NIS2 supply chain security for water utilities — Article 21(2)(d) compliance concept

Why Your Chlorine Dosing Supplier Is Your Biggest NIS2 Risk — Article 21(2)(d) Requirements for Water Utilities

In February 2021, an operator at a water treatment plant in Oldsmar, Florida, watched as the cursor on his screen began moving on its own. An attacker — who had gained access via an unsecured TeamViewer installation on an operator workstation — raised the sodium hydroxide (lye) concentration in the town’s water supply from 100 parts per million to 11,100 ppm: a 111-fold increase that, had it reached consumers, could have caused severe chemical burns. The operator reversed the change manually before any harm occurred. But the attack exposed something that now sits squarely in Article 21(2)(d) of the NIS2 Directive (EU) 2022/2555: the vendor with remote access to your dosing system is, by definition, the most dangerous entity in your supply chain.

For EU water utilities subject to NIS2 as essential entities under Annex I, Article 21(2)(d) is a specific legal obligation to address “security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.” In a water utility, three supplier categories define that obligation: the chemical dosing automation vendor, the SCADA remote monitoring SaaS platform, and the remote access system integrator. Each carries a different risk profile, a different classification question under NIS2, and a different set of contractual requirements.

This guide sets out what Article 21(2)(d) requires for each — and what happens when a supplier incident triggers an Article 23 notification obligation.

Who Must Comply: Water Utilities Under NIS2 Annex I

The NIS2 Directive lists the water sector under two entries in Annex I (“Sectors of High Criticality”):


| Annex I Sector | Entity Types Covered |
|---|---|
| Sector 6 — Drinking water | Suppliers and distributors of water intended for human consumption within scope of Directive 2020/2184 |
| Sector 7 — Wastewater | Undertakings collecting, conveying or treating urban wastewater, domestic wastewater or industrial wastewater |

Annex I operators become essential entities when they exceed the medium-enterprise thresholds in Article 3: 250 or more employees, or annual turnover above €50 million. Under Article 3(1)(e), member states may designate smaller operators — including sole-provider local utilities — as essential regardless of size where the operator is the only drinking water supplier for a municipality. Important entity classification applies to medium-sized operators (50–249 employees, €10M–€50M turnover). The Article 21(2)(d) supply chain obligation applies to both classifications; the difference is supervisory approach.

| Scenario | NIS2 Classification | Art.21(2)(d) Applies? |
|---|---|---|
| Water/wastewater utility, 250+ employees or €50M+ turnover | Essential entity | Yes — proactive supervision |
| Water/wastewater utility, 50–249 employees or €10M–€50M turnover | Important entity | Yes — reactive supervision |
| Water utility, sole provider for municipality | Essential (member state designation) | Yes |
| Chemical dosing vendor, SCADA SaaS, 50+ employees | Potentially Annex I MSP — see below | As regulated entity in own right |
| Micro-enterprise sub-contractor | Generally out of scope | Via flow-down clauses only |

Penalty exposure for Art.21 and Art.23 non-compliance (Article 34):

| Entity Type | Maximum Fine | Enforcement Body |
|---|---|---|
| Essential entity | €10,000,000 or 2% of global annual turnover (whichever is higher) | National competent authority or competent court |
| Important entity | €7,000,000 or 1.4% of global annual turnover (whichever is higher) | National competent authority or competent court |

All essential and important entities must implement Article 21’s ten security measures. The supply chain obligation in Article 21(2)(d) is one of ten mandatory requirements — alongside risk analysis, incident handling, business continuity, access control, MFA, and others. Compliance with the others does not substitute for a documented, risk-based approach to direct supplier security.

Chemical Dosing Vendors — Your Highest-Consequence Art.21(2)(d) Supplier

No other vendor in a water utility’s supply chain carries the same physical harm potential as the chemical dosing automation supplier. This entity maintains remote access to the PLC and SCADA interface controlling chlorine disinfection, fluoridation, and pH adjustment via sodium hydroxide or lime slurry. A compromised setpoint is not a data breach — it is a water quality event with public health consequences.

The mechanism is direct. Modern water treatment plants automate chemical dosing through a closed-loop feedback system: sensors measure residual chlorine, fluoride concentration, or pH at multiple points in the treatment train and adjust dosing pump outputs in near-real time. The automation vendor — who supplies the control software, firmware updates, and remote diagnostic capability — holds credentials that can modify those setpoints. Under Article 21(2)(d), utilities must consider “the vulnerabilities specific to each direct supplier.” For a chemical dosing vendor, that vulnerability is network access to a physical process with direct public health consequences.

Documented incidents make this concrete. In the Oldsmar attack, the attacker accessed the plant via TeamViewer remote access software left accessible on an internet-facing workstation and raised sodium hydroxide from 100 ppm to 11,100 ppm — a change that could have caused chemical burns to consumers. In 2020, threat actors reportedly targeting Israeli water facilities attempted to manipulate chlorine concentration levels at multiple treatment sites, according to Israeli authorities and security researchers. More recently, researchers identified malware specifically designed to tamper with chemical dosing parameters in water treatment OT systems by modifying local configuration files. These incidents share a common vector: vendor-style remote access capability, whether exploited by external attackers or left unsecured as a standing attack surface.

What Article 21(2)(d) requires for this vendor tier:

The supply chain security obligation reads across to several other Article 21 measures that apply specifically to how vendor access is configured:

  • Article 21(2)(i) (access control and asset management): the chemical dosing vendor’s remote access must be scoped and controlled, with credentials specific to the utility environment — not shared across the vendor’s engineering team via a shared VPN account.
  • Article 21(2)(j) (MFA and secured communications): multi-factor authentication must apply to all remote vendor sessions connecting to OT networks. This is not optional where the access point is a safety-relevant system.
  • Article 21(2)(a) (risk analysis): the chemical dosing vendor connection must appear as a high-consequence risk node in your information security policy, with its own treatment measures documented.

In practice, no chemical dosing vendor should be connecting to your OT environment via shared TeamViewer credentials on an internet-facing workstation. Dedicated, time-scoped remote access sessions — with MFA, session logging retained by the utility, and a utility-side approval step before any session begins — are the minimum standard Article 21(2)(d) demands for this tier. Setpoint changes made during vendor sessions should trigger a mandatory notification to the utility’s operations team, before and after the change.
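The setpoint-change alerting described above can be implemented as a review over the SCADA change-audit trail. The following is an added example, not code from the original article or from any vendor: it checks each vendor-originated setpoint change against a utility-side approval record for a time-scoped session, an engineering plausibility band per tag, and a maximum single-step change, so that a change like the Oldsmar 100 ppm to 11,100 ppm jump, or any change outside an approved session, is flagged. Vendor names, tag names, bands and log lines are constructed for illustration.

```python
"""Flag vendor setpoint changes that lack a utility-approved session or look implausible.

Added example. Vendor names, tags, plausibility bands and audit lines below are
constructed for illustration and are not taken from any real plant or vendor.
"""
from datetime import datetime

# Utility-side approval records for vendor remote sessions (constructed).
APPROVED_SESSIONS = [
    {"vendor": "DoseCo", "start": "2024-03-12T13:00:00",
     "end": "2024-03-12T15:00:00", "approved_by": "ops-shift-lead"},
]

# Plausible operating band per setpoint tag, as a plant engineer would define it;
# a value outside the band is a water-quality risk, not a routine tuning change.
PLAUSIBLE_RANGE = {
    "NaOH_PPM_SP": (50.0, 200.0),
    "CL2_RESIDUAL_SP": (0.2, 4.0),
    "PH_SP": (6.5, 8.5),
}
MAX_STEP_FRACTION = 0.5  # flag any single change larger than 50% of the old value

# Constructed audit lines: "<iso-ts> vendor=<v> user=<u> tag=<t> old=<x> new=<y>"
SAMPLE_LOG = [
    "2024-03-12T13:20:00 vendor=DoseCo user=eng7 tag=NaOH_PPM_SP old=100 new=110",
    "2024-03-12T13:40:00 vendor=DoseCo user=eng7 tag=CL2_RESIDUAL_SP old=1.2 new=0.1",
    "2024-03-12T14:00:00 vendor=ScadaCo user=svc tag=PH_SP old=7.2 new=7.4",
    "2024-03-12T16:05:00 vendor=DoseCo user=eng7 tag=NaOH_PPM_SP old=110 new=11100",
]

def parse_line(line):
    """Turn one audit line into a dict with a typed timestamp and numeric values."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    rec["old"] = float(rec["old"])
    rec["new"] = float(rec["new"])
    return rec

def in_approved_session(vendor, ts, sessions=APPROVED_SESSIONS):
    """True if the change time falls inside a session the utility approved for that vendor."""
    return any(
        s["vendor"] == vendor
        and datetime.fromisoformat(s["start"]) <= ts <= datetime.fromisoformat(s["end"])
        for s in sessions
    )

def review_change(rec, sessions=APPROVED_SESSIONS):
    """Return the findings for one setpoint change; an empty list means routine."""
    findings = []
    if not in_approved_session(rec["vendor"], rec["ts"], sessions):
        findings.append("no_approved_session")
    lo, hi = PLAUSIBLE_RANGE.get(rec["tag"], (float("-inf"), float("inf")))
    if not lo <= rec["new"] <= hi:
        findings.append("outside_plausible_range")
    if rec["old"] and abs(rec["new"] - rec["old"]) / abs(rec["old"]) > MAX_STEP_FRACTION:
        findings.append("step_change_too_large")
    return findings

def review_log(lines, sessions=APPROVED_SESSIONS):
    """Map (timestamp, tag) to findings for every change that raised at least one."""
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        findings = review_change(rec, sessions)
        if findings:
            alerts[(rec["ts"].isoformat(), rec["tag"])] = findings
    return alerts
```

Running `review_log(SAMPLE_LOG)` leaves the in-session 100 to 110 ppm tuning change silent and raises the other three, including the 11,100 ppm write made after the approved session ended; the alert output is what the operations-team notification described above would carry.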

SCADA Remote Monitoring SaaS — When Your Vendor Has NIS2 Obligations Too

SCADA remote monitoring platforms — cloud-based SaaS tools that aggregate telemetry from sensors, PLCs, and RTUs across a water treatment and distribution network — sit in an unusual position under NIS2. Depending on how the service is delivered, the vendor may itself be a regulated entity under Annex I of the Directive as a managed service provider, carrying its own Article 21 obligations.

The active administration test. Article 6(39) of the Directive defines a managed service provider as “an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers’ premises or remotely.”

The critical phrase is “active administration.” Guidance from Finland’s national competent authority (NCSC-FI) — one of the first EU NCAs to publish classification guidance for MSPs — describes active administration as the outsourcing of operations to the service provider. Development and provision of applications that the customer entity operates itself, without outsourced operational involvement, falls outside this definition.

For SCADA remote monitoring SaaS, this creates a test based on what the vendor actually does, not what their marketing materials say:

| Vendor Capability | NIS2 Classification | What This Means for You |
|---|---|---|
| Provides dashboard only; utility configures setpoints and responds to all alerts | Likely outside MSP scope | Art.21(2)(d) supplier assessment applies; no NIS2 compliance demand on vendor |
| Holds admin credentials, configures alert thresholds, pushes firmware updates remotely | MSP under Art.6(39) — Annex I “ICT service management (B2B)” | Vendor has own NIS2 obligations; contractually require compliance evidence |
| Provides 24/7 monitored response, acknowledges alarms on utility’s behalf | Likely MSSP under Art.6(40) | Higher regulatory obligation on vendor; reference in contract and supplier assessment |

Where a SCADA SaaS vendor qualifies as an MSP or MSSP under Annex I, your Article 21(2)(d) supplier assessment gains a regulatory lever: you can contractually require them to represent their own NIS2 compliance status and notify you if that status changes materially. This shifts part of the security assurance burden from questionnaire-based assessment to regulatory obligation.

Where the vendor falls outside the MSP definition — because they provide only a self-operated dashboard — Article 21(2)(d) still requires you to assess and manage their security posture as a direct supplier through questionnaires, audit rights, and security certifications. The lever changes; the obligation does not.

One practical complexity: SCADA SaaS vendors in the water sector are frequently smaller, specialised companies. Classification ambiguity is common — some vendors fall at the boundary between active administration and passive monitoring depending on which service tier the utility purchases. Where classification is unclear, engage the vendor directly and, if needed, seek written guidance from your national competent authority before finalising your supplier assessment approach.

Remote Access System Integrators — The Third Risk Category

Between the chemical dosing vendor (physical-consequence risk) and the SCADA SaaS platform (potential regulatory peer) sits the third supply chain risk category: remote access system integrators. These are engineering contractors — OT equipment manufacturers’ certified service partners and independent specialists — who maintain PLCs, RTUs, and SCADA control systems under multi-year service agreements.

System integrators typically access water utility OT environments via VPN using standing credentials, often shared across the integrator’s field engineering team and covering entire site networks rather than individual systems. The American Water Works incident in October 2024 illustrates the cascading exposure: ransomware deployed on the company’s IT network forced a precautionary isolation of OT systems, not because OT was directly compromised, but because flat network connectivity between IT and OT made isolation the only safe response when a lateral movement threat was present.

For remote access system integrators, Article 21(2)(d) requirements include:

  • Scoped access: remote sessions limited to specific systems and tasks, not site-wide VPN tunnels
  • Time-bounded sessions: no standing VPN credentials; each session authorised per-visit and credentials revoked on completion
  • Session logging: all remote integrator activity logged and retained, with the utility retaining independent access to those logs — not relying on the integrator’s own logs
  • Sub-contractor transparency: where integrators sub-contract maintenance work, sub-contractors must be disclosed and subject to equivalent access controls under your supply chain policy

A Three-Tier Supplier Register for Water Utilities

Article 21(2)(d) requires structured documentation of supply chain risks, taking into account “the vulnerabilities specific to each direct supplier.” A supplier register that treats a chemical dosing automation vendor the same as a stationery supplier will not satisfy that requirement under supervision.

A practical framework for supplier criticality classification in the water sector groups direct suppliers into three tiers based on the consequence of a security failure:

| Tier | Vendor Examples | Failure Consequence | Minimum Required Scrutiny |
|---|---|---|---|
| Tier 1 — Physical consequence | Chemical dosing automation vendors (chlorine, fluoride, pH control) | Water quality event / public health emergency | Network isolation, MFA mandatory, setpoint-change alerting, annual audit right, 4-hour breach notification clause |
| Tier 2 — Operational consequence | SCADA remote monitoring SaaS, remote access system integrators, SCADA historians | Service disruption, data exfiltration, cascading OT failure | Dedicated jump host, scoped sessions, penetration test results sharing, NIS2 compliance representation (if Annex I MSP) |
| Tier 3 — Informational consequence | GIS/mapping vendors, engineering software suppliers, HR/payroll SaaS | Data breach, non-critical service interruption | ISMS questionnaire (ISO 27001 or equivalent), annual review, incident notification clause |

The tier assignment for each supplier should be documented with the rationale in your supplier directory. Auditors expect to see that the classification reflects actual risk — specifically, what harm a compromise of that supplier’s access or services could cause to your essential service.

A note on Article 22. Article 21(3) requires utilities to take into account “the results of the coordinated security risk assessments of critical supply chains carried out in accordance with Article 22(1).” Article 22 authorises the Cooperation Group, working with the Commission and ENISA, to carry out such assessments — but uses discretionary language (“may carry out,” not “shall”). Where Article 22 assessments exist for products or services in your supply chain, you must consider their findings. Where they do not exist, the absence of an Article 22 assessment does not defer your own Article 21(2)(d) assessment. There is no waiting period.

Contractual Security Requirements and Audit Rights Under Art.21(2)(d)

Article 21(2)(d) is not self-implementing through internal controls alone. The obligation covers “security-related aspects concerning the relationships between each entity and its direct suppliers” — the security requirements must be embedded in the contractual relationship itself.

Minimum clauses for all direct suppliers (all tiers):

  • Reference to an applicable security standard (ISO 27001:2022, CIR 2024/2690, or national equivalent)
  • Incident notification timeline (suppliers must notify the utility within a contractually defined window — see the Article 23 section below for why this matters)
  • Right to audit: the utility may audit supplier security posture on reasonable notice, and the right extends to sub-contractors where relevant
  • Sub-contractor conditions: no sub-contracting of access to utility OT or critical systems without prior written approval and application of equivalent security terms
  • Termination for security failure: clear grounds for immediate termination if the supplier fails a security assessment or causes or contributes to a significant incident

Tier 1 additions (chemical dosing vendors):

  • Remote access protocol: sessions must use dedicated, time-scoped connections (no standing VPN); MFA is mandatory for all remote connections to utility OT systems
  • Setpoint change notification: vendor must notify the utility’s operations team before modifying any control parameter and provide a post-change report within one hour of completion
  • Credential management: all remote access credentials specific to the utility environment must be maintained separately from the vendor’s general credential pool, with individual accountability for each engineer
  • Physical security: vendor facilities where utility-specific access credentials or system configurations are stored are subject to documented physical security requirements

Tier 2 additions (SCADA SaaS, system integrators):

  • NIS2 compliance representation (where vendor qualifies as Annex I MSP): contractual obligation to represent current NIS2 compliance status and notify the utility within 30 days of any material change
  • Penetration testing: annual penetration test results to be shared with the utility within 30 days of completion, covering systems and interfaces used to access utility environments
  • Dedicated jump host: remote access via utility-managed jump host or equivalent isolation mechanism; no direct VPN access to OT network segments
  • Sub-contractor audit trail: list of sub-contractors with access to utility OT systems to be provided quarterly and updated within five working days of any change

When a Supplier Incident Triggers Art.23 Notification

Article 21(2)(d) and Article 23 are connected by practical reality: when a direct supplier’s systems are compromised and that compromise affects — or could affect — your essential service, your Article 23 notification clock starts running.

Under Article 23, essential entities must submit an early warning to their CSIRT or national competent authority within 24 hours of “becoming aware of a significant incident.” The incident does not need to have caused confirmed harm — the awareness trigger fires the moment the utility has reason to believe a significant disruption to its service provision is likely.

Why contractual notification timelines matter for Article 23 compliance. If a chemical dosing vendor is breached at 09:00 but does not notify the utility until 14:00, the utility’s 24-hour Article 23 window opens at 14:00. A supplier contractually required to notify within four hours of confirming a breach affecting utility systems gives the utility a workable window to assess impact, determine significance, and submit the early warning with adequate information for the competent authority. A supplier with no notification deadline gives the utility no such protection.

When does a supply chain incident become “significant”? Article 23(3) of the Directive sets out significance criteria based on actual or likely significant disruption to the provision of services. For water utilities, a chemical dosing vendor breach that affected or could plausibly have affected dosing control will meet the significance threshold in almost all scenarios — the essential service at risk is public health. A SCADA SaaS platform breach granting read-only telemetry access with no control plane exposure may not meet it, depending on the data exposed and the realistic attack paths that data enables. This is a fact-specific determination for each incident.

One principle applies in all scenarios: the awareness timestamp is when you became aware that a significant incident was likely, not when the root cause investigation concludes. Internal escalation chains and supplier notification clauses must both be calibrated to that trigger.

Frequently Asked Questions

Who counts as a “direct supplier” under Article 21(2)(d)?

A direct supplier is an entity with whom your organisation has a direct contractual relationship and who supplies products, services, or access relevant to your essential service. Sub-suppliers to whom you have no direct contract are not direct suppliers, but Article 21(2)(d) requires you to consider indirect supply chain risks in your broader risk analysis. Flow-down clauses — requiring direct suppliers to impose equivalent security obligations on their sub-contractors — are the standard mechanism for managing that exposure contractually.

Does Article 21(2)(d) cover cloud providers hosting SCADA data?

Where a cloud provider stores or processes data from your SCADA environment under a direct contract, they are a direct supplier subject to Article 21(2)(d) assessment. If the cloud provider qualifies as an Annex I entity (cloud computing service providers are listed under Annex I sector 8), they carry their own NIS2 compliance obligations. In that case, your supplier assessment can reference their regulated status alongside standard security questionnaire processes.

What if a chemical dosing vendor refuses audit rights?

Refusal to accept audit rights is a material risk indicator that should be escalated to your management body under Article 20. The options are: negotiate alternative assurance mechanisms (independent security certification, penetration test reports, evidence of ISO 27001 certification); implement additional compensating controls (enhanced monitoring of the vendor connection, setpoint-change alerting, network isolation of the vendor access path); or treat the refusal as an elevated residual risk requiring board-level risk acceptance documentation. Where no assurance path exists and the vendor connection cannot be adequately isolated, the residual risk may be unmanageable under the proportionality standard of Article 21.

Does an Article 22 coordinated assessment replace our own Article 21(2)(d) assessment?

No. Article 22 coordinated assessments are carried out at EU level by the Cooperation Group and are discretionary — the Directive states the Group “may” conduct them, not that it “shall.” Article 21(3) requires utilities to take those results into account where they exist, as a supplement to their own assessment. Where no Article 22 assessment has been published covering your supply chain components, you proceed with your own Article 21(2)(d) assessment. There is no provision in the Directive that defers the supply chain obligation pending an Article 22 assessment.

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

Sources

  1. NIS 2 Directive Article 21: Cybersecurity risk-management measures — nis-2-directive.com (primary text)
  2. NIS 2 Directive Article 6: Definitions — nis-2-directive.com (primary text)
  3. NIS 2 Directive Article 22: Union-level coordinated security risk assessments — nis-2-directive.com (primary text)
  4. NIS 2 Directive Article 3: Essential and important entities — nis-2-directive.com (primary text)
  5. Recommendations Following the Oldsmar Water Treatment Facility Cyber Attack — Dragos
  6. SASE for Water Utilities: NIS2 SCADA Security 2026 — Jimber
  7. Navigating NIS 2: a guide to applicability for managed service providers — Kemp IT Law
  8. Digital infrastructure, digital services and ICT services — NCSC-FI / Traficom (Finland National Competent Authority)
  9. NIS 2 Directive Article 34: Administrative fines for essential and important entities — nis-2-directive.com (primary text)