Will the “Solar Panel Obligation” for buildings in Flanders with high electricity consumption make your entity subject to NIS2 cybersecurity requirements?

The so-called Solar Panel Obligation

With a view to encouraging rational energy use and the use of renewable energy sources for companies, non-commercial institutions and public entities, the Flemish Government introduced an obligation to install solar panels on rooftops of buildings with high electricity consumption (“Solar Panel Obligation”). The primary intent is of course to promote the production and utilization of renewable energy locally, thereby contributing to Belgium’s international and EU-mandated envappliironmental commitments.

The Solar Panel Obligation applies to owners of buildings and other holders of rights in rem (e.g. leasehold rights)- residential, commercial or governmental - located in Flanders with electricity consumption higher than 1 gigawatt-hour per year. For governments the electricity consumption threshold is lower, i.e. 250 megawatt-hours per year (and 100 megawatt-hours as of 2026). Application of the Solar Panel Obligation needs to be assessed per electricity connection point each of which is identified via unique EAN number and which point can power one or multiple buildings (conversely, one building can be powered by multiple electricity connection points).

The deadline for compliance depends upon the year during which the above consumption threshold was exceeded for the first time, taking into account consumption figures starting from 2021. If the relevant consumption threshold was first exceeded in 2021 or 2022, the (first) solar panels need to be operational by 1 April 2026. If the threshold was exceeded from 2023 onwards, the (first) solar panels need to be operational by the 1st of January of the 4th year following the calendar year during which the threshold was exceeded (e.g. for the building(s) associated to one connection point that exceed(s) the threshold in 2024 compliance is due by 1 January 2028). Note that the deadline applies to the installation and usage of the solar panels, so to meet the Solar Panel Obligation it does not suffice to have your order placed by this deadline. The legislation does however temporarily allow a phased deployment of solar panels whereby only part of the required total capacity needs to be in place by the first deadline.

NIS2: Objective and Scope 

Directive (EU) 2022/2555, known as the NIS2 Directive, and the Belgian NIS2 Act transposing it, aims at strengthening the cybersecurity of organisations across critical sectors in Europe. It aims to establish a unified framework to bolster cybersecurity resilience and incident reporting within the European Union. 

The NIS2 law distinguishes between "essential" and "important" entities. The main distinction between essential and important entities lies in the level of supervision and severity of sanctions to which these entities are subject.

In principle, this distinction is based on the size of the entity and the service provided. The Belgian NIS2 Act applies to entities established in Belgium regardless of their legal form and whether public or private, of a type referred to in Annex I or II which qualify as either medium-sized or large enterprise under article 2 of the Annex to Recommendation 2003/361/EC, and which provide their services or carry out their activities (as included in Annex I or II) within the Union.

With respect to the service provided, it suffices for the organization to provide at least one of the services listed in Annex I or II. The highly critical sectors (Annex I) include services within the following (sub)sectors; energy, transport, banking and financial market infrastructures, public administration, health, drinking water, waste water, digital infrastructure, ICT service management (B2B) and space. Whilst other critical sectors (Annex II) include services within the following (sub)sectors; postal and courier services, waste management, manufacture, production and distribution of chemicals, production, processing and distribution of food, manufacturing, digital providers and research. Although Member States can expand on the sectors and subsectors as listed in Annex I and II, Belgium did not expand on the covered sectors.

Organisations falling in scope of NIS2 must implement and maintain a range of cybersecurity measures. Such measures include establishing a risk management system, strengthening governance, securing your supply chain, setting up a robust incident handling and reporting system, yet usually start with registering your organization with the authorized national cybersecurity authority (for Belgium this is the ‘Centre for Cybersecurity Belgium’). Failure to comply with these obligations may expose the organization to administrative penalties and reputational harm.

Intersection between the Solar Panel Obligation and NIS2 

Moving on to the question that lies before us, namely whether organizations in Flanders complying with the Solar Panel Obligation will need to register with the Centre for Cybersecurity in Belgium (‘CCB’) as an essential or important entity under NIS2.

Prima facie, the mere installation of solar panels does not automatically result in the organisation falling in scope of NIS2. However, depending on whether all the scope criteria, i.e. sector and size, are fulfilled, it may indeed bring organisations subject to the Solar Panel Obligation in scope of NIS2 resulting not only in an obligation to register with the CCB yet also in having to implement further cybersecurity measures. 

The CCB has already confirmed that an organisation may fall in scope of NIS2 if it produces electricity, including via solar panels and even if mainly for its own consumption. Whether the production of energy is the primary activity of the organisation or not and whether such production is mainly for own consumption does not make a difference.

For this, the CCB refers to Article 3 read in conjunction with Annex I, point (1)(a) dash 4 of the Belgian NIS2 Act, namely “producers as defined in Article 2, point (38), of Directive (EU) 2019/944 on common rules for the internal market for electricity”. Article 2 (38) of the Directive 2019/944 defines ‘producer’ as “a natural or legal person who generates electricity”.

Consequently, organizations operating solar panels (or wind turbines) connected to the electrical grid, even if they mainly consume the self-generated electricity themselves, qualify as producers, and thus fall in scope of NIS2 if they are at least a medium-sized enterprise. 

This may come as quite a surprise, especially if the only reason the organization in Flanders has solar panels is due to the Solar Panel Obligation and even more so, if the core activity(ies) are not at all related to the energy sector or any other relevant NIS2 sector. After all the goal of NIS2 is to better secure organisations offering essential services in sectors deemed critical or key in the EU with a view to ensuring the continuity of such services when faced with an incident. 

The CCB does confirm that a lower level of supervision and cybersecurity assurance level can be applied to, respectively by such organisations as they are indeed not the intended highly critical entities targeted in the energy and electricity sub-sector by NIS2. Nevertheless, such organisation will need to register with the CCB (provided it meets the size cap of either medium or large enterprise). Depending on its (consolidated) size, such organisation will need to register as either important entity (if medium-sized) or essential entity (if large). Whether the energy generation is of a negligible scale or not (which may be assessed in light of output capacity, voltage, or contribution to the energy profile of the organization or local grid) seems irrelevant in Belgium.

Conclusion

Organisations having to comply with the Solar Panel Obligation will not automatically fall in scope of NIS2, nevertheless NIS2 is something to consider and further assess if you produce electricity via for instance solar panels, or wind turbines. As mentioned, you can satisfy the service criterion of the NIS2 scope test even if the production of electricity is not your primary service offering. Organisations whose primary services are not included in any of the NIS2 covered sectors may not have this on their radar. In particular since Belgium seems to apply a broader approach than other EU countries when it comes to the energy sector.