# Escalation & Communication

## Escalation Matrix

| Severity | Initial Notification | Escalation to Exec. Mgmt. | BSI Report | Customer Notification |
|---|---|---|---|---|
| Critical | CISO + Exec. Mgmt. immediately | Immediately | Assessment within 4h | Without delay if affected |
| High | CISO within 1h | Within 4h | Assessment within 24h | If services are affected |
| Medium | CISO within 24h | Next regular report | No (standard case) | Only if directly impacted |
| Low | IT team | No | No | No |

## Communication Plan

### Internal Communication

| Recipient | Channel | Content | Timing |
|---|---|---|---|
| Incident response team | Encrypted messenger / conference call | Technical details, measures | Immediately upon detection |
| Executive management | Direct conversation or encrypted email | Situation summary, impact, measures | Per escalation matrix |
| Affected departments | Email + meeting | Impact on their area, expected duration | After initial assessment |
| All employees | Only if necessary (e.g., phishing wave) | Warning + instructions for action | After exec. management approval |

### External Communication

| Recipient | Channel | Content | Timing |
|---|---|---|---|
| BSI | Reporting platform | Per §32 reporting model | 24h / 72h / 1 month |
| Affected customers | Direct notification (email + phone) | Nature, scope, measures, recommendations | Without delay if affected |
| Data protection authority | Reporting portal | GDPR Art. 33/34 if personal data affected | 72 hours |
| Law enforcement | Formal report | If a criminal offense is suspected | After exec. management decision |

## Customer Notification in Case of Incidents

When a security incident affects customer data or services, the notification includes:

- Nature and scope of the incident
- Affected data or services
- Countermeasures taken
- Recommended actions for the customer
- Contact person for inquiries
- Expected duration of the disruption

### NIS2-Regulated Customers

Customers who are themselves subject to NIS2 regulation must report significant security incidents to the BSI within 24 hours. Prompt and complete information from the BAUER GROUP enables these customers to meet their own reporting obligations.

## Emergency Contacts

The following contacts are available at all times (including outside business hours):

| Role | Availability |
|---|---|
| CISO | 24/7 via mobile phone |
| IT on-call | 24/7 via on-call duty |
| Executive management | Reachable via mobile phone |
| BSI reporting platform | Online portal (24/7) |