The European Commission’s new cybersecurity package: an end to the broad scope of the NIS2 rules in the energy sector?

At the end of January 2026, the European Commission proposed amendments to the NIS2 Directive as part of its new cybersecurity package (Commission Proposal). The NIS2 Directive contains rules for the cybersecurity of network and information systems that are of general interest to public safety. Today, while often overlooked, these NIS2 rules have a very broad scope of application in the energy sector, ranging from large grid operators to SMEs that install solar panels primarily for their own consumption needs.

This contribution discusses the basic principles underlying the current NIS2 legislation and its scope, with a particular focus on the energy sector. Further, it takes a closer look at the amendments proposed by the European Commission.

NIS2 in a nutshell

The NIS2 Directive was transposed by the Act of 26 April 2024 (“NIS2 Act”) and the Royal Decree of 9 June 2024. In essence, NIS2 applies to entities that at least qualify as medium-sized within the meaning of Recommendation 2003/361/EC (see our previous contribution for more information on the size criterion). 

In addition, these entities need to be “active” in one of the sectors set out in its Annexes I and II. These sectors range from transport, healthcare and energy (Annex I - highly critical sectors) to manufacturing, food production and chemicals (Annex II - other critical sectors). However, and as explained below, the threshold of being “active” in the energy sector is met sooner than one might expect.

As clarified in our previous contribution, NIS2 entities have to comply with certain obligations such as registering with the Centre for Cybersecurity Belgium (CCB) and ensuring that management bodies approve and oversee cybersecurity measures, with failures incurring personal liability.

Penalties range up to EUR 10 million or 2% of global turnover for essential entities, and EUR 7 million or 1.4% for important entities. In addition, NIS2 also introduces personal liability incumbent on management bodies for failing to comply with their cybersecurity risk management obligations.

Application of the current NIS2 legislation in the energy sector

Grid operators, gas suppliers, producers, operators of charging points, operators of district heating networks, and several other actors in the energy sector may fall within the scope of the NIS2 Act where they qualify at least as a medium-sized enterprise.

Application of the NIS2 Act to “energy producers” is particularly relevant, given the broad definition of the term. An energy producer is defined as "a natural or legal person who generates electricity". This concept is not limited to professionals mainly active in the energy sector, or to producers with a minimum installed capacity. The CCB has recently stated that an entity operating solar panels or wind turbines connected to the electricity grid qualifies as a producer, even where the electricity generated is primarily consumed by the entity itself (see question 1.22.1.1 of the NIS2 FAQ dated March 2026). Consequently, such entities fall within the scope of NIS2, provided they qualify as a medium-sized or larger enterprise.

In concrete terms, this means that an entity that primarily produces electricity for its own consumption (for example, a company that installs solar panels on its office building) may fall under the NIS2 Act if it meets the criteria for being a medium-sized or large enterprise. 

The same goes for Energy Service Companies (ESCOs) that operate solar panels to supply electricity to a (decentralised) heat network or EV charging points. This activity falls under the broad definition of energy producer and could thus come within the ambit of the NIS2 legislation. This is in addition to the stand-alone application of NIS2 to operators of district heating and cooling networks and operators of charging points. 

As stated by the CCB in the NIS2 FAQs and in line with recital 4 to the Commission Proposal, it has already been agreed at EU level that producers mainly producing electricity for themselves are not the highly critical entities for which the NIS2 Directive seeks to establish a high level of cybersecurity. While this finding does not mean these entities will no longer qualify under the NIS2 Act, they could nonetheless be subject to less stringent supervision. As has been stated by the CCB, this means in practice that it would be considered proportionate for these producers to still meet their obligations by satisfying a lower level of assurance in terms of the Cyber Fundamentals Framework. This does not alter the fact that these producers would still have to register, as well as reporting significant incidents and applying cybersecurity measures.

In short, the NIS2 Act currently applies to all medium-sized and large enterprises that generate electricity regardless of production capacity or core activity. As a result, a medium-sized enterprise that has installed solar panels primarily for its own consumption or for consumption by its clients now has to comply with the fundamental cybersecurity obligations under the NIS2 Act.

Limitation of scope under the European Commission’s proposal

This all may change in the future. The European Commission recently published a new cybersecurity package, which includes a proposal to amend the NIS2 Directive. The changes are aimed at simplifying compliance with cybersecurity obligations and ensuring streamlined, coherent implementation of the regulatory framework.

For the energy sector, the amendment to Annex I is of particular importance because it introduces a threshold for energy producers. The definition of energy producer would be amended to specify that producers whose total production capacity does not exceed 1 MW will fall outside it. This represents a significant reduction in the scope of application. The amendment is in line with what has already been agreed at European level and determined by the CCB: namely, that entities producing electricity primarily for their own consumption are not intended to qualify as highly critical entities, and that a lower level of cybersecurity is justified as far as they are concerned.

Furthermore, the Commission’s proposal adds new entities to the list of critical sectors, such as hydrogen storage operators and hydrogen transport network operators. 

What does the future hold? 

All of this has a significant impact on the cybersecurity rules that need to be followed in the energy sector. However, before it comes into force, the proposal must first be adopted by the European Parliament and the Council and then be transposed into Belgian law. We will of course closely monitor these developments for you. 

Although the scope of application will likely be more limited in future, the importance of cybersecurity in the energy sector cannot be overstated. For all electricity producers, charging point operators and grid operators, cybersecurity remains a key focus in their operations. 

Eubelius is happy to assist you with NIS2 compliance and any NIS2-related questions. Please do not hesitate to contact us.