Skip to content
BriefingsRSS · DSI
The Search Query That Returns Two Catastrophes
Regulatory RiskMay 13, 202611 min read

The Search Query That Returns Two Catastrophes

You type NIS2 into your regulatory database. It returns two results: the EU cybersecurity directive that just took effect in Sweden, and nickel disulfide — a Group 1 human carcinogen. If you work in Swedish chemical manufacturing, both are now your problem simultaneously, governed by three different regulators with no coordination between them. This is the governance gap where the incident happens.

~17 min

A Database Error That Is Not an Error

Imagine you are a compliance officer at a mid-sized Swedish chemical manufacturer. It is a Tuesday morning. You type four characters into your regulatory database.

NIS2.

You expect what everyone in your industry expects right now — the EU’s Network and Information Security Directive. The regulation that took effect in Sweden on January 15th, 2026. The one your CEO has been losing sleep over. The one that arrives with personal liability for executives, fines of up to €10 million, and a 24-hour incident reporting window so tight it assumes your security team never sleeps.

Instead, the database returns something else entirely.

NiS₂. Nickel disulfide. A black, odourless powder with a theoretical density of 5.8 grams per cubic centimetre. A Group 1 confirmed human carcinogen according to the International Agency for Research on Cancer. A compound whose safety data sheet does not recommend a paper mask. It mandates a full-face P100 respirator just to be in the same room as the ambient dust it generates.

Same four characters. Two completely different existential threats. And if you work in a Swedish chemical manufacturing facility in 2026, both of them are now your problem simultaneously — governed by different regulators, assessed by different authorities, and connected by a governance gap that neither framework was designed to close.

This is that story.

The Powder That Rewrites Your DNA

Before the regulatory collision can be understood, the compound needs to be understood — because NiS₂ is not a generic industrial chemical with a standard hazard profile. Its specific mechanisms of harm are what make the governance gap genuinely dangerous rather than merely administratively inconvenient.

Nickel is known to be a major carcinogenic heavy metal. Occupational and environmental exposure to nickel has been implicated in human lung and nasal cancers. In vitro and in vivo studies demonstrated that nickel can induce DNA damage through direct DNA binding and reactive oxygen species stimulation. Nickel can also repress the DNA damage repair systems, including direct reversal, nucleotide excision repair, base excision repair, mismatch repair, homologous-recombination repair, and nonhomologous end-joining repair pathways.

Read that last sentence carefully. Nickel does not merely damage DNA. It suppresses the body’s ability to repair the damage it causes. The human cell has multiple redundant repair pathways — evolutionary backup systems developed over millions of years to correct the genetic errors that accumulate in any living organism. Nickel systematically disables those pathways. The damage accumulates without correction. The genetic errors compound. The cancer risk builds over years of exposure that may produce no visible symptoms until the harm is irreversible.

Nickel has been identified as a human carcinogen inducing genome instability via DNA-embedded ribonucleotides and accumulation of topoisomerase I-DNA protein crosslinks — carcinogenic abnormalities with poor detectability by standard mutagenicity tests.

That final clause is the most important one for the risk management argument. The carcinogenic abnormalities that nickel exposure produces are poorly detected by the standard mutagenicity tests that regulatory risk assessment relies upon. The compound passes the tests designed to catch dangerous compounds. The standard detection framework was not built to identify the specific mechanisms through which nickel disrupts DNA replication. A facility whose occupational health assessment concluded that NiS₂ exposure was within acceptable parameters — based on standard testing protocols — may have reached that conclusion using tools that were never capable of detecting the specific harm the compound produces.

This is a chemical that hides its worst effects from the instruments designed to find them. It is, in the most precise sense, an advanced persistent threat to the human body — patient, systemic, and detectable only when the damage has already accumulated beyond the threshold of clinical intervention.

The Law That Arrived at the Same Address

The Swedish Cybersäkerhetslag — the national implementation of the EU’s NIS2 Directive, supplemented by the Cybersäkerhetsförordning SFS 2025:1507 — came into force on January 15, 2026. Its scope is the most important fact about it for this story.

NIS2 widens the scope of the original regulatory framework, requiring organisations across a broader array of sectors. Unlike its predecessor, the NIS2 Directive includes manufacturing sectors. The goal is to protect entities that provide services critical to economic and social activities.

Chemical manufacturing is explicitly within that expanded scope. A Swedish facility processing nickel disulfide as an industrial material — whether as an electrode component for sodium-ion battery manufacturing, as a catalyst in industrial chemistry, or as a refined product from nickel sulfide ore processing — is now a NIS2-regulated entity. Its digital systems are subject to mandatory security requirements. Its leadership is personally liable for compliance failures. And its incident reporting obligations operate on a timeline that was designed for the speed of a cyberattack, not the complexity of a chemical facility.

Swedish critical infrastructure shows a generally low competence level, highlighting a lack of readiness for the directive’s requirements. Larger organisations with roles like CISOs tend to have higher competence levels, yet significant gaps remain in meeting the directive’s demands.

The research on Swedish NIS2 readiness published before the January implementation date confirmed what practitioners already knew: the organisations most likely to struggle with compliance are not the large banks and energy utilities that NIS1 had already prepared. They are the mid-sized manufacturers, chemical processors, and industrial operators that NIS2’s expanded scope has brought into the regulatory perimeter for the first time — organisations that have never had a CISO, that have never mapped their OT architecture against a security framework, and that are now facing a reporting timeline that assumes a level of security infrastructure they have not yet built.

The 24-Hour Window and Why It Is Impossible in a Chemical Plant

The NIS2 incident reporting timeline is the provision that has generated the most anxiety among newly in-scope organisations — and for good reason. The framework is sequential, mandatory, and unforgiving.

Within 24 hours of becoming aware of a significant incident, the organisation must issue an early warning to CERT-SE and the Myndigheten för civilt försvar. Within 72 hours, a detailed incident notification must follow — describing the nature of the breach, its scope, and the initial mitigation steps taken. Within one month, a comprehensive final report must be submitted covering the full analysis, the long-term remediation, and the structural improvements implemented.

For a financial institution or a cloud services provider, this timeline is demanding but theoretically achievable. The organisation’s systems are digital. The breach is digital. The evidence is digital. The security team that detects the breach works in the same domain as the breach itself.

For a chemical manufacturing facility, the timeline collides with a physical reality that the directive’s architects were not primarily designing for.

DSI Advisory

Need intelligence like this on a decision you're facing?

DSI Advisory Services helps boards, business leaders, defence institutions, and security leaders understand threats before they reach the horizon — where cyber, geopolitics, and business risk converge.

Commission a bespoke intelligence productExplore advisory