The
Bundeskriminalamt and the
Bundesnetzagentur are jointly responsible for implementing the relevant
EU Regulation on addressing the dissemination of terrorist content online.
Regulation (EU) 2021/784 on addressing the dissemination of terrorist content online ("Terrorist Content Online Regulation", in short: TCO Regulation) entered into force on 7 June 2021. Its provisions have been applicable since 7 June 2022. The Regulation lays down uniform rules to address the misuse of hosting services for the dissemination to the public of terrorist content online.
The provisions apply to companies offering hosting services in the EU, irrespective of whether or not their main establishment is located in an EU Member State.
Authorities which have become aware of the publication of terrorist content online will issue an order requiring the content to be removed and/or access to the content to be disabled. Providers must comply with the order within one hour of receipt. Providers failing to comply with an order and systematically and persistently failing to comply with the provisions may be liable to a penalty of up to 4% of their global turnover of the preceding business year.
Competences
The responsibilities and tasks of the competent authorities in Germany are set out in the Act addressing terrorist content online (TerrOIBG, in German).
Bundeskriminalamt
The Bundeskriminalamt (BKA) is responsible for issuing orders requiring the removal of terrorist content and for scrutinising compliance with these orders. The dissemination of terrorist content counts as a criminal offence, which is why only the BKA – and not the Bundesnetzagentur – can order the removal of the content.
Bundesnetzagentur
The Bundesnetzagentur is responsible for:
- Overseeing the implementation of specific measures
(pursuant to Article 5 of the TCO)
If a hosting service is repeatedly exposed to terrorist content, the provider must take specific measures to protect the service against terrorist content. Providers can essentially decide which specific measures to take, but they must act in a proportionate and non-discriminatory manner and take particular account of the fundamental rights of the users and the freedom of expression and information. This avoids the removal of legal content. The Bundesnetzagentur checks the measures taken and requests any necessary additional measures.
In order to make proportionate decisions, the Bundesnetzagentur has commissioned a study on specific measures. It provides a basic understanding of the possible and appropriate content moderation measures that a hosting service provider can take to counter the dissemination of illegal and, in particular, terrorist content via its service.
- Imposing penalties
(pursuant to Article 18 of the TCO Regulation/Section 6 TerrOIBG)
The Bundesnetzagentur can impose fines of up to €5mn in regulatory offence proceedings on providers failing to comply with their obligations. Legal entities with an annual turnover of more than €125mn can even be fined up to 4% of their global turnover of the preceding business year.
Designation of a legal representative
(Article 17 of the TCO Regulation)
Hosting service providers which do not have their main establishment in the EU but offer services in the EU must designate a legal representative in the EU. The legal representative is responsible for receiving, complying with and implementing decisions from authorities. If a provider's legal representative resides in Germany, notification of the designation must be sent immediately to the following E-mail adress tco@bnetza.de
Transparency reports
The information according to Article 8 TCO Regulation is available here:
Questions and answers
Aims and parties involved
What are the Terrorist Content Online Regulation and Terrorist Content Online Act about?
The EU adopted Regulation (EU) 2021/784 on addressing the dissemination of terrorist content online (Terrorist Content Online Regulation) to tackle the misuse of hosting services for the dissemination of terrorist content online. The aims of the Regulation are to:
- address the misuse of hosting services for the dissemination of terrorist content online;
- ensure the prompt removal of terrorist content online;
- prevent radicalisation.
The Regulation has been applicable since 7 June 2022.
Germany's Terrorist Content Online Act (TerrOIBG) implements the Regulation, setting out the national responsibilities and the rules for financial penalties for infringements of the Regulation. The Act designates the Bundeskriminalamt, the state media authorities and the Bundesnetzagentur as the competent authorities.
Useful links:
Terrorist Content Online Act: Terroristische-Online-Inhalte-Bekämpfungs-Gesetz (TerrOIBG) (in German)
Terrorist Content Online Regulation: Regulation (EU) 2021/784
Who are the parties involved?
Who the Terrorist Content Online Regulation is aimed at
Do you fall under the definition of a hosting service provider?
The term "hosting service provider" within the meaning of the Terrorist Content Online Regulation means something slightly different from what the term is generally taken to mean. Hosting service providers within the meaning of the Terrorist Content Online Regulation ("TCO hosting service provider") provide services that meet the following three requirements:
Content within the meaning of the Terrorist Content Online Regulation may be individual files such as texts, images, videos or downloads but can also be entire websites or platforms if, for example, their content largely serves the purpose of disseminating terrorist content.
In practice, a distinction is made, depending on the business model offered, between indirect hosting service providers and hosting service providers within the meaning of the Terrorist Content Online Regulation (TCO hosting service provider). The Bundesnetzagentur's interpretation is that the Terrorist Content Online Regulation only fully applies to TCO hosting service providers.
A classification as a TCO hosting service provider or indirect hosting service provider applies to an individual business model (for each individual service offered by a hosting provider) and not to an individual company. A company may therefore be classified as both a TCO and an indirect hosting service provider.
TCO hosting service providers are understood to be providers offering
services for the storage and dissemination of information by technical means on the internet and for the storage of information provided by and at the request of a content provider (within the meaning of Article 2 point (1) of the Regulation).
- For example, TCO hosting service providers may be providers of social media, video, image and audio-sharing services, as well as file-sharing services or other cloud services, insofar as those services are used to make the information stored available to the public at the direct request of a content provider.
- "At the request of" does not necessarily require a contractual relationship between the content provider and the hosting service provider. However, a contract between a hosting service provider and a content provider is a strong indication that the hosting service provider is to be regarded as a TCO hosting service provider.
- The hosting service providers do not have to operate the technical infrastructure used to store the information themselves.
- Hosting service providers just need to be able to have an influence on the information stored and to store the information at the request of the content provider. This does not exclusively mean a hosting service provider's own technical influence. For instance it is sufficient if hosting service providers can completely shut off the service or have the service shut off (for example by contractual arrangement with a third party that has technical access). It should be noted that the influence exerted by the hosting service providers relates only to their ability to block or delete content.
- They do not need to be able to edit or modify the content. (Article 2 points (1) and (3) and recitals 4 and 14 of the Regulation)
- Services offered free of charge by hosting service providers may fall within the scope of the Regulation if they are very similar to services otherwise charged for (for example by a large number of other providers in the sector). (
"generally provided for remuneration"
pursuant to Article 1(b) Directive (EU) 2015/1535.
Indirect hosting service providers are understood to be providers that offer services for arranging hosting services or, for example, provide the technical infrastructure or other support services for other hosting service providers (such as server operators) and that are not in direct contact with the content providers. The services offered therefore do not involve storing information at the direct request of a content provider and therefore generally do not fall within the scope of the Terrorist Content Online Regulation.
What obligations do hosting service providers have under the Terrorist Content Online Regulation within the meaning of TCO hosting service providers?
The Regulation is fully applicable to TCO hosting service providers.
Under the Regulation and the Terrorist Content Online Act, hosting service providers must:
- establish a contact point (Article 15 of the Regulation);
- designate a legal representative in a Member State in which the service is offered if they do not have their main establishment in the EU (Article 17);
- comply with removal orders issued by competent authorities in the EU by the applicable deadlines (Article 3(3) and Article 4(1) and (2));
- comply with orders issued by the Bundesnetzagentur under Article 5(4), (5) and (6);
- comply with information requirements for the administrative monitoring programme (Article 21);
- draw up a transparency report if action under the Regulation has been or was to be taken in a given year (Article 7);
- establish a complaint mechanism for the reinstatement of content or access to content where the removal of content or disabling of access to content as a result of a specific measure under the Regulation was unjustified (Article 10 in conjunction with Article 5);
- inform content providers about the removal of terrorist content or disabling of access to content (Article 11);
- inform the Bundeskriminalamt if they become aware of terrorist content involving an imminent threat to life (Article 14(5)).
What is a contact point and when does information about the contact point qualify as having been made publicly available?
Article 15 of the Terrorist Content Online Regulation requires hosting service providers to designate a contact point for the receipt of removal orders by electronic means and their prompt processing.
The contact point qualifies as having been "made publicly available" when the TCO hosting service provider has notified the competent authorities (Bundeskriminalamt and Bundesnetzagentur) of an email address for the receipt of removal orders under the Regulation by sending the email address to tco@bka.bund.de and tco@bnetza.de.
The contact point notified is stored by the Bundeskriminalamt at European level in Europol's PERCI system and can be used by the relevant competent authorities in the EU to issue removal orders.
Alternatively, hosting service providers can post information about their contact point on their website.
For example:
Contact point under Regulation (EU) 2021/784 of the European Parliament and of the Council.
Email: tco-kontaktstelle@exampledomain.de.
Contact is possible in the following languages: German [English, etc].
[This email address is only intended for communications under Regulation (EU) 2021/784. No other queries will be answered.]
Which rules apply to indirect hosting service providers?
Please note: a classification as a TCO hosting service provider or an indirect hosting service provider applies to an individual business model (for each individual service offered by a hosting provider) and not to an individual company.
The Terrorist Content Online Regulation is not fully applicable to indirect hosting service providers.
Indirect hosting service providers are not required to establish a contact point for the receipt of removal orders or notify the competent authorities of the contact point.
The Bundeskriminalamt and the Bundesnetzagentur would like indirect hosting service providers to voluntarily notify the Bundeskriminalamt and the Bundesnetzagentur of their contact point by sending an email to tco@bka.bund.de and tco@bnetza.de so that the providers can be contacted for the purposes of collecting information. The email addresses provided voluntarily will also be stored in the PERCI system but will only be used to contact indirect hosting service providers in order to obtain the contact details of TCO direct hosting service providers if the authorities do not have these details.
No removal requests or orders will be sent to these email addresses and there is no deadline for a response.
Reporting obligations
Which reporting obligations must you meet every year as a TCO hosting service provider?
At the latest by 1 March of every year you must report the following information for the previous year to the Bundesnetzagentur:
- the number of access requests issued by competent authorities regarding content stored by hosting service providers pursuant to Article 6 of the Terrorist Content Online Regulation (as per Article 21(1)(c)) in a given calendar year and
- the number of complaint procedures initiated and actions taken by the hosting service providers pursuant to Article 10 of the Regulation (as per Article 21(1)(d)) in a given calendar year.
A reporting form is available here: TCO-Monitoring (pdf / 147 KB)
What is a complaint mechanism within the meaning of Article 10 of the Terrorist Content Online Regulation?
TCO hosting service providers that take specific measures pursuant to Article 5 of the Regulation must establish an effective and accessible mechanism allowing content providers to submit a complaint concerning the removal of content or disabling of access to content.
All requests must be examined promptly. If the removal of content or disabling of access to content was unjustified, the content or access must be reinstated without undue delay. The complainant must be informed within two weeks of receipt of the complaint. If a complaint is rejected, the reasons must be given.
Do you have to draw up a transparency report every year?
No, only TCO hosting service providers that have taken special action to address the dissemination of terrorist content or that have been required to take action pursuant to the Terrorist Content Online Regulation in a given calendar year are required by Article 7 of the Regulation to draw up a transparency report on those actions for that year and publish the report before 1 March of the following year.
Transparency reports must include at least the following information (Article 7(3) of the Regulation):
Please note: hosting service providers must provide information even if there are no cases to report. For instance, if they have not handled any complaints in accordance with Article 10 in the reporting period, they need to report the number as zero.
You have become aware of terrorist content involving an imminent threat to life. Who do you have to inform?
If you are a TCO hosting service provider and become aware of matters/terrorist content involving an imminent threat to life, you must promptly take appropriate measures to prevent the dissemination of the content and inform the authorities responsible for the investigation and prosecution of criminal offences in the Member State concerned (in the case of Germany, the Bundeskriminalamt). If you cannot identify the Member State concerned, promptly inform Europol and transmit the necessary information concerning the terrorist content to Europol for appropriate follow-up. (Article 14(5) of the Regulation)
A form with all the key data is available on the Bundeskriminalamt's website Notification of imminent threat to life
Please make sure that you provide as much information as possible (such as URLs, account data, media files), that the information is as accurate as possible and that you provide documentation of the terrorist content, such as screenshots. Please also provide contact details for any queries to ensure that the matter can be dealt with as quickly as possible.
Further information on the Terrorist Content Online Regulation and details of the contact point at the Bundeskriminalamt for hosting service providers are available at: Bundeskriminalamt
Bundeskriminalamt 24/7 contact point for notification of an imminent threat to life:
Email tco-threat@bka.bund.de
Tel. +49 2225 8920030
Europol 24/7 contact point for notification of an imminent threat to life:
Email O1-13@europol.europa.eu
Tel. +31 70 3531100
(Please make sure you state that the matter relates to Article 14(5) of the Terrorist Content Online Regulation.)
You have become aware of terrorist content not involving an imminent threat to life. Who can you inform?
If you become aware of terrorist content online not involving an imminent threat to life, please report the criminal online content to the competent police authority in the federal state where you live.
The federal states have set up special reporting portals for internet users to report criminal content: „Online-Wachen“
Please make sure that you provide as much information as possible, that the information is as accurate as possible and that you provide documentation of the content, such as screenshots. Please also provide contact details for any queries to ensure that the matter can be dealt with as quickly as possible.
Removal orders
You have received a removal order. What do you have to do?
The specified terrorist content must be removed or access to the content disabled in all EU Member States within one hour of receipt of the removal order.
The competent authority that issued the removal order and the Bundeskriminalamt must be informed when the content has been removed or access to the content has been disabled. (Article 3(3) and (6) of the Terrorist Content Online Regulation)
Please complete the template for "Feedback following removal of or disabling of access to terrorist content" set out in Annex II to the Regulation and indicate the time of the removal or disabling.
What should you do if you do not have all the necessary information to comply with the removal order or if the removal order contains "manifest" errors?
Please inform the competent authority that issued the removal order and the Bundeskriminalamt without undue delay using the template for "Information about the impossibility to execute the removal order" set out in Annex III to the Terrorist Content Online Regulation. (Article 3(8) of the Regulation).
What should you do if it is not possible for you to remove content or disable access to content?
Please complete the template for "Information about the impossibility to execute the removal order" set out in Annex III to the Terrorist Content Online Regulation. Please inform the competent authority that issued the removal order and the Bundeskriminalamt without undue delay and explain your reasons. (Article 3(7) of the Regulation)
Do you have to comply with a removal order from an authority in another country and, if so, what is the deadline?
The same applies in this case: the specified terrorist content must be removed or access to the content disabled within one hour.
Can you have a removal order from another country scrutinised?
Yes, but you first have to comply with the order and remove the content or disable access to the content.
If you receive a removal order from a competent authority in another EU Member State, you can submit a reasoned request within 48 hours of receiving the removal order for the Bundeskriminalamt to scrutinise the order.
The Bundeskriminalamt will adopt a reasoned decision within 72 hours of receiving your request as to whether or not there is an infringement of the Terrorist Content Online Regulation. (Article 4(4) of the Regulation)
Can you challenge a removal order?
Yes.
Information about redress possibilities is included in the removal order. Section G of the removal order contains information about competent bodies or courts, deadlines and procedures for challenging the removal order. This applies to both removal orders issued by the Bundeskriminalamt and to orders from authorities in other countries.
What happens if you do not comply with a removal order?
Failure by a TCO hosting service provider to comply with a removal order is a regulatory offence and is subject to a fine of up to €5mn (section 6 of the Terrorist Content Online Act).
In certain cases (hosting service providers with an annual turnover of more than €125mn) a fine of up to 4% of the global turnover of the preceding business year can be imposed for a regulatory offence that has been committed deliberately.
Specific measures
Which specific measures can you take to prevent the dissemination of terrorist content?
The following downloadable table provides a non-exhaustive list of possible measures for the various provider categories with regard to what can be reasonably expected of the providers.
This serves as a starting point for providers to take their own measures. This does not mean that all the measures ticked must be taken on a cumulative basis. The hosting service provider affected must itself always select the measure to be taken and adapt it to the hosting service affected. Other or different measures may also be taken that are suitable, targeted, proportionate, non-discriminatory and take the fundamental rights of the user into account while effectively curtailing the dissemination of terrorist content online.
It is incumbent on the Bundesnetzagentur to evaluate in specific individual cases whether the measures are sufficient to meet the goal within the meaning of the Terrorist Content Online Regulation. (Article 5 of the Terrorist Content Online Regulation, section 1(2) Terrorist Content Online Act)
Table of possible measures (pdf / 59 KB)
The diagram shows the interworking of the measures from the table above.
Please send any questions or complaints about terrorist content online to the e-mail address given below.
