NIS2 in Belgium: Are you considered an ‘energy producer’ if you generate power solely for your own use?

This raises an important question for many companies that generate energy, sometimes exclusively for internal use, such as through solar panels, wind turbines, or residual heat: do they also fall under the NIS2 rules, and are they therefore considered highly critical entities?

Most businesses initially associate the term “critical entities” with traditional utilities or vital sectors, such as hospitals and financial institutions. However, the reality is more nuanced – particularly for organisations that, for ecological, economic or operational reasons (such as within the circular economy), generate their own energy.

Context: entity types under NIS2

The NIS2 Directive outlines in Annexes I and II specific sectors and subsectors that are considered “highly critical” or “other critical” to society. Organisations active within these sectors and above a certain size threshold (e.g. qualifying as medium or large enterprises) are, in principle, subject to the NIS2 legislation.

For the energy sector, this includes energy producers. The definitions of “producer” or “generator” are broad – referring to any legal entity that generates energy, particularly electricity. A key question is whether a company that generates energy solely for its own use – perhaps feeding only a small surplus back into the grid – falls within this definition.

The regulator’s interpretation

According to the Belgian competent regulator’s interpretation[i], it does not matter whether energy generation is only a side activity or exclusively for own consumption. If a company generates energy and fits the definition of an “entity type” within the energy sector, it can fall within the scope of the NIS2 legislation – provided it also meets the so-called “size cap” (i.e. qualifies as a medium or large enterprise). This means that a business with solar panels for internal use could, technically, be regarded as an “energy producer.” The regulator appears to confirm that it is not decisive whether energy generation is a commercial core activity. Even if the energy is used primarily or entirely internally, the entity could still be classified as a “highly critical” organisation.

Proportionality and supervision

Naturally, this raises the question: would such a company be subject to the same obligations as a traditional utility provider with large-scale energy production? The answer is more nuanced. The legislation itself allows for a proportional approach, meaning that supervisory authorities can apply lighter oversight if the societal impact of a cyber incident is considered low.

In practice, this likely means that companies must still comply with the core obligations under NIS2 (such as registration and reporting major incidents), but that the regulator can take into account the limited societal impact when assessing cyber resilience requirements. As a result, less stringent security measures may suffice for entities generating energy mainly for internal use.

Implications for companies

1. Assessing your business
   • Determine whether your business – by generating electricity through solar panels, wind turbines, or residual heat – falls within the broad legal definition of “producer.”
   • Keep in mind that even production for primarily internal use may qualify, due to the wide scope of the definition and the regulator’s strict interpretation.
2. Size of the business
   • The NIS2 legislation applies only to medium and large enterprises, based on staff numbers, turnover and/or balance sheet total.
   • If you have fewer than 50 FTEs and do not meet the turnover or balance criteria, you are generally exempt.
3. Side activities count
   • Even if energy generation is a small-scale side activity – and you deliver little to no energy to third parties – you may still fall within scope.
   • The law provides only a few exceptions (e.g. for wastewater or waste management), not for energy production.
   • This means you cannot assume that “side activity” automatically implies exemption.
4. Proportionality
   • In practice, the regulator is likely to apply less rigorous oversight if the societal impact is minimal.
   • However, the duty to register and report major incidents remains fully in force.

Conclusion

Belgium’s NIS2 law has a wider scope than many businesses initially expect. Even companies not primarily active in the energy sector – but that generate electricity or heat, whether due to sustainability policies or participation in the circular economy – may come under the scope of NIS2.

The good news is that a proportional approach is often possible: entities that generate energy on a small scale for internal use do not have to meet the same – often strict – obligations as major players in the energy sector. However, registration, reporting of significant incidents, and maintaining an appropriate level of security remain essential.

Further reading

Navigating cybersecurity compliance: Our country-by-country guide to the EU NIS2 Directive

[i] See question 1.22.1.1. NIS2 FAQ Website v2.0.1 NL.pdf)