Cybersecurity Risk Management and Strategy Disclosure
|12 Months Ended
Dec. 31, 2024
|Cybersecurity Risk Management, Strategy, and Governance [Line Items]
|Cybersecurity Risk Management Processes for Assessing, Identifying, and Managing Threats [Text Block]
|Our cybersecurity approach strives to adequately protect our information, systems, assets, physical locations,
and people. From a business perspective, this means protecting key information assets and complying with
applicable international and national privacy laws, information security policies and contractual obligations.
Our Information Security Policy, adopted in 2023, defines our information security management objectives and
principles, and our Data Privacy Policy, effective since 2021, provides for a consistent level of company-wide
data privacy and data protection. In addition, our Information Classification Policy, introduced internally during
the year ended December 31, 2023, provides a system for classifying and protecting our physical and digital
assets. These policies are applicable to BioNTech SE and its affiliates, including all Supervisory Board and
Management Board members, as well as all other officers and employees, and are part of our overall Information
Security Management System, or ISMS, that became effective in 2024 as part of the preparation for the ISO
27001 certification, which is expected to be completed in the first quarter of 2025.
The ISMS enables us to systematically manage information security through defined processes and structures.
This helps to reduce the risks of business interruptions, disclosure of sensitive data or intellectual property, and
other damages caused by IT security incidents. Additionally, as an operator of an essential service, we are
regulated by the IT Security Act and must comply with legislative requirements, including the implementation of
security measures to reduce the information security risks.
We aim to prevent the implementation of overly complicated and time-consuming procedures that may lead to an
unnecessary increase in effort. We are striving to align the protection of data and the provision of essential
service with our organizational context and economic approach. We aim to create an ISMS that is not limited to
documentation but is fully integrated into daily practice.
Our processes for assessing, identifying, and managing material risks from cybersecurity threats are integrated
into our overall enterprise risk management system, which was developed with input from internal and external
experts.
To achieve and preserve information security, we strive for the orderly planning, implementation, control, and
optimization of all activities required for the protection of data privacy and the detection, response and recovery
of data privacy risks. We are committed to the continual improvement of our ISMS based on the results of the
performance evaluation. We will initially seek certifications for our main manufacturing facility and an R&D site in
addition to the cybersecurity organization.
We take responsibility for the transparent communication and proper processing of personal data. This includes
the storage, access, retention, and security of all personal data when engaging with patients, employees,
customers, business partners, and vendors. We communicate our practices in a data privacy statement on our
corporate website. We require the third parties with which we contract to adhere to contractual privacy and
security provisions, and we request specific information from major vendors about their practices in protecting
data privacy.
When processing personal data, we are responsible for ensuring that we comply with applicable data protection
laws. These include the European Union’s General Data Protection Regulation (GDPR), the German
Commercial Code (HGB), the German Federal Data Protection Act (BDSG), the German IT Security Act 2.0 (IT-
SiG 2.0), the German Federal Office for Information Security Act (BSIG), and other privacy and data security
laws in the jurisdictions where we operate. In April 2023, we were designated as a part of Germany’s critical
infrastructure (KRITIS) under the BSIG, which has resulted in heightened reporting and verification obligations.
We are in the process of implementing a global data privacy framework that sets out the requirements and
standards applicable to processing personal data. The framework is being designed to foster compliance with
the applicable regulations and sets minimum standards for the Company. As part of our global strategy, privacy-
related documents, such as informed consent forms for clinical trials, are being standardized company-wide. The
forms facilitate the user-friendly implementation of the standards we have established and provide transparency
on how and why we process personal data.
In 2024, there were no substantiated complaints concerning material data breaches, including leaks, thefts, or
losses of personal data such as patient or customer data. Contracts and confidentiality agreements with clinical
trial sites were compliant with relevant regulations. We do not believe that any cybersecurity threats in 2024,
including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to
materially affect us, including our business strategy, results of operations, or financial condition. For a discussion
of cybersecurity and data privacy-related risks and uncertainties, see Item 3.D, “Risk Factors,” of this Annual
Report on Form 20-F.
|Cybersecurity Risk Management Processes Integrated [Flag]
|true
|Cybersecurity Risk Management Processes Integrated [Text Block]
|Our Information Security Policy, adopted in 2023, defines our information security management objectives and
principles, and our Data Privacy Policy, effective since 2021, provides for a consistent level of company-wide
data privacy and data protection. In addition, our Information Classification Policy, introduced internally during
the year ended December 31, 2023, provides a system for classifying and protecting our physical and digital
assets. These policies are applicable to BioNTech SE and its affiliates, including all Supervisory Board and
Management Board members, as well as all other officers and employees, and are part of our overall Information
Security Management System, or ISMS, that became effective in 2024 as part of the preparation for the ISO
27001 certification, which is expected to be completed in the first quarter of 2025.
|Cybersecurity Risk Management Third Party Engaged [Flag]
|true
|Cybersecurity Risk Third Party Oversight and Identification Processes [Flag]
|true
|Cybersecurity Risk Materially Affected or Reasonably Likely to Materially Affect Registrant [Flag]
|false
|Cybersecurity Risk Board of Directors Oversight [Text Block]
|We take a centralized approach to managing cyber and information security to facilitate consistent compliance
across entities and locations. Our overarching strategy was developed in 2021 by the Chief Operating Officer, or
COO, and Chief Information Security Officer, or CISO, in alignment with the Data Protection Officer and Head of
Global Security and Protection, and is regularly updated. The ISMS was implemented in 2024.
•The ISMS audit committee (the Committee) is comprised of three people from the supervisory board and
the CFO. The Committee supports the ISMS and approves related policies and IT security protection
measures. They are informed about the implementation progress and functioning of the ISMS and
determine the risk appetite as well as our risk strategy. The progress of the ISMS, along with related Key
Performance Indicators, is presented to the Committee on an annual basis. The Committee also informs
the entire Management Board about the outcome of its review.
|Cybersecurity Risk Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our COO and Management Board member, Sierk Poetting, is responsible for assessing and managing our
material risks from cybersecurity threats. His ambit includes reviewing our information security capabilities,
reporting data privacy issues to the Management Board, and supporting our Information Security Organization,
or ISO, in obtaining the resources it needs. The COO’s extensive experience in risk management, operations
and corporate governance, with over 11 years of experience in the pharmaceutical industry in particular, is
critical to the management of cyber and information security at the Company.
|Cybersecurity Risk Process for Informing Board Committee or Subcommittee Responsible for Oversight [Text Block]
|Our COO and Management Board member, Sierk Poetting, is responsible for assessing and managing our
material risks from cybersecurity threats. His ambit includes reviewing our information security capabilities,
reporting data privacy issues to the Management Board, and supporting our Information Security Organization,
or ISO, in obtaining the resources it needs. The COO’s extensive experience in risk management, operations
and corporate governance, with over 11 years of experience in the pharmaceutical industry in particular, is
critical to the management of cyber and information security at the Company.
•The COO is supported by the CISO, who leads the ISO and is accountable for security strategy,
operations, and policy development and implementation. Our CISO, Raimond Jähn, was the department
lead of our IT security team starting in 2016, has led the cyber and information security transformation
program towards a new operating model since 2021, and was formally designated as CISO by the COO
in 2023. Our Head of Cyber and Information Security, Data Protection Officer, and Head of Global
Security and Protection each bring in additional expertise.
•Data privacy matters fall under the purview of our Chief Legal Officer, or CLO, and Management Board
member, James Ryan, who is supported by our Senior Director, Data Privacy. Dr. Ryan’s qualifications
include close to twenty years of expertise in legal and intellectual property matters, both within the
pharmaceutical industry as well as an outside counsel with a focus on strategic life sciences
transactions. Together with his deep familiarity with the Company’s history, operations, and processes,
James Ryan is uniquely positioned to advise on data privacy matters.
|Cybersecurity Risk Role of Management [Text Block]
|We take a centralized approach to managing cyber and information security to facilitate consistent compliance
across entities and locations. Our overarching strategy was developed in 2021 by the Chief Operating Officer, or
COO, and Chief Information Security Officer, or CISO, in alignment with the Data Protection Officer and Head of
Global Security and Protection, and is regularly updated. The ISMS was implemented in 2024.
•The ISMS audit committee (the Committee) is comprised of three people from the supervisory board and
the CFO. The Committee supports the ISMS and approves related policies and IT security protection
measures. They are informed about the implementation progress and functioning of the ISMS and
determine the risk appetite as well as our risk strategy. The progress of the ISMS, along with related Key
Performance Indicators, is presented to the Committee on an annual basis. The Committee also informs
the entire Management Board about the outcome of its review.
Our COO and Management Board member, Sierk Poetting, is responsible for assessing and managing our
material risks from cybersecurity threats. His ambit includes reviewing our information security capabilities,
reporting data privacy issues to the Management Board, and supporting our Information Security Organization,
or ISO, in obtaining the resources it needs. The COO’s extensive experience in risk management, operations
and corporate governance, with over 11 years of experience in the pharmaceutical industry in particular, is
critical to the management of cyber and information security at the Company.
•The COO is supported by the CISO, who leads the ISO and is accountable for security strategy,
operations, and policy development and implementation. Our CISO, Raimond Jähn, was the department
lead of our IT security team starting in 2016, has led the cyber and information security transformation
program towards a new operating model since 2021, and was formally designated as CISO by the COO
in 2023. Our Head of Cyber and Information Security, Data Protection Officer, and Head of Global
Security and Protection each bring in additional expertise.
•Data privacy matters fall under the purview of our Chief Legal Officer, or CLO, and Management Board
member, James Ryan, who is supported by our Senior Director, Data Privacy. Dr. Ryan’s qualifications
include close to twenty years of expertise in legal and intellectual property matters, both within the
pharmaceutical industry as well as an outside counsel with a focus on strategic life sciences
transactions. Together with his deep familiarity with the Company’s history, operations, and processes,
James Ryan is uniquely positioned to advise on data privacy matters.
For additional information on Sierk Poetting’s and James Ryan’s experience, see Item 6.A, “Directors and Senior
Management”.
|Cybersecurity Risk Management Positions or Committees Responsible [Flag]
|true
|Cybersecurity Risk Management Positions or Committees Responsible [Text Block]
|The ISMS audit committee (the Committee) is comprised of three people from the supervisory board and
the CFO. The Committee supports the ISMS and approves related policies and IT security protection
measures. They are informed about the implementation progress and functioning of the ISMS and
determine the risk appetite as well as our risk strategy. The progress of the ISMS, along with related Key
Performance Indicators, is presented to the Committee on an annual basis. The Committee also informs
the entire Management Board about the outcome of its review.
Our COO and Management Board member, Sierk Poetting, is responsible for assessing and managing our
material risks from cybersecurity threats. His ambit includes reviewing our information security capabilities,
reporting data privacy issues to the Management Board, and supporting our Information Security Organization,
or ISO, in obtaining the resources it needs. The COO’s extensive experience in risk management, operations
and corporate governance, with over 11 years of experience in the pharmaceutical industry in particular, is
critical to the management of cyber and information security at the Company.
•The COO is supported by the CISO, who leads the ISO and is accountable for security strategy,
operations, and policy development and implementation. Our CISO, Raimond Jähn, was the department
lead of our IT security team starting in 2016, has led the cyber and information security transformation
program towards a new operating model since 2021, and was formally designated as CISO by the COO
in 2023. Our Head of Cyber and Information Security, Data Protection Officer, and Head of Global
Security and Protection each bring in additional expertise.
|Cybersecurity Risk Management Expertise of Management Responsible [Text Block]
|The COO is supported by the CISO, who leads the ISO and is accountable for security strategy,
operations, and policy development and implementation. Our CISO, Raimond Jähn, was the department
lead of our IT security team starting in 2016, has led the cyber and information security transformation
program towards a new operating model since 2021, and was formally designated as CISO by the COO
in 2023. Our Head of Cyber and Information Security, Data Protection Officer, and Head of Global
Security and Protection each bring in additional expertise.
•Data privacy matters fall under the purview of our Chief Legal Officer, or CLO, and Management Board
member, James Ryan, who is supported by our Senior Director, Data Privacy. Dr. Ryan’s qualifications
include close to twenty years of expertise in legal and intellectual property matters, both within the
pharmaceutical industry as well as an outside counsel with a focus on strategic life sciences
transactions. Together with his deep familiarity with the Company’s history, operations, and processes,
James Ryan is uniquely positioned to advise on data privacy matters.
|Cybersecurity Risk Process for Informing Management or Committees Responsible [Text Block]
|Our COO and Management Board member, Sierk Poetting, is responsible for assessing and managing our
material risks from cybersecurity threats. His ambit includes reviewing our information security capabilities,
reporting data privacy issues to the Management Board, and supporting our Information Security Organization,
or ISO, in obtaining the resources it needs. The COO’s extensive experience in risk management, operations
and corporate governance, with over 11 years of experience in the pharmaceutical industry in particular, is
critical to the management of cyber and information security at the Company.
|Cybersecurity Risk Management Positions or Committees Responsible Report to Board [Flag]
|true