T-Mobile US Inc.: 10-K Risk Factor Changes

Our business involves the receipt, storage, and transmission of confidential information about our customers, such as sensitive personal, account and payment information, confidential information about our employees and suppliers, and other sensitive information about our Company, such as our business plans, transactions, financial information, and intellectual property (collectively, “Confidential Information”). Additionally, to offer services to our customers and operate our business, we utilize several applications and systems, including those we own and operate, such as our wireless network, as well as others provided to us by third parties, such as cloud service providers and SaaS companies (collectively, “Systems”). We are subject to persistent cyberattacks and threats to our business from bad actors seeking to gain unauthorized access to Confidential Information and compromise Systems to undermine availability or integrity. They are perpetrated by a variety of groups and persons, including nation state-sponsored parties, malicious actors, employees, contractors, or other unrelated third parties. Some actors reside in jurisdictions where law enforcement measures to address such attacks are ineffective or unavailable. Cyberattacks against companies like ours are increasing in frequency and scope of potential harm over time, and the methods used to gain unauthorized access constantly evolve, making it increasingly difficult to anticipate, prevent, and detect incidents successfully in every instance. In some cases, these bad actors exploit bugs, errors, misconfigurations or other vulnerabilities in our Systems to obtain Confidential Information. In other cases, these bad actors obtain unauthorized access to Confidential Information by exploiting insider access or utilizing log in credentials taken from our customers, employees, or third-party providers through credential harvesting, social engineering or other means. Other bad actors aim to cause serious operational disruptions to our business and Systems through ransomware or distributed denial of services attacks. Although we regularly work to identify, track and remedy any security vulnerabilities, given the complex nature of our Systems and the tools that are available to us, we may be unable to identify vulnerabilities in a timely manner, or to apply patches or compensating measures that address such vulnerabilities, before bad actors can exploit them. The exploitation of a security vulnerability before patches or measures are applied could materially compromise Confidential Information and Systems. In addition, we routinely rely upon third-party providers whose products and services are used in our business. These third-party providers have experienced, and will continue to experience cyberattacks that involve attempts to expose our Confidential Information and/or to create operational risk that could materially and adversely affect our business, and these providers also face other security challenges common to all parties that collect and process information. Additionally, our Systems include components from third parties or fourth parties we do not control and may have compromises, defects, flaws, or design errors unknown to us. 13 13 13 Table of Contents Table of Contents As a result of the previously disclosed cyberattacks in August 2021 and January 2023, we incurred significant costs in connection with, among other things, responding to and resolving mass arbitration claims, multiple class action lawsuits and an FCC investigation. For more information on the foregoing, see “– Contingencies and Litigation – Litigation and Regulatory Matters” in Note 18 – Commitments and Contingencies of the Notes to the Consolidated Financial Statements. In addition to the August 2021 cyberattack and the January 2023 cyberattack, we have experienced unrelated non-material incidents involving unauthorized access to certain Confidential Information and Systems. Typically, these incidents have involved attempts to commit fraud by taking control of a customer’s phone line, often by exploiting insider access or using compromised credentials. In other cases, the incidents have involved unauthorized access to certain of our customers’ private information, including payment information, financial data, social security numbers or passwords, and our intellectual property. Some of these incidents have occurred at third-party providers, including third parties who provide us with various Systems and others who sell our products and services through retail locations or take care of our customers. In November 2024, it was publicly reported that a nation-state actor called “Salt Typhoon” successfully infiltrated the telecommunications networks of certain of our competitors to obtain information on their customers. While we have no evidence that any of our Systems or Confidential Information were impacted in any significant way, we may face similar attempts in the future. Our procedures and safeguards to prevent unauthorized access to Confidential Information and to defend against cyberattacks seeking to disrupt our operations must be continually evaluated and enhanced to address the ever-evolving threat landscape and changing cybersecurity regulations, including while we adapt complex digital transformation efforts. These preventative actions require the investment of significant resources and management time and attention. Additionally, we do not have control of the cybersecurity systems, breach prevention, and response protocols of our third-party providers, including through our cybersecurity programs or policies. While T-Mobile may have contractual rights to assess the effectiveness of many of our providers’ systems and protocols, we do not have the means to always know or assess the effectiveness of all of our providers’ systems and controls. We cannot provide any assurances that actions taken by us, or our third-party providers, including through our cybersecurity programs or policies, will adequately repel a significant cyberattack or prevent or substantially mitigate the impacts of cybersecurity breaches or misuses of Confidential Information, unauthorized access to our networks or Systems or exploits against third-party environments, or that we, or our third-party providers, will be able to effectively identify, investigate, and remediate such incidents in a timely manner or at all. We expect to continue to be the target of cyberattacks, given the nature of our business, and we expect the same with respect to our third-party providers. We also expect that threat actors will continue to gain sophistication including in the use of tools and techniques (such as AI) that are specifically designed to circumvent security controls, evade detection, and obfuscate forensic evidence, making it more challenging for us to identify, investigate and recover from future cyberattacks in a timely and effective manner. In addition, we have acquired and continue to acquire companies with cybersecurity vulnerabilities or unsophisticated security measures, which exposes us to significant cybersecurity, operational, and financial risks. If we fail to protect Confidential Information or to prevent operational disruptions from future cyberattacks, there may be a material adverse effect on our business, reputation, financial condition, cash flows, and operating results.

Our business involves the receipt, storage, and transmission of confidential information about our customers, such as sensitive personal, account and payment card information, confidential information about our employees and suppliers, and other sensitive information about our Company, such as our business plans, transactions, financial information, and intellectual property (collectively, “Confidential Information”). Additionally, to offer services to our customers and operate our business, we utilize a number of applications and systems, including those we own and operate as well as others provided by third-party providers, such as cloud services (collectively, “Systems”). We are subject to persistent cyberattacks and threats to our business from a variety of bad actors, many of whom attempt to gain unauthorized access to and compromise Confidential Information and Systems. In some cases, the bad actors exploit bugs, errors, misconfigurations or other vulnerabilities in our Systems to obtain Confidential Information. In other cases, these bad actors may obtain unauthorized access to Confidential Information by exploiting insider access or utilizing log in credentials taken from our customers, employees, or third-party providers through credential harvesting, social engineering or other means. Other bad actors aim to cause serious operational disruptions to our business and Systems through ransomware or distributed denial of services attacks. Cyberattacks against companies like ours have increased in frequency and scope of potential harm over time, and the methods used to gain unauthorized access constantly evolve, making it increasingly difficult to anticipate, prevent, and detect incidents successfully in every instance. They are perpetrated by a variety of groups and persons, including state-sponsored parties, malicious actors, employees, contractors, or other unrelated third parties. Some of these persons reside in jurisdictions where law enforcement measures to address such attacks are ineffective or unavailable, and such attacks may even be perpetrated by or at the behest of foreign governments. 12 12 12 Table of Contents Table of Contents In addition, we routinely rely upon third-party providers whose products and services are used in our business. These third-party providers have experienced in the past, and will continue to experience in the future, cyberattacks that involve attempts to obtain unauthorized access to our Confidential Information and/or to create operational disruptions that could adversely affect our business, and these providers also face other security challenges common to all parties that collect and process information. In August 2021, we disclosed that our systems were subject to a criminal cyberattack that compromised certain data of millions of our current customers, former customers, and prospective customers, including, in some instances, social security numbers, names, addresses, dates of birth and driver’s license/identification numbers. As a result of the August 2021 cyberattack, we are subject to numerous claims, lawsuits and regulatory inquiries, the ongoing costs of which may be material, and we may be subject to further regulatory inquiries and private litigation. For more information, see “– Contingencies and Litigation – Litigation and Regulatory Matters” in Note 17 – Commitments and Contingencies of the Notes to the Consolidated Financial Statements. In January 2023, we disclosed that a bad actor was obtaining data through a single Application Programming Interface (“API”) without authorization that was only able to provide a limited set of customer account data, including name, billing address, email, phone number, date of birth, T-Mobile account number and information such as the number of lines on the account and plan features. Our investigation indicated that the bad actor(s) obtained data from this API for approximately 37 million current postpaid and prepaid customer accounts, though many of these accounts did not include the full data set. As a result of the August 2021 cyberattack and the January 2023 cyberattack, we have incurred and may continue to incur significant costs or experience other material financial impacts, which may not be covered by, or may exceed the coverage limits of, our cyber liability insurance, and such costs and impacts may have a material adverse effect on our business, reputation, financial condition, cash flows and operating results. In addition to the August 2021 cyberattack and the January 2023 cyberattack, we have experienced other unrelated non-material incidents involving unauthorized access to certain Confidential Information and Systems. Typically, these incidents have involved attempts to commit fraud by taking control of a customer’s phone line, often by exploiting insider access or using compromised credentials. In other cases, the incidents have involved unauthorized access to certain of our customers’ private information, including credit card information, financial data, social security numbers or passwords, and to certain of our intellectual property. Some of these incidents have occurred at third-party providers, including third parties who provide us with various Systems and others who sell our products and services through retail locations or take care of our customers. Our procedures and safeguards to prevent unauthorized access to Confidential Information and to defend against cyberattacks seeking to disrupt our operations must be continually evaluated and enhanced to address the ever-evolving threat landscape and changing cybersecurity regulations. These preventative actions require the investment of significant resources and management time and attention. Additionally, we do not have control of the cybersecurity systems, breach prevention, and response protocols of our third-party providers, including through our cybersecurity programs or policies. While T-Mobile may have contractual rights to assess the effectiveness of many of our providers’ systems and protocols, we do not have the means to know or assess the effectiveness of all of our providers’ systems and controls at all times. We cannot provide any assurances that actions taken by us, or our third-party providers, including through our cybersecurity programs or policies, will adequately repel a significant cyberattack or prevent or substantially mitigate the impacts of cybersecurity breaches or misuses of Confidential Information, unauthorized access to our networks or systems or exploits against third-party environments, or that we, or our third-party providers, will be able to effectively identify, investigate, and remediate such incidents in a timely manner or at all. We expect to continue to be the target of cyberattacks, given the nature of our business, and we expect the same with respect to our third-party providers. We also expect that threat actors will continue to gain sophistication including in the use of tools and techniques (such as artificial intelligence) that are specifically designed to circumvent security controls, evade detection, and obfuscate forensic evidence, making it more challenging for us to identify, investigate and recover from future cyberattacks in a timely and effective manner. In addition, we have acquired and continue to acquire companies with cybersecurity vulnerabilities or unsophisticated security measures, which exposes us to significant cybersecurity, operational, and financial risks. If we fail to protect Confidential Information or to prevent operational disruptions from future cyberattacks, there may be a material adverse effect on our business, reputation, financial condition, cash flows, and operating results.

Our future success depends in substantial part on our ability to attract, recruit, hire, motivate, develop, and retain talented personnel possessing the qualifications, experiences, capabilities and skills we need for all areas of our organization, including our CEO and members of our senior leadership team. Succession planning to ensure effective transfer of knowledge and a seamless transition when key personnel depart is also important to our long-term success. Additionally, as we continue to make significant investments in new technologies and new business areas, we are increasingly dependent on being able to hire and retain technically skilled employees, including those with expertise in AI and machine learning. Both external factors, such as fluctuations in economic and industry conditions, changes in U.S. immigration policies, regulatory changes, political forces and the competitive landscape, and internal factors, such as employee tolerance for changes in our corporate culture, organizational changes, limited remote working opportunities, and our compensation programs, may impact our ability to effectively manage our workforce. Further, employee compensation and benefit costs may increase due to inflationary pressures, and if our compensation does not keep up with inflation or that of our competitors’, we may see increased employee dissatisfaction and departures or difficulty in recruiting new employees. If key employees depart or we are unable to recruit and integrate new employees successfully, our business could be negatively impacted.

Our future success depends in substantial part on our ability to recruit, hire, motivate, develop, and retain talented personnel for all areas of our organization, including our CEO and members of our senior leadership team. Both external factors, such as fluctuations in economic and industry conditions, changes in U.S. immigration policies, and the competitive landscape, and internal factors, such as employee tolerance for changes in our corporate culture, organizational changes, limited remote working opportunities, and our compensation programs, may impact our ability to effectively manage our workforce. Further, employee compensation and benefit costs may increase due to inflationary pressures, and if our compensation does not keep up with inflation or that of our competitors’, we may see increased employee dissatisfaction and departures or difficulty in recruiting new employees. If key employees depart or we are unable to recruit and integrate new employees successfully, our business could be negatively impacted.

The current sociopolitical environment is characterized by deep complexity, volatility, and polarization on various social and political issues. The increasing intersection of technology and politics has led to rapid and unpredictable shifts in public sentiment. Social media and digital platforms have amplified the voices of various stakeholders, creating the potential for swift change in public opinion and stronger reactions to corporate actions. As a company that sells products and services across the nation to millions of customers, these dynamics increase the risk of potential reputational damage, boycotts, and shifts in consumer behavior that could adversely affect our brand, sales and profitability. Our ability to respond effectively, sensitively, and authentically to the expectations and concerns of our customers, employees, and other stakeholders is key to mitigating these risks. If we are unable to manage these challenges effectively, there may be adverse impacts to our business, reputation, financial condition, and operating results. Additionally, we are subject to emerging and evolving regulatory requirements and frameworks regarding environmental, social and governance matters, including potential new or revised disclosure rules proposed by the SEC and recently enacted or proposed legislation in jurisdictions such as California. The ultimate scope of these regulations may change as they are finalized, and they may not be uniform across jurisdictions. Meeting these obligations may require significant investments of time, capital, and personnel.

The current sociopolitical environment is characterized by deep complexity, volatility, and polarization on various social and political issues. The increasing intersection of technology and politics has led to rapid and unpredictable shifts in public sentiment. Social media and digital platforms have amplified the voices of various stakeholders, creating the potential for swift change in public opinion and stronger reactions to corporate actions. As a company that sells products and services across the nation to millions of customers, these dynamics increase the risk of potential reputational damage, boycotts, and shifts in consumer behavior that could adversely affect our sales and profitability. In this fluid and volatile sociopolitical environment, our ability to respond effectively, sensitively, and authentically to the expectations and concerns of our customers, employees, and other stakeholders is key to mitigating these risks. If we are unable to manage these challenges effectively, there may be adverse impacts to our business, reputation, financial condition, and operating results.

The wireless communications services industry is highly competitive. As the industry reaches saturation, competition in all market segments, including prepaid, postpaid, enterprise and government customers will likely further intensify, putting pressure on pricing and/or margins for us and all our competitors. Our ability to attract and retain customers will depend on multiple factors, such as network quality and capacity, customer service excellence, effective marketing strategies, competitive pricing, compelling value propositions, and distribution and logistics capabilities. Additionally, targeted marketing approaches for diverse customer segments, coupled with continuous innovation in products and services, are essential for retaining and 12 12 12 Table of Contents Table of Contents expanding our customer base. If we are unable to successfully differentiate our services from our competitors, it would adversely affect our competitive position and ability to grow our business. We have seen and expect to continue to see intense competition in all market segments from traditional Mobile Network Operators (“MNOs”), such as AT&T and Verizon, who have each invested heavily in spectrum, their wireless networks, and services and device promotions, and DISH, as it continues to build out its wireless network and roll out services. Numerous other regional MNOs and MVNOs offering wireless services may also compete with us in some markets, including cable providers, such as Comcast, Charter, Cox, and Altice, as they continue to diversify their offerings to include wireless services offered under MVNO agreements. As new products and services emerge, we may also be forced to compete against non-traditional competitors from outside of the wireless communications services industry, such as satellite providers, offering similar connectivity services using alternative technologies. In the market for broadband services, traditional cable providers, AT&T, Verizon, and other players such as satellite and fiber providers, all compete for customers. To complement our fixed wireless service, we have agreed to enter into joint venture agreements aimed at establishing a robust fiber wireline network in certain geographic regions that we believe will complement our fixed wireless services in those areas. However, these partnerships also involve inherent risks. See “Any acquisition, divestiture, investment, joint venture or merger may subject us to significant risks, any of which may harm our business” for further discussions of such risks. If we are unable to compete effectively in attracting and retaining customers in markets where we operate, it could negatively impact our business, financial condition, and operating results.

The wireless communications services industry is highly competitive. As the industry reaches saturation with a relatively fixed pool of customers, competition will likely further intensify, putting pressure on pricing and margins for us and all our competitors. Our ability to attract and retain customers will depend on key factors such as network quality and capacity, customer service excellence, effective marketing strategies, competitive pricing, and compelling value propositions. Additionally, targeted marketing approaches for diverse customer segments, including Prepaid, Postpaid, Business and Government customers, coupled with continuous innovation in products and services, are essential for retaining and expanding our customer base. If we are unable to successfully differentiate our services from our competitors, it would adversely affect our competitive position and ability to grow our business. We have seen and expect to continue to see intense competition in all market segments from traditional Mobile Network Operators (MNOs), such as AT&T and Verizon, particularly as they invest in spectrum, their wireless network and services, and device promotions, and DISH as it continues to build out its wireless network and roll out services. Numerous other smaller and regional MNOs and MVNOs offering wireless services may also compete with us in some markets, including cable providers, such as Comcast, Charter, Cox, and Altice, as they continue to diversify their offerings to include wireless services offered under MVNO agreements. As new products and services emerge, we may also be forced to compete against non-traditional competitors from outside of the wireless communications services industry, such as satellite providers, offering similar connectivity services using alternative technologies. In broadband connectivity services, AT&T and Verizon, as well as numerous other players, such as satellite providers and cable companies, compete for customers in an increasingly competitive environment. If we are unable to compete effectively in attracting and retaining customers, it could negatively impact our business, financial condition, and operating results.

Since 2020, more than a dozen states have enacted new, comprehensive privacy laws that create new data privacy rights for residents of those states and new compliance obligations for us and the industry in general, in addition to private rights of action for certain types of data breaches. These include the California Consumer Privacy Act (“CCPA”) and similar laws in other states. Pending legislation in a number of other states would create similar laws elsewhere. All of these new privacy laws and others that we expect to be developed and enacted going forward will impose additional data protection obligations and potential liability on companies such as ours doing business in those states. Further, privacy laws also limit our ability to collect and use personal information. We have incurred and will continue to incur significant implementation costs to ensure compliance with the CCPA, new privacy laws in other states, and their related regulations, including managing the complexity of laws that vary from state to state. Both federal and state governments are considering additional privacy laws and regulations which, if passed, could further impact our business, strategies, offerings, and initiatives and cause us to incur further costs. Any actual or perceived failure to comply with the CCPA, other data privacy laws or regulations, or related contractual or other obligations, or any perceived privacy rights violation, could lead to investigations, claims, and proceedings by governmental entities and private parties, damages for contract breaches, and other significant costs, penalties, and other liabilities, as well as harm to our reputation and market position. AI-related laws and regulations continue to remain uncertain and may vary from jurisdiction to jurisdiction. Our obligations to comply with the evolving legal and regulatory landscape may require us to incur significant additional costs or limit our ability to incorporate certain AI capabilities into our business operations or product offerings. As we integrate AI technologies into our 20 20 20 Table of Contents Table of Contents business, we must navigate varying regulations that could impact our operations and product development. Failure to comply with these regulations could result in fines, penalties, or restrictions on our use of AI, which could adversely affect our business.

Since 2020, a number of states have enacted new, comprehensive privacy laws that create new data privacy rights for residents of those states and new compliance obligations for us and the industry in general, in addition to private rights of action for certain types of data breaches. These include the California Consumer Privacy Act (“CCPA”), recently modified by the California Privacy Rights Act (“CPRA”), similar laws in Colorado, Connecticut, Utah, and Virginia that went into effect in 2023, and similar laws in Delaware, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas that will go into effect in the next few years. Pending legislation in several other states would create similar laws elsewhere. All of these new privacy laws and others that we expect to be developed and enacted going forward will impose additional data protection obligations and 19 19 19 Table of Contents Table of Contents potential liability on companies such as ours doing business in those states. Further, privacy laws also limit our ability to collect and use personal information. We have incurred and will continue to incur significant implementation costs to ensure compliance with the CCPA, the CPRA, new privacy laws in other states, and their related regulations, including managing the complexity of laws that vary from state to state. Both federal and state governments are considering additional privacy laws and regulations which, if passed, could further impact our business, strategies, offerings, and initiatives and cause us to incur further costs. Any actual or perceived failure to comply with the CCPA, CPRA, other data privacy laws or regulations, or related contractual or other obligations, or any perceived privacy rights violation, could lead to investigations, claims, and proceedings by governmental entities and private parties, damages for contract breaches, and other significant costs, penalties, and other liabilities, as well as harm to our reputation and market position.

We are subject to regulatory oversight by various federal, state, and local agencies, as well as judicial review and actions, on issues related to the wireless industry that include, but are not limited to, roaming, interconnection, spectrum allocation and licensing, facilities siting, pole attachments, intercarrier compensation, Universal Service Fund (“USF”), 911 services, robocalling/robotexting, consumer protection, consumer privacy, and cybersecurity. We are also subject to regulations in connection with other aspects of our business, including device financing and insurance activities. The FCC regulates the licensing, construction, modification, operation, ownership, sale, and interconnection of wireless communications systems, as do some state and local regulatory agencies. In particular, the FCC imposes significant regulation on licensees of wireless spectrum with respect to how radio spectrum is used by licensees or at what power levels, the nature of the services that licensees may offer and how the services may be offered, and the resolution of issues of interference between operators in the same or adjacent spectrum bands. Changes necessary to resolve interference issues or concerns may have a significant impact on our ability to fully utilize our spectrum. Additionally, the FTC and other federal and state agencies have asserted that they have jurisdiction over some consumer protection matters, and the elimination and prevention of anticompetitive business practices with respect to the provision of wireless products and services. We cannot assure that the FCC or any other federal, state, or local agencies will not adopt or change regulations, change or discontinue existing programs, implement new programs, or take enforcement or other actions that would adversely affect our business, impose new costs, or require changes in current or planned operations, including timing of the shutdown of legacy technologies. We also face potential investigations by, and inquiries from or actions by state public utility commissions. We also cannot assure that Congress will not amend the Communications Act, from which the FCC obtains its authority, and which serves to limit state authority, or enact other legislation in a manner that could be adverse to our business. Further, government funded programs may be discontinued due to ongoing legal challenges to the FCC’s funding mechanism, which could result in the reduction in subsidies for low-income customers and the associated revenue. Failure to comply with applicable regulations could have a material adverse effect on our business, financial condition, and operating results. We could be subject to fines, forfeitures, and other penalties (including, in extreme cases, revocation of our spectrum licenses) for failure to comply with the FCC or other governmental regulations, even if any such noncompliance was unintentional. The loss of any licenses, or any related fines or forfeitures, could adversely affect our business, financial condition, and operating results.

We are subject to regulatory oversight by various federal, state, and local agencies, as well as judicial review and actions, on issues related to the wireless industry that include, but are not limited to, roaming, interconnection, spectrum allocation and licensing, facilities siting, pole attachments, intercarrier compensation, Universal Service Fund (“USF”), 911 services, robocalling/robotexting, consumer protection, consumer privacy, and cybersecurity. We are also subject to regulations in connection with other aspects of our business, including device financing and insurance activities. The FCC regulates the licensing, construction, modification, operation, ownership, sale, and interconnection of wireless communications systems, as do some state and local regulatory agencies. In particular, the FCC imposes significant regulation on licensees of wireless spectrum with respect to how radio spectrum is used by licensees, the nature of the services that licensees may offer and how the services may be offered, and the resolution of issues of interference between operators in the same or adjacent spectrum bands. Changes necessary to resolve interference issues or concerns may have a significant impact on our ability to fully utilize our spectrum. Additionally, the FTC and other federal and state agencies have asserted that they have jurisdiction over some consumer protection matters, and the elimination and prevention of anticompetitive business practices with respect to the provision of wireless products and services. We cannot assure that the FCC or any other federal, state, or local agencies will not adopt regulations, change or discontinue existing programs, implement new programs, or take enforcement or other actions that would adversely affect our business, impose new costs, or require changes in current or planned operations, including timing of the shutdown of legacy technologies. For example, in 2015 and 2016, the FCC established net neutrality and privacy regimes that applied to our operations. Both sets of rules potentially subjected some of our initiatives and practices to more burdensome requirements and heightened scrutiny by federal and state regulators, the public, edge providers, and private litigants regarding whether such initiatives or practices are compliant. While the FCC rules were largely rolled back in 2017, the FCC recently initiated a rulemaking proceeding proposing to reinstate the net neutrality rules, to reassert authority in the broadband privacy arena, and to subject broadband offerings to other forms of regulatory oversight. In addition, the current FCC updated transparency obligations to require nutrition-style broadband label disclosures in 2024 that could prompt regulatory inquiries. In addition, some states and other jurisdictions have enacted laws in these areas (including, for example, California and other states’ net neutrality laws, the CCPA and CPRA as discussed below) and others are considering enacting similar laws. It also is uncertain what rules may be promulgated under the current administration (e.g., the FTC has discussed promulgating privacy rules), perpetuating the risk and uncertainty regarding the regulatory environment and compliance around these issues. In addition, states are increasingly focused on the quality of service and support that wireless communications service providers provide to their customers and several states have proposed or enacted new and potentially burdensome regulations in this area. We also face potential investigations by, and inquiries from or actions by state public utility commissions. We also cannot assure that Congress will not amend the Communications Act, from which the FCC obtains its authority, and which serves to limit state authority, or enact other legislation in a manner that could be adverse to our business. Further, government funded programs, such as the Affordable Connectivity Program (ACP) and the Emergency Connectivity Fund (ECF) or Lifeline program, may discontinue due to the exhaustion of funding, which could result in the reduction in low-income customers and the associated revenue. Failure to comply with applicable regulations could have a material adverse effect on our business, financial condition, and operating results. We could be subject to fines, forfeitures, and other penalties (including, in extreme cases, revocation of our spectrum licenses) for failure to comply with the FCC or other governmental regulations, even if any such noncompliance was unintentional. The loss of any licenses, or any related fines or forfeitures, could adversely affect our business, financial condition, and operating results.

We continue to acquire and deploy new spectrum to expand and deepen our 5G coverage, maintain our quality of service, meet increasing or changing customer demands, and deploy new technologies. In order to expand and differentiate our services from our competitors, we will continue to actively seek to make additional investments in new spectrum, which could be significant. However, we may be unable to secure the additional spectrum necessary to maintain or enhance our competitive position on favorable terms or at all. The continued interest in acquiring spectrum by existing carriers and others, including speculators, may reduce our ability to acquire or renew spectrum holdings (such as 2.5Ghz), and/or increase the cost of spectrum that is made available in the secondary markets and government auctions. Additionally, the FCC may be unable to make sufficient additional spectrum available for auction to meet the demand from all interested parties. As a result, any such spectrum that is made available at auction may be subject to heightened competition and priced beyond levels we are able or willing to pay. Even if new spectrum becomes available to us, the FCC or other government entities may impose conditions on the acquisition and use of such spectrum, such as the configuration or geographic areas in which the spectrum may be deployed. These conditions may substantially increase the costs we incur or negatively affect the value of the spectrum to our business. If we cannot acquire needed spectrum from the government or otherwise, if competitors acquire spectrum that will allow them to provide services competitive with our services, or if we cannot deploy services over acquired spectrum on a timely basis without burdensome conditions, at reasonable cost, and while maintaining network quality levels, our ability to attract and retain customers and our business, financial condition and operating results could be materially and adversely affected.

We continue to deploy spectrum to expand and deepen our 5G coverage, maintain our quality of service, meet increasing customer demands, and deploy new technologies. In order to expand and differentiate from our competitors, we will continue to actively seek to make additional investment in spectrum, which could be significant. The continued interest in, and acquisition of, spectrum by existing carriers and others, including speculators, may reduce our ability to acquire and/or increase the cost of acquiring spectrum in the secondary market, including leasing, or purchasing additional spectrum in the 2.5 GHz band, or negatively impact our ability to gain access to spectrum through other means, including government auctions. Additionally, increased interest from third parties in acquiring spectrum may make it difficult to 14 14 14 Table of Contents Table of Contents renew leases of some of our existing 2.5 GHz spectrum holdings in the future. Furthermore, we have experienced delays in obtaining the spectrum from Auction 108, where we spent $304 million and won over 90% of the 2.5GHz licenses, due to the FCC losing its congressional auction authority to administer spectrum licenses. Subsequently, the FCC may not be able to provide sufficient additional spectrum to auction. In addition, we may be unable to secure the spectrum necessary to maintain or enhance our competitive position in any auction we may elect to participate in or in the secondary market, on favorable terms or at all. Any return on our investment in spectrum depends on our ability to attract additional customers, to provide additional services and usage to existing customers, and to efficiently manage network capacity. The FCC, or other government entities, may impose conditions on the acquisition and use of new wireless broadband mobile spectrum that may negatively impact our ability to obtain spectrum economically or in appropriate configurations or coverage areas. If we cannot acquire needed spectrum from the government or otherwise, if competitors acquire spectrum that will allow them to provide services competitive with our services, or if we cannot deploy services over acquired spectrum on a timely basis without burdensome conditions, at reasonable cost, and while maintaining network quality levels, our ability to attract and retain customers and our business, financial condition and operating results could be materially adversely affected.

We may pursue acquisitions of, investments in, or joint ventures or mergers with, other companies, or the acquisition of technologies, services, products or other assets that we believe would complement or expand our business. We may also elect to divest some of our assets to third parties. Some of these potential transactions could be significant relative to the size of our business and operations. Any such transaction would involve a number of risks and could present financial, managerial and operational challenges, including: •diversion of management attention from running our existing business; •increased costs to integrate the networks, spectrum, technology, personnel, customer base, distributors and business partners and business practices of the company involved in any such transaction with our business; •increased interest expense and leverage or limits on other uses of cash; •potential loss of talent during integration due to differences in culture, locations, or other factors; •difficulties in effectively integrating the financial, operational and sustainability systems of the business involved in any such transaction into (or supplanting such systems with) our financial, operational and sustainability reporting infrastructure and internal control framework in an effective and timely manner; •risks of entering markets in which the Company has no or limited experience and where competitors have stronger market positions; •potential exposure to material liabilities not discovered in the due diligence process or as a result of any litigation arising in connection with any such transaction; •significant transaction-related expenses in connection with any such transaction, whether consummated or not; •risks related to our ability to obtain any required regulatory approvals necessary to consummate any such transaction; and •any business, technology, service, or product involved in any such transaction may significantly under-perform relative to our expectations, and we may not achieve the benefits we expect from the transaction, which could, among other things, also result in a write-down of goodwill and other intangible assets associated with such transaction. We have entered into joint venture agreements aimed at establishing a robust fiber broadband network that complements our fixed wireless services. Once closed, differences in views among the joint venture participants may result in delayed decisions or disputes. Operating through joint ventures in which we do not hold a majority ownership interest results in us having limited control over many decisions made with respect to the businesses of the joint ventures. We also cannot control the actions of our joint venture partners. These joint ventures may not be subject to the same requirements regarding internal controls and internal 16 16 16 Table of Contents Table of Contents control over financial reporting that we follow. As a result, internal control problems may arise with respect to these joint ventures. Any of these risks could have a material adverse effect on our business, financial condition and results of operations and could also affect our reputation. Additionally, in connection with our merger (the “Merger”) with Sprint Corporation (“Sprint”) and related transactions, including the acquisition by DISH of certain prepaid wireless business (the “Prepaid Transaction” and, collectively, the “Transactions”), we agreed to fulfill various government commitments (the “Government Commitments”), including, among others, extensive 5G network build-out, delivering high-speed wireless services to the vast majority of Americans and marketing our in-home fixed wireless product to households where spectrum capacity is sufficient, as well as commitments related to national security, pricing and availability of rate plans. These Government Commitments materially increased our compliance obligations and could result in additional expenses and/or penalties in the future. In connection with the Prepaid Transaction, we and DISH entered into certain arrangements, including a Master Network Services Agreement (the “MNSA”), pursuant to which we provide DISH, for a period of seven years, network services for certain end users and infrastructure mobile network operator services to assist in the access and integration of the DISH network. Any failure to fulfill our obligations under the Government Commitments and the MNSA in a timely manner could result in substantial fines, penalties, or other legal and administrative actions, liabilities, and reputational harm.

We may pursue acquisitions of, investments in or mergers with other companies, or the acquisition of technologies, services, products or other assets, that we believe would complement or expand our business. We may also elect to divest some of our assets to third parties. Some of these potential transactions could be significant relative to the size of our business and operations. Any such transaction would involve a number of risks and could present financial, managerial and operational challenges, including: •diversion of management attention from running our existing business; •increased costs to integrate the networks, spectrum, technology, personnel, customer base and business practices of the company involved in any such transaction with our business; •potential loss of talent during integration due to differences in culture, locations, or other factors; •difficulties in effectively integrating the financial, operational and sustainability systems of the business involved in any such transaction into (or supplanting such systems with) our financial, operational and sustainability reporting infrastructure and internal control framework in an effective and timely manner; •potential exposure to material liabilities not discovered in the due diligence process or as a result of any litigation arising in connection with any such transaction; •significant transaction-related expenses in connection with any such transaction, whether consummated or not; •risks related to our ability to obtain any required regulatory approvals necessary to consummate any such transaction; and •any business, technology, service, or product involved in any such transaction may significantly under-perform relative to our expectations, and we may not achieve the benefits we expect from the transaction, which could, among other things, also result in a write-down of goodwill and other intangible assets associated with such transaction. For any or all of these reasons, as well as unknown risks, acquisitions, divestitures, investments, or mergers may have a material adverse effect on our business, financial condition, and operating results.

Our Board of Directors has authorized, and may from time to time authorize, stockholder return programs, consisting of repurchases of shares of our common stock, the payment of cash dividends, or both. The specific timing and amount of any share repurchases and any dividend payments under any stockholder return program will depend on prevailing share prices, general economic and market conditions, Company performance and other considerations, such as whether the Company determines that there are other uses for the funds currently authorized for the program that would be more advantageous for our business. In addition, the specific timing and amount of any dividend payments are subject to declaration on future dates by the Board of Directors in its sole discretion. 23 23 23 Table of Contents Table of Contents Any stockholder return program could impact our cash flows and affect the trading price of our common stock and increase volatility. We cannot guarantee that any stockholder return program will be fully consummated or that it will enhance long-term stockholder value. Our current and future stockholder return programs do not, and will not, obligate the Company to acquire any particular amount of common stock or to declare and pay any particular amount of dividends, and any program may be suspended or discontinued at any time at the Company’s discretion. Any announcement of termination of any program may result in a decrease in the price of our common stock.

On September 6, 2023, our Board of Directors authorized a stockholder return program of up to $19.0 billion through December 31, 2024 (the “2023-2024 Stockholder Return Program”). The 2023-2024 Stockholder Return Program consists of repurchases of shares of our common stock and the payment of cash dividends, with the amount available under the 2023-2024 Stockholder Return Program for share repurchases reduced by the amount of any cash dividends declared by us. As of December 31, 2023, we had used $2.2 billion to repurchase shares and paid $747 million in dividends, leaving up to $16.0 billion available for repurchases and dividends through December 31, 2024. We expect to pay quarterly dividends totaling approximately $3.0 billion in 2024 and to repurchase up to approximately $13.0 billion of additional shares. The specific timing and amount of any share repurchases, and the specific timing and amount of any dividend payments, under the 2023-2024 Stockholder Return Program will depend on prevailing share prices, general economic and market conditions, Company performance and other considerations, such as whether the Company determines that there are other uses for the funds currently authorized for the program that would be more advantageous for our business. In addition, the specific timing 23 23 23 Table of Contents Table of Contents and amount of any dividend payments are subject to declaration on future dates by the Board in its sole discretion. The 2023-2024 Stockholder Return Program could impact our cash flows and affect the trading price of our common stock and increase volatility. We cannot guarantee that the 2023-2024 Stockholder Return Program will be fully consummated or that it will enhance long-term stockholder value. The 2023-2024 Stockholder Return Program does not obligate the Company to acquire any particular amount of common stock or to declare and pay any particular amount of dividends, and the 2023-2024 Stockholder Return Program may be suspended or discontinued at any time at the Company’s discretion. Any announcement of termination of the 2023-2024 Stockholder Return Program may result in a decrease in the price of our common stock.

We and our affiliates are involved in various disputes, governmental and/or regulatory inspections, investigations and proceedings, mass arbitrations and litigation matters. For more information, see “– Contingencies and Litigation – Litigation and Regulatory Matters” in Note 18 – Commitments and Contingencies of the Notes to the Consolidated Financial Statements. In addition, we, along with equipment manufacturers and other carriers, are subject to current and potential future lawsuits alleging adverse health effects arising from the use of wireless handsets or from wireless transmission equipment such as cell towers. In addition, the FCC has from time to time gathered data regarding wireless device emissions, and its assessment of the risks associated with using wireless devices may evolve based on its findings. Any of these allegations or changes in risk assessments could result in customers purchasing fewer devices and wireless services, could result in significant legal and regulatory liability, and could have a material adverse effect on our business, reputation, financial condition, cash flows and operating results. Such legal proceedings can be complex, costly, and highly disruptive to our business operations by diverting the attention and energy of management and other key personnel. The assessment of the outcome of legal proceedings, including our potential liability, if any, is a highly subjective process that requires judgments about future events that are not within our control. The amounts ultimately received or paid upon settlement or pursuant to final judgment, order or decree may differ materially from amounts accrued in our financial statements. In addition, litigation or similar proceedings could impose restraints on our current or future manner of doing business. Such potential outcomes including judgments, awards, settlements or orders could have a material adverse effect on our business, reputation, financial condition, cash flows and operating results.

We and our affiliates are involved in various disputes, governmental and/or regulatory inspections, investigations and proceedings, mass arbitrations and litigation matters. Such legal proceedings can be complex, costly, and highly disruptive to our business operations by diverting the attention and energy of management and other key personnel. In connection with the Transactions, we became subject to a number of legal proceedings, including a putative shareholder class action and derivative lawsuit and a putative antitrust class action. For more information, see “– Contingencies and Litigation – Litigation and Regulatory Matters” in Note 17 – Commitments and Contingencies of the Notes to the Consolidated Financial Statements. It is possible that stockholders of T-Mobile and/or Sprint may file additional putative class action lawsuits or shareholder derivative actions against the Company and the legacy T-Mobile board of directors and/or the legacy Sprint board of directors. Among other remedies, these stockholders could seek damages. The outcome of any litigation is uncertain, and any such potential lawsuits could result in substantial costs and may be costly and distracting to management. Additionally, on April 1, 2020, in connection with the closing of the Merger, we assumed the contingencies and litigation matters of Sprint. Those matters include a wide variety of disputes, claims, government agency investigations and enforcement actions and other proceedings. Unfavorable resolution of these matters could require us to make additional reimbursements and pay additional fines and penalties. On February 28, 2020, we received a Notice of Apparent Liability for Forfeiture and Admonishment from the FCC, which proposed a penalty against us for allegedly violating Section 222 of the Communications Act and the FCC’s regulations governing the privacy of customer information. We recorded an accrual for an estimated payment amount as of March 31, 2020, which is included in Accounts payable and accrued liabilities on our Consolidated Balance Sheets. As a result of the August 2021 cyberattack, we are subject to numerous lawsuits, including consolidated class action lawsuits seeking unspecified monetary damages, mass consumer arbitrations, a shareholder derivative lawsuit and inquiries by various government agencies, law enforcement and other governmental authorities, and we may be subject to further regulatory inquiries and private litigation. We are cooperating fully with regulators and vigorously defending against the class actions and other lawsuits. On July 22, 2022, we entered into an agreement to settle the consolidated class action lawsuit. On June 29, 2023, the Court issued an order granting final approval of the settlement, which is subject to potential appeals. Under the terms of the settlement, we would pay an aggregate of $350 million to fund claims submitted by class members, the legal fees of plaintiffs’ counsel and the costs of administering the settlement. We would also commit to an aggregate incremental spend of $150 million for data security and related technology in 2022 and 2023. We previously paid $35 million for claims administration purposes. On July 31, 2023, a class member filed an appeal to the final approval order challenging the Court’s award of attorneys’ fees to class counsel. We expect the remaining portion of the $350 million settlement payment to fund claims to be made once that appeal is resolved. In connection with the class action settlement and other settlements of separate consumer claims that have been previously completed or are currently pending, we recorded a total pre-tax charge of approximately $400 million during the three months ended June 30, 2022. In light of the inherent uncertainties involved in such matters and based on the information currently available to us, we believe it is reasonably possible that we could incur additional losses associated with these proceedings and inquiries, and we will continue to evaluate information as it becomes known and will record an estimate for losses at the time or times when it is both probable that a loss has been incurred and the amount of the loss is reasonably estimable. In addition, in connection with the January 2023 cyberattack, we have received notices of consumer class actions and regulatory inquires, to which we will continue to respond in due course. Ongoing legal and other costs related to these proceedings and inquiries, as well as any potential future proceedings and inquiries related to the August 2021 cyberattack and the January 2023 cyberattack, may be substantial, and losses associated with any adverse judgments, settlements, penalties or 20 20 20 Table of Contents Table of Contents other resolutions of such proceedings and inquiries could be significant and have a material adverse impact on our business, reputation, financial condition, cash flows and operating results. We, along with equipment manufacturers and other carriers, are subject to current and potential future lawsuits alleging adverse health effects arising from the use of wireless handsets or from wireless transmission equipment such as cell towers. In addition, the FCC has from time to time gathered data regarding wireless device emissions, and its assessment of the risks associated with using wireless devices may evolve based on its findings. Any of these allegations or changes in risk assessments could result in customers purchasing fewer devices and wireless services, could result in significant legal and regulatory liability, and could have a material adverse effect on our business, reputation, financial condition, cash flows and operating results. The assessment of the outcome of legal proceedings, including our potential liability, if any, is a highly subjective process that requires judgments about future events that are not within our control. The amounts ultimately received or paid upon settlement or pursuant to final judgment, order or decree may differ materially from amounts accrued in our financial statements. In addition, litigation or similar proceedings could impose restraints on our current or future manner of doing business. Such potential outcomes including judgments, awards, settlements or orders could have a material adverse effect on our business, reputation, financial condition, cash flows and operating results.

We rely on robust internal controls to provide reasonable assurance regarding the reliability of our financial information and the preparation of our financial statements. These controls include, among other things, properly designed processes, clear policies and procedures, competent personnel, effective oversight functions, and reliable information systems that facilitate the collection, processing, and communication of financial data. As we continue to refine and improve our systems to align with our evolving business needs, there is no assurance that these improvements will be implemented without delays or disruptions. A failure or significant delay in updating our systems, or a failure to effectively integrate new systems with existing processes, could compromise the effectiveness of our internal controls. If our internal controls are not effectively designed or properly implemented, or if changes to our business processes or organizational structure outpace our internal controls’ ability to adapt, we could experience material weaknesses or other deficiencies. Any material weaknesses or other control deficiencies that may arise in the future could require significant time and resources to remediate. If we are unable to remediate material weaknesses in internal control over financial reporting, then our ability to analyze, record and report financial information free of material misstatements, to prepare financial statements within the time periods specified by the rules and forms of the SEC and otherwise to comply with the requirements of Section 404 of the Sarbanes-Oxley Act would be negatively impacted. As a result, we could face legal fines and penalties, diminished investor confidence, and adverse impacts on our access to the capital markets, potentially resulting in a decline in our stock price and harm to our reputation. 19 19 19 Table of Contents Table of Contents

Under Section 404 of the Sarbanes-Oxley Act, we, along with our independent registered public accounting firm, are required to report on the effectiveness of our internal control over financial reporting. There can be no assurance that remediation of any material weaknesses that may be identified would be completed in a timely manner or that the remedial measures will prevent other control deficiencies or material weaknesses. If we are unable to remediate material weaknesses in internal control over financial reporting, then our ability to analyze, record and report financial information free of material misstatements, to prepare financial statements within the time periods specified by the rules and forms of the SEC and otherwise to comply with the requirements of Section 404 of the Sarbanes-Oxley Act would be negatively impacted. As a result, we may experience negative impacts to our business financial condition or operating results, which would restrict our ability to access the capital markets, require the expenditure of significant resources to correct the weaknesses or deficiencies, subject us to fines, penalties, investigations, or judgments, harm our reputation, or otherwise cause a decline in trading price of our stock and investor confidence. 18 18 18 Table of Contents Table of Contents