Introduction
This documentation describes the implementation of the NIS 2 Directive (EU) 2022/2555 and the German NIS2 Implementation Act (NIS2UmsuCG) at BAUER GROUP. It covers all ten risk management measures per §30(2) BSIG as well as obligations under §32 (reporting), §33 (registration), and §38 (management duties).
Legal Basis
NIS 2 Directive (EU) 2022/2555 – Measures for a high common level of cybersecurity across the Union.
BSIG §30(1): Essential and important entities are obligated to take appropriate, proportionate and effective technical and organizational measures to avoid disruptions to the availability, integrity, authenticity and confidentiality of information technology systems, components and processes.
Scope
| Area | Description |
|---|---|
| Software Development | Custom B2B software, embedded systems and AI-driven workflows |
| IT Infrastructure | Server operations, network infrastructure and cloud services |
| Managed Services | IT services and support for B2B customers |
| Internal IT | Systems and processes for internal operations |
Complementary Documentation
| Documentation | Regulation | Focus | URL |
|---|---|---|---|
| NIS2 (this document) | (EU) 2022/2555 / BSIG | Organization & Operations | nis2.docs.bauer-group.com |
| CRA | (EU) 2024/2847 | Products & Software | cra.docs.bauer-group.com |
| AI Act | (EU) 2024/1689 | AI Systems | ai-act.docs.bauer-group.com |
Documentation Structure
| No. | Chapter | §30 BSIG | Content |
|---|---|---|---|
| 1 | Introduction | — | Scope, legal framework, structure |
| 2 | Risk Management | No. 1 | Risk analysis, ISMS, asset inventory |
| 3 | Incident Management | No. 2 + §32 | Incident response, reporting obligations |
| 4 | Business Continuity | No. 3 | Backup, disaster recovery, crisis management |
| 5 | Supply Chain Security | No. 4 | Vendor assessment, security requirements |
| 6 | Vulnerability Management | No. 5 | Scanning, patch management, secure development |
| 7 | Effectiveness Review | No. 6 | Security audits, KPIs, penetration testing |
| 8 | Training & Awareness | No. 7 | Mandatory training, cyber hygiene |
| 9 | Cryptography | No. 8 | Encryption, key management |
| 10 | Access Control | No. 9–10 | Authentication, MFA, secure communication |
| 11 | Governance | §38 | Management duties, governance structure |
| 12 | Compliance Matrix | All | Complete requirements mapping |