We already have an SMS under the major-accident regulation. Is that enough?

The safety management system under the 12th BImSchV covers substance safety, not cybersecurity. When a cyber attack can lead to uncontrolled process states, NIS-2 closes the gap. The platform maps both systems together so cyber risks are documented in relation to substance safety.

Who is notified on a cyber incident in process OT?

On a cyber incident with security impact: the BSI within 24 hours. On substance release or process anomaly: the competent environmental authority under the major-accident regulation. For pharmaceutical actives possibly BfArM. The reporting logic needs clear triage at the start of the incident.

How do we handle recipes and process know-how?

Recipes and process IP are business-critical data with highest confidentiality. NIS-2 requires adequate encryption and access control. In practice: separate key sovereignty, need-to-know access, documented data flows to suppliers and customers.

What if we have multiple plants in different countries?

Multi-country rollout typically 16 to 26 weeks, depending on plant count and sector-specific local obligations (e.g. NIS-2 vs national implementations in other EU states). The platform supports multi-country with consolidated group reporting.

Do we have to treat all labs identically?

No. Lab automation usually has lower protection needs than production-process OT. The platform supports differentiated protection assessment. Important is documentation of the assessment, not one-size-fits-all.

NIS-2 for chemicals

Chemicals are Annex II. Plus major-accident regulation. Plus SEVESO.

Annex II of the German NIS-2 implementation act covers chemicals as an important entity. From 50 employees and 10 million euros revenue, the obligations apply. For operations with hazardous substances, the German major-accident regulation and SEVESO III directive add up. The Cybervize platform covers ISMS, OT assessment and supplier risk in one solution.

Book the NIS-2 risk check

Cybervize Platform maturity report per ISO 27001 as evidence of cross-industry consulting expertise

What NIS-2 means in practice for the chemical industry

Chemical companies with significant production or distribution size fall under NIS-2 Annex II as „important entity"; SEVESO / major-accident regulation applies additionally only to plants exceeding specific quantity thresholds for hazardous substances. Four consequences of this classification for chemical companies. Sector alone is not enough: classification additionally depends on size thresholds and concrete activity. The legally binding evaluation remains a matter for specialised counsel.

01 · Scope

Important entity, same ten minimum measures

Annex II means lower sanctions than Annex I, but the same obligations across the ten minimum measures per §30 of the German NIS-2 implementation act. On incidents, the BSI supervision kicks in reactively.

02 · Scope

OT process control systems in scope

Process control systems, MES, batch controllers and lab automation are part of the cybersecurity scope. A cyber incident in process OT can become a safety incident under the major-accident regulation.

03 · Scope

Major-accident regulation and SEVESO as interface

Whoever falls under the German major-accident regulation (12th BImSchV) or the SEVESO III directive has a safety management system (SMS) for hazardous substances. Cyber incidents that can lead to substance releases are double-reportable.

04 · Scope

Supply chain risk with concentration

Chemical supply chains often have single-source risks for precursors, specialty gases, catalysts. NIS-2 mandates supply-chain risk assessment. Plus supplier audits by customers in the pharmaceutical sector.

Five minimum measures with chemical examples

Five NIS-2 minimum measures per §30, translated for chemical practice.

Risk analysis with process-OT focus

Risk register that separates process control systems, MES and lab IT but ties them together. Cyber risks with impact on substance safety classified separately.

Security in procurement and maintenance of process equipment

Procurement process for new process control systems with security requirements, patch management with planned shutdown windows, remote maintenance documented and segmented.

Multi-track incident response

Incident response plan with three escalation paths: NIS-2 cyber incident to the BSI, major accident to environmental and occupational safety authorities, possibly pharma authorities for pharmaceutical actives.

Business continuity for production outages

BCM for plant outages with chemical safety as the top priority (safe plant state before availability). RTO and RPO per production asset documented.

Cryptography for process recipes

Recipes, batch data and process know-how encrypted at rest and in transit. Key management central. Access rights on a need-to-know basis.

Cybervize building blocks for the chemical industry

The Cybervize platform covers ISMS, BCM, assessment and supplier risk in one solution. For chemicals, OT modules and interfaces to SEVESO requirements are additionally relevant.

Service 01

NIS-2 risk check

Free 30-minute initial call with an indicative NIS-2 classification, top-5 gaps and a path recommendation.

Learn more Service 02

Cybervize platform

ISMS, compliance and evidence from a single platform. Multi-entity, multi-country, AI-supported.

Learn more Service 03

Virtual CISO

Platform plus permanent CISO function. For organisations without an in-house CISO.

Learn more Service 04

NIS-2 onboarding project

Gap assessment, roadmap, implementation via the platform. Fixed price from 4,500 euros.

Learn more

Self-check available

NIS-2 maturity check: 30 questions, 10 §30 BSIG measures, instant traffic light

Free, no signup, around 5 minutes. Detailed evaluation by email if desired.

Start the check

Why Cybervize fits the chemical industry

Industry experience in manufacturing including chemicals and pharma from 25 years of ISMS practice at PwC, Deloitte and KPMG. Methodology built for audit acceptance towards the BSI, occupational-safety authority and environmental regulators.

Process OT: control system and MES experience
Multi-site: group-wide rollout
NIS-2 + SEVESO: interface documented
25+: years of Big-Four ISMS

Frequently asked questions from the chemical industry

Classify NIS-2 for chemicals in 30 minutes

Free risk check with indicative NIS-2 classification, major-accident interface and path recommendation. Ideally with IT security and production leadership present.

Book the NIS-2 risk check

Memberships, programmes and partnerships

Content last reviewed: May 18, 2026

Chemicals are Annex II. Plus major-accident regulation. Plus SEVESO.

Book the NIS-2 risk check

What NIS-2 means in practice for the chemical industry

Chemicals are Annex II. Plus major-accident regulation. Plus SEVESO.

What NIS-2 means in practice for the chemical industry