstances. Contact Compound Law for tailored advice.