
Chemical Industry: The Complete NIS2 Guide

Chemical companies with 50 or more employees or EUR 10 million in annual revenue are in scope under NIS2 Annex II No. 5 (Manufacturing). Operators of facilities with hazardous substances under the Seveso III Directive face a regulatory overlap that requires a coordinated compliance strategy. This guide is written for plant managers, safety officers, and IT managers in the chemical industry.

Who is affected?

Chemical companies (NACE C.20) fall under NIS2 Annex II No. 5 when they reach the size thresholds: at least 50 employees or at least EUR 10 million in annual revenue (EU Recommendation 2003/361/EC Art. 2).

Large chemical groups (BASF, Bayer, Evonik, etc.) are generally Essential Entities under Annex I if their production capacity fulfills critical supply functions. Operators of Seveso III upper-tier establishments are additionally required to conduct safety analyses under § 3 of the 12th BImSchV.

A specialty chemical company with 200 employees, a production facility with hazardous substances, and a laboratory network is clearly subject to NIS2 and is an Important Entity.

Obligations under § 30 BSIG-new

§ 30 BSIG-new requires seven obligation categories that are especially relevant for chemical companies because of the combination of IT, process control, and Seveso safety requirements:

  1. Risk analysis and management: Process control systems (DCS/PLC), laboratory information systems (LIMS), ERP, and customer portal connections must all be assessed. IT systems relevant to hazardous incidents must be treated with priority.
  2. Incident handling: A cyberattack on the process control system is simultaneously an IT security incident (NIS2) and potentially a hazardous incident under BImSchG. Both escalation paths must be coordinated.
  3. Business continuity: Plant shutdowns initiated for IT reasons can be dangerous (exothermic processes, pressure buildup). BCPs must describe safe shutdown procedures and manual control options.
  4. Supply chain security: Suppliers of process control technology, LIMS software, and logistics service providers must be reviewed for security standards.
  5. Access control and MFA: Access to process control systems and corporate networks must be secured by MFA. Maintenance access from equipment manufacturers is particularly critical.
  6. Encryption: Recipe data, research data, and customer data must be encrypted. Patent-critical research results warrant special protection.
  7. Training and awareness: Operations staff, laboratory employees, and administrative personnel must receive regular cybersecurity training.

Deadlines and reporting obligations

BSI registration under § 33 BSIG-new within three months. For security incidents under § 32 BSIG-new: initial report within 24 hours, full report within 72 hours, final report within 30 days.

A cyberattack on the process control system of a chemical plant must be reported to the BSI within 24 hours. At the same time, reporting obligations under § 19 BImSchG (significant accidents) may be triggered.

Fines and personal liability

Important Entity (Annex II): up to EUR 7 million or 1.4% of turnover. Essential Entity (Annex I): up to EUR 10 million or 2% of turnover.

§ 38 BSIG-new: personal liability for management. Combined with environmental liability (UmwHG) and Hazardous Incidents Ordinance sanctions, the risk for managing directors of chemical companies is significant.

Seveso III and NIS2: harmonizing safety concepts instead of duplicating them

The Seveso III Directive (2012/18/EU, transposed as 12th BImSchV) requires operators of facilities with hazardous substances to implement comprehensive safety management systems. The overlap with NIS2 is substantial:

Seveso III Art. 8 requires a "Major Accident Prevention Policy" (MAPP) with systematic hazard analysis. NIS2 § 30 BSIG-new requires a risk analysis for IT systems. Both obligations intersect in chemical companies: IT failures can trigger hazardous incidents, and hazardous incidents can damage IT infrastructure.

Harmonization potential: the MAPP can integrate the NIS2 IT security risk analysis. Emergency plans under Seveso III Art. 12 can encompass NIS2 contingency plans. This avoids duplication and allows building an integrated safety management system.

First steps

  1. Clarify headcount and revenue. Important or Essential Entity?
  2. Check: is the facility subject to Seveso III obligations? If so, conduct a gap analysis between MAPP and NIS2.
  3. Map all IT systems that influence production processes.
  4. Identify all remote maintenance access points for process control technology.
  5. Ensure network segmentation separates the OT network from office IT.
  6. Develop an incident response plan that coordinates NIS2 reporting and BImSchG escalation.
  7. Register with the BSI.

Common pitfalls

NIS2 and Hazardous Incidents Ordinance treated separately: Both frameworks address the safety of chemical facilities. An integrated approach is more efficient and reduces compliance costs.

Process control system treated as a "closed system": Modern DCS and PLC systems are reachable over networks. The path from the office network into the process control system is the most common attack route used against chemical companies.
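The office-to-OT path just described can be watched for in firewall or flow logs. The following is an added example written for this guide, not Kopexa's tooling: it assumes a constructed three-zone model (office IT, a DMZ with jump hosts, the OT network), a constructed allow-list of the only paths permitted into OT, and a constructed flow-record format. With those assumptions it flags every connection entering OT that is not on the allow-list, and separates flows the firewall already blocked (an attempt worth alerting on) from flows it allowed (a gap in the segmentation policy itself).

```python
"""Flag network flows that cross from office IT into the OT zone.

Added example for this guide; not Kopexa's tooling. Zone ranges, the
allow-list and the log format are constructed assumptions.
"""
import ipaddress

# Constructed zone model (assumption): office IT, a DMZ with jump hosts, and the OT network.
ZONES = {
    "office": [ipaddress.ip_network("10.10.0.0/16")],
    "dmz": [ipaddress.ip_network("10.20.0.0/24")],
    "ot": [ipaddress.ip_network("192.168.100.0/24"),
           ipaddress.ip_network("192.168.101.0/24")],
}

# The only paths into OT that the (assumed) segmentation policy permits:
# (source zone, destination port). Anything else reaching OT is a finding.
ALLOWED_INTO_OT = {
    ("dmz", 3389),  # jump host RDP to an engineering workstation
    ("dmz", 4840),  # OPC UA between DMZ historian and OT server
}


def zone_of(ip: str) -> str:
    """Map an IP address to its zone name, or 'unknown' if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "unknown"


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record: '<ts> <src> <dst> <proto> <dport> <ALLOW|DENY>'."""
    ts, src, dst, proto, dport, action = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "action": action}


def check_flows(lines):
    """Return one finding per flow that enters OT outside the allowed paths.

    A flow the firewall already denied is a blocked attempt (worth alerting on);
    an allowed flow is a gap in the segmentation policy itself.
    """
    findings = []
    for line in lines:
        flow = parse_flow(line)
        src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
        if dst_zone != "ot" or src_zone == "ot":
            continue  # only cross-zone traffic entering OT is in scope
        if (src_zone, flow["dport"]) in ALLOWED_INTO_OT:
            continue
        findings.append({
            "ts": flow["ts"],
            "src": flow["src"],
            "src_zone": src_zone,
            "dst": flow["dst"],
            "dport": flow["dport"],
            "severity": "policy_gap" if flow["action"] == "ALLOW" else "blocked_attempt",
        })
    return findings


# Constructed sample flows (not real logs); Modbus/TCP is 502, EtherNet/IP is 44818.
SAMPLE_FLOWS = [
    "2026-04-17T08:00:01Z 10.10.5.23 192.168.100.10 tcp 502 ALLOW",     # office -> PLC
    "2026-04-17T08:00:02Z 10.20.0.5 192.168.100.20 tcp 3389 ALLOW",     # jump host -> EWS
    "2026-04-17T08:00:03Z 10.10.5.23 10.20.0.5 tcp 443 ALLOW",          # office -> DMZ
    "2026-04-17T08:00:04Z 192.168.100.20 192.168.100.10 tcp 502 ALLOW", # intra-OT
    "2026-04-17T08:00:05Z 203.0.113.5 192.168.101.7 tcp 44818 ALLOW",   # unknown -> OT
    "2026-04-17T08:00:06Z 10.10.7.9 192.168.100.10 tcp 22 DENY",        # office -> PLC, blocked
]

if __name__ == "__main__":
    for f in check_flows(SAMPLE_FLOWS):
        print(f"{f['severity']:16} {f['ts']} {f['src']} ({f['src_zone']}) "
              f"-> {f['dst']}:{f['dport']}")
```

Run against the constructed sample, the script reports the office-to-PLC Modbus flow and the flow from an unknown address as policy gaps, and the denied SSH attempt from the office as a blocked attempt; the jump-host RDP session, the office-to-DMZ HTTPS session and the intra-OT traffic produce no findings. Treating "unknown" sources as findings is deliberate: an address the zone model cannot place is exactly the kind of unassessed maintenance access the pitfalls below warn about.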

Patent-critical research data not specially protected: Theft of recipes and research data through industrial espionage is an underestimated risk.

Maintenance access from equipment manufacturers not assessed: External service providers with access to process control technology are critical suppliers under § 30 Para. 2 No. 4 BSIG-new.

Use the industry-specific NIS2 calculator for the chemical industry to determine your obligations.

Authored by

Julian Köhn

Founder & CEO, Kopexa

Julian Köhn is Founder and CEO of Kopexa. He has been building security and compliance solutions for European mid-market companies for over 10 years. Focus areas: NIS2, ISO 27001, GDPR, TISAX. Kopexa was founded to make GRC transparent and self-service for SMEs.

Reviewed by

Kopexa GRC Team

Subject Matter Experts — NIS2, ISO 27001, KRITIS

The Kopexa GRC Team consists of security and compliance experts certified in ISO 27001, CISA, CRISC. The team develops framework mappings and validates content on NIS2, KRITIS, and industry-specific requirements.

Last updated: 2026-04-17
