diff --git a/src/main/helm/templates/network_policy.yaml b/src/main/helm/templates/network_policy.yaml index a8815da780422e4a3a2f9403625c48a76b20c11f..f79c861df6bbba4c29ed3f7c79c579b86ee0b4a5 100644 --- a/src/main/helm/templates/network_policy.yaml +++ b/src/main/helm/templates/network_policy.yaml @@ -73,13 +73,18 @@ spec: ports: - port: 9000 protocol: TCP +{{- if ((.Values.ozgcloud).bayernid).enabled }} - to: - podSelector: matchLabels: component: bayernid-proxy + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: {{ required "ozgcloud.bayernid.proxy.namespace must be set if bayernid is enabled" (((.Values.ozgcloud).bayernid).proxy).namespace }} ports: - port: 9090 protocol: TCP +{{- end }} - to: - namespaceSelector: matchLabels: diff --git a/src/test/helm/network_policy_test.yaml b/src/test/helm/network_policy_test.yaml index 3280407398331229256ffbc36619650cade77a28..8328e0e7a06f805c964c5fbf7a7ab26c9805aaa9 100644 --- a/src/test/helm/network_policy_test.yaml +++ b/src/test/helm/network_policy_test.yaml @@ -177,10 +177,15 @@ tests: - port: 5353 protocol: TCP - - it: should add egress rule to nachrichten-bayernid-proxy + - it: should add egress rule to nachrichten-bayernid-proxy if bayernid is enabled set: networkPolicy: dnsServerNamespace: test-dns-namespace + ozgcloud: + bayernid: + enabled: true + proxy: + namespace: bayernidProxyNamespace asserts: - contains: path: spec.egress 
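Review bot: In `templates/network_policy.yaml` the added `- namespaceSelector:` is a second entry in the `to` list, and Kubernetes ORs separate peers. The rule therefore allows port 9090 egress to same-namespace pods labelled `component: bayernid-proxy` and also to every pod in the configured proxy namespace, not only the proxy. If only the proxy in that namespace should be reachable, drop the dash so `namespaceSelector:` becomes a sibling key of `podSelector:` within one peer. The label value is also rendered unquoted; appending `| quote` to the `required` expression keeps an all-digit or boolean-looking namespace name a string. Indentation is not recoverable from this view, so confirm the peer structure against the rendered manifest.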
@@ -188,10 +193,43 @@ tests: to: - podSelector: matchLabels: - component: nachrichten-bayernid-proxy + component: bayernid-proxy + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: bayernidProxyNamespace + ports: + - port: 9090 + protocol: TCP + + - it: should not add egress rule to bayernid-proxy if bayernid is disabled + set: + networkPolicy: + dnsServerNamespace: test-dns-namespace + ozgcloud: + bayernid: + enabled: false + asserts: + - notContains: + path: spec.egress + content: + to: + - podSelector: + matchLabels: + component: bayernid-proxy ports: - port: 9090 protocol: TCP + + - it: should throw error if bayernid-proxy is enabled but bayernid namespace is not set + set: + networkPolicy: + dnsServerNamespace: test-dns-namespace + ozgcloud: + bayernid: + enabled: true + asserts: + - failedTemplate: + errorMessage: ozgcloud.bayernid.proxy.namespace must be set if bayernid is enabled - it: add ingress rule by values set:
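Review bot: The `notContains` assertion in the new "bayernid is disabled" test probably cannot fail, because its `content` lists only the `podSelector` peer while the enabled template renders a `to` list with two peers. Assuming helm-unittest compares the whole egress entry, a broken or removed `if` guard would still pass this test. Set `ozgcloud.bayernid.proxy.namespace` in that test too and add the matching `namespaceSelector` peer to `content`, so the assertion targets the rule exactly as it is rendered when enabled. Using a lowercase fixture value instead of `bayernidProxyNamespace` would also keep the test data a valid namespace name.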