CAI Technology
Annex II — Important Entities · Manufacturing

⚗️NIS2 for Chemical Industry — deadlines, obligations, fines

The chemical industry falls under NIS2 (Directive (EU) 2022/2555 + Romanian Emergency Ordinance 155/2024). See the Art. 21 obligations, deadlines, maximum fines and compliance roadmap for Annex II below.

Last reviewed: · CAI Technology · Lexnomia + AEGIS team

🎯 Who is covered

Manufacturers, importers, distributors and downstream users of chemical substances operating units classified under Seveso III (upper-tier major-accident hazard) or producing dangerous substances in relevant volumes. Also includes logistics warehouses and chemical transporters.

Examples in Romania

  • Azomures (nitrogen fertilisers)
  • Chimcomplex Borzesti (chlorine, caustic soda)
  • OMV Petrom Petrochemicals
  • RAFO Onesti
  • Solventul (Constanta)
  • Linde Gas Romania

Applicability thresholds

Automatic IMPORTANT-entity status (Annex II) for entities with >50 employees and annual turnover >EUR 10 million. Below-threshold companies may be brought into scope if they produce Seveso class I/II substances or REACH SVHC substances. DNSC may designate entities individually by reasoned decision (Art. 2(2)(b) NIS2).

📅 Regulatory timeline

  1. Directive (EU) 2022/2555 published in the Official Journal of the EU

  2. EU deadline for transposing NIS2 into national law

  3. Romania publishes OUG 155/2024 (partial transposition, behind schedule)

  4. OUG 155/2024 enters into force; DNSC designated as competent authority

  5. First DNSC sectoral guidance for chemicals and Seveso operators

  6. First expected DNSC inspection window for important entities

  7. Cyber Resilience Act (CRA) enters into application — SBOM becomes mandatory

📋 Key obligations

IT-OT segmentation per IEC 62443

effort: high

Networks controlling reactors, valves and dosing systems must be isolated from the corporate IT side through an industrial DMZ. IEC 62443-3-3 requires a minimum Security Level SL2 for Seveso lines and SL3 for high-hazard installations. Patch management cycle: <30 days on HMI/SCADA, <90 days on PLCs where downtime is technically justified. Annual audit by a notified body.

Recommended controls: IEC 62443-3-3 SL2/SL3 · IT/OT network segmentation · Wazuh agents on Windows HMIs · Suricata IDS in the OT DMZ

Business continuity plan (BCP) with defined RTO/RPO

effort: high

For each critical production line: maximum RTO (Recovery Time Objective) of 4-12 hours, maximum RPO (Recovery Point Objective) of 1 hour for process data. Scenarios must cover cyber, fire, flood and supply-chain disruption. Annual testing is mandatory, with a report to the DPO and to DNSC if results reveal critical deficiencies.

Recommended controls: ISO 22301 BCP framework · Immutable offline backup (3-2-1 rule) · Secondary DR site with cold/warm failover

Supply-chain audit and cybersecurity-by-design for OT components

effort: medium

Suppliers of PLCs, DCSs, connected sensors and MES software must be audited against a cybersecurity baseline. An SBOM (Software Bill of Materials) becomes mandatory for new equipment from 2027 (CRA). Contracts must include clauses for supplier incident notification within 24 hours. Asset inventory must be complete, with firmware version tracking.

Recommended controls: SBOM CycloneDX 1.6 · Vendor risk questionnaire · Continuous vulnerability monitoring (CVE feed)
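As an added illustration (not code from CAI Technology or the page), this matches a CycloneDX 1.6 asset inventory against a vulnerability feed and attaches the patch window from the IT-OT obligation above. The SBOM, the feed entries and the CVE-0000-* identifiers are constructed placeholders; the 30/90-day mapping by component type is an assumption for the example.

```python
import json

# Constructed CycloneDX 1.6 inventory for one OT cell (sample data, not a real plant).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX", "specVersion": "1.6", "version": 1,
  "components": [
    {"type": "firmware", "name": "plc-runtime", "version": "4.2.0",
     "supplier": {"name": "ExampleVendor"}},
    {"type": "application", "name": "hmi-visualizer", "version": "7.1.3",
     "supplier": {"name": "ExampleVendor"}},
    {"type": "device", "name": "flow-sensor-gw", "version": "1.0.9",
     "supplier": {"name": "OtherVendor"}}
  ]
}
"""

# Constructed feed entries; the identifiers are placeholders, not real CVEs.
VULN_FEED = [
    {"id": "CVE-0000-0001", "vendor": "ExampleVendor", "product": "plc-runtime",
     "fixed_in": "4.3.0", "severity": "high"},
    {"id": "CVE-0000-0002", "vendor": "ExampleVendor", "product": "hmi-visualizer",
     "fixed_in": "7.1.0", "severity": "critical"},
    {"id": "CVE-0000-0003", "vendor": "OtherVendor", "product": "flow-sensor-gw",
     "fixed_in": "1.1.0", "severity": "medium"},
]

def parse_version(v):
    """Turn '4.2.0' into (4, 2, 0) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def patch_window_days(component_type):
    """Assumed mapping of the page's patch cycle: PLC-side firmware/devices 90 days, HMI/SCADA software 30."""
    return 90 if component_type in ("firmware", "device") else 30

def match_vulnerabilities(sbom_json, feed):
    """Return components whose installed version is older than the version that fixes a feed entry."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    findings = []
    for comp in bom.get("components", []):
        vendor = comp.get("supplier", {}).get("name")
        for vuln in feed:
            if (vuln["vendor"], vuln["product"]) != (vendor, comp["name"]):
                continue
            if parse_version(comp["version"]) < parse_version(vuln["fixed_in"]):
                findings.append({"component": comp["name"], "installed": comp["version"],
                                 "fixed_in": vuln["fixed_in"], "id": vuln["id"],
                                 "severity": vuln["severity"],
                                 "patch_within_days": patch_window_days(comp["type"])})
    return findings
```

Running `match_vulnerabilities(SBOM_JSON, VULN_FEED)` flags the PLC runtime and the sensor gateway; the HMI is already above its fixed version and is not reported.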

Intellectual property protection (formulas, recipes, process parameters)

effort: medium

Industrial espionage is one of the principal threats in the chemicals sector — in 2019, Bayer and BASF publicly confirmed they had been compromised by the Winnti APT, with persistent access for months before detection. Sensitive data (compositions, optimisation parameters, key customer lists) must be encrypted at rest and in transit, with DLP on email and cloud storage, and exceptional-access monitoring (alerts on deviations >3 sigma from baseline). Access must be compartmentalised by operational need, NOT by generic role.

Recommended controls: DLP (Microsoft Purview, Trellix DLP) · AES-256 encryption + post-quantum (CAI-AUTH) · PAM for escalated access · UEBA for anomaly detection
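The exceptional-access rule described above (alert on deviations >3 sigma from baseline), as an added example that is not part of the original page: a per-user daily baseline of reads from a recipe repository is compared with today's count. The access history and user names are constructed sample data.

```python
from statistics import mean, pstdev

# Constructed baseline: daily count of recipe-repository reads per user over two weeks (not real data).
ACCESS_HISTORY = {
    "process.engineer": [12, 15, 11, 14, 13, 12, 16, 14, 13, 15, 14, 13, 12, 15],
    "lab.analyst":      [3, 4, 3, 5, 4, 3, 4, 4, 3, 5, 4, 3, 4, 4],
    "contractor.ext":   [0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0],
}
# Constructed counts for the day being evaluated.
TODAY = {"process.engineer": 17, "lab.analyst": 4, "contractor.ext": 240}

def sigma_deviation(baseline, value):
    """How many population standard deviations `value` sits above the baseline mean.
    A flat baseline (stdev 0) turns any change into an infinite deviation, the conservative choice
    for accounts that normally never touch the data."""
    if len(baseline) < 7:
        raise ValueError("need at least a week of baseline data")
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:
        return float("inf") if value != mu else 0.0
    return (value - mu) / sigma

def find_exceptional_access(history, today, threshold=3.0):
    """Return one alert per user whose count today exceeds the baseline by more than `threshold` sigma."""
    alerts = []
    for user, baseline in history.items():
        count = today.get(user, 0)
        z = sigma_deviation(baseline, count)
        if z > threshold:
            alerts.append({"user": user, "today": count, "sigma": round(z, 1)})
    return alerts
```

The engineer's busier-than-usual day stays under 3 sigma, while the contractor account's burst is far outside its near-zero baseline and raises the only alert.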

Incident notification to DNSC + sectoral authority + ANSPDCP (where personal data is affected)

effort: medium

Preliminary notification within 24 hours (Art. 23(4)(a)) — even before root cause is known. Detailed update within 72 hours, including impact assessment and actions taken. Final report within one month. For critical chemicals, parallel notification to the joint Romanian Seveso authorities — ANPM (National Environmental Protection Agency) + IGSU (General Inspectorate for Emergency Situations) + GNM (National Environmental Guard) per Law 59/2016 Art. 7 — where Seveso substances are affected.

Recommended controls: SIEM with NIS2 Art. 23 rules · Incident response procedure with a clear RACI · Quarterly tabletop exercises

📰 Real incidents, concrete lessons

Norsk Hydro

2019 · Norway (global operations, including primary aluminium production)

Type: LockerGoga ransomware

Impact: EUR 70-90 million in losses, 4-7 days of partial downtime, manual switch-over on critical lines

Lesson: Weak IT/OT network segmentation allowed the ransomware to propagate from corporate IT into OT. Manual fallback procedures preserved operational safety.

BASF + Bayer (coordinated attack)

2019 · Germany

Type: Industrial espionage — Winnti APT

Impact: Persistent access in corporate networks for months, discovered accidentally through a third-party honeypot; both companies publicly confirmed in February 2019.

Lesson: Slow detection without EDR + UEBA + DLP on the baseline. Compartmentalisation by operational need plus exceptional-access monitoring would have reduced time-to-detection from months to days.

Colonial Pipeline (oil/gas — identical vector for chemicals)

2021 · United States

Type: DarkSide ransomware

Impact: Five-day shutdown of the largest pipeline on the US East Coast; ransom of approximately USD 4.4 million paid (partially recovered later by the FBI).

Lesson: A VPN with compromised credentials and no MFA was the initial vector. Hybrid MFA plus post-quantum for remote OT access covers this class of risk.

⚠️ Typical threats

  • Industrial espionage
  • ICS attacks on reactor/process control
  • Disruption of pilot plants

💰 Maximum fines

Maximum EUR 7 million or 1.4% of turnover

📊 Romania compliance status

Azomureș and Chimcomplex are in implementation. The sector overall is at 30-40%.

📚 Adjacent regulations with overlap

Seveso III (Directive 2012/18/EU) · Law 59/2016 (Romania)

Dangerous substances classes I-II; overlap with BCP and incident reporting to ISU (the Romanian Emergency Situations Inspectorate) and the Ministry of Environment. NIS2 adds the cybersecurity layer on top of Seveso safety requirements.

REACH (Regulation 1907/2006) · Directly applicable + Law 349/2007 implementation (Romania)

Registration of chemical substances and submission of toxicological data to ECHA. REACH data is sensitive IP (formulas, manufacturing process) — NIS2 coverage is mandatory.

EU AI Act (Regulation (EU) 2024/1689) · Directly applicable in tranches 2025-2027

Where chemical companies use AI for process control or safety anomaly detection, the systems fall under the high-risk regime (Annex III). Audit trail and transparency are mandatory.

Frequently asked

From what turnover threshold am I obliged under NIS2 as a chemical manufacturer?

Under Art. 2(1) NIS2 + Annex II, you are an IMPORTANT ENTITY automatically if you have >50 employees and >EUR 10 million annual turnover or balance-sheet total >EUR 10 million. Below threshold — only if you produce Seveso class I/II substances or you are a critical supplier to an essential entity (e.g. banking / healthcare). DNSC may designate entities individually by reasoned decision (Art. 2(2)(b)).

We already comply with Seveso III. Do we still need anything for NIS2?

Yes. Seveso III covers SAFETY (accidental risk). NIS2 covers CYBERSECURITY (malicious risk + digital resilience). The overlap is limited to the business continuity plan and incident reporting. NIS2 adds: SOC, vulnerability management, supply-chain audit, annual pentest, cyber training for operational staff. Typically 30-50% additional effort on top of the Seveso baseline.

How much does an initial NIS2 audit cost for a mid-size chemical plant?

Baseline audit (gap analysis + roadmap): EUR 30 000-80 000. Implementation of priority measures (SOC, IT/OT segmentation, BCP): EUR 200 000-800 000 depending on complexity. Annual SOC operation + monitoring + pentest: EUR 60 000-150 000 per year. CAI Technology offers a free audit for companies above 50 employees.

What happens if I miss the 24-hour incident report?

NIS2 Art. 34(4) — maximum fine of EUR 7 000 000 or 1.4% of global annual turnover for important entities (EUR 10 million / 2% for essential entities). In addition, DNSC may impose accessory sanctions: remediation order, mandatory audit at own cost, publication of the sanction. In serious cases, temporary suspension of activity for essential entities (Art. 32(5)).

Can I outsource NIS2 obligations to an MSP/MSSP?

Yes, but legal responsibility remains with the operator. The MSSP contract must cover: explicitly defined SLAs, audit rights, incident-notification clauses within 4-12 hours, 5-year log retention. Your MSSP must itself comply with NIS2 (Annex I — ICT Service Management). Verify their status before signing.

How will DNSC inspections work? At what frequency?

For ESSENTIAL ENTITIES — ex-ante inspection (proactive) plus ad-hoc. Expected frequency: once every 2-3 years on baseline plus ad-hoc post-incident. For IMPORTANT entities — ex-post (reactive) only after indications of non-compliance. DNSC may request documents, interview key personnel and conduct on-site audits. Refusal to cooperate is a separate fine under Art. 34(8).

Are there European funds for NIS2 implementation in the chemical industry?

Yes. Relevant programmes: Digital Europe Programme (cybersecurity axes), European Defence Fund (where you produce dual-use substances), Just Transition Programme (RO, for facilities being reconverted). Plus the PNRR Component C7-Investment 4 call (cyber for critical sectors) — eligibility can be verified with LEXNOMIA.

Are you in the chemical industry sector?

Free NIS2 audit for companies with 50+ employees. We reply within 24 business hours.