Securing industrial control systems is of particular importance under NIS2 – that is, those systems that monitor and control production processes in chemical plants.

NIS2 Directive: Cybersecurity Obligations for the Chemical Industry


The European Union’s NIS2 Directive is fundamentally changing the cybersecurity requirements for the chemical industry. What was long regarded as an IT issue unrelated to the sector is now an operational reality: cyberattacks on industrial facilities are on the rise, and chemical plants are among the declared targets. At the same time, it is evident that risk awareness remains underdeveloped across large parts of the sector – particularly in small and medium-sized companies, which often have neither a designated information security officer nor a structured emergency response plan. The NIS2 Directive sets binding minimum standards in this regard and explicitly brings chemical companies within its scope.

Fundamentally, the Directive distinguishes between two categories of affected facilities: ‘critical’ and ‘important’ facilities. Chemical plants are assigned to one of these categories depending on their size and societal significance. This classification determines the extent of supervision by the responsible authorities as well as the severity of potential sanctions in the event of breaches – including substantial fines for management failing to fulfil their duty of care.

Three-Tier Reporting Requirement as a Key Instrument

Operators of chemical plants are obliged to implement comprehensive security measures and comply with a three-tier reporting requirement for cyber incidents, which replaces the previous single-tier regulation. Within 24 hours of an incident being detected, an initial report must be submitted to the Federal Office for Information Security (BSI) – containing basic information on the nature and scope of the incident as well as initial containment measures. This must be followed, within 72 hours at the latest, by a detailed interim report containing an analysis, the impact on systems and further measures. Finally, a full final report must be submitted within one month of the initial report, documenting the causes, countermeasures and their effectiveness.

This three-stage process has a clear objective: to ensure that authorities are informed at an early stage without burdening the affected organisations with excessive documentation requirements during the active phase of an incident. The phased reporting process allows companies to react quickly initially and provide more detailed information as soon as it becomes available.

Requirements for Technical and Organisational Measures

In addition to the reporting obligation, the NIS2 Directive requires, at an operational level, a formal risk management procedure for the continuous identification and assessment of threats, technical protective measures such as multi-factor authentication, firewalls and regular software updates, as well as emergency and recovery plans. Added to this are targeted staff training sessions on cybersecurity topics and the regular review of both physical and digital infrastructures.

Particular importance is attached to the security of industrial automation systems – that is, those systems that monitor and control production processes in chemical plants. A successful attack at this level can not only cause data loss but also directly jeopardise plant safety. The relevant normative framework for this area is the international IEC 62443 series of standards, which deals with the cybersecurity of industrial automation and control systems and takes a holistic approach for operators, integrators and manufacturers. In addition, the KAS-51 guideline from the Commission for Plant Safety recommends specific protective measures against unauthorised interference – including cyberattacks and extortion attempts.

The German implementing legislation, known as the ‘NIS2 Implementation and Cybersecurity Strengthening Act’, was debated at first reading in the German Bundestag on 11 October 2024 and referred to the Committee on Internal Affairs for further consideration. The Act has now come into force in Germany, following approval by the Bundestag and Bundesrat in November 2025.

Source: Trade journal ‘PROCESS’

Photo: joyfotoliakid

21.04.2026/in Digitalisation, News, Safety
Tom Ruthemann, 2026-04-21
