NIS2 Compliance – BAUER GROUP (English)

Governance

BAUER GROUP — Tue, 24 Mar 2026 00:10:02 GMT

Governance

LEGAL BASIS

§38(1) BSIG – Management of essential and important entities is obligated to approve the risk management measures taken by these entities per §30 and to supervise their implementation.

§38(3) BSIG – Management must regularly participate in training to acquire sufficient knowledge and skills for identifying and assessing risks and risk management practices.

Management Duties

The German NIS2 implementation establishes personal obligations of management for cybersecurity:

Duty	Description	Evidence
Approval	Formal approval of risk management measures	Documented sign-off
Supervision	Ongoing control of implementation	Regular reports
Training	Personal participation in cybersecurity training	Attendance record
Liability	Personal liability for breach of duty (§38(2) BSIG)	—

LIABILITY

Under §38(2) BSIG, management is personally liable for damages resulting from breach of their approval and supervision duties. Waiver agreements and settlements are void.

Governance Structure

Role	Responsibility
Management	Approval of measures, resource allocation, personal training
Information Security Officer (ISO)	Operational control, risk analysis, incident coordination, BSI contact
IT Lead	Technical implementation, system security, patch management
Department Heads	Compliance with security policies in their area

Reporting

Report	Recipient	Interval
Security status	Management	Quarterly
Incident reports	Management	Event-driven (high/critical immediately)
Annual security report	Management	Annually
KPI report	ISO / Management	Monthly

Management Training Obligation

Management participates at least annually in cybersecurity training covering:

Current threat landscape and relevant incidents
NIS2/BSIG obligations and liability
Risk management and measure assessment
Incident response process and escalation

AI Act Synergy

The AI Act governance framework complements NIS2 governance requirements for AI-powered systems. Details in the AI Act Governance Documentation.

Training & Awareness

BAUER GROUP — Tue, 24 Mar 2026 00:10:02 GMT

Training & Awareness

LEGAL BASIS

§30(2) No. 7 BSIG – Basic cyber hygiene practices and information security training

§38(3) BSIG – Management must regularly participate in training.

Training Program

Basic Training (all employees)

Topic	Content	Interval
Phishing & social engineering	Recognition, reporting channels, practical examples	Annually
Password & access security	Strong passwords, MFA, password managers	Annually
Secure communication	Email security, encrypted channels	Annually
Incident reporting	Reporting obligation, channels, contacts	Annually
Data protection basics	Personal data, GDPR basics	Annually

Role-Specific Training

Target Group	Additional Content
Management	NIS2 obligations per §38, liability, governance (mandatory)
IT administration	Secure system operation, patch management, logging
Software development	Secure coding, OWASP Top 10, supply chain security
Project management	Security requirements in projects, risk assessment

Onboarding

New employees receive before system access:

Introduction to information security policy
Basic cyber hygiene training
Acknowledgment of security policies

Documentation

Attendance records maintained centrally
Training completion is a prerequisite for system access rights
Annual evaluation of completion rates as KPI

AI Act Synergy

The AI competence program (Art. 4 AI Act) complements NIS2 training obligations. Details in the AI Act Compliance Documentation.

Authentication & MFA

BAUER GROUP — Mon, 23 Mar 2026 23:52:26 GMT

Authentication & MFA

Multi-Factor Authentication

MFA Requirements

Access Type	MFA Required	Preferred Method
External access (VPN, portals)	Yes -- mandatory	FIDO2 / WebAuthn
Administrative system access	Yes -- mandatory	FIDO2 / TOTP
Cloud services / SaaS	Yes -- mandatory	TOTP / FIDO2
Email access	Yes -- mandatory	TOTP / FIDO2
Internal applications (LAN)	Risk-based	TOTP (if required)

MFA Methods (Ranking)

Method	Security Level	Application
FIDO2 / WebAuthn	Highest (phishing-resistant)	Preferred for all access
TOTP (Authenticator app)	High	Standard alternative
Push notification	Medium	Only with number matching
SMS OTP	Low -- not permitted	Not allowed (SIM swapping risk)

MFA Exceptions

Exceptions to the MFA requirement are only possible in justified cases:

Documented justification required
ISO approval mandatory
Compensating controls defined
Time-limited with scheduled review
Service accounts: IP allowlisting + API key instead of MFA

Password Policy

Requirement	Standard
Minimum length	16 characters
Recommendation	Passphrase (4+ words)
Complexity	No forced special characters (length > complexity)
Password manager	Mandatory for all employees
Reuse	Prohibited (unique password per service)
Breach check	Automatic verification against HaveIBeenPwned / known-breach lists
Expiry	No forced expiry (per NIST 800-63B), rotation only upon suspected compromise

Service Accounts

Requirement	Implementation
No shared accounts	Every service account has a documented owner
Minimal privileges	Least privilege, only required API scopes
Rotation	API keys rotated at least annually
Monitoring	Anomaly detection for service account usage
Documentation	Purpose, owner, permissions, creation date

Authorization & Permission Management

BAUER GROUP — Mon, 23 Mar 2026 23:52:26 GMT

Authorization & Permission Management

Access Control Model

BAUER GROUP employs a role-based access control (RBAC) model:

Principle	Implementation
Least Privilege	Every account receives only the minimum necessary permissions
Need-to-Know	Data access only on business necessity
Separation of Duties	Critical operations require multiple persons
Default Deny	No access without explicit authorization

Role Definitions

Role	Permissions	Granted by
User	Access to assigned applications and data	Supervisor + IT
Developer	Code repositories, staging environments, CI/CD	Team lead + IT
Administrator	System configuration, user management, monitoring	ISO + IT Lead
Root / Superadmin	Full access to infrastructure	IT Lead only, four-eyes principle

Permission Lifecycle

Grant

Request by employee or supervisor
Approval by responsible data/system owner
Implementation by IT
Documentation in the permission inventory

Change

On role change: revoke old permissions, grant new permissions
Deadline: within 5 business days of role change
Review of old permissions by supervisor

Revocation (Offboarding)

Step	Deadline	Responsible
Account deactivation	On last working day, before end of work	IT
Email forwarding	Set up to delegate (time-limited)	IT
Shared credentials	Rotation of all shared access credentials	IT + Department
Hardware return	On last working day	Supervisor
VPN / remote access	Immediate deactivation	IT

Authorization Audit

Review	Interval	Action
Full permission review	Semi-annually	Each system owner reviews permissions for their systems
Orphaned accounts	Monthly (automated)	Deactivation of accounts without a corresponding active employee
Privileged accounts	Quarterly	Review of all admin permissions for necessity
Service accounts	Semi-annually	Owner confirms necessity and scope

Secure Communication

BAUER GROUP — Mon, 23 Mar 2026 23:52:26 GMT

Secure Communication

LEGAL BASIS

§30(2) No. 10 BSIG -- Secured voice, video and text communication, and secured emergency communication systems where appropriate within the entity

Communication Channels

Channel	Encryption	Authentication	Use
Email	TLS in transit, optional S/MIME	SPF/DKIM/DMARC	Standard business communication
Encrypted messenger	End-to-end (E2E)	Account-based + MFA	Sensitive internal communication, incident response
Video conferencing	TLS, transport encryption	Meeting codes + waiting room	Meetings, customer communication
VPN	IPsec / WireGuard	Certificate + MFA	Remote access to internal systems
Telephone	Standard network (unencrypted)	Caller ID	Not for confidential information

Email Security in Detail

DNS-Based Authentication

Mechanism	Configuration	Purpose
SPF	TXT record with authorized mail servers	Prevents sender spoofing
DKIM	Signing of outgoing emails (≥ 2048 bit)	Integrity verification
DMARC	Policy: `reject`, reporting to ISO	Enforces SPF+DKIM, reports violations
MTA-STS	Enforced TLS for incoming emails	Prevents downgrade attacks
DANE/TLSA	DNS-based certificate binding	Additional TLS verification

Handling Classified Data via Email

Classification	Permitted via email?	Additional measures
Public	Yes	None
Internal	Yes	Standard TLS
Confidential	Only if necessary	Encrypted attachment or secure exchange platform
Strictly confidential	No	Only via E2E-encrypted channels

Emergency Communication

Fallback Channels

In the event that primary communication channels are compromised or unavailable:

Priority	Channel	Availability
1	Mobile phone (personal)	24/7
2	Alternative messenger (predefined)	24/7
3	Landline telephone	Business hours

Preparation Measures

Current contact lists of key personnel available offline (printed or on a separate device)
Predefined code words for identity verification during telephone communication
Annual reachability exercise with all crisis team members
Backup communication plan is part of the crisis management documentation

Backup Strategy

BAUER GROUP — Mon, 23 Mar 2026 23:52:26 GMT

Backup Strategy

3-2-1 Rule in Detail

Backup Types

Type	Description	Interval	Storage Requirement
Full backup	Complete backup of all data	Weekly (Sunday)	100%
Incremental	Only data changed since last backup	Daily	~5-15%
Configuration backup	Git-based versioning of all configs	Upon every change	Minimal

Backup Targets by Data Type

Data Type	Primary Backup	Secondary Backup	Offsite	Encryption	Retention
Databases	Local storage	Object storage (cloud)	Yes	AES-256	90 days
Customer data	Local storage	Object storage (cloud)	Yes	AES-256	Per contract, min. 30d
Server configurations	Git repository	Remote repository	Yes	Repository-level	Indefinite
Email archive	Local storage	Object storage	Yes	AES-256	90 days
Key material	Encrypted vault	Offline copy	Yes (physically separated)	AES-256 + passphrase	Lifetime of the key

3-2-1 RULE

Maintain at least 3 copies of data, on 2 different media types, with 1 copy stored offsite. This principle is the foundation for resilient data protection per §30(2) No. 3 BSIG.

Restore Verification

Test	Interval	Scope	Acceptance Criterion
Automated integrity check	With every backup	Checksum	Checksum matches
Restore test (sample)	Monthly	Individual files / databases	Data correct and complete
Full restore test	Quarterly	Complete system	RTO met, data consistent
DR simulation	Annually	Entire infrastructure	All RTO/RPO targets achieved

Monitoring

Backup success/failure is monitored automatically
Failed backups generate immediate alerts
Storage capacity and retention periods are monitored
Monthly backup report to CISO

Crisis Management

BAUER GROUP — Mon, 23 Mar 2026 23:52:26 GMT

Crisis Management

Crisis Definition

A crisis exists when a security incident:

Threatens the operational capability of the organization
Affects multiple systems or locations simultaneously
Requires external communication with customers, authorities or media
Exceeds the capacity of regular escalation channels

Crisis Team

Role	Person	Task
Crisis team lead	Executive Management	Decision-making, resource allocation, external communication
Technical lead	CISO	Situational awareness, technical coordination of measures
IT Operations	IT Management	Recovery, system management
Communications	Executive Management / PR	Customer, authority and media communication (if applicable)
Legal / Data Protection	DPO / external counsel	GDPR reporting, criminal complaint, liability matters

Crisis Process

Phase 1: Alerting (< 1 hour)

CISO alerts crisis team via mobile phone (no email if systems are compromised)
Initial situation report: What is known, what is affected, what is the immediate threat?
Crisis team meeting (on-site or conference call via backup channel)

Phase 2: Situational Awareness (< 4 hours)

Complete impact analysis
Decision on communication strategy
Prepare BSI report (if reportable incident)
Prepare customer notification (if affected)

Phase 3: Response (days to weeks)

Coordinated recovery per DR plan
Regular crisis team updates (at least daily)
Ongoing BSI communication
Customer communication (status updates)

Phase 4: Return to Normal Operations

Verification of all restored systems
Formal end of crisis mode by executive management
Handover to regular operations

Phase 5: Post-Incident Review (< 30 days)

Comprehensive post-mortem analysis
BSI final report
Lessons learned and action plan
Update of DR plan, playbooks and risk analysis

Exercise Types

Exercise Type	Interval	Participants
Tabletop exercise	Annually	Crisis team + IT
Communication exercise	Annually	Crisis team
Technical DR simulation	Annually	IT team

EXERCISE PLANNING

Crisis exercises should cover a variety of scenarios over time, including ransomware, data center outage, supply chain compromise and data breach. Each exercise should be documented with findings and improvement actions.

Disaster Recovery

BAUER GROUP — Mon, 23 Mar 2026 23:52:26 GMT

Disaster Recovery

Recovery Objectives

Service Category	RTO	RPO	Priority
Critical production systems	< 4 hours	< 1 hour	1 – Immediate recovery
Customer-facing services	< 8 hours	< 4 hours	2 – High priority
Internal systems	< 24 hours	< 24 hours	3 – Normal
Archive / documentation	< 72 hours	< 1 week	4 – Low

Recovery Procedures

Scenario: Single System Failure

Identify root cause (hardware, software, configuration)
Activate failover (if available)
Restore system from backup or rebuild
Apply configuration from Git repository
Verify integrity before returning to production
Enhance monitoring for 24 hours

Scenario: Ransomware

Immediately: Isolate all affected systems from the network
Determine scope of encryption
Verify backup integrity (identify clean backups)
Restore systems from verified backups
Rotate all credentials
Close attack vector before bringing systems back online

NO RANSOM PAYMENTS

The BAUER GROUP does not pay ransom under any circumstances. Payment finances criminal organizations and provides no guarantee of data recovery.

Scenario: Data Center Outage

Activate crisis team
Failover to secondary site (if available)
Prioritized recovery by service category
Activate customer communication
Ensure provisional operations
Complete recovery after primary site availability

Failover Systems

System	Failover Type	Switchover Time
DNS	Automatic (Anycast / health check)	< 5 minutes
Web applications	Manual (backup deployment)	< 1 hour
Databases	Replication (for critical systems)	< 15 minutes
Email	Secondary MX record	Automatic

DR Test Schedule

Test	Interval	Scope
Tabletop exercise	Semi-annually	Walk through a scenario without actual system changes
Restore test	Quarterly	Actual restoration of individual systems
Full DR simulation	Annually	Complete failover scenario with time measurement

CRA & AI Act Synergies (Detail)

BAUER GROUP — Mon, 23 Mar 2026 23:52:26 GMT

CRA & AI Act Synergies (Detail)

Detailed Requirement Mapping

§30 No. 2 -- Incident Management vs. CRA Art. 14

Aspect	NIS2 (§32 BSIG)	CRA (Art. 14)	Synergy
Trigger	Significant operational incident	Product vulnerability / incident	Shared initial assessment process
Early warning	24h to BSI	24h to ENISA	Parallel notification using shared template
Detailed report	72h	72h	Data reusable
Final report	1 month	14 days	Separate reports, shared root cause analysis
Templates	NIS2 Reporting Obligations	CRA ENISA Reporting	Designed for compatibility

§30 No. 4 -- Supply Chain vs. CRA Annex I Part II No. 1

Aspect	NIS2	CRA	Synergy
Software dependencies	-- (NIS2 references CRA)	SBOM + Dependency Policy	CRA leading
IT service providers	Vendor Assessment	--	NIS2 leading
Contractual requirements	Security Clauses	Annex I Part II No. 1	Shared contractual standards

§30 No. 5 -- Vulnerabilities vs. CRA Art. 10/11

Aspect	NIS2	CRA	Synergy
CVE monitoring (products)	-- (NIS2 references CRA)	CRA Vulnerability Management	CRA leading
CVE monitoring (infrastructure)	Scanning	--	NIS2 leading
Patch management	Patch Management	CRA: Product updates	Shared timelines
Secure development	Secure Development	CRA: Security by design	Shared development standards

AI Act Synergies

NIS2 Measure	AI Act Article	Description
No. 1 -- Risk management	Art. 9 (Risk management system)	NIS2 ISMS provides the methodological foundation for AI risk management
No. 7 -- Training	Art. 4 (AI Literacy)	AI Act Training Program as extension
No. 8 -- Cryptography	Art. 15 (Cybersecurity)	Cryptography standards also apply to AI systems
No. 9 -- Access control	Art. 14 (Human oversight)	Access control concepts as foundation for AI oversight

Overall Architecture

NIS2 (Organization & Operations)
  +-- Risk Management <---- AI Act (AI Risk Management, Art. 9)
  +-- Incident Management <---- CRA (Product Incidents, Art. 14)
  +-- Supply Chain <---- CRA (Software SBOM, Annex I)
  +-- Vulnerabilities <---- CRA (Product CVEs, Art. 10/11)
  +-- Training <---- AI Act (AI Literacy, Art. 4)
  +-- Cryptography <---- AI Act (Cybersecurity, Art. 15)
                    <---- CRA (Product Encryption, Annex I)

Encryption Standards

BAUER GROUP — Mon, 23 Mar 2026 23:52:26 GMT

Encryption Standards

Protocol Requirements

TLS (Transport Layer Security)

Requirement	Standard
Minimum version	TLS 1.2
Recommended version	TLS 1.3
Prohibited versions	SSL 3.0, TLS 1.0, TLS 1.1
Cipher suites (TLS 1.3)	TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256
HSTS	Enabled with min. 1 year, includeSubDomains

SSH

Requirement	Standard
Key type	Ed25519 (preferred), RSA-4096 (fallback)
Password login	Disabled
Root login	Disabled
Protocol version	SSH-2 exclusively

Email (SMTP)

Requirement	Standard
Transport encryption	STARTTLS (opportunistic), MTA-STS (enforced)
SPF	Configured for all domains
DKIM	Signing active, key length ≥ 2048 bit
DMARC	Policy: reject, reporting active

Database Encryption

Type	Method	Application
Transparent Data Encryption (TDE)	AES-256	Entire database at rest
Column-level encryption	AES-256	Highly sensitive fields (credentials, PII)
Connection encryption	TLS 1.2+	All database connections

Backup Encryption

Aspect	Standard
Algorithm	AES-256
Key management	Separate key per backup set
Key rotation	On every full backup
Key storage	Separate from backup, encrypted vault

Key Management & Certificate Management

BAUER GROUP — Mon, 23 Mar 2026 23:52:26 GMT

Key Management & Certificate Management

Key Lifecycle

Phase	Requirements
Generation	Cryptographically secure random number generators (CSPRNG), minimum key lengths per BSI TR-02102
Distribution	Encrypted channel, personalized handover, no plaintext transmission
Storage	Encrypted storage, need-to-know access control, audit trail
Usage	Only for defined purpose, no repurposing
Rotation	Scheduled per rotation intervals, unscheduled upon suspected compromise
Archival	Encrypted, time-limited, only for decryption of legacy data
Destruction	Secure deletion (cryptographic erasure or physical destruction), documented

Rotation Intervals

Key Type	Rotation	Notes
TLS certificates	90 days (Let's Encrypt automated)	Automated renewal
SSH keys	Annually or upon personnel change	Personalized keys
API keys	Annually or upon suspected compromise	Automated where possible
Backup keys	On every full backup	Archive old key for restore
Database keys	Annually	Planned rotation during maintenance window

Certificate Management

Inventory

All certificates are tracked centrally:

Attribute	Description
Domain / Common Name	Which domain the certificate covers
Issuer	CA (Let's Encrypt, internal CA)
Expiry date	Automatic monitoring
Renewal process	Automatic / Manual
Responsible party	Assigned administrator

Monitoring

Check	Interval	Action on Finding
Expiry date check	Daily (automated)	Alert 30 days before expiry, escalation 7 days before expiry
Certificate chain validation	Weekly	Alert on invalid chain
Revocation status (OCSP/CRL)	On every connection (client)	Reject connection for revoked certificate

Revocation Process

Upon compromise of a certificate:

Immediate revocation at the CA
Issue and deploy a new certificate
Verify whether the compromised key was used elsewhere
Document the incident and incorporate into risk analysis

Audit Program

BAUER GROUP — Mon, 23 Mar 2026 23:52:26 GMT

Audit Program

Audit Types

Type	Description	Interval	Conducted by
Internal Audit	Review of ISMS conformity and measure implementation	Annually	ISO
Technical Audit	Configuration review, hardening check, vulnerability assessment	Semi-annually	IT + ISO
Penetration Test	Simulated attack on infrastructure and applications	Annually	External provider
Authorization Audit	Review of all access rights for currency and necessity	Semi-annually	ISO
Backup Audit	Restore tests and backup integrity verification	Quarterly	IT Operations
Vendor Audit	Review of critical vendors for contractual compliance	Annually	ISO + Procurement

Audit Scope

Internal ISMS Audit

Review Area	Audit Points
Information security policy	Currency, management sign-off, dissemination
Risk analysis	Completeness, currency, risk treatment plans
Incident management	Process documentation, exercises, reporting deadlines
Access control	MFA enforcement, permissions, on-/offboarding
Training	Completion rates, content currency
Business continuity	Backup tests, DR plan, crisis exercises

Penetration Test Scope

Scope	Description
External attack surface	Publicly reachable services, web applications, APIs
Internal infrastructure	Network segmentation, lateral movement, privilege escalation
Social engineering	Phishing simulation (optional, by arrangement)
Excluded	Denial-of-service tests against production systems

Audit Documentation

Every audit is documented with:

Audit scope and timeframe
Audit methodology
Findings with severity rating (Critical / High / Medium / Low / Informational)
Recommended remediation measures
Responsible party and remediation deadline
Follow-up date

Finding Management

Severity	Remediation Deadline	Escalation
Critical	48 hours	Immediate escalation to management
High	30 days	To ISO in next regular report
Medium	90 days	Quarterly report
Low	Next audit cycle	None

KPIs & Metrics

BAUER GROUP — Mon, 23 Mar 2026 23:52:26 GMT

KPIs & Metrics

Security KPIs

Vulnerability Management

KPI	Definition	Target	Measurement
Patch compliance	% of vulnerabilities patched within defined deadlines	≥ 95%	Monthly
Open critical vulnerabilities	Count of unpatched CVSS ≥ 9.0 vulnerabilities	0	Weekly
Mean Time to Patch (MTTP)	Average days until patch deployment	Critical: < 2d, High: < 7d	Monthly

Incident Management

KPI	Definition	Target	Measurement
Mean Time to Detect (MTTD)	Time from attack onset to detection	< 24 hours	Per incident
Mean Time to Respond (MTTR)	Time from detection to containment	Critical: < 4h, High: < 24h	Per incident
Reporting compliance	% of incidents reported to BSI within required deadlines	100%	Per incident

Access Control

KPI	Definition	Target	Measurement
MFA coverage	% of accounts with active MFA	100% (external access)	Monthly
Orphaned accounts	Count of active accounts without a corresponding employee	0	Monthly
Offboarding compliance	% of accounts deactivated within 24h of departure	100%	Per event

Business Continuity

KPI	Definition	Target	Measurement
Backup success rate	% of successful backup jobs	≥ 99%	Daily
Restore success rate	% of successful restore tests	100%	Quarterly
RTO compliance	Recovery time within defined target	100%	Per test / incident

Training

KPI	Definition	Target	Measurement
Training completion	% of employees who completed mandatory training	100%	Annually
Management training	Management has completed cybersecurity training	Yes	Annually
Phishing click rate	% of employees clicking on simulated phishing	< 5%	Semi-annually

Reporting Structure

Report	Content	Recipient	Interval
Security Dashboard	All KPIs at a glance	ISO	Continuous
Monthly Security Report	KPI trends, open findings, incidents	ISO + IT Lead	Monthly
Quarterly Management Report	KPI summary, risk status, measures	Management	Quarterly
Annual Security Report	Overall assessment, audit results, improvement plan	Management	Annually

Management Duties per §38 BSIG

BAUER GROUP — Mon, 23 Mar 2026 23:52:26 GMT

Management Duties per §38 BSIG

Legal Obligations

§38(1) -- Approval and Supervision

Management is personally obligated:

Duty	Description	Evidence
Approval	Formal approval of all risk management measures per §30	Signed approval document
Supervision	Ongoing control of proper implementation	Regular security reports, KPI reviews

§38(2) -- Personal Liability

Management is personally liable for damages resulting from breach of their duties under paragraph 1
Waiver agreements are void
Settlements on compensation claims are void
Compensation claims of the entity against management cannot be excluded

§38(3) -- Training Obligation

Management must regularly participate in training
Purpose: Sufficient knowledge for identifying and assessing risks
Content: Risk management practices and their impact on the entity's services

Implementation at BAUER GROUP

Approval Process

Step	Description	Documentation
1. ISO prepares measure proposal	Based on risk analysis and §30 requirements	Measure plan
2. Presentation to management	Explanation of risks and proposed measures	Presentation materials
3. Discussion and adjustment	Management may request changes	Meeting minutes
4. Formal approval	Management signature	Approval document with date and signature
5. Implementation mandate	Resource allocation and responsibility assignment	Documented mandate

Supervision Mechanisms

Mechanism	Interval	Format
KPI dashboard	Monthly	Digital report
Quarterly management report	Quarterly	Presentation + discussion
Annual security report	Annually	Written report with action plan
Event-driven escalation	On High/Critical level	Immediate notification

Training Evidence

Aspect	Implementation
Frequency	At least annually
Format	In-person training or qualified webinar
Trainer	ISO or external cybersecurity expert
Evidence	Attendance confirmation with date, content, duration
Archival	Minimum 3 years

Liability Minimization

To minimize the personal liability risk of management:

Measure	Description
Documented approval	Approve and archive every measure in writing
Regular reports	Demonstrable supervision through acknowledgment and discussion of reports
Documented training	Retain attendance records
Adequate resources	Allocate budget and personnel for information security
Timely response	Take prompt action when risks become known

Reporting & Governance Structure

BAUER GROUP — Mon, 23 Mar 2026 23:52:26 GMT

Reporting & Governance Structure

Organizational Structure

Management
  +-- Information Security Officer (ISO)
  |     +-- Risk Analysis & ISMS
  |     +-- Incident Management & BSI Contact
  |     +-- Audit & Compliance
  |     +-- Training & Awareness
  +-- IT Lead
  |     +-- IT Operations (Server, Network, Cloud)
  |     +-- Software Development
  |     +-- Helpdesk / Support
  +-- Data Protection Officer (DPO)
        +-- GDPR Compliance

ISO -- Role and Authority

Aspect	Description
Reporting line	Directly to management (independent of IT Lead)
Responsibilities	ISMS operation, risk analysis, incident coordination, BSI reporting, audit coordination
Authority	Authority to order immediate measures during security incidents, escalation to management
Independence	ISO must not be simultaneously responsible for operational management of the systems under review

Reporting Structure

Regular Reports

Report	Content	Recipient	Interval	Format
Security KPI Dashboard	Patch compliance, MTTD/MTTR, MFA coverage, open findings	ISO	Continuous	Dashboard
Monthly Report	KPI trends, new vulnerabilities, incident overview, measure status	ISO + IT Lead	Monthly	Summary report
Quarterly Report	Summary, risk status, audit results, budget	Management	Quarterly	Presentation
Annual Report	Overall assessment, audit results, year-over-year comparison, improvement plan	Management	Annually	Written report

Event-Driven Reports

Trigger	Recipient	Deadline	Format
Critical security incident	Management + ISO	Immediately	Verbal + written follow-up
BSI notification per §32	Management	In parallel with notification	Written
Critical audit finding	Management	Within 48h	Written
Material change in threat landscape	Management + IT	Without delay	Brief notification

Documentation Obligations

The following documents are maintained and available at all times:

Document	Responsible	Review Cycle
Information security policy	ISO, approved by management	Annually
Risk analysis and risk treatment plan	ISO	Annually + event-driven
Asset inventory	IT + ISO	Continuous
Incident response playbooks	ISO + IT	Annually + after incidents
Backup and DR documentation	IT Operations	Annually + after changes
Permission matrix	IT + Departments	Semi-annually
Training records	HR + ISO	Continuous
Audit reports and finding tracker	ISO	After each audit
BSI reporting documentation	ISO	Per incident
Vendor assessments	ISO + Procurement	Annually

Escalation & Communication

BAUER GROUP — Mon, 23 Mar 2026 23:52:26 GMT

Escalation & Communication

Escalation Matrix

Severity	Initial Notification	Escalation to Exec. Mgmt.	BSI Report	Customer Notification
Critical	CISO + Exec. Mgmt. immediately	Immediately	Assessment within 4h	Without delay if affected
High	CISO within 1h	Within 4h	Assessment within 24h	If services are affected
Medium	CISO within 24h	Next regular report	No (standard case)	Only if directly impacted
Low	IT team	No	No	No

Communication Plan

Internal Communication

Recipient	Channel	Content	Timing
Incident response team	Encrypted messenger / conference call	Technical details, measures	Immediately upon detection
Executive management	Direct conversation or encrypted email	Situation summary, impact, measures	Per escalation matrix
Affected departments	Email + meeting	Impact on their area, expected duration	After initial assessment
All employees	Only if necessary (e.g., phishing wave)	Warning + instructions for action	After exec. management approval

External Communication

Recipient	Channel	Content	Timing
BSI	Reporting platform	Per §32 reporting model	24h / 72h / 1 month
Affected customers	Direct notification (email + phone)	Nature, scope, measures, recommendations	Without delay if affected
Data protection authority	Reporting portal	GDPR Art. 33/34 if personal data affected	72 hours
Law enforcement	Formal report	If a criminal offense is suspected	After exec. management decision

Customer Notification in Case of Incidents

When a security incident affects customer data or services, the notification includes:

Nature and scope of the incident
Affected data or services
Countermeasures taken
Recommended actions for the customer
Contact person for inquiries
Expected duration of the disruption

NIS2-REGULATED CUSTOMERS

Customers who are themselves subject to NIS2 regulation must report significant security incidents to the BSI within 24 hours. Prompt and complete information from the BAUER GROUP enables these customers to meet their own reporting obligations.

Emergency Contacts

The following contacts are available at all times (including outside business hours):

Role	Availability
CISO	24/7 via mobile phone
IT on-call	24/7 via on-call duty
Executive management	Reachable via mobile phone
BSI reporting platform	Online portal (24/7)

Reporting Obligations per §32 BSIG

BAUER GROUP — Mon, 23 Mar 2026 23:52:26 GMT

Reporting Obligations per §32 BSIG

Three-Tier Reporting Model

Tier 1: Early Warning (24 Hours)

Field	Content
Deadline	24 hours after becoming aware of the significant incident
Recipient	BSI via reporting platform
Content	Nature of the incident, initial suspicion of cause
Specifics	Indicate whether an unlawful or malicious act is suspected; whether cross-border impact is possible

Tier 2: Update Report (72 Hours)

Field	Content
Deadline	72 hours after becoming aware
Recipient	BSI via reporting platform
Content	Initial assessment of the incident: severity, impact
Specifics	Indicators of compromise (IoC) where available; update of initial assessment

Tier 3: Final Report (1 Month)

Field	Content
Deadline	1 month after becoming aware (extension upon request possible)
Recipient	BSI via reporting platform
Content	Detailed description: root cause, measures taken, cross-border impact
Specifics	If the incident is still ongoing: interim report instead of final report; final report after resolution

REPORTING DEADLINES

All deadlines run from the moment the entity becomes aware of the significant incident. "Awareness" means the point at which the CISO or a member of the incident response team has confirmed that the event constitutes a significant incident per the criteria below.

Criteria for Significant Security Incidents

An incident is considered significant if at least one of the following criteria is met:

Criterion	Threshold
Serious operational disruption	Services to customers are restricted or unavailable
Financial losses	Direct or indirect losses above the materiality threshold
Harm to third parties	Other persons or entities are significantly affected
Data loss	Personal or business-critical data compromised

Internal Reporting Flow

Incident detected
  → CISO informed (< 1h)
    → Initial assessment: Significant yes/no? (< 4h)
      → If yes: Prepare BSI early warning (< 24h)
        → Inform executive management
          → Assess GDPR reporting (Art. 33: 72h to supervisory authority)
            → Assess CRA reporting (Art. 14: 24h to ENISA)

Parallel Reporting Obligations

Regulation	Trigger	Deadline	Recipient
NIS2 / §32 BSIG	Significant security incident	24h / 72h / 1 month	BSI
GDPR Art. 33	Personal data breach	72 hours	Competent supervisory authority
CRA Art. 14	Actively exploited product vulnerability	24h / 72h / 14d	ENISA + national CSIRT

PARALLEL REPORTING OBLIGATIONS

A single incident may trigger reporting obligations under multiple regulations simultaneously. The initial assessment process evaluates all applicable frameworks. Templates are designed to be compatible to ensure efficient parallel reporting. See also CRA & AI Act Synergies.

Documentation Requirements

Every reportable incident must be fully documented:

Chronological sequence of events with timestamps
All decisions with rationale
Communication with BSI (report IDs, correspondence)
Measures taken and their effectiveness
Lessons learned and follow-up actions

Retention period: At least 3 years after closure of the incident.

Incident Response Process

BAUER GROUP — Mon, 23 Mar 2026 23:52:26 GMT

Incident Response Process

5-Phase Model

The incident response process of the BAUER GROUP follows the established NIST SP 800-61 framework, adapted to the requirements of §30(2) No. 2 BSIG.

Phase 1: Preparation

Measure	Description
Incident response team	Defined roles: CISO (lead), IT Ops, Development, Communications
Tooling	Log aggregation, monitoring dashboards, ticketing system
Documentation	Response playbooks for the most common scenarios
Communication	Predefined contact lists, escalation paths, templates
Exercises	At least annually tabletop exercise or simulation

Phase 2: Detection and Analysis

Detection Method	Description	Response Time
Automated monitoring	Log-based anomaly detection, threshold alerts	Real-time
Vulnerability alerts	CVE feeds, dependency monitoring, vendor advisories	< 4 hours
Employee reports	Phishing suspicion, unusual behavior	Immediately upon detection
External reports	Customers, partners, security researchers, BSI	Immediately upon receipt

Analysis steps:

Initial assessment: Is the incident real? (Triage)
Classification by severity (Critical / High / Medium / Low)
Impact analysis: Which systems, data and customers are affected?
Reporting obligation check: Does the incident constitute a significant incident per §32 BSIG?
Initial forensic assessment: Attack vector, timeframe, indicators of compromise (IoC)

Phase 3: Containment

Strategy	Application	Example
Short-term	Immediate damage limitation	Isolate network segment, lock account
Long-term	Sustained containment	Take affected system offline, firewall rule
Evidence preservation	Before any remediation	Memory dump, log export, disk image

EVIDENCE PRESERVATION

Always secure forensic evidence before initiating any cleanup or remediation measures. Evidence is critical for root cause analysis, regulatory reporting and potential law enforcement involvement.

Phase 4: Eradication and Recovery

Step	Description
Eliminate root cause	Remove malware, deactivate compromised accounts, patch vulnerability
Clean systems	Reinstall or verified restore from clean backup
Rotate credentials	All potentially compromised passwords, API keys, certificates
Verify integrity	Confirm system integrity before returning to production
Enhance monitoring	Increased surveillance for 30 days after recovery

Phase 5: Post-Incident

Activity	Deadline	Responsible
Post-mortem meeting	Within 5 business days	CISO
Root cause analysis	Within 10 business days	CISO + IT
Lessons learned document	Within 15 business days	CISO
Action plan	Within 20 business days	CISO + Executive Management
Risk analysis update	Within 30 days	CISO

Playbooks

Predefined response playbooks exist for the most common scenarios:

Scenario	Immediate Actions	Escalation
Ransomware	Network isolation, verify backup integrity, DO NOT pay ransom	Immediately: CISO + Exec. Management + law enforcement if applicable
Data leak	Close access path, determine scope, assess GDPR reporting	Immediately: CISO + Exec. Management + DPO
Phishing (successful)	Lock account, reset password, verify MFA	< 1h: CISO
DDoS	Activate CDN/WAF, contact upstream provider	Immediately: IT Ops + CISO
Supply chain compromise	Isolate affected component, review SBOM	Immediately: CISO + Development

CRA & AI Act Synergies

BAUER GROUP — Mon, 23 Mar 2026 23:52:26 GMT

CRA & AI Act Synergies

Fundamental Principle

The BAUER GROUP is subject to three complementary EU cybersecurity regulations. To avoid duplication of effort and minimize internal compliance overhead, synergies are leveraged systematically: existing processes from CRA and AI Act compliance are referenced for NIS2 purposes, not duplicated.

Synergy Overview

NIS2 Measure (§30)	CRA Coverage	AI Act Coverage	NIS2-Specific
No. 1 – Risk management	Partial (product-related, Art. 10)	Art. 9 (AI risk management)	ISMS, organizational risk analysis
No. 2 – Incident management	Art. 14 (product vulnerabilities)	—	Operational incidents, §32 reporting
No. 3 – Business continuity	—	—	Entirely NIS2-specific
No. 4 – Supply chain	Art. 10(4), Annex I Part II No. 1	—	Vendor assessment
No. 5 – Vulnerabilities	Art. 10(6), Art. 11 (product CVEs)	—	Infrastructure CVEs
No. 6 – Effectiveness	—	—	Entirely NIS2-specific
No. 7 – Training	—	Art. 4 (AI Literacy)	Cyber hygiene, BSIG-specific
No. 8 – Cryptography	Annex I Part II (product encryption)	Art. 15 (AI cybersecurity)	Infrastructure encryption
No. 9 – Access control	—	Art. 14 (human oversight)	Personnel security, MFA
No. 10 – Secure communication	—	—	Entirely NIS2-specific

Detailed Synergies

Vulnerability Management (No. 5)

Aspect	CRA Process	NIS2 Supplement
CVE monitoring	CRA: Trivy + Grype + OSV-Scanner	Infrastructure scanners (network, servers)
SBOM	CRA: CycloneDX generation + Cosign signing	Reference to CRA SBOM
Patch management	CRA: product updates	NIS2: infrastructure patches (OS, firmware)
Disclosure	CRA: ENISA reporting	NIS2: BSI reporting

Reporting Obligations (No. 2 / §32)

Aspect	CRA (Art. 14)	NIS2 (§32 BSIG)
Trigger	Actively exploited vulnerability in products	Significant security incident in operations
Early warning	24 hours to ENISA	24 hours to BSI
Detailed report	72 hours	72 hours
Final report	14 days	1 month
Reporting authority	ENISA Single Reporting Platform	BSI reporting platform

PARALLEL REPORTING OBLIGATIONS

An incident may trigger both reporting obligations. The shared initial assessment process automatically determines whether a CRA and/or NIS2 report is required. The templates are designed to be compatible.

Supply Chain (No. 4)

Aspect	CRA Process	NIS2 Supplement
Software dependencies	CRA: Dependency Policy + SBOM	Reference to CRA
Service providers	—	NIS2: hosting, cloud, support partners
Audit rights	CRA: supplier audits	NIS2: service provider audits

Effort Optimization

Through consistent use of existing CRA groundwork, the NIS2-specific additional effort is reduced to:

Area	Effort without Synergies	Effort with Synergies	Savings
Vulnerability management	Full build-out	Infrastructure supplement only	~60%
Incident response	Full build-out	Operational incidents + §32 only	~40%
Supply chain	Full build-out	Vendor assessment only	~50%
Training	Full build-out	Reference AI Literacy (Art. 4)	~20%

Asset Inventory

BAUER GROUP — Mon, 23 Mar 2026 23:52:26 GMT

Asset Inventory

Purpose

The asset inventory records all information technology systems, components and processes of the BAUER GROUP. It provides the foundation for risk analysis and enables the assignment of protective measures to specific assets.

Asset Categories

Server Systems

Attribute	Description
Hostname / ID	Unique identification
Type	Physical / Virtual / Container
Location	Data center, provider
Operating system	Including version and patch level
Purpose	Production, staging, backup
Responsible	Assigned administrator
Protection requirement	Normal / High / Very High

Network Components

Firewalls with ruleset version and last review date
Switches and routers with firmware version
VPN gateways and access points
DNS servers and load balancers

Applications

Attribute	Description
Name / Version	Application with current version
Type	In-house development / Third-party / SaaS
License	License type and expiry date
Support	Support status and contact
Data classification	Which data classes are processed
Dependencies	Other systems, libraries, APIs

Cloud Services

Provider with location and legal jurisdiction
Contract term and SLAs
Data classification of stored data
Exit strategy and data portability

Data Assets

Classification	Storage Location	Backup	Encryption
Public	Any	Optional	Optional
Internal	Access-controlled	Yes	In transit
Confidential	Access-controlled + encrypted	Yes + encrypted	At rest + in transit
Strictly Confidential	Isolated + encrypted	Yes + encrypted + offsite	At rest + in transit + audit

Maintenance Schedule

Activity	Interval
Inventory update	Upon every change (deployment, decommissioning)
Completeness check	Semi-annually
Protection requirement assessment	Annually or upon change
Responsibility review	Upon personnel change

Information Security Policy

BAUER GROUP — Mon, 23 Mar 2026 23:52:26 GMT

Information Security Policy

Purpose

The Information Security Policy defines the framework for protecting all information technology systems, components and processes of the BAUER GROUP. It serves as the overarching directive of the ISMS and is approved by executive management.

Protection Goals

Protection Goal	Definition	Measures
Confidentiality	Information is accessible only to authorized persons	Access control, encryption, classification
Integrity	Information is complete and unaltered	Hash verification, versioning, change control
Availability	Systems and data are accessible when needed	Redundancy, backup, monitoring
Authenticity	Identity of users and systems is verified	MFA, certificates, digital signatures

Scope

The Information Security Policy applies to:

All employees, executive management and external service providers with system access
All information technology systems operated in-house and by third parties
All locations and remote workplaces
All phases of the information lifecycle (creation, processing, storage, deletion)

Responsibilities

Role	Responsibility
Executive Management	Approval of the policy, provision of resources (§38 BSIG)
CISO	Development, maintenance and monitoring of compliance
IT Management	Technical implementation of requirements
All Employees	Adherence to policies, reporting of violations

§38 BSIG – MANAGEMENT OBLIGATIONS

Executive management must approve cybersecurity risk management measures and oversee their implementation. They are personally liable for breaches and are required to undergo regular cybersecurity training.

Review Cycle

Activity	Interval	Responsible
Policy review	Annually	CISO + Executive Management
Event-driven review	Upon significant changes or incidents	CISO
Approval	After each review	Executive Management
Communication	After approval to all employees	CISO

Classification Schema

Level	Description	Examples	Measures
Public	No restrictions	Marketing materials, published documentation	No special measures
Internal	For BAUER GROUP employees only	Internal processes, organization charts	Access control
Confidential	Business-critical, restricted access	Customer data, contracts, credentials	Encryption + access control
Strictly Confidential	Highest protection level	Key material, security architecture	Encryption + need-to-know + audit trail

Risk Analysis

BAUER GROUP — Mon, 23 Mar 2026 23:52:26 GMT

Risk Analysis

Methodology

The risk analysis follows a structured process, aligned with ISO 27005 and BSI IT-Grundschutz:

Establish context → Identify risks → Analyze risks → Evaluate risks → Treat risks

Threat Catalog

Category	Threats	Relevance
Cyberattacks	Ransomware, phishing, DDoS, APT, supply chain attack	High
Insider threats	Intentional data theft, negligent misuse	Medium
Technical failure	Hardware failure, software defect, network outage	Medium
Natural events	Power outage, flooding, fire	Low
Third parties	Compromise of a service provider, SaaS outage	Medium

Risk Assessment Matrix

Risks are evaluated by likelihood and impact:

	Low Impact	Medium Impact	High Impact	Very High Impact
Very likely	Medium	High	Critical	Critical
Likely	Low	Medium	High	Critical
Possible	Low	Low	Medium	High
Unlikely	Low	Low	Low	Medium

RISK APPETITE

Risks rated Critical or High require immediate treatment. Medium risks must be addressed within the next review cycle. Low risks are monitored and documented.

Risk Treatment Plan

For each identified risk, the following fields are documented:

Field	Description
Risk ID	Unique identifier
Description	Nature of the risk and affected assets
Assessment	Likelihood x Impact
Treatment option	Avoid / Mitigate / Transfer / Accept
Measure	Specific technical or organizational measure
Responsible	Assigned owner
Deadline	Implementation date
Residual risk	Risk level after implementation of measures
Approval	Executive management approval for risk acceptance

Process Integration

Trigger	Action
Annual review cycle	Complete review of all risks
New system / service provider	Risk analysis prior to go-live
Security incident	Event-driven reassessment of affected risks
Significant change	Risk analysis for architectural or process changes
External threat landscape	Reassessment upon relevant CVEs or advisories

Contractual Security Requirements

BAUER GROUP — Mon, 23 Mar 2026 23:52:26 GMT

Contractual Security Requirements

Mandatory Clauses

Contracts with service providers that have access to BAUER GROUP systems or data must contain the following minimum requirements:

Information Security

Clause	Description
Security standards	Adherence to appropriate technical and organizational measures (state of the art)
Encryption	Encryption of sensitive data at rest and in transit
Access control	Personalized accounts, least-privilege principle, MFA for administrative access
Patch management	Timely remediation of known vulnerabilities

Incident Management

Clause	Description
Reporting obligation	Immediate notification of security incidents (max. 24h)
Cooperation obligation	Support during analysis and remediation
Disclosure obligation	Complete information on scope and impact

§30(2) NO. 4 BSIG – SUPPLY CHAIN SECURITY

NIS2 explicitly requires that security measures in the supply chain are addressed, including security-related aspects concerning the relationship between the entity and its direct suppliers or service providers.

Audit and Inspection Rights

Clause	Description
Audit right	Right to audit security measures (in-house or through third parties)
Certificate submission	Obligation to present current security certifications
Compliance evidence	Annual evidence of adherence to contractual security requirements

Data Handling

Clause	Description
Data storage	Storage location and legal jurisdiction documented
Data deletion	Secure deletion after contract termination, with evidence
Data return	Return of all data in machine-readable format
Subcontractors	Approval required for subcontractors, same security requirements apply

Exit Strategy

Clause	Description
Transition period	Minimum 90 days of migration support
Data export	Complete data export in open formats
Knowledge transfer	Documentation of all relevant configurations and processes
Deletion confirmation	Written confirmation of complete data deletion

Contract Management Schedule

Activity	Interval	Responsible
Contract review	Upon conclusion / renewal	CISO + Procurement
SLA monitoring	Ongoing	IT Operations
Security clause review	Annually for critical service providers	CISO

Vendor Assessment

BAUER GROUP — Mon, 23 Mar 2026 23:52:26 GMT

Vendor Assessment

Assessment Process

Initial Assessment (Prior to Engagement)

Step	Description	Responsible
1. Requirements profile	Define security requirements based on protection needs	Business unit + CISO
2. Information gathering	Obtain security documentation, certifications, references	Procurement
3. Evaluation	Review against scoring criteria	CISO
4. Risk assessment	Determine residual risk, define measures	CISO
5. Decision	Approval or rejection	CISO + Executive Management (for critical vendors)

Scoring Criteria

Criterion	Weight	Scoring Scale
Security certifications (ISO 27001, SOC 2, BSI C5)	25%	0-3 (none / in progress / available / current)
Incident response capability	20%	0-3 (no process / basic / documented / tested)
Location / legal jurisdiction	15%	0-3 (insecure / third country with safeguards / EU / DE)
Contract design	15%	0-3 (standard / customized / audit rights / comprehensive)
Subcontractor transparency	10%	0-3 (no info / list / approval required / contractual)
Track record	15%	0-3 (unknown / < 1 year / 1-3 years / > 3 years)

Minimum scores: 12/18 for standard vendors, 15/18 for critical vendors.

SCORING METHODOLOGY

Each criterion is scored from 0 to 3. The weighted total determines the overall score. Vendors below the minimum threshold must either improve their security posture or be rejected. Exceptions require CISO and executive management approval with documented risk acceptance.

Reassessment Intervals

Vendor Category	Assessment Interval
Critical infrastructure providers	Annually
Cloud and SaaS providers	Annually
Software suppliers	Upon contract renewal
Support partners	Every 2 years
Event-driven	Upon security incident or significant change at the vendor

Vendor Categorization

Category	Definition	Examples	Requirements
Critical	Outage impacts core business	Hosting, primary cloud services	Highest security requirements, annual audit right
Important	Outage impacts individual services	SaaS tools, DNS provider	High requirements, incident reporting obligation
Standard	Outage has low impact	Consulting, maintenance	Basic requirements

Awareness & Cyber Hygiene

BAUER GROUP — Mon, 23 Mar 2026 23:52:26 GMT

Awareness & Cyber Hygiene

Awareness Program

Ongoing Measures

Measure	Description	Interval
Phishing simulation	Realistic phishing emails sent to all employees	Semi-annually
Security advisories	Current warnings for relevant threats (e.g., new phishing wave)	Event-driven
Onboarding briefing	Security induction for new employees	Upon joining
Annual mandatory training	Refresher on all basic topics	Annually

Phishing Simulation

Aspect	Description
Frequency	2x per year
Difficulty level	Varies (basic to advanced)
Evaluation	Click rate, report rate, department comparison
Remedial training	Automatic for employees who clicked
Target click rate	< 5%

Cyber Hygiene Rules

Workplace

Rule	Description
Screen lock	Automatic after 5 minutes of inactivity
Clean desk	No confidential documents left in the open
Removable media	USB drives only with IT approval
Personal devices	No access to corporate data from personal devices without MDM

Passwords & Authentication

Rule	Description
Password manager	Mandatory for all employees
Unique passwords	Each service receives its own password
MFA	Enabled for all external services and admin access
Password sharing	Prohibited -- access only via personalized accounts

Communication

Rule	Description
Suspicious emails	Do not open, do not forward, report to ISO
Confidential data	Transmit only via encrypted channels
Public networks	Use only with VPN
Unknown callers	Never disclose credentials or internal information

Documentation

Evidence	Description	Retention
Training completion	Attendance confirmation per module	Minimum 3 years
Phishing results	Aggregated statistics per campaign	2 years
Onboarding confirmation	Signed security policy acknowledgment	Duration of employment

Training Program

BAUER GROUP — Mon, 23 Mar 2026 23:52:26 GMT

Training Program

Mandatory Training

Basic Training -- All Employees

Module	Content	Duration	Interval
Information Security Fundamentals	Protection goals, data classification, responsibilities	30 min	Annually
Phishing & Social Engineering	Recognition, current attack patterns, reporting channels	30 min	Annually
Password & Access Security	Password managers, MFA, screen locking	20 min	Annually
Incident Reporting	Reporting obligation, channels, contacts, examples	15 min	Annually
Data Protection	Personal data, GDPR fundamentals, data subject rights	20 min	Annually

Total duration: ~2 hours per year

Management Training (§38(3) BSIG)

Content	Description
Current threat landscape	Relevant attacks, trends, industry-specific risks
NIS2/BSIG obligations	§30 measures, §32 reporting obligations, §38 liability
Risk management	Reading and assessing risk analyses, approving measures
Incident escalation	Role of management during incidents, communication decisions

Duration: 2--3 hours per year, delivered by ISO or external trainer

Role-Specific Training

Target Group	Modules	Duration	Interval
IT Administration	Secure configuration, patch processes, log management, hardening	4h	Annually
Software Development	Secure coding, OWASP Top 10, dependency management, code review	4h	Annually
Project Management	Security requirements, risk assessment in projects	2h	Annually
Helpdesk / Support	Social engineering recognition, escalation, data protection	2h	Annually

Training Methods

Method	Application
E-learning	Basic and mandatory training, self-paced
In-person training	Management training, role-specific workshops
Phishing simulation	Practical awareness testing, semi-annually
Security advisories	Current warnings via email during acute threats

Patch Management

BAUER GROUP — Mon, 23 Mar 2026 23:52:26 GMT

Patch Management

Patch Deadlines by Severity

Severity	CVSS	Deadline	Escalation upon Overdue
Critical	>= 9.0	48 hours	Immediately to CISO + Executive Management
High	7.0-8.9	7 days	After 5 days to CISO
Medium	4.0-6.9	30 days	Monthly report
Low	< 4.0	Next release cycle	Quarterly report

Patch Process

Standard Process (Medium / Low)

Vulnerability identified through scanning or CVE monitoring
Assessment and prioritization
Test patch in staging environment
Deploy to production within the deadline
Verification: scan confirms remediation

Emergency Process (Critical / High)

Immediate assessment by IT Ops + CISO
Implement workaround if patch is not immediately available (e.g., WAF rule, network isolation)
Test patch (shortened test phase, parallel if necessary)
Emergency deployment (outside regular maintenance windows permitted)
Verification and documentation

EMERGENCY PATCHING

Critical vulnerabilities (CVSS >= 9.0) must be addressed within 48 hours. If a patch is not available, compensating controls must be implemented immediately and documented. The CISO must approve all emergency patches.

Exception Handling

When a patch cannot be applied within the deadline:

Step	Description
Justification	Documented rationale (technical incompatibility, patch unavailability)
Compensating measure	Workaround, network isolation, enhanced monitoring
Approval	CISO approval required; executive management approval for critical systems
Time limit	Maximum exception duration defined, with review date

Patch Tracking Metrics

Metric	Measurement	Target
Patch compliance rate	Percentage of vulnerabilities patched within deadline	>= 95%
Mean Time to Patch (MTTP)	Average time from CVE publication to patch deployment	Critical: < 48h, High: < 7d
Open critical vulnerabilities	Number of unpatched CVSS >= 9.0 vulnerabilities	0
Exceptions	Number of active patch exceptions	Minimize

Vulnerability Detection & CVE Monitoring

BAUER GROUP — Mon, 23 Mar 2026 23:52:26 GMT

Vulnerability Detection & CVE Monitoring

Scanning Program

Infrastructure Scanning

Method	Tool Category	Interval	Scope
Network scan	Port scanner, service detection	Weekly	All reachable IP ranges
Vulnerability scan	Trivy, OpenVAS or equivalent	Weekly	Servers, containers, network devices
Compliance scan	Configuration audit	Monthly	Hardening guidelines, CIS Benchmarks

Application Scanning

Method	Tool Category	Interval	Scope
SAST (Static Analysis)	Code analysis in CI/CD	On every commit	In-house developments
Dependency scan	Dependabot, Trivy	Continuous (automated)	All software dependencies
Container scan	Trivy	On every build	Docker images

CRA SYNERGY

Product-related vulnerability scanning (SBOM generation, multi-engine scanning with Trivy + Grype + OSV-Scanner) is documented in the CRA Compliance Documentation. NIS2 scanning focuses on infrastructure and operational systems.

CVE Monitoring

Sources

Source	Type	Relevance
NVD (National Vulnerability Database)	CVE database	All deployed products
BSI advisories	Advisories, security notices	Infrastructure and standard software
Vendor advisories	Manufacturer notifications	Deployed products
GitHub Security Advisories	Dependency alerts	Open-source dependencies
CERT-Bund	Warning notices	Critical infrastructure

Assessment Flowchart

CVE published
  → Relevance check: Is the affected product deployed in our environment?
    → Yes: CVSS score + contextual assessment
      → Critical/High: Immediate escalation to IT Ops
      → Medium: Include in patch cycle
      → Low: Next release cycle
    → No: Archive

Vulnerability Tracking

Each identified vulnerability is documented with the following fields:

Field	Description
ID	CVE number or internal ID
Affected system	Hostname, application, component
CVSS score	Original assessment
Contextual assessment	Adjustment for our environment (reachable? exploitable?)
Status	Open / In Progress / Resolved / Accepted
Measure	Patch, workaround, configuration change
Deadline	Per patch management deadlines
Responsible	Assigned administrator or developer

Secure Development

BAUER GROUP — Mon, 23 Mar 2026 23:52:26 GMT

Secure Development

Security in SDLC Phases

Phase	Security Measure	Description
Design	Threat modeling	Identification of attack vectors before implementation
Implementation	Secure coding guidelines	OWASP Top 10, input validation, parameterized queries
Code review	Four-eyes principle	Security-relevant changes require peer review
Test	Automated security tests	SAST, dependency scan in CI/CD
Deployment	Hardening	Least privilege, secure configuration, secrets management
Operations	Monitoring + patching	Log analysis, vulnerability scanning, patch management

CI/CD Security Pipeline

Every commit passes through the following automated checks:

Step	Tool Category	Blocks on Failure
Markdown lint / Code lint	markdownlint, ESLint	Yes
Build	Framework-specific	Yes
Dependency audit	npm audit, Trivy	On high/critical
SAST (if applicable)	Code analysis	On critical

Dependency Management

Measure	Description
Lockfile	All dependencies are versioned and locked (package-lock.json)
Automated updates	Dependabot checks weekly for new versions
Audit	`npm audit` in CI pipeline, blocks on high/critical
Review	New dependencies require justification and review
Minimization	As few dependencies as possible, preferring actively maintained ones

Secrets Management

Requirement	Implementation
No secrets in code	Pre-commit hook checks for patterns (API keys, passwords)
Environment variables	Secrets via environment variables, not in files
CI/CD secrets	Via GitHub Actions Secrets, not in the repository
Rotation	Regular rotation of API keys and service accounts

CRA SYNERGY

The product-related secure development pipeline (SBOM generation, Cosign signing, multi-engine vulnerability scanning) is documented in the CRA Compliance Documentation. NIS2 secure development standards complement CRA requirements by covering infrastructure and operational codebases.

Access Control & Secure Communication

BAUER GROUP — Mon, 23 Mar 2026 23:10:16 GMT

Access Control & Secure Communication

LEGAL BASIS

§30(2) No. 9 BSIG – Personnel security, access control concepts and asset management

§30(2) No. 10 BSIG – Use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communication, and secured emergency communication systems where appropriate

Access Control Principles

Principle	Implementation
Least privilege	Minimum rights per task requirement
Need-to-know	Data access only on business necessity
Separation of duties	Critical operations require multiple persons
Four-eyes principle	Security-relevant changes with review

Authentication

Multi-Factor Authentication (MFA)

MFA is mandatory for:

All external access (VPN, web portals)
Administrative system access
Cloud services and SaaS applications
Email access

Preferred MFA methods: hardware tokens (FIDO2/WebAuthn), authenticator app (TOTP). SMS-based MFA is not permitted.

Server Access

SSH with key-based authentication (Ed25519)
Password-based SSH login disabled
Root login disabled, access only via personalized accounts

Password Management

Requirement	Minimum Standard
Minimum length	16 characters (passphrase recommended)
Password manager	Mandatory for all employees
Password reuse	Prohibited
Compromised passwords	Automatic check against known-breach lists

On-/Offboarding

Process	Measure	Deadline
Onboarding	Set up personalized accounts, MFA setup, basic training	Before first working day
Role change	Adjust permissions, review old rights	Within 5 business days
Offboarding	Deactivate all access, return hardware, key rotation	On last working day

Secure Communication

Communication Channels

Channel	Security	Use
Email	TLS transport encryption, SPF/DKIM/DMARC	Standard business communication
Encrypted messenger	End-to-end encryption	Sensitive internal communication
Video conferencing	TLS-encrypted, access controls	Meetings, customer calls
VPN	IPsec/WireGuard	Remote access to internal systems

Email Security

SPF – Sender Policy Framework configured for all domains
DKIM – DomainKeys Identified Mail for signature verification
DMARC – Domain-based Message Authentication, Reporting and Conformance (policy: reject)

Emergency Communication

Predefined fallback communication channels (phone, alternative messenger)
Current contact lists of key personnel available offline
Regular verification of reachability

Business Continuity

BAUER GROUP — Mon, 23 Mar 2026 23:10:16 GMT

Business Continuity

LEGAL BASIS

§30(2) No. 3 BSIG – Business continuity, including backup management and disaster recovery, and crisis management

Backup Strategy

BAUER GROUP applies the 3-2-1 rule:

Principle	Implementation
3 copies	Production data + 2 backups
2 different media	Local storage + cloud/offsite
1 offsite copy	Geographically separated location

Backup Intervals

Data Type	Interval	Retention	Encryption
Databases	Daily (incremental), weekly (full)	90 days	AES-256
Configurations	On change (Git-based)	Unlimited (versioning)	Repository-level
Customer data	Daily	Per contract, min. 30 days	AES-256
Email	Daily	90 days	AES-256

Recovery Objectives

Service	RTO (Recovery Time)	RPO (Recovery Point)
Critical production systems	< 4 hours	< 1 hour
Internal systems	< 24 hours	< 24 hours
Archive / documentation	< 72 hours	< 1 week

Disaster Recovery

Regular restore tests – Quarterly verification of recoverability
Documented recovery procedures per system
Failover systems for business-critical services
Escalation plan with clear responsibilities and communication channels

Crisis Management

In the event of a crisis (e.g. ransomware, total outage):

Activate crisis team (ISO, management, IT lead)
Establish situational awareness and document
Activate communication plan (internal, customers, authorities)
Restore per documented DR plan
Post-incident review with lessons learned and plan adjustment

Compliance Matrix

BAUER GROUP — Mon, 23 Mar 2026 23:10:16 GMT

Compliance Matrix

Complete mapping of all NIS2 requirements to documentation, implementation and synergies.

§30 BSIG – Risk Management Measures

No.	Measure	Documentation	Status
1	Risk analysis and IT security concepts	Risk Management	✅ Implemented
2	Incident handling	Incident Management	✅ Implemented
3	Business continuity / BCM	Business Continuity	✅ Implemented
4	Supply chain security	Supply Chain Security	✅ Implemented
5	Secure acquisition, development, maintenance	Vulnerability Management	✅ Implemented
6	Effectiveness review	Effectiveness Review	✅ Implemented
7	Training & awareness	Training & Awareness	✅ Implemented
8	Cryptography	Cryptography	✅ Implemented
9	Access control & personnel security	Access Control	✅ Implemented
10	MFA & secure communication	Access Control	✅ Implemented

Additional BSIG Obligations

Section	Obligation	Documentation	Status
§32	Reporting obligations	Incident Management	✅ Implemented
§33	Registration obligation	Organizationally implemented	✅ Implemented
§38	Management duties	Governance	✅ Implemented

CRA Synergies

NIS2 Measure	CRA Documentation	Synergy
No. 2 – Incidents	CRA Incident Response	Product incidents via CRA, operational incidents via NIS2
No. 4 – Supply chain	CRA Supply Chain	Software supply chain via CRA, service providers via NIS2
No. 5 – Vulnerabilities	CRA Vulnerability Management	Product CVEs via CRA, infra CVEs via NIS2
No. 5 – SBOM	CRA SBOM & Signing	SBOM generation and signing via CRA

AI Act Synergies

NIS2 Measure	AI Act Reference	Synergy
No. 1 – Risk management	Art. 9 AI Act (risk management)	NIS2 ISMS as foundation for AI risk management
No. 8 – Cryptography	Art. 15 AI Act (cybersecurity)	Cryptography standards also apply to AI systems
No. 9 – Access control	Art. 14 AI Act (human oversight)	Access control as foundation for AI oversight

Cryptography

BAUER GROUP — Mon, 23 Mar 2026 23:10:16 GMT

Cryptography

LEGAL BASIS

§30(2) No. 8 BSIG – Concepts and procedures for the use of cryptography and, where appropriate, encryption

Standards

BAUER GROUP follows BSI (TR-02102) and ISO/IEC 27001 Annex A.10 recommendations:

Area	Standard	Minimum Requirement
Symmetric encryption	AES	AES-256
Asymmetric encryption	RSA / ECDSA	RSA-4096 / ECDSA P-384
Hash functions	SHA-2 / SHA-3	SHA-256+
TLS	TLS 1.2+	TLS 1.3 preferred
Key derivation	PBKDF2 / Argon2	Argon2id preferred

Encryption

Data at Rest

Full disk encryption on all server systems
Database encryption for sensitive data
Backup encryption (AES-256)

Data in Transit

TLS 1.2+ for all external connections, TLS 1.3 preferred
SSH for server administration (Ed25519 keys)
VPN for remote access to internal systems

Key Management

Aspect	Implementation
Key generation	Cryptographically secure random generators
Key storage	Encrypted storage, access control
Key rotation	At least annually for long-term keys
Key destruction	Secure deletion on decommissioning

Certificate Management

Let's Encrypt for public TLS certificates (automated renewal)
Certificate expiry monitoring
Documented processes for certificate renewal and revocation

Effectiveness Review

BAUER GROUP — Mon, 23 Mar 2026 23:10:16 GMT

Effectiveness Review

LEGAL BASIS

§30(2) No. 6 BSIG – Concepts and procedures for assessing the effectiveness of risk management measures in information technology security

Annual Security Review

Review Area	Method	Responsible
Risk analysis	Update of risk assessment	ISO
Incident response	Tabletop exercise / simulation	ISO + IT team
Backup & recovery	Restore test	IT operations
Access control	Authorization audit	ISO
Training	Completion rates and knowledge testing	HR / ISO

KPIs

KPI	Target	Measurement
Patch compliance	≥ 95% within defined deadlines	Monthly
Mean Time to Detect (MTTD)	< 24 hours	Per incident
Mean Time to Respond (MTTR)	< 4 hours (critical)	Per incident
Training completion	100% mandatory training	Annually
Backup restore success rate	100%	Quarterly test

Penetration Tests

External tests – Annually by independent provider
Internal tests – Event-driven for significant changes
Scope – Infrastructure, web applications, internal systems
Result utilization – Findings feed into risk analysis and action planning

PDCA Cycle

Phase	Activity
Plan	Risk analysis, measure planning, training planning
Do	Implementation of measures, operation of security systems
Check	KPI measurement, audits, penetration tests, incident evaluation
Act	Corrective actions, risk analysis adjustment, process improvement

Incident Management

BAUER GROUP — Mon, 23 Mar 2026 23:10:16 GMT

Incident Management

LEGAL BASIS

§30(2) No. 2 BSIG – Incident handling

§32 BSIG – Reporting obligations for significant security incidents

Classification

Level	Criteria	Response Time
Critical	Data loss, complete service outage, active compromise	Immediate
High	Partial outage, access to sensitive data possible, active attack	< 4 hours
Medium	Limited functionality, failed attacks, vulnerability discovered	< 24 hours
Low	Anomaly without direct impact, policy violation without damage	Next business day

Incident Response Process

1. Detection and Reporting

Monitoring systems, log analysis and manual detection
Every employee is obligated to report suspected incidents immediately
Central reporting to the Information Security Officer (ISO)

2. Analysis and Assessment

Classification by severity
Determination of affected systems, data and customers
Assessment: Is this a reportable incident under §32 BSIG?

3. Containment

Immediate isolation of compromised systems
Blocking of affected credentials
Activation of failover systems for service outages
Evidence preservation before remediation

4. Eradication and Recovery

Removal of attack cause (malware, compromised accounts)
Restoration from backups for data loss
Verification of system integrity before return to service
Rotation of all potentially compromised credentials

5. Post-Incident Review

Post-mortem analysis with root cause determination
Documentation and derivation of improvement measures
Update of risk analysis as needed

Escalation Matrix

Level	Initial notification	Escalation	Customer notification
Critical	ISO + Management	Immediate	Without delay
High	ISO	< 1 hour	If affected
Medium	ISO	Regular	Only on impact
Low	IT Team	Next meeting	No

Reporting Obligations per §32 BSIG

Tier	Deadline	Content
Early warning	24 hours	Type of incident, suspicion of unlawful action, cross-border impact
Update	72 hours	Severity, impact, indicators of compromise (IoC)
Final report	1 month	Root cause, measures taken, cross-border impacts

DUAL REPORTING CRA + NIS2

As a CRA manufacturer and NIS2 entity, two separate reporting obligations may be triggered: CRA report to ENISA (24h/72h/14d) and NIS2 report to BSI (24h/72h/1 month). Details in the CRA Documentation.

Introduction

BAUER GROUP — Mon, 23 Mar 2026 23:10:16 GMT

Introduction

This documentation describes the implementation of the NIS 2 Directive (EU) 2022/2555 and the German NIS2 Implementation Act (NIS2UmsuCG) at BAUER GROUP. It covers all ten risk management measures per §30(2) BSIG as well as obligations under §32 (reporting), §33 (registration), and §38 (management duties).

LEGAL BASIS

NIS 2 Directive (EU) 2022/2555 – Measures for a high common level of cybersecurity across the Union.

BSIG §30(1): Essential and important entities are obligated to take appropriate, proportionate and effective technical and organizational measures to avoid disruptions to the availability, integrity, authenticity and confidentiality of information technology systems, components and processes.

Scope

Area	Description
Software Development	Custom B2B software, embedded systems and AI-driven workflows
IT Infrastructure	Server operations, network infrastructure and cloud services
Managed Services	IT services and support for B2B customers
Internal IT	Systems and processes for internal operations

Complementary Documentation

Documentation	Regulation	Focus	URL
NIS2 (this document)	(EU) 2022/2555 / BSIG	Organization & Operations	nis2.docs.bauer-group.com
CRA	(EU) 2024/2847	Products & Software	cra.docs.bauer-group.com
AI Act	(EU) 2024/1689	AI Systems	ai-act.docs.bauer-group.com

Documentation Structure

No.	Chapter	§30 BSIG	Content
1	Introduction	—	Scope, legal framework, structure
2	Risk Management	No. 1	Risk analysis, ISMS, asset inventory
3	Incident Management	No. 2 + §32	Incident response, reporting obligations
4	Business Continuity	No. 3	Backup, disaster recovery, crisis management
5	Supply Chain Security	No. 4	Vendor assessment, security requirements
6	Vulnerability Management	No. 5	Scanning, patch management, secure development
7	Effectiveness Review	No. 6	Security audits, KPIs, penetration testing
8	Training & Awareness	No. 7	Mandatory training, cyber hygiene
9	Cryptography	No. 8	Encryption, key management
10	Access Control	No. 9–10	Authentication, MFA, secure communication
11	Governance	§38	Management duties, governance structure
12	Compliance Matrix	All	Complete requirements mapping

Regulatory Framework

BAUER GROUP — Mon, 23 Mar 2026 23:10:16 GMT

Regulatory Framework

Legal Sources

Legal Source	Status	Relevance
NIS 2 Directive (EU) 2022/2555	In force since 16.01.2023	EU framework directive
NIS2UmsuCG (Omnibus Act)	In force since 06.12.2025	German implementation
BSIG (Revised)	In force since 06.12.2025	Central obligations
Implementing Regulation (EU) 2024/2690	In force	Detailed technical requirements
KRITIS Umbrella Act	Adopted 29.01.2026	Physical resilience

Applicability

The NIS2 Directive distinguishes two categories:

Category	Criteria	Sanctions
Essential entities	Annex I sectors, ≥250 employees or ≥€50M turnover	Up to €10M or 2% of global annual turnover
Important entities	Annex I/II sectors, ≥50 employees or ≥€10M turnover	Up to €7M or 1.4% of global annual turnover

§30 BSIG – Ten Risk Management Measures

No.	Measure	Documentation
1	Risk analysis and information system security concepts	Risk Management
2	Incident handling	Incident Management
3	Business continuity (BCM, backup, disaster recovery, crisis management)	Business Continuity
4	Supply chain security	Supply Chain Security
5	Security in acquisition, development and maintenance	Vulnerability Management
6	Effectiveness assessment concepts and procedures	Effectiveness Review
7	Basic cyber hygiene practices and training	Training & Awareness
8	Cryptography concepts and procedures	Cryptography
9	Personnel security, access control concepts	Access Control
10	Multi-factor authentication, secured communication	Access Control

Additional Obligations

Section	Obligation	Documentation
§32 BSIG	Reporting obligations for significant security incidents	Incident Management
§33 BSIG	Registration obligation with BSI	Organizationally implemented
§38 BSIG	Approval, supervision and training obligations of management	Governance

CRA Synergy

CRA-compliant processes (vulnerability management, incident response, supply chain) largely fulfil the corresponding NIS2 requirements. Details in the CRA Compliance Documentation.

Risk Management

BAUER GROUP — Mon, 23 Mar 2026 23:10:16 GMT

Risk Management

LEGAL BASIS

§30(2) No. 1 BSIG – Concepts relating to risk analysis and information system security

Information Security Policy

BAUER GROUP operates an Information Security Management System (ISMS) covering the protection goals of confidentiality, integrity, availability and authenticity. The information security policy is reviewed and approved annually by management.

Systematic Risk Analysis

Step	Description	Interval
Asset identification	Recording of all critical systems, data and processes	Ongoing
Threat analysis	Identification of relevant threat scenarios	Annually
Vulnerability assessment	Technical and organizational vulnerabilities	Annually + event-driven
Risk assessment	Likelihood × impact	Annually
Risk treatment	Avoid, mitigate, transfer, accept	After assessment

Risk Treatment Options

Option	Description	Application
Avoid	Eliminate the risk source	When economically justifiable
Mitigate	Technical/organizational measures	Standard approach
Transfer	Insurance, outsourcing to qualified provider	For residual risks
Accept	Conscious acceptance with documentation	Only for low residual risk, management approval

Asset Inventory

All IT systems, components and processes are recorded in a central inventory:

Server systems – Physical and virtual servers with location, purpose and owner
Network components – Firewalls, switches, routers with firmware versions
Applications – Custom and third-party software with license and support status
Data assets – Classification by protection need (normal, high, very high)
Cloud services – External services with provider, location and contract status

Standards Orientation

ISO/IEC 27001:2022 – Information security management systems
BSI IT-Grundschutz – Methodological framework for risk analysis
Implementing Regulation (EU) 2024/2690 – Detailed NIS2 technical requirements

Supply Chain Security

BAUER GROUP — Mon, 23 Mar 2026 23:10:16 GMT

Supply Chain Security

LEGAL BASIS

§30(2) No. 4 BSIG – Supply chain security including security-related aspects of the relationships between entities and their direct suppliers or service providers

Vendor Overview

Category	Examples	Risk Assessment
Infrastructure	Hetzner, Netcup (hosting, servers)	High – availability
Cloud services	Object storage, DNS	High – confidentiality
Software suppliers	Third-party libraries, SaaS	Medium – supply chain risk
Support partners	Maintenance, consulting	Low – limited access

Assessment Criteria

Criterion	Description
Security certifications	ISO 27001, SOC 2, BSI C5 or equivalent
Location / jurisdiction	EU jurisdiction preferred, third-country transfers only with guarantees
Incident response capability	Documented process, reporting timelines compatible with §32 BSIG
Contract design	Security requirements, audit rights, termination clauses
Subcontractors	Transparency regarding further subcontractors

Contractual Security Requirements

Contracts with service providers include:

Minimum information security requirements
Obligation to immediately report security incidents
Audit and inspection rights
Data retention and deletion provisions
Exit strategy and data repatriation

Review Cycle

Activity	Interval
Re-assessment of critical providers	Annually
Contract review	On renewal / change
Event-driven review	On security incident or material change

CRA Synergy

Software supply chain management (SBOM, signing, dependency policy) is described in the CRA Supply Chain Documentation. NIS2 supplements this with IT service provider and infrastructure vendor assessment.

Vulnerability Management

BAUER GROUP — Mon, 23 Mar 2026 23:10:16 GMT

Vulnerability Management

LEGAL BASIS

§30(2) No. 5 BSIG – Security measures in acquisition, development and maintenance of IT systems, components and processes, including vulnerability management and disclosure

Vulnerability Detection

Method	Description	Interval
Automated scanning	Infrastructure and application scans	Weekly
CVE monitoring	Monitoring of relevant CVE feeds and advisories	Ongoing
Dependency monitoring	Automated checking of software dependencies (Dependabot, Trivy)	Ongoing
Penetration tests	External and internal tests by qualified testers	Annually

Patch Management

Severity	Deadline	Example
Critical (CVSS ≥ 9.0)	48 hours	Remote code execution, actively exploited
High (CVSS 7.0–8.9)	7 days	Privilege escalation, data leak
Medium (CVSS 4.0–6.9)	30 days	Denial of service, information disclosure
Low (CVSS < 4.0)	Next release cycle	Cosmetic issues, low impact

Secure Development

For custom software:

Security by design – Security requirements from the design phase
Code review – Four-eyes principle for security-relevant changes
Automated tests – Lint, build, security scan in CI/CD pipeline
Dependency pinning – Versioned and verified dependencies

Coordinated Vulnerability Disclosure

Reporting channels for external security researchers documented
Processing timelines for reported vulnerabilities defined
Coordination with discoverers before publication

CRA Synergy

Product-related vulnerability management (SBOM-based CVE monitoring, CycloneDX, Trivy scanning) is described in the CRA Vulnerability Management Documentation. NIS2 supplements this with infrastructure and operational vulnerability management.