Process Safety Incident or NIS2 Cyber Breach? The Art.23 Classification Decision Chemicals CISOs Get Wrong
In August 2017, an unnamed Saudi Arabian petrochemical facility experienced what its process engineers initially classified as a safety system malfunction. The Triconex Safety Instrumented System tripped unexpectedly — twice. The investigation that followed revealed something unprecedented: malware, later named Triton, had been deployed inside the plant specifically to disable its safety systems and enable a catastrophic physical incident [4].
That investigation ran under no NIS2 obligation — the directive did not exist yet. But the classification failure it exposed — treating a cyber-induced safety event as a mechanical malfunction — is precisely the gap NIS2 Article 21(2)(b) is designed to close, and Article 23 is designed to detect [2].
Chemical manufacturers operating under the October 2024 NIS2 transposition deadline face a compliance problem generic templates do not address: your plant already has an incident reporting regime. Seveso III (Directive 2012/18/EU) has governed major accident notification to environmental and safety authorities since 2012 [3]. NIS2 adds a second, parallel track — to a completely different competent authority, on a different timeline, with different content requirements [1].
This guide provides the Art.23 classification decision tree for distinguishing Seveso major accidents from NIS2 significant incidents, maps the Triton/TRISIS case to Article 21(2)(b) response gaps, and builds the dual-regime notification playbook your incident commander needs at hour one. If you are new to the NIS2 reporting timelines themselves, the NIS2 incident reporting guide covers the Art.23 framework in full before you apply it sector-specifically here.
NIS2 Scope for Chemicals: Important Entity, Not Essential — and No CIR to Hide Behind
Chemicals sector entities fall under Annex II of NIS2 (EU) 2022/2555, classifying them as Important Entities — not Essential [6]. Both classifications carry identical Article 21 security measure obligations and Article 23 reporting timelines. The differences are in supervision model and penalty ceiling.
| Factor | Essential Entity (Annex I) | Important Entity (Annex II — Chemicals) |
|---|---|---|
| Supervision model | Proactive, ex-ante — authorities can audit before incidents occur | Reactive, ex-post — authorities typically audit after incidents or complaints |
| Max penalty (Art.34) | €10 million or 2% of global annual turnover, whichever is higher | €7 million or 1.4% of global annual turnover, whichever is higher |
| Art.21 obligations | Identical | Identical |
| Art.23 reporting timelines | Identical | Identical |
The ex-post supervision model is frequently misread as a compliance shortcut. It is not. It means competent authorities arrive after an incident — with full examination powers — expecting complete documentation of every classification decision made in the hours and days following the event. That expectation makes rigorous incident log records more important for Important Entities, not less.
Size threshold: Your chemicals facility qualifies as an Important Entity if it exceeds the micro and small enterprise thresholds defined in Commission Recommendation 2003/361/EC — broadly, more than 50 employees or annual turnover above €10 million. Facilities below that threshold are excluded from NIS2 unless a Member State specifically designates them. See the Essential vs. Important Entity classification guide for the full size-threshold decision logic.
No CIR 2024/2690 applies to you. Commission Implementing Regulation (EU) 2024/2690 — which provides sector-specific incident significance thresholds and detailed measure specifications — applies only to nine entity types: DNS service providers, TLD name registries, cloud computing services, data centre services, content delivery networks, managed service providers, MSSPs, online marketplace and search engine providers, and trust service providers [5]. Chemical manufacturers are not on that list. Your compliance posture rests directly on NIS2 Articles 21 and 23 without the implementing regulation’s concrete sector thresholds to guide you — which makes the classification decision tree below the central practical tool you need.
Seveso Major Accident vs. NIS2 Significant Incident: Different Regimes, Different Definitions
The single most important distinction for chemicals compliance teams: Seveso and NIS2 define “incident” using entirely different criteria, report to different competent authorities, and run on different timelines. One plant event can trigger both simultaneously — and neither notification satisfies the other.
Seveso III (Directive 2012/18/EU), Article 3(13) defines a major accident as: “an occurrence such as a major emission, fire, or explosion resulting from uncontrolled developments in the course of the operation of any establishment covered by this Directive, and leading to serious danger to human health or the environment, immediate or delayed, inside or outside the establishment, and involving one or more dangerous substances” [3].
The definition is entirely physical: it turns on what substances were released and what danger resulted. The cause — mechanical failure, operator error, or a cyberattack — is not part of the trigger. If dangerous substances were released and serious danger resulted, it is a Seveso major accident regardless of origin.
NIS2 Article 23(3) defines a significant incident as one that: (a) has caused or is capable of causing severe operational disruption of the services or financial loss for the entity; or (b) has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage [1].
The NIS2 definition turns on impact to network and information systems. A ransomware attack that shuts down your order management system with no dangerous substance release is a NIS2 significant incident. A mechanical valve failure causing a dangerous chemical release is a Seveso major accident — but not a NIS2 incident at all unless network systems were also involved.
| Factor | Seveso Major Accident | NIS2 Significant Incident |
|---|---|---|
| Definition trigger | Physical outcome: emission, fire, or explosion; serious danger to humans or environment | Cyber impact: severe operational disruption or financial loss; or considerable damage to others |
| Cause required? | No — cause is irrelevant to Seveso classification | Yes — requires a network/information system security failure |
| Notification recipient | Competent environmental/health/safety authority (varies by Member State) | National CSIRT or cybersecurity competent authority |
| Timeline | “As soon as practicable” (Art.16 Seveso III) — effectively immediate for active emergencies | 24h early warning, 72h notification, 1-month final report (Art.23(4) NIS2) |
| Can one event trigger both? | Yes — a cyberattack that causes or enables a plant event involving dangerous substances triggers the Seveso track on the physical outcome alone | Yes — the same event triggers the NIS2 track on the network/information system security failure; both run simultaneously |
The competent authority for Seveso and the competent authority for NIS2 are almost never the same body. In Germany, Seveso notifications go to the state-level Landesbehörde; NIS2 notifications go to BSI. In France: DREAL for Seveso, ANSSI for NIS2. In Poland: WIOS for Seveso, CSIRT GOV for NIS2. Filing with one satisfies no obligation to the other.
The Art.23 Classification Decision Tree for Chemicals Facilities
The question a chemicals CISO faces at 2 AM is not “what happened” — it is “what regime is this, and which clock am I running?” The three-gate logic below delivers the answer without requiring a legal opinion under time pressure.
Gate 1 — Was there a network or information system security event?
If there is evidence of unauthorized access, malware deployment, network disruption, or anomalous system behavior with no other explanation: proceed to Gate 2.
If the event has no evidence of network/information system involvement (pure mechanical failure, operator error, weather event): this is a Seveso-only evaluation. NIS2 Art.23 is not triggered. Document the Gate 1 assessment in writing and close the NIS2 track.
Gate 2 — Does the impact meet Art.23(3) significance thresholds?
(a) Did the incident cause or could it cause severe operational disruption or financial loss for the entity?
OR
(b) Did it cause or could it cause considerable material or non-material damage to others — customers, suppliers, or the public?
If YES to either: proceed to Gate 3.
If NO: document as a minor incident. No Art.23 notification required, but preserve the classification reasoning for ex-post audit.
Gate 3 — Does the event also carry Seveso-relevant physical consequences?
Did the cyber event result in, or create conditions for, a major emission, fire, explosion, or uncontrolled process event involving dangerous substances?
If YES: dual-track activation. NIS2 Art.23 notification to CSIRT/cybersecurity authority AND Seveso Article 16 notification to the environmental/safety authority, running simultaneously. Neither filing waits for the other to complete.
If NO: NIS2-only notification. Seveso Art.16 is not triggered.
What this means for your incident log: Every event that reaches Gate 1 needs a documented Gate 2 and Gate 3 assessment — the reasoning captured in writing, not reconstructed from memory six months later. Under the ex-post supervision model, this documented classification is the primary evidence the authority will examine.
The 24-hour early warning (Art.23(4)(a)) asks two specific questions: whether the incident is suspected of being caused by unlawful or malicious acts, and whether it could have a cross-border impact [1]. Neither question has a parallel in Seveso reporting. Both require a cybersecurity judgment, not a process safety judgment. The CISO must be involved in this assessment from hour one regardless of where the event appeared to originate. For the full Art.23 notification procedure — including the mandatory form fields and submission process — the Art.23 incident notification guide covers each stage.
What Triton/TRISIS Revealed About Art.21(2)(b) Compliance Gaps
In 2017, a threat actor later attributed by Mandiant to Russia’s Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM) deployed malware inside a Saudi Arabian petrochemical facility [4]. The malware — known as Triton, TRISIS, or HatMan — targeted Schneider Electric Triconex Safety Instrumented Systems, making it the first piece of malware designed specifically to attack industrial safety systems with the objective of enabling physical harm.
The Triconex SIS monitors process parameters — temperature, pressure, flow rates — and automatically brings the plant to a safe state if any parameter exceeds its operating limit. Disabling the SIS does not directly cause an explosion. It removes the protective layer that prevents one when a process upset occurs.
Triton was designed to reprogram SIS controllers to fail safe (trip) or, depending on attacker timing, to continue operating in a programmed unsafe state. In June 2017, the safety system tripped unexpectedly. Process engineers investigated and found no mechanical root cause. In August 2017, it tripped again — and only then did a full forensic investigation reveal the malware [4].
The classification failure this exposed: In both initial responses, the event was routed to process engineering as a potential SIS hardware malfunction. The cybersecurity investigation was not opened until the second trip forced a deeper forensic search. Under NIS2 Art.23(4), the 24-hour early-warning clock starts when the entity “becomes aware” of a significant incident [1]. If your classification system routes unexpected SIS behavior exclusively to process engineering, the Art.23 clock never starts — because no one classifies the event as a cybersecurity incident.
The Art.21(2)(b) gap: Article 21(2)(b) requires entities to maintain incident handling procedures [2]. For a chemicals facility, those procedures must explicitly include OT trigger conditions — not just IT events. A generic incident handling policy built around server breaches, data exfiltration, or phishing will not capture a Triton-pattern attack. The following behaviors must be defined as mandatory cybersecurity investigation triggers in your Art.21(2)(b) policy:
- Safety Instrumented System trip or controller fault with no identified mechanical root cause
- DCS setpoint change or interlock modification not attributable to authorized operator action in the change management log
- Anomalous polling or unexpected write commands observed on historian server communication logs
- Network traffic between the OT process network and IT systems not matching the documented architecture baseline
If your Art.21(2)(b) policy does not include these OT trigger conditions, a Triton-pattern attack proceeds to its second stage while your incident log still reads “mechanical investigation — pending.” For the six-phase response structure that these OT triggers feed into, the NIS2 incident response playbook guide provides the full runbook framework.
DCS Historian Communication: The IT/OT Bridge That Creates Dual Exposure
A DCS historian server collects real-time process data — temperatures, pressures, flow rates, valve positions — from the process network and makes it available to IT systems for production reporting, regulatory documentation, and management dashboards. That function creates a network bridge between OT and IT.
Most chemical facilities implement this bridge as a one-way data feed through a DMZ. Implementation quality varies significantly, and in many plants the security architecture of the historian connection was never formally reviewed — it was established during the original DCS installation project, using the security assumptions of that era, and has operated without architectural reassessment since.
The attack vector: Spear-phishing compromises an IT workstation. The attacker moves laterally to the historian server, which holds authenticated credentials to the OT process network for data polling. From the historian, the attacker reads real-time process parameters — providing operational intelligence about plant state — and uses the historian as a staging point to reach DCS engineering workstations through whatever network paths exist between them.
Art.21(2)(e) gap: This sub-clause requires “security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure” [2]. A historian connection established in 2008 or 2012 and never subjected to a network security architecture review is an undocumented vulnerability. That constitutes an Art.21(2)(e) deficiency whether or not it has been exploited.
Art.23 trigger without a physical event: If an attacker compromises historian access and corrupts the integrity of real-time process data, operators lose the ability to make safe operating decisions for a process involving dangerous substances. That loss of data integrity is severe operational disruption under Art.23(3)(a) — even before any valve moves or alarm triggers [1]. At an upper-tier Seveso site, the Art.23 clock starts when you confirm the historian data cannot be trusted, not when a physical consequence materializes.
Your Art.21(2)(b) incident handling policy must reach historian anomalies: Unusual authentication requests, unexpected write commands, communication between the historian and non-documented endpoints, and DCS network traffic at unusual hours must reach the CISO as cybersecurity alerts — not just the plant IT team as infrastructure tickets.
The Dual-Regime Notification Playbook: Two Clocks, Two Authorities, One Incident
A cyberattack that causes or threatens a chemical process upset activates two parallel notification obligations. Neither satisfies the other. Both run from the moment classification is confirmed at Gate 3.
Clock 1 — NIS2 Art.23(4) [1]:
- Hour 24: Early warning to CSIRT/national cybersecurity authority. Content: suspected malicious or unlawful act? Cross-border impact potential?
- Hour 72: Incident notification. Content: severity assessment, initial impact scope, indicators of compromise where available.
- Month 1: Final report. Content: detailed description, root cause, mitigation measures taken, cross-border impacts confirmed or ruled out.
Clock 2 — Seveso III Art.16 [3]:
- As soon as practicable: Notify the competent environmental/health/safety authority. Content: circumstances of the accident, dangerous substances involved, data for assessing effects on human health and environment, emergency measures taken. No fixed-hour deadline — but “as soon as practicable” in the context of an ongoing plant emergency means immediately, not after the cyber investigation concludes.
| Track | Who Files | Recipient | Content Focus |
|---|---|---|---|
| NIS2 Art.23 | CISO / cybersecurity team | National CSIRT or cybersecurity competent authority | Attack vectors, indicators of compromise, service disruption scope |
| Seveso Art.16 | EHS / Process Safety Manager | Environmental/health/safety competent authority | Dangerous substances, quantities, emergency measures, human health risk |
| Both tracks | Coordinated by incident commander | Different authorities — no unified single point | Do not conflate content; each authority expects its regulatory framework |
The coordination failure that happens in practice: At hour 12 of a major incident, the CISO manages the cyber response and files the NIS2 early warning. The EHS Manager manages the physical plant response and handles the Seveso notification. Neither team has visibility into what the other has filed. Six months later, two separate competent authorities request documentation — and the entity cannot reconcile its two notification timelines because no single incident commander owned both tracks simultaneously.
Role-responsibility matrix for dual-regime incidents:
| Role | NIS2 Track | Seveso Track | Coordination |
|---|---|---|---|
| Incident Commander | Authorizes Art.23 early warning | Authorizes Seveso Art.16 notification | Owns both tracks; single point of accountability |
| CISO | Files Art.23 notifications; leads cyber investigation | Provides cyber-cause input to EHS team | Reports to incident commander |
| EHS / Process Safety Manager | Provides Art.23(3) impact assessment input | Files Seveso notification; leads process safety response | Reports to incident commander |
| Legal / Compliance | Reviews Art.23 filings for regulatory completeness | Reviews Seveso content for legal accuracy | Advises both tracks |
| Board | Informed of significant incidents per Art.21(4) management accountability | Informed of major accidents | Briefed jointly; management personally accountable under NIS2 |
The incident commander role requires authority from both the cybersecurity chain and the process safety chain. In most chemicals facilities, that combined authority does not currently sit in a single designated role. Designating it in the incident handling policy — with explicit sign-off from both CISO and EHS Manager — is an Art.21(2)(b) requirement, not an optional governance improvement.
Building the Art.21(2)(b) Incident Handling Policy for OT Environments
A generic NIS2 incident handling policy covers email compromise, data exfiltration, DDoS events, and ransomware. For a chemicals facility with Seveso obligations, it must also address OT-specific events that are cybersecurity incidents even when they initially present as process safety events.
OT trigger definitions for Gate 1 classification — add these to your Art.21(2)(b) policy:
- SIS trip or controller fault, no mechanical root cause: Mandatory cybersecurity investigation trigger. Within four hours: examine SIS communication logs, engineering workstation access records, and DCS authentication history.
- Unexpected DCS setpoint change or interlock modification: Investigate the authorization chain. Is this action in the change management log? Which workstation? Which credential?
- Historian server anomalies: Unusual authentication, unexpected write commands, communication with non-documented endpoints — CISO alert required, not just plant IT notification.
- OT network traffic not matching documented architecture baseline: Immediate isolation assessment before resuming normal operations.
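The OT trigger conditions above (and the same list in the Art.21(2)(b) section earlier) are mostly reconciliation checks: a DCS write that has no approved change record, or historian traffic that does not match the documented architecture. The block below is an added example, not code from the article or from any DCS or historian product; the log line format, tag names, hosts, ports, workstation names and change management records are all constructed for the example. It runs two of the triggers over constructed log lines and routes each hit to the CISO rather than to a plant IT ticket, as the policy text requires.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed example: two of the OT trigger checks listed in the article, run
# over constructed log lines. Log formats, tag names, hosts and the change
# management records below are assumptions of this example only.

LOG_KV = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Alert:
    trigger: str   # which Art.21(2)(b) OT trigger fired
    route_to: str  # who must receive it
    evidence: str  # the log line that fired it


def parse_line(line: str) -> dict[str, str]:
    """'<ts> k=v k=v ...' -> dict of fields, timestamp under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(LOG_KV.findall(rest))
    fields["ts"] = ts
    return fields


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_setpoint_changes(dcs_audit: list[str], change_log: list[dict]) -> list[Alert]:
    """Flag setpoint/interlock writes with no matching approved change record.

    A write is explained only if tag, workstation and credential all match an
    approved change whose window contains the write time.
    """
    alerts = []
    for line in dcs_audit:
        ev = parse_line(line)
        when = _ts(ev["ts"])
        approved = any(
            c["tag"] == ev["tag"] and c["workstation"] == ev["ws"]
            and c["user"] == ev["user"] and _ts(c["from"]) <= when <= _ts(c["to"])
            for c in change_log
        )
        if not approved:
            alerts.append(Alert("DCS setpoint/interlock change not in change management log",
                                "CISO (mandatory cybersecurity investigation trigger)", line))
    return alerts


def check_historian_traffic(conn_log: list[str],
                            baseline: dict[str, set[tuple[str, int]]]) -> list[Alert]:
    """Flag historian traffic to non-documented endpoints and any write command.

    The historian's documented role is to poll (read) the process network, so a
    write from it, or a connection outside the baseline, is a trigger.
    """
    alerts = []
    for line in conn_log:
        ev = parse_line(line)
        endpoint = (ev["dst"], int(ev["port"]))
        if endpoint not in baseline.get(ev["src"], set()):
            alerts.append(Alert("Historian communication with non-documented endpoint",
                                "CISO (not just plant IT ticket)", line))
        if ev.get("op") == "write":
            alerts.append(Alert("Unexpected write command from historian",
                                "CISO (not just plant IT ticket)", line))
    return alerts


# --- constructed sample inputs (not real plant data) ---------------------------
DCS_AUDIT = [
    "2024-11-05T01:58:00Z tag=TIC-101.SP old=180.0 new=185.0 ws=ENG-WS-01 user=j.ops",
    "2024-11-05T02:05:10Z tag=PSH-204.INTERLOCK old=enabled new=bypassed ws=ENG-WS-03 user=eng_svc",
]
CHANGE_LOG = [
    {"tag": "TIC-101.SP", "workstation": "ENG-WS-01", "user": "j.ops",
     "from": "2024-11-05T01:30:00Z", "to": "2024-11-05T02:30:00Z"},
]
HISTORIAN_CONNS = [
    "2024-11-05T02:00:00Z src=HIST-01 dst=10.20.1.15 port=502 op=read",
    "2024-11-05T02:07:44Z src=HIST-01 dst=10.20.1.40 port=44818 op=read",
    "2024-11-05T02:07:50Z src=HIST-01 dst=10.20.1.15 port=502 op=write",
]
HISTORIAN_BASELINE = {"HIST-01": {("10.20.1.15", 502), ("10.20.1.16", 502)}}


def run_ot_triggers() -> list[Alert]:
    """Run both checks over the constructed inputs; three alerts are expected."""
    return (check_setpoint_changes(DCS_AUDIT, CHANGE_LOG)
            + check_historian_traffic(HISTORIAN_CONNS, HISTORIAN_BASELINE))


if __name__ == "__main__":
    for a in run_ot_triggers():
        print(f"[{a.trigger}] route to {a.route_to}: {a.evidence}")
```

The interlock bypass on PSH-204 fires because no change record covers it, the 10.20.1.40 connection fires because it is outside the documented baseline, and the Modbus write fires even though its endpoint is in the baseline, because the historian should never write. Each alert names the trigger so the Gate 1 entry in the incident log can cite it as the evidence basis.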
Art.23 clock awareness — define “became aware” for OT events: The 24-hour clock starts at the point you have evidence of a network/information system security event — not when forensics confirms it. “Investigating a possible mechanical fault” does not pause the Art.23 clock if cyber indicators are present. Train incident responders on this distinction explicitly.
Dual-trigger designation: The policy must specify — with explicit sign-off from both CISO and EHS Manager — which event types simultaneously trigger the NIS2 Art.23 notification track and the Seveso Art.16 notification track. This list cannot be created under time pressure at hour two of a live incident.
Incident log classification fields to add for OT events:
- Gate 1: Network/information system event confirmed? Y/N + evidence basis
- Gate 3: Seveso major accident potential assessed? Y/N + outcome
- Art.23 clock start time: [timestamp of first cyber indicator]
- Seveso Art.16 notification filed: Y/N + timestamp
- Incident commander assigned: [name and role]
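The three-gate decision tree, the "became aware" rule for the Art.23 clock and the incident log fields above are one procedure: classify, start the right clocks, and write the reasoning down. The block below is an added example, not code from the article; the Event record, its field names and the regime labels are assumptions of this example, and the sample events are constructed. It starts the Art.23 clock from the first cyber indicator rather than from forensic confirmation, which is the distinction the clock-awareness paragraph stresses, and computes the final report as due one month after the 72-hour notification (Art.23(4)(d)).

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed example: the three-gate classifier from the article plus the
# Art.23(4) clocks. The Event record and regime labels are this example's own
# assumptions, not a schema from NIS2 or from the article.


@dataclass
class Event:
    event_id: str
    description: str
    cyber_indicators: list[str] = field(default_factory=list)   # Gate 1 evidence
    first_cyber_indicator_at: Optional[datetime] = None          # "became aware"
    forensic_confirmed_at: Optional[datetime] = None             # does NOT start the clock
    severe_disruption_or_loss: bool = False                      # Art.23(3)(a)
    considerable_damage_to_others: bool = False                  # Art.23(3)(b)
    dangerous_substance_event: bool = False                      # Gate 3 (Seveso)
    incident_commander: str = "UNASSIGNED"


def _add_one_month(ts: datetime) -> datetime:
    """Calendar-month addition, clamped to the last day of the target month."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


def art23_deadlines(clock_start: datetime) -> dict[str, datetime]:
    """Art.23(4) clocks measured from the moment the entity became aware."""
    notification = clock_start + timedelta(hours=72)
    return {
        "early_warning_due": clock_start + timedelta(hours=24),
        "incident_notification_due": notification,
        "final_report_due": _add_one_month(notification),
    }


def classify(event: Event) -> dict:
    """Run Gates 1-3 and return an audit-ready incident log record."""
    record = {
        "event_id": event.event_id,
        "gate1_cyber_event": bool(event.cyber_indicators),
        "gate1_evidence": list(event.cyber_indicators),
        "gate2_significant": None,
        "gate3_seveso_potential": event.dangerous_substance_event,
        # Seveso turns on the physical outcome alone, whatever the cause.
        "seveso_art16_required": event.dangerous_substance_event,
        "regime": None,
        "art23_clock_start": None,
        "art23_deadlines": None,
        "incident_commander": event.incident_commander,
    }
    # Gate 1: no network/information system involvement -> NIS2 track closed.
    if not event.cyber_indicators:
        record["regime"] = "seveso_only_evaluation"
        return record
    # Gate 2: Art.23(3)(a) OR (b). A NO is still recorded for ex-post audit.
    significant = event.severe_disruption_or_loss or event.considerable_damage_to_others
    record["gate2_significant"] = significant
    if not significant:
        record["regime"] = "minor_incident"
        return record
    # Clock starts at the first cyber indicator, not at forensic confirmation.
    if event.first_cyber_indicator_at is None:
        raise ValueError("Gate 1 evidence present but first_cyber_indicator_at is unset")
    record["art23_clock_start"] = event.first_cyber_indicator_at
    record["art23_deadlines"] = art23_deadlines(event.first_cyber_indicator_at)
    # Gate 3: dual track when the cyber event also carries Seveso consequences.
    record["regime"] = "dual_track" if event.dangerous_substance_event else "nis2_only"
    return record


# --- constructed sample events (not real incidents) ----------------------------
UTC = timezone.utc
TRITON_PATTERN = Event(
    "EVT-0001", "SIS trip, no mechanical root cause; unauthorised session on SIS engineering workstation",
    cyber_indicators=["unauthorised session on SIS engineering workstation"],
    first_cyber_indicator_at=datetime(2024, 11, 5, 2, 10, tzinfo=UTC),
    forensic_confirmed_at=datetime(2024, 11, 9, 16, 0, tzinfo=UTC),
    severe_disruption_or_loss=True, dangerous_substance_event=True,
    incident_commander="Plant Incident Commander (designated per Art.21(2)(b) policy)",
)
VALVE_FAILURE = Event("EVT-0002", "Mechanical valve failure, toxic release",
                      dangerous_substance_event=True)
RANSOMWARE = Event("EVT-0003", "Ransomware on order management system",
                   cyber_indicators=["ransom note, encrypted file shares"],
                   first_cyber_indicator_at=datetime(2024, 11, 12, 9, 0, tzinfo=UTC),
                   severe_disruption_or_loss=True)

if __name__ == "__main__":
    for ev in (TRITON_PATTERN, VALVE_FAILURE, RANSOMWARE):
        rec = classify(ev)
        print(ev.event_id, rec["regime"], rec["art23_deadlines"])
```

For the Triton-pattern event the record shows a dual-track regime with the early warning due 24 hours after the first indicator on 5 November, four days before forensics confirmed the malware; the valve failure never opens the NIS2 track but still carries the Seveso Art.16 flag; the ransomware case is NIS2-only. Every record carries the Gate 1 evidence, the Gate 2 and Gate 3 outcomes and the commander, which are exactly the log fields listed above.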
Annual joint tabletop exercise: Run a tabletop annually with both the cybersecurity team and the process safety team responding to a Triton-pattern scenario — a safety system trip where the initial report looks like a mechanical fault. The exercise tests whether the team runs Gate 1 classification or routes the event directly to process engineering. If they route it directly, the Art.21(2)(b) policy has not been operationalized.
Key Takeaways
- Chemicals sector entities are Important Entities under NIS2 Annex II. CIR 2024/2690 does not apply — you apply Art.21 and Art.23 directly, without sector-specific implementing guidance.
- Seveso major accidents and NIS2 significant incidents have different triggers, different competent authority recipients, and different timelines. One plant event can activate both simultaneously. Neither notification satisfies the other.
- The Triton/TRISIS case demonstrates that a cyberattack on a Safety Instrumented System will be misclassified as a mechanical event if your Art.21(2)(b) incident handling policy does not include explicit OT trigger conditions.
- DCS historian communication creates an IT/OT network bridge with Art.21(2)(e) architecture gaps. Historian data integrity compromise is severe operational disruption under Art.23(3)(a) — even before any physical plant event occurs.
- Dual-regime incidents require a single incident commander with authority to activate both the NIS2 Art.23 track and the Seveso Art.16 track simultaneously. Most chemicals facilities do not have this role designated today.
Frequently Asked Questions
Does NIS2 apply to small chemicals manufacturers?
Only to those exceeding the micro and small enterprise thresholds in Commission Recommendation 2003/361/EC — broadly, more than 50 employees or annual turnover above €10 million. Facilities below that threshold are excluded unless a Member State specifically designates them.
If we file a Seveso notification, does that satisfy our NIS2 Art.23 obligation?
No. Seveso notifications go to the environmental/health/safety competent authority. NIS2 Art.23 notifications go to the national CSIRT or cybersecurity competent authority. These are separate filings to separate authorities, with separate mandatory content requirements [1][3].
What is the penalty for missing an Art.23 notification deadline?
For Important Entities (chemicals sector), up to €7 million or 1.4% of global annual turnover, whichever is higher [6]. Member States may impose additional administrative measures, and management personal accountability applies under Art.21(4).
Are there sector-specific NIS2 incident thresholds for chemicals?
No. CIR 2024/2690, which provides entity-type-specific significance thresholds, does not apply to chemicals [5]. Apply the general Art.23(3) criteria directly: severe operational disruption or financial loss; or considerable damage to others [1].
Does a Triton-type SIS attack automatically trigger the 24-hour early warning?
Yes, if Gates 1 and 2 are satisfied. Malware targeting your SIS is a network/information system security event (Gate 1). A functioning SIS is essential to safe plant operation — its compromise creates the potential for severe operational disruption (Gate 2). File the early warning within 24 hours of confirming the malware, not after completing the forensic investigation.
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
Sources
[1] Article 23 — Reporting obligations, NIS2 Directive (EU) 2022/2555
[2] Article 21 — Cybersecurity risk-management measures, NIS2 Directive (EU) 2022/2555
[3] Directive 2012/18/EU (Seveso III), EUR-Lex
[4] Triton (malware), Wikipedia
[5] Commission Implementing Regulation (EU) 2024/2690, EUR-Lex
[6] Article 34 — General rules on penalties, NIS2 Directive (EU) 2022/2555
