NIS2 chemicals supply chain security — DCS vendor remote access controls under Art.21(2)(d)

NIS2 Chemicals Supply Chain: Why DCS Vendor Remote Access (Emerson, Honeywell, ABB) Is Your Highest Art.21(2)(d) Risk

When an Emerson DeltaV engineer connects remotely to a chemical plant’s control network, that session carries direct write access to reactor temperature setpoints, pressure limits, and reagent feed ratios. In most European chemical facilities, the DCS vendor’s remote support channel reaches deeper into the process network than the plant’s own cybersecurity team can observe — let alone interrupt. Article 21(2)(d) of NIS2 Directive 2022/2555 names supply chain security, specifically the security-related aspects of relationships with direct suppliers and service providers, as a mandatory cybersecurity risk-management measure for all in-scope entities [1]. For chemicals manufacturers, that obligation covers four sector-specific supply chain vectors that generic compliance frameworks were not built to handle.

This article maps each vector to its Art.21(2)(d) obligation: DCS vendor privileged remote access (Emerson, Honeywell, ABB), tier-3 raw material supplier ERP API integrations, process simulation software vendor dependencies, and CAS-based chemical data service integrity. For each, we set out what Art.21(2)(d) requires, what the typical documentation gap looks like in practice, and what controls close it — along with the penalty exposure that makes this a board-level compliance priority. The broader NIS2 supply chain security framework covers the cross-sector Art.21(2)(d) methodology; this guide addresses the chemicals-specific layer on top of it.

Who Falls Under NIS2 in the Chemicals Sector

The chemicals sector sits in Annex II of NIS2 Directive 2022/2555 under the entry "Manufacture, production and distribution of chemicals", which the Annex defines by reference to the REACH Regulation (EC) No 1907/2006: entities that manufacture substances, distribute substances or mixtures, or produce articles. In NACE Rev. 2 terms this corresponds broadly to Section C, Division 20. The Annex II classification determines both the applicable size threshold and the supervision model that governs how competent authorities enforce compliance.

Who qualifies as an Important Entity: any chemicals entity that is at least medium-sized under Commission Recommendation 2003/361/EC, in practice 50 or more employees, or an annual turnover and annual balance sheet total both above €10 million. This threshold captures the full range from mid-sized specialty chemicals producers to major groups. Member states may designate larger Annex II chemical entities as Essential Entities where they determine the company is of particular societal or economic significance, but this remains at member state discretion and is not automatic [5].

Supervision model under Art.33: Important Entities are subject to reactive (ex post) supervision. Competent authorities act after receiving notification of a significant incident, a complaint, or other evidence of non-compliance, rather than proactively auditing. This does not reduce Art.21(2)(d) obligations: Art.33 supervisory powers include on-site inspections, targeted information requests, and binding remediation orders. When a DCS vendor incident triggers an Art.23 notification, the Art.21(2)(d) supply chain documentation is among the first files a competent authority requests.

Penalty ceiling (Art.34(5)): a maximum of €7 million or 1.4% of total worldwide annual turnover in the preceding financial year, whichever is higher [4]. For a chemicals group operating at the scale of a major European producer, 1.4% of global revenue is the operative ceiling rather than the flat €7 million figure; the "whichever is higher" construction is what makes the fine scale with the size of the entity.

The Four Art.21(2)(d) Supply Chain Vectors in Chemicals Manufacturing

Art.21(2)(d) requires entities to implement measures addressing supply chain security, specifically “security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.” When determining appropriate measures, entities must “take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers and service providers” [2]. For chemicals manufacturers, four categories of direct supplier and service provider relationships carry risk profiles that standard IT supply chain guidance was not designed to address.

Supply chain vector | Art.21(2)(d) relationship type | Consequence if compromised
DCS vendor remote access (Emerson, Honeywell, ABB) | Direct service provider (process control maintenance) | Reactor excursion; production shutdown; chemical release risk
Tier-3 raw material supplier ERP APIs | Direct supplier (procurement integration) | Procurement data theft; order manipulation; REACH data exposure
Process simulation software (AspenTech, AVEVA) | Direct service provider (ICT service) | Process IP theft; simulation parameter manipulation; REACH errors
CAS-based chemical data services | Direct service provider (ICT data service) | Wrong substance identity; REACH violations; GHS misclassification

Each involves a relationship with a direct supplier or service provider that activates Art.21(2)(d). The sections below examine the risk profile and required controls for each, beginning with the vector carrying the highest consequence potential.

DCS Vendor Remote Access — Why Emerson, Honeywell, and ABB Sessions Are Your Highest-Risk Art.21(2)(d) Exposure

Distributed control systems manage the process automation backbone of chemical manufacturing. Emerson’s DeltaV platform, Honeywell’s Experion PKS, and ABB’s System 800xA govern reactor control loops, distillation column operations, heat exchanger monitoring, and emergency shutdown systems across most large-scale European chemical facilities. All three vendors maintain remote access channels for ongoing maintenance: firmware updates, patch deployment, configuration backups, parameter tuning, and incident troubleshooting.

These remote sessions are categorically different from standard IT vendor access in three ways that elevate their Art.21(2)(d) classification to the highest-risk tier.

Write access to physical process setpoints. A remote DeltaV engineering session can modify setpoints governing reactor temperature, pressure limits on a distillation column, or reagent feed ratios on a continuous chemical process. Unlike a software vendor's remote desktop session on an office workstation, a compromised DCS session has direct physical consequence potential: overpressure in a reactor vessel, thermal runaway, or improper reagent dosing. Whether the same session can also reach the emergency shutdown logic depends on how the safety instrumented system is engineered: a SIS that is physically and logically separated from the basic process control system, as IEC 61511 expects, is not directly exposed through a DCS support channel, whereas an integrated safety system that shares the engineering workstation or network with the DCS is. The attack surface is not data; it is the physical process itself.

Persistent, shared vendor-side credentials. DCS vendors commonly retain persistent remote access long after initial plant commissioning, and frequently use shared credentials accessible to multiple support engineers across their global organisation [7]. A credential compromise at the vendor’s side simultaneously exposes every customer site where those shared credentials are active. Most chemical companies have no visibility into the vendor’s credential management practices — they are rarely specified in maintenance contracts that pre-date NIS2.

No Art.21(2)(d) terms in legacy maintenance agreements. Art.21(2)(d) requires entities to assess “the overall quality of cybersecurity practices” of their suppliers [2]. Maintenance agreements established before October 2024 typically contain no minimum security standards for remote access sessions, no mandatory incident notification requirements, no audit rights, and no termination triggers for security failures. A contract that grants persistent DCS access without any of these terms is an Art.21(2)(d) documentation gap in plain sight.

Active CISA advisory track record confirms technical risk. The US Cybersecurity and Infrastructure Security Agency has published advisories covering Emerson ValveLink product vulnerabilities (July 2025), four vulnerabilities in Honeywell’s OneWireless device management platform (September 2025), and ABB MV Drives vulnerabilities where successful exploitation could allow an attacker to “gain full access to the drive or cause a denial-of-service condition” in the critical manufacturing sector [8]. The ICS vulnerability landscape for the three major DCS vendors is active, not historical.

The Colonial Pipeline incident (2021) shows what a privileged remote-access account without multi-factor authentication leads to: a legacy VPN account with no MFA gave the attackers entry to the company's IT network, and Colonial shut the pipeline down as a precaution for roughly six days [7]. The compromised account sat on the IT side; a DCS vendor channel with the same weaknesses lands an attacker directly on the process network. Chemical plants whose DCS remote access lacks time-bounded sessions, an MFA gate, and session recording carry structurally equivalent exposure with a shorter path to physical consequence.

Art.21(2)(d) control requirements for DCS vendor access:

  • Time-bounded sessions: no persistent standing access; each maintenance engagement requires a freshly issued, time-limited credential for the specific systems in scope, approved by plant personnel rather than by the vendor
  • Brokered access path: terminate vendor connections on a jump host in the OT DMZ and forward only the approved protocol to the target system, rather than a VPN that lands directly on the control network; this is the zones-and-conduits model of IEC 62443-3-2
  • MFA gate before session establishment: multi-factor authentication required for all DCS remote connections; this also counts towards the Art.21(2)(j) multi-factor authentication requirement
  • Full session recording: keystrokes, commands, and screen activity captured for forensic accountability; this is the primary evidence in any post-incident review
  • Immediate-termination capability: a designated plant operator must be able to disconnect any active vendor session in real time, and termination should also revoke the credential so the session cannot simply be re-established
  • Contractual security clauses in maintenance agreements: minimum access standards, incident notification within Art.23 timelines, audit rights, no credential sharing, and sub-contractor access restrictions in all DCS vendor contracts
  • IEC 62443-2-4 as the implementation framework: this standard specifies security programme requirements for IACS service providers and is the natural technical reference when applying NIS2 Art.21(2)(d) to DCS maintenance vendor relationships [5]
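The first four controls above are usually delivered by a privileged-access broker sitting on the OT DMZ jump host. The following is an added example, not code from the article or from any DCS vendor: an in-memory model of such a broker that issues time-limited grants scoped to named systems, refuses connections without a completed MFA step or outside the approved window, records every command, and gives a plant operator a kill switch that also burns the grant. Vendor, engineer, operator, and system names are constructed; the `mfa_verified` flag stands in for whatever MFA provider the site uses.

```python
"""Just-in-time DCS vendor access broker (added example, constructed names)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import hashlib
import secrets


def _hash(token: str) -> str:
    # Only a hash of the one-time token is retained, as for a password.
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Grant:
    grant_id: str
    vendor: str
    engineer: str
    systems: frozenset        # named targets only, e.g. {"DCS-R101-CTRL"}; no wildcard
    approved_by: str          # plant-side approver, never the vendor
    not_before: datetime
    not_after: datetime
    token_hash: str
    revoked: bool = False


@dataclass
class AccessBroker:
    max_window: timedelta = timedelta(hours=4)      # site policy: no longer windows
    grants: dict = field(default_factory=dict)
    sessions: dict = field(default_factory=dict)    # session_id -> grant_id
    audit: list = field(default_factory=list)       # append-only event log

    def _log(self, now: datetime, event: str, **detail) -> None:
        self.audit.append({"ts": now.isoformat(), "event": event, **detail})

    def issue_grant(self, vendor, engineer, systems, approved_by, now, duration):
        """Create a fresh, time-limited grant; the token is returned once."""
        if not systems or "*" in systems:
            raise ValueError("grant must name specific systems")
        if duration > self.max_window:
            raise ValueError(f"window exceeds policy maximum {self.max_window}")
        token = secrets.token_urlsafe(32)
        grant = Grant(secrets.token_hex(8), vendor, engineer, frozenset(systems),
                      approved_by, now, now + duration, _hash(token))
        self.grants[grant.grant_id] = grant
        self._log(now, "grant_issued", grant_id=grant.grant_id, vendor=vendor,
                  engineer=engineer, systems=sorted(systems), approved_by=approved_by,
                  expires=grant.not_after.isoformat())
        return grant.grant_id, token

    def connect(self, grant_id, token, target, mfa_verified, now, src_ip):
        """Establish a session or raise PermissionError; every refusal is logged."""
        grant = self.grants.get(grant_id)
        reason = None
        if grant is None or not secrets.compare_digest(grant.token_hash, _hash(token)):
            reason = "bad grant or token"
        elif grant.revoked:
            reason = "grant revoked"
        elif not (grant.not_before <= now < grant.not_after):
            reason = "outside approved window"
        elif target not in grant.systems:
            reason = f"target {target} not in grant scope"
        elif not mfa_verified:
            reason = "MFA not completed"
        if reason:
            self._log(now, "connect_denied", grant_id=grant_id, target=target,
                      src_ip=src_ip, reason=reason)
            raise PermissionError(reason)
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = grant_id
        self._log(now, "session_start", session_id=session_id, grant_id=grant_id,
                  engineer=grant.engineer, target=target, src_ip=src_ip)
        return session_id

    def record(self, session_id, now, command):
        """Session recording hook: the command is logged before it is forwarded,
        and a session that has outlived its window is cut rather than served."""
        if session_id not in self.sessions:
            raise PermissionError("no active session")
        grant = self.grants[self.sessions[session_id]]
        if now >= grant.not_after:
            self.terminate(session_id, "broker", now, "window expired")
            raise PermissionError("session expired")
        self._log(now, "command", session_id=session_id, command=command)

    def terminate(self, session_id, operator, now, reason):
        """Kill switch: end the session and revoke the grant behind it."""
        grant_id = self.sessions.pop(session_id, None)
        if grant_id is None:
            return False
        self.grants[grant_id].revoked = True
        self._log(now, "session_end", session_id=session_id, by=operator, reason=reason)
        return True


if __name__ == "__main__":
    t0 = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
    broker = AccessBroker()
    gid, tok = broker.issue_grant("ExampleDCSVendor", "j.doe", {"DCS-R101-CTRL"},
                                  "plant.ops.lead", t0, timedelta(hours=2))
    sid = broker.connect(gid, tok, "DCS-R101-CTRL", True, t0, "203.0.113.5")
    broker.record(sid, t0 + timedelta(minutes=1), "SP TIC-101 = 85.0")
    broker.terminate(sid, "operator.a", t0 + timedelta(minutes=2), "unexpected setpoint change")
    for event in broker.audit:
        print(event)
```

The audit list is the artefact a competent authority asks for under Art.21(2)(d): who approved access, to which system, what was typed, and who ended it. In production the token check and the command log would be enforced by the jump host itself, not trusted to the vendor's client.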

For guidance on classifying DCS vendors by criticality tier in your supplier register, the NIS2 supplier classification guide covers the four-tier methodology applicable to Art.21(2)(d) direct service providers.

Tier-3 Raw Material Supplier ERP APIs — Where Procurement Becomes an Attack Surface

Large chemicals manufacturers at BASF, Bayer, or Evonik scale operate ERP environments — typically SAP or Oracle — with API integrations into raw material suppliers for demand signalling, purchase order submission, delivery tracking, and inventory replenishment triggers. Where a tier-3 supplier — a specialist feedstock producer with 50 to 200 employees — supplies directly under a purchase contract, that supplier qualifies as a “direct supplier” under Art.21(2)(d). Their API access into the buyer’s ERP is an Art.21(2)(d) supply chain exposure point requiring the same vulnerability assessment as any other direct supplier.

The cybersecurity risk lies not in the raw materials but in the API access afforded to smaller suppliers into the buyer’s procurement system. A tier-3 company with an active ERP API connection has read access to procurement data — purchase volumes, production scheduling signals, commodity pricing benchmarks — and, depending on integration design, potential write access to order confirmations or delivery records. The security posture of a 100-employee feedstock supplier is not equivalent to the buyer’s, and the API connection is the gap.

This is not an abstract concern. CVE-2025-31324, an unauthenticated file-upload vulnerability in the SAP NetWeaver Visual Composer Metadata Uploader, was exploited as a zero-day on internet-facing SAP systems from March 2025, before SAP issued an emergency patch in April 2025; attackers used it to plant web shells and gain code execution on the NetWeaver host, and several vendor reports attributed follow-on activity to state-linked groups. An attacker with code execution on the ERP server sees everything the supplier-facing API exposes and a great deal more: production volumes, supplier dependencies, commodity positioning, exactly what a strategic adversary wants from a major chemical group. The lesson for tier-3 integrations is that supplier traffic should reach the ERP only through a hardened API gateway, never by exposing the ERP front end itself to supplier networks.

Art.21(2)(d) requires entities to assess “vulnerabilities specific to each direct supplier” [2]. For tier-3 ERP API suppliers, the proportionate response is:

  • Include all ERP API suppliers in the supplier classification register, with criticality scored by data access scope and write permissions granted
  • Apply minimum security requirements via supplier portal terms or contractual amendment: MFA on supplier-side API credentials, incident notification obligations, no API credential delegation to third parties without prior written approval
  • Implement API controls on the buyer side: scope-limited API keys per supplier, rate limiting, anomaly detection on procurement access patterns, and periodic access log review against expected supplier activity
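The buyer-side controls in the last bullet are easiest to see over real traffic. The following is an added example, not code from the article or from SAP or Oracle: a per-supplier scope register for API keys and a log review routine that flags cross-tenant reads, calls outside the granted scope, unknown keys, rate-limit breaches, and bulk purchase-order enumeration. The key names, supplier identifiers, URL layout, and the log lines themselves are all constructed for the example.

```python
"""Buyer-side supplier API controls and access-log review (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Per-supplier key scopes (constructed). In practice this register is generated
# from the supplier classification register and each contract's access schedule.
API_KEYS = {
    "k-acme-7f3":  {"supplier": "SUP-ACME",
                    "allow": {("GET", "po"), ("POST", "po-confirm"), ("GET", "delivery")},
                    "rate_per_min": 30},
    "k-nordic-a1": {"supplier": "SUP-NORDIC",
                    "allow": {("GET", "po"), ("GET", "delivery")},   # read-only supplier
                    "rate_per_min": 30},
}

# Constructed URL layout: every resource is nested under the owning supplier id,
# so a cross-tenant access is visible in the path itself.
RESOURCE_RE = re.compile(
    r"^/v1/suppliers/(?P<sup>[A-Z0-9-]+)/(?P<res>po|delivery)/(?P<id>[A-Z0-9-]+)(?P<confirm>/confirm)?$")


def classify(path):
    """Return (owning supplier, resource class, resource id) or None."""
    m = RESOURCE_RE.match(path)
    if not m:
        return None
    res = "po-confirm" if m["confirm"] else m["res"]
    return m["sup"], res, m["id"]


def audit_access(log_text, window_s=60, enum_window_s=300, enum_threshold=20):
    """Review gateway log lines ('ts key method path status') and return
    (rule, key, detail) findings in log order. Rate and enumeration findings are
    reported once per key so a burst does not drown the rest of the review."""
    findings, flagged = [], set()
    recent = defaultdict(deque)     # key -> call timestamps inside the rate window
    po_reads = defaultdict(deque)   # key -> (ts, po id) inside the enumeration window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_s, key, method, path, _status = line.split()
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").timestamp()
        policy = API_KEYS.get(key)
        if policy is None:
            findings.append(("unknown_key", key, path))
            continue
        parsed = classify(path)
        if parsed is None:
            findings.append(("unknown_resource", key, path))
            continue
        sup, res, rid = parsed
        if sup != policy["supplier"]:
            findings.append(("cross_tenant", key, f"{path} belongs to {sup}"))
        if (method, res) not in policy["allow"]:
            findings.append(("scope", key, f"{method} {res} not granted"))
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) > policy["rate_per_min"] and ("rate", key) not in flagged:
            flagged.add(("rate", key))
            findings.append(("rate", key, f"{len(q)} calls in {window_s}s"))
        if method == "GET" and res == "po":
            p = po_reads[key]
            p.append((ts, rid))
            while p and ts - p[0][0] > enum_window_s:
                p.popleft()
            distinct = len({r for _, r in p})
            if distinct > enum_threshold and ("enumeration", key) not in flagged:
                flagged.add(("enumeration", key))
                findings.append(("enumeration", key,
                                 f"{distinct} distinct purchase orders read in {enum_window_s}s"))
    return findings


# Constructed sample log: one well-behaved supplier, one read-only supplier that
# reads another supplier's order, tries a write, then enumerates its own orders
# at 1 request/s, plus a revoked key that is still being presented.
SAMPLE_LOG = "\n".join(
    ["2025-03-03T08:00:01Z k-acme-7f3 GET /v1/suppliers/SUP-ACME/po/PO-10021 200",
     "2025-03-03T08:00:05Z k-acme-7f3 POST /v1/suppliers/SUP-ACME/po/PO-10021/confirm 200",
     "2025-03-03T08:01:10Z k-nordic-a1 GET /v1/suppliers/SUP-ACME/po/PO-10021 200",
     "2025-03-03T08:01:11Z k-nordic-a1 POST /v1/suppliers/SUP-NORDIC/po/PO-10030/confirm 403",
     "2025-03-03T08:01:12Z k-stale-00 GET /v1/suppliers/SUP-ACME/po/PO-10021 401"]
    + [f"2025-03-03T08:02:{i:02d}Z k-nordic-a1 GET /v1/suppliers/SUP-NORDIC/po/PO-{10030 + i} 200"
       for i in range(40)])

if __name__ == "__main__":
    for finding in audit_access(SAMPLE_LOG):
        print(finding)
```

Note the 200 status on the cross-tenant read in the sample: the point of the review is to catch what the gateway let through, so the scope table must be enforced at the gateway as well as used for review. Thresholds are per-supplier numbers taken from the contract's expected activity, not global defaults.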

Process Simulation Software and CAS Database Integrity

Process simulation software

Aspen HYSYS and Aspen Plus (AspenTech) and AVEVA Process Simulation are the dominant chemical process modelling platforms. Chemical engineers use these tools to model reactor behaviour, optimise distillation sequences, calculate heat integration, and validate process modifications before physical implementation. These platforms hold some of the most competitively sensitive data a chemical company owns: reaction kinetics, catalyst performance parameters, yield optimisation curves, and process configurations representing decades of engineering investment.

The transition toward SaaS licensing models — AspenTech’s aspenONE subscription, for instance — introduces remote vendor access for license management and technical support that qualifies process simulation vendors as Art.21(2)(d) service providers. If simulation data is manipulated through a compromised vendor support session, the consequence is not limited to IP theft: incorrect process parameters carried forward into reactor sizing or process modification validation could result in operation outside the facility’s design envelope. REACH compliance calculations that rely on simulated yield data are also at risk if the underlying process model is tampered with. Treat process simulation platform vendors as direct service providers requiring contractual security obligations, audit rights, and access documentation under Art.21(2)(d).

CAS database integrity

The Chemical Abstracts Service (CAS), a division of the American Chemical Society, maintains the world’s authoritative chemical substance registry — covering over 200 million organic and inorganic substances identified by CAS Registry Numbers. Chemical companies depend on CAS numbers operationally for REACH substance registration, GHS/SDS classification, procurement specification, quality control testing, and export control compliance on dual-use chemicals.

API integrations with CAS services allow chemical companies to programmatically query substance identities and retrieve regulatory classifications. This API relationship is an ICT service dependency that falls within Art.21(2)(d): if the API credential is compromised or a wrong CAS number is introduced into the procurement system, the downstream consequence is a REACH registration against the wrong substance, an incorrect GHS classification flowing into safety data sheets, or a different chemical being received than the one specified in the production recipe. None of this requires an exotic attack; it follows directly from treating chemical data service APIs as low-risk vendor relationships and trusting their output without verification.

The appropriate control is out-of-band verification of substance identity against physical certificate of analysis data for high-consequence materials, rather than relying solely on API-supplied CAS identifiers in procurement and quality management workflows.
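One concrete form of that out-of-band check, as an added example that is not from the article or from CAS: reconcile each delivery's certificate of analysis against the plant's own material master before release. CAS Registry Numbers carry a check digit (the sum of the digits, each weighted by its position counting from the right, modulo 10), which catches transcription and transposition errors; the example also shows why that is not enough, since a valid but wrong CAS RN passes the checksum and is only caught by comparison with the master record. The material identifiers, specifications, and CoA records below are constructed; the CAS RNs used are the real ones for sodium hydroxide, potassium hydroxide, and water.

```python
"""CAS RN check-digit validation and CoA reconciliation (added example)."""
import re

CAS_RE = re.compile(r"^(\d{2,7})-(\d{2})-(\d)$")


def cas_check_digit(digits: str) -> int:
    """Check digit for the digits of a CAS RN excluding the final one:
    rightmost digit weight 1, next weight 2, and so on, summed modulo 10."""
    return sum(int(d) * w for w, d in enumerate(reversed(digits), start=1)) % 10


def is_valid_cas(rn: str) -> bool:
    """True if rn has the NNN...-NN-N shape and its check digit is consistent."""
    m = CAS_RE.match(rn.strip())
    return bool(m) and cas_check_digit(m[1] + m[2]) == int(m[3])


# Constructed material master: the plant's own record of what each material is.
MATERIAL_MASTER = {
    "MAT-0045": {"name": "Sodium hydroxide", "cas": "1310-73-2", "min_assay_pct": 98.0},
    "MAT-0102": {"name": "Water, deionised", "cas": "7732-18-5", "min_assay_pct": 0.0},
}


def validate_master(master=MATERIAL_MASTER):
    """Return material ids whose stored CAS RN fails the check digit."""
    return [mid for mid, spec in master.items() if not is_valid_cas(spec["cas"])]


def reconcile_coa(material_id, coa, master=MATERIAL_MASTER):
    """Compare a delivery's certificate of analysis with the material master.
    Returns a list of discrepancies; an empty list means the delivery may be
    released. coa is a dict with 'cas', 'name' and 'assay_pct' as read from
    the supplier's certificate, not from any API."""
    spec = master[material_id]
    issues = []
    if not is_valid_cas(coa["cas"]):
        issues.append(f"CoA CAS RN {coa['cas']} fails check-digit validation "
                      "(likely transcription error, re-key from the certificate)")
    elif coa["cas"] != spec["cas"]:
        # Checksum passes, so this is a different real substance, not a typo.
        issues.append(f"CoA CAS RN {coa['cas']} is valid but is not {spec['cas']} "
                      f"({spec['name']}): wrong substance")
    if coa["name"].strip().lower() != spec["name"].lower():
        issues.append(f"CoA substance name '{coa['name']}' does not match master "
                      f"name '{spec['name']}'")
    if coa["assay_pct"] < spec["min_assay_pct"]:
        issues.append(f"assay {coa['assay_pct']}% below specification "
                      f"{spec['min_assay_pct']}%")
    return issues


if __name__ == "__main__":
    # Three constructed deliveries: correct, transposed digits, substituted substance.
    for coa in [{"cas": "1310-73-2", "name": "Sodium hydroxide", "assay_pct": 99.1},
                {"cas": "1301-73-2", "name": "Sodium hydroxide", "assay_pct": 99.1},
                {"cas": "1310-58-3", "name": "Potassium hydroxide", "assay_pct": 99.1}]:
        print(coa["cas"], reconcile_coa("MAT-0045", coa) or "release")
```

The second delivery fails on the checksum alone; the third passes the checksum and is caught only because the plant keeps its own record of what MAT-0045 is. That master record, not the data service, is the anchor for high-consequence materials.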

Art.21(2)(d) Implementation — Penalty Exposure, Audit Evidence, and the Documentation Gap

Art.34(5) sets the penalty ceiling for Important Entities at €7 million or 1.4% of global annual turnover, whichever is higher [4]. For a major European chemicals group, 1.4% of global revenue is the operative ceiling by a substantial margin. The “whichever is higher” structure was designed to ensure penalties remain proportionate to the scale of the entity — and at major chemicals company scale, the percentage threshold governs.

Art.33’s reactive supervision model for Important Entities means that competent authorities act after a significant incident is notified rather than proactively auditing all entities. This creates a specific enforcement pathway that compliance officers in the chemicals sector need to plan around: when a compromised DCS vendor remote session results in an Art.23 incident notification, the first request from the competent authority is for the Art.21(2)(d) supply chain documentation. Gaps in that documentation — no contractual audit rights over the DCS vendor, no vendor session logs, no completed supplier self-assessment questionnaires for your tier-3 ERP API suppliers — are the enforcement leverage points. The DLA Piper supply chain analysis confirms that ICT vendors with privileged network access must receive contractual flow-downs including security requirements, incident reporting clauses, and audit rights [6].

Documentation required for Art.21(2)(d) compliance in the chemicals sector:

Documentation element | Owner | NIS2 basis
Supplier classification register (all direct suppliers and service providers, access type, criticality tier, assessment status) | Compliance Officer / Procurement | Art.21(2)(d) + Art.21(3) [2]
Contractual security clauses covering incident notification, audit rights, access controls, and sub-contractor restrictions | Legal / Procurement | Art.21(2)(d), required for all direct suppliers [6]
DCS vendor session logs (who accessed, when, which systems, what was changed) | OT Security / CISO | Art.21(2)(d) + Art.21(2)(i)
Supplier self-assessment questionnaires for all Tier 1 critical suppliers, including DCS vendors and ERP API providers | CISO / Compliance Officer | Art.21(2)(d), assess cybersecurity practices of direct suppliers
Incorporation of Art.22 coordinated assessment results where applicable | Compliance Officer | Art.21(3), reference to Art.22(1) results [2][3]

The chemicals manufacturing NIS2 compliance guide covers the full Art.21 scope before addressing sector-specific supply chain vectors, providing the broader programme context for the documentation set above.

Article 22 Coordinated Assessments — What They Mean and What They Do Not Replace

Article 22 of NIS2 allows the Cooperation Group, working with the Commission and ENISA, to “carry out coordinated security risk assessments of specific critical ICT services, ICT systems or ICT products supply chains” [3]. This provision introduces the possibility of EU-level coordinated assessments covering industrial supply chains — including, potentially, DCS vendor supply chains serving critical EU process industries.

Two points matter for chemicals entities planning Art.21(2)(d) compliance now.

First, the operative word in Art.22(1) is “may” — coordinated assessments are discretionary, not guaranteed. No Art.22 assessment has been designated for chemicals sector DCS supply chains as of mid-2026. Waiting for an Art.22 finding before commencing your own Art.21(2)(d) assessment is not a defensible compliance position: the entity-level obligation exists independently of whether the Commission has triggered an Art.22 process for your supply chain.

Second, where an Art.22 coordinated assessment is published for a relevant ICT supply chain, entities must incorporate its results into their own Art.21(2)(d) programme per Art.21(3) [2]. The Art.22 assessment supplements the entity-level obligation — it does not replace it. Practical implication: proceed with your own supplier classification, contractual security review, and vendor session control implementation now, and incorporate Art.22 findings if and when they are published for DCS or process simulation supply chains.

Frequently Asked Questions

Is the chemicals sector in Annex I or Annex II of NIS2?

Chemicals (manufacture, production, and distribution, defined by reference to REACH and corresponding broadly to NACE Rev. 2 Division 20) is an Annex II sector. Chemical companies meeting the medium-sized enterprise threshold (50 or more employees, or turnover and balance sheet total above €10 million) qualify as Important Entities. Annex I sectors (energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, business-to-business ICT service management, public administration, and space) are supervised as Essential Entities under Art.32, which allows both ex ante and ex post supervision including regular audits, rather than the reactive Art.33 model that applies to chemicals [5].

Does Art.21(2)(d) apply to every supplier, or only those with network access?

Art.21(2)(d) applies to all direct suppliers and service providers. However, the proportionality principle in Art.21(1) — “appropriate and proportionate” measures — means that assessment resources should be prioritised by risk. Suppliers with network or API access to critical systems (DCS vendors, ERP API providers, process simulation platform vendors) represent higher-risk relationships requiring more rigorous documentation and contractual controls than suppliers of consumable materials with no digital access to your systems [1].

Are DCS vendors (Emerson, Honeywell, ABB) required to comply with NIS2 themselves?

DCS vendors providing maintenance services to NIS2-covered entities are not bound by your Art.21(2)(d) measures as such; they are bound by whatever your contract with them requires. Whether a vendor is an in-scope entity in its own right is a separate question: a company that remotely operates or maintains network and information systems for its customers may meet the Art.6(39) definition of a managed service provider, which is an Annex I sector, and equipment manufacturers may fall under the Annex II manufacturing entries. That is for the vendor and its competent authority to determine, and it does not change your obligation, which is to assess and contractually control the vendor's access to your systems rather than to audit its internal compliance programme. The contractual security clause requiring audit rights is how you obtain the visibility Art.21(2)(d) demands [6].

What is IEC 62443-2-4 and how does it relate to Art.21(2)(d) for DCS vendors?

IEC 62443-2-4 specifies security programme requirements for service providers of industrial automation and control systems, including the remote access, security procedure, and incident handling capabilities that apply to vendors like Emerson, Honeywell, and ABB when servicing your DCS. NIS2 itself does not designate any standard, but IEC 62443-2-4 is the most directly applicable one for DCS maintenance vendor relationships in process industries, and referencing it in your vendor security clauses gives you a defensible, internationally recognised benchmark against which to audit the vendor's practices [5].

Key Takeaways

Chemical entities classified as Important Entities under NIS2 face four Art.21(2)(d) supply chain vectors that standard compliance frameworks were not built to handle. DCS vendor remote access — from Emerson, Honeywell, and ABB — carries the highest consequence risk because it involves direct write access to physical process control networks, persistent shared vendor credentials, and maintenance contracts that predate any NIS2 security obligation. Tier-3 raw material supplier ERP API integrations, process simulation software vendor dependencies, and CAS-based chemical data service relationships complete the chemicals sector supply chain risk picture and each requires proportionate controls and contractual documentation.

The Art.33 reactive supervision model means that documentation quality is tested at the worst possible moment — after an incident occurs. Building the supplier classification register, contractual security clauses, and DCS session control evidence now, before that moment arrives, is the only defensible compliance posture under Art.21(2)(d).

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

Sources

  1. Article 21 — Cybersecurity Risk-Management Measures — NIS-2-Directive.com (Tier 1: primary directive text)
  2. Article 21(3) — Supplier Assessment Obligations — NIS2Resources.eu (Tier 1: primary directive text)
  3. Article 22 — Union Level Coordinated Security Risk Assessments — NIS-2-Directive.com (Tier 1: primary directive text)
  4. Article 34 — Administrative Fines for Important Entities — NIS-2-Directive.com (Tier 1: primary directive text)
  5. NIS2 Scope: Chemicals Sector — NIS2Directive.eu (Tier 2: sector compliance analysis)
  6. NIS2 Directive Explained Part 3: Supply Chain Security — DLA Piper (Tier 2: law firm analysis)
  7. Privileged Access Management in OT Environments — ShieldWorkz (Tier 3: OT security specialist)
  8. CISA Flags Critical ICS Vulnerabilities in ABB, Emerson, and Honeywell Equipment — Industrial Cyber (Tier 2: CISA advisory reporting)