CyberSec Update #19 – REACH and NIS2

In this edition of CyberSec Update, we explain how the production and distribution of chemicals are subject to obligations under the Polish National Cybersecurity System Act (UKSC) and how these obligations are linked to the REACH Regulation.

UKSC and the chemical sector – who is covered?

Under the UKSC, the following undertakings are classified as important entities:

• entities engaged in the production of substances and the distribution of substances or mixtures within the meaning of the REACH Regulation;
• entities engaged in the manufacture of articles from substances or mixtures, as referred to in Article 3(3) of the REACH Regulation.

What is REACH and why does it matter?

REACH is an EU regulation that has been in force for almost 10 years and governs the placing of chemicals on the EU market. Entities covered by REACH are required, among other things, to register chemical substances placed on the market, assess the risks associated with their use and provide information on safe use throughout the supply chain.

NIS2 also applies to “non-chemical” companies

The key point is that even if an organisation manufactures products that appear to be unrelated to chemicals, in practice it may still be subject to obligations arising from NIS2.

This follows from the definition of an “article” under REACH. An article is an object which during production is given a specific shape, surface or design determining its function to a greater degree than its chemical composition.

As a result, articles may include products that are not intuitively associated with the chemical sector, such as paints, jewellery, cosmetics or plastic packaging.

Why does the legislator place such strong emphasis on this sector?

The explanatory memorandum to the draft amendment of the UKSC points to significant risks, in particular the disruption of supply chains, especially where a given substance is not easily available and sourcing substitutes may take considerable time.

Incidents involving chemicals may also lead to environmental contamination and pose risks to human health and life. Moreover, breaches of the confidentiality of information systems controlling chemical production may result from intelligence activities and negatively affect the functioning of the state as a whole.

Production or distribution – an alternative interpretation

Importantly, the legislator clarifies that the phrase “production and distribution” should be interpreted alternatively. This means that the regulations apply both to entities that produce and distribute, as well as to those that only produce or only distribute substances, mixtures and articles made from chemical substances. The aim is to cover the entire supply chain in the chemical sector.

Mini checklist

• Do you produce substances or distribute substances or mixtures within the meaning of REACH?
• Do you sell mixtures such as paints, varnishes or cosmetics?
• Do you manufacture products that may qualify as articles under REACH, for example plastic packaging, furnishing elements or textiles?