Contractual Security Requirements

Mandatory Clauses

Contracts with service providers that have access to BAUER GROUP systems or data must contain the following minimum requirements:

Information Security

Clause	Description
Security standards	Adherence to appropriate technical and organizational measures (state of the art)
Encryption	Encryption of sensitive data at rest and in transit
Access control	Personalized accounts, least-privilege principle, MFA for administrative access
Patch management	Timely remediation of known vulnerabilities

Incident Management

Clause	Description
Reporting obligation	Immediate notification of security incidents (max. 24h)
Cooperation obligation	Support during analysis and remediation
Disclosure obligation	Complete information on scope and impact

§30(2) NO. 4 BSIG – SUPPLY CHAIN SECURITY

NIS2 explicitly requires that security measures in the supply chain are addressed, including security-related aspects concerning the relationship between the entity and its direct suppliers or service providers.

Audit and Inspection Rights

Clause	Description
Audit right	Right to audit security measures (in-house or through third parties)
Certificate submission	Obligation to present current security certifications
Compliance evidence	Annual evidence of adherence to contractual security requirements

Data Handling

Clause	Description
Data storage	Storage location and legal jurisdiction documented
Data deletion	Secure deletion after contract termination, with evidence
Data return	Return of all data in machine-readable format
Subcontractors	Approval required for subcontractors, same security requirements apply

Exit Strategy

Clause	Description
Transition period	Minimum 90 days of migration support
Data export	Complete data export in open formats
Knowledge transfer	Documentation of all relevant configurations and processes
Deletion confirmation	Written confirmation of complete data deletion

Contract Management Schedule

Activity	Interval	Responsible
Contract review	Upon conclusion / renewal	CISO + Procurement
SLA monitoring	Ongoing	IT Operations
Security clause review	Annually for critical service providers	CISO