
When digital security meets chemicals law

Following the national implementation of the NIS‑2 Directive in Germany’s NIS‑2 Implementation Act (NIS2UmsuCG) and especially the resulting amendments to the BSIG, many manufacturers and importers subject to REACH registration will in future be classified as “important entities.” Consequently, they will have to introduce enhanced IT‑security measures and comply with specific obligations. By Margarethe von Bockum, UMCO.

Cyber security and REACH. Source: Michael Traitov - stock.adobe.com

With the adoption of the NIS2 Directive in 2023, the European Union created a new framework to strengthen IT security and to increase the resilience of critical and important entities against cyber attacks across Europe. Since EU directives do not apply directly in the member states, they have to be transposed into national law. Germany has now implemented these requirements, albeit with some delay, through the NIS2UmsuCG [1], adding its own specific nuances, particularly within the restructured BSIG. The resulting obligations also affect many companies that are subject to REACH registration, and not all of them are likely to be aware of this yet. The legal changes came into force on 6 December 2025, without any transitional period being granted.

The interface of IT security and chemicals law

The connection between IT security and the chemicals law requirements of REACH is not immediately obvious. Nevertheless, the new legal situation means that certain companies subject to REACH registration now face substantial cyber-security obligations as well.

Under the revised Section 28(2) No. 3 in conjunction with Annex 2, Sector 3.1.1 of the BSIG [2], manufacturers and importers subject to REACH are generally classified as “important entities.” The condition for meeting this classification is that either they have at least 50 employees or they have both annual sales and an annual balance sheet total of more than 10 million euros each. The use of the word “or” makes it clear that meeting just one of these two criteria is enough to be classified as an “important entity.”

National implementation and impact

In a departure from the European directive, the German legislator has opted to link the cyber-security requirements directly to existing REACH-registration obligations for manufacturers and importers. This approach avoids the creation of additional legal criteria that would in turn require their own definitions. It establishes a clear distinction between affected and exempt entities based on criteria that companies are already familiar with, and self-assessment is now much easier for those affected. At the same time, however, it shifts the scope of application for some market participants relative to the EU requirements and potentially those of other member states. For example, in a deviation from the EU rules, distributors as defined under REACH are not included under German law, even though they might be considered affected entities in other European member states. These country-specific discrepancies mean that requirements across the EU are not fully harmonised.

Of particular importance is the fact that obligations arising under chemicals law are now directly linked to requirements from a completely different legal field. This link may not be readily apparent to many companies, especially smaller ones, yet it has far-reaching consequences.

Between financial burden and added value

A decision to register a substance is not made lightly by companies, a key factor being the financial burden that registration entails. The administrative outlay and the substantial costs incurred, which range from the preparation of registration dossiers and data access rights to ECHA fees, often lead companies to forgo registration in favour of alternative solutions. The new BSIG requirements impose further obligations on affected companies, impacting entirely different organisational, personnel and financial areas that are often even more challenging to manage. Conversely, these measures also protect companies that may not previously have implemented adequate cyber-security measures. The financial damage caused by cyber attacks has increased substantially year over year; in Germany alone, it was estimated at over EUR 200 billion for 2024 – an increase of around 20% over the previous year [3].

Companies would therefore be well advised to comply with these legal requirements, both to protect themselves and to avoid legal sanctions, which are substantial: for “important entities”, violations can incur fines of up to EUR 7 million or up to 1.4% of total global annual turnover. These penalties are considerably higher than those imposed under German chemicals law.

Pressure to act due to lack of transition period

Since cyber crime is projected to continue its upward trend and cause disproportionately high levels of damage and since valuable time has been lost due to the delayed national implementation, companies have not been granted a transition period to comply with the new legal obligations.

It is therefore to be hoped that all affected companies have already addressed the new legal situation and implemented effective and efficient measures. For companies encountering these requirements for the first time, the recommended first step is to use the non-binding and free “affectedness check” provided by the BSI on its website [4].

References

[1] Act on the Implementation of the NIS-2 Directive and for the Regulation of Essential Features of Information Security Management in the Federal Administration, https://www.gesetze-im-internet.de/bsig_2025/

[2] Act on the Federal Office for Information Security and on the Information Technology Security of Entities, https://www.recht.bund.de/bgbl/1/2025/301/VO.html

[3] Statista: Statistics on cyber criminality. Available at: https://de.statista.com/statistik/kategorien/kategorie/21/themen/896/branche/cyberkriminalitaet/#overview

[4] Federal Office for Information Security (BSI) (n.d.): NIS-2 Affectedness Check. Available at: https://www.bsi.bund.de/DE/Themen/Regulierte-Wirtschaft/NIS-2-regulierte-Unternehmen/NIS-2-Betroffenheitspruefung/nis-2-betroffenheitspruefung_node.html