
23 February 2026
Self-generated power and NIS2 compliance: What you need to know
With Flanders' mandatory solar panel (PV) obligation taking effect on 1 April 2026, many organisations are preparing to install photovoltaic systems on their buildings. But a less anticipated consequence looms: these same installations could bring your organisation within the scope of Belgium's NIS2 cybersecurity law. Here's what you need to know – and what's still unclear.
The Flemish PV obligation: A quick reminder
From 1 April 2026, buildings in Flanders connected to an electricity supply point (EAN) with an annual consumption exceeding 1 GWh must have solar panels installed. For public organisations, the threshold is significantly lower at 250 MWh per year. The obligation falls on owners, long-lease holders, and building rights holders of the relevant buildings.
NIS2 and electricity producers: The catch
Under Belgium's NIS2 law, “producers” as defined in EU Directive 2019/944 – meaning “any natural or legal person who generates electricity” – fall within scope if they qualify as at least a medium-sized enterprise. This includes entities operating solar panels or wind turbines connected to the electrical grid, even if they mainly consume the self-generated electricity themselves. This applies across all of Belgium, not just Flanders.
The Centre for Cybersecurity Belgium (CCB) has now provided specific scenarios in its updated FAQ (version 2.1) to clarify this position.
The CCB's scenarios: When are you in scope?
| Scenario | NIS2 in scope? |
| --- | --- |
| Your organisation owns solar panels and consumes all generated electricity itself, but the panels are connected to the grid. | Yes – You still qualify as a “producer.” |
| Your organisation owns solar panels, but no electricity is injected into the grid. | No – Without grid connection, no societal/economic risk to the grid exists. |
| Your organisation rents a building with solar panels it does not own, but consumes the electricity (wholly or partly). | No – You don’t “generate” electricity if you don't own/operate the panels. |
| Another organisation uses space on your roof to place and operate solar panels. | No – Same principle as above. |
| Your organisation purchases electricity from another organisation operating solar panels on your building. | No – You’re a consumer, not a producer. |
Key threshold: The size-cap matters
NIS2 obligations only apply if your organisation qualifies as at least a medium-sized enterprise, meaning the entity has:
- 50 or more employees (calculated in annual work units); or
- annual turnover exceeding EUR 10 million and an annual balance sheet total exceeding EUR 10 million.
Importantly, data from partner and linked enterprises generally has to be consolidated when calculating size. This could push smaller entities above the threshold unexpectedly.
The good news: A lighter touch
The CCB acknowledges that self-consumption electricity producers were “not the intended highly critical entities targeted in the electricity sub-sector” of NIS2. So, while these entities are in scope, a less stringent supervision approach applies.
In practice, this means:
- You still have to register as an NIS2 entity.
- You still have to report significant incidents.
- You still have to apply cybersecurity measures – but using a lower assurance level of the CyberFundamentals (CyFun®) Framework (e.g. “Basic”) will be considered proportionate.
- Your management bodies must be trained and are responsible for approving the cybersecurity measures and overseeing their implementation.
This solution takes into account the “rather limited societal and economic impact” of self-consumption electricity production.
Naturally, if your organisation falls within the scope of NIS2 for other activities, this more flexible supervisory approach won't apply.
Remaining questions and inconsistencies
While the CCB's scenarios provide helpful guidance, several gaps and tensions remain:
Does self-consumption allow an escape from the NIS2 scope?
More clarity is needed on whether NIS2 applicability depends on any physical connection to the public grid, or on the actual and meaningful injection of electricity into that grid.
The distinction between installations that are technically grid-connected (and are therefore in scope) and those that don't inject electricity (and would be out of scope) is crucial. Yet most commercial, non-residential PV systems are grid-connected even when self-consumption is maximised – meaning injection is minimal or purely incidental.
The CCB’s guidance suggests that mere physical grid connection – regardless of the volume or frequency of injection – triggers NIS2 obligations. This interpretation risks sweeping in far more organisations than the risk-based rationale behind NIS2 would seem to warrant.
One may reasonably question this approach. If the policy logic is that generation “not injected into the grid” doesn't pose systemic risk, it becomes difficult to justify why an organisation that consumes virtually all of its self-generated electricity but is physically grid-connected should still fall in scope. In both situations, the impact on grid stability is similarly limited.
A more proportionate approach could be to apply a minimum annual injection threshold, combined with the medium‑sized enterprise test, as dual criteria for determining NIS2 applicability. This would better align with the directive’s risk‑based intent and provide clearer boundaries for operators.
What about Power Purchase Agreements (PPAs) and other third-party ownership models?
Many organisations use PPAs or third-party ownership models to install solar capacity without having direct ownership. While the CCB's scenarios suggest these structures keep the building occupant out of scope, the precise boundaries are untested. For example, if a financing company owns solar panels under a leasing arrangement but the panels are operated by the building owner, it's unclear which of these entities could fall under the NIS2 scope.
What should you do now?
- Assess your exposure. Determine whether your (planned) PV installation will make you an electricity “producer” under NIS2, particularly if your organisation meets the medium-enterprise threshold and wasn't otherwise in scope.
- Prepare for compliance. If NIS2 applies, register immediately and begin your implementation journey.
- Monitor developments. The CCB's interpretation may evolve, and further clarification on edge cases (hybrid structures) may emerge.
How we can help
The intersection of energy obligations and cybersecurity regulation creates complex compliance challenges. We can help with:
- scoping assessments to determine your NIS2 exposure;
- structuring PV ownership arrangements to manage regulatory risk;
- implementing cybersecurity frameworks aligned with CyFun® requirements; and
- registration and ongoing compliance support.


