Critical Infrastructure in Belgium: Electrabel, Engie, and the FANC Nuclear Reality

Belgium is not a small country in critical infrastructure terms. It is a dense one.

The distinction matters because density changes the rules. A footprint that combines two operating nuclear sites, the headquarters of NATO and SHAPE, the port of Antwerp, three European institutions and one of the highest concentrations of cross-border telecommunications cables in Europe is not a manageable inventory. It is a coupled system. What happens at one node tends to be felt at the next within hours, sometimes within minutes. Operators who treat Belgium as a peripheral market underestimate the operational reality. Operators who treat it as a concentrated, regulated, politically observed market behave with appropriate caution.

This article describes that reality from the manufacturer's perspective. It does not catalogue every site. It examines how Electrabel, Engie, the Federal Agency for Nuclear Control, BIPT and the surrounding ecosystem of utilities and telecommunications carriers form a critical infrastructure landscape whose protection requires a discipline that imported templates do not provide.

The footprint that does not look its size

Belgium has roughly eleven million inhabitants and a national territory of approximately thirty thousand square kilometres. Inside that area, the country operates two nuclear power stations, hosts the political and military command structures of the Atlantic alliance, manages the second-largest port in Europe and routes a disproportionate share of European data traffic through cable landings and exchanges concentrated around Brussels and Antwerp. The list is not exhaustive. It is sufficient.

The concentration produces three effects that any serious security operator should understand before designing a programme. The first is geographic compression. The travel time between the Doel site near Antwerp and the centre of Brussels is roughly an hour. The travel time between Tihange and the German border is shorter. A coordinated incident that targets multiple nodes is not a logistical problem for an attacker. It is a logistical problem for the responder. The second effect is regulatory layering. Belgian operators answer to federal authorities, to regional authorities for parts of the response, to FANC for anything nuclear, to BIPT for anything telecommunications, and increasingly to European supervisors under NIS2 and CER. The third effect is reputational sensitivity. Belgium has, in the public memory of European security policy, been associated with both the 2016 Brussels attacks and the prolonged debate over nuclear plant safety that followed reports of insider incidents at Doel in the previous decade. That history shapes how regulators behave. It also shapes how operators are expected to behave.

The footprint does not look its size on a map. It behaves like a country twice the size, because every node is close to another node, and because the political weight of what is protected does not scale with square kilometres. Operators who plan for Belgium as if it were a quiet province of the European energy map will eventually meet a regulator who disagrees. The conversation that follows is not pleasant.

Electrabel and Engie. The operator behind the reactors

Electrabel is the operating company. Engie is the parent. The distinction matters less in commercial terms than in security terms, because operational responsibility for the nuclear fleet sits with Electrabel as the licensed operator under Belgian law, while strategic decisions about the fleet's future, its workforce and its investment trajectory are made at the Engie group level. Both layers carry security obligations. Neither layer can delegate them to the other without leaving a gap.

The Belgian nuclear fleet has been the subject of political contestation for the better part of two decades. The phase-out law of 2003 set the principle. Successive governments adjusted the schedule. The current arrangement, following the 2022 agreement between the federal government and Engie, keeps Doel 4 and Tihange 3 in operation beyond their originally scheduled closure dates, into the next decade. The other units have entered or are entering the decommissioning phase. For security planning, this matters in two ways. The active sites require continuous physical and cyber protection at the standard expected of operating nuclear plants under IEC 62443 industrial control system guidance and the additional regime imposed by FANC. The decommissioning sites require a different protection profile, because the threat surface changes. Spent fuel storage, dismantling logistics, contractor management during prolonged construction phases and the residual political symbolism of a nuclear site that is no longer producing power but still contains radioactive material all create vulnerabilities that are easy to underweight.

Electrabel and Engie also operate gas distribution, hydroelectric assets and a portfolio of conventional generation across Belgium and the surrounding region. The security operator who maps the Belgian footprint and stops at the two nuclear sites has missed roughly half the picture. Substations, gas transmission infrastructure, the LNG terminal at Zeebrugge operated by Fluxys, and the underground gas storage at Loenhout form a network whose interruption has direct consequences for industrial activity in northern France, the Netherlands, western Germany and Luxembourg. Belgium is not only a consumer of European energy. It is a transit country. The security implications of that role are seldom discussed at the level they deserve.

A manufacturer working with Electrabel or Engie at the perimeter level operates inside a procurement environment in which the references that count are nuclear-grade. The standards are not abstract. ISO 27001, IEC 62443 for industrial control, ASIS International physical security principles and the Belgian implementation of NIS2 form the baseline. Operators that arrive without that baseline are not unwelcome. They are simply not relevant.

FANC. A regulator with a long memory

The Federal Agency for Nuclear Control, known by its French acronym FANC or its Dutch acronym FANC, was established in 2001 to consolidate Belgian nuclear oversight in a single independent authority. It reports to the Minister of the Interior. Its remit covers reactor safety, radiological protection, transport of radioactive material, and the security of nuclear sites and materials. Its powers are extensive. Its tolerance for ambiguity is low.

FANC's authority over physical security at Belgian nuclear sites is the part that matters most for operators outside the reactor halls. The agency sets requirements for perimeter protection, access control, intrusion detection, contractor vetting and the integration of all of these into a coherent design basis threat. The design basis threat is not public in its detail. Its existence and its general categories are. The point for any operator working at or near a nuclear site is that the requirements are not negotiable in the way that commercial security requirements often are. A camera angle, a sensor placement or a contractor's clearance level is not subject to project-management trade-offs. It is subject to inspection.

The agency has a long memory. The reports of irregularities at Doel in the previous decade, including the partially clarified 2014 sabotage of a turbine lubrication system, shaped its institutional posture. It now treats insider risk with a seriousness that some operators in other European countries still consider excessive. It is not excessive. It is appropriate. The lesson Belgium absorbed, and that other operators would do well to absorb, is that physical perimeter protection without integrated personnel security is half a programme. CISA's insider threat guidance and the NIST CSF 2.0 emphasis on identity, governance and supply chain security express the same principle in different vocabulary.

For a manufacturer of perimeter detection, mobile surveillance towers or robotic patrol platforms, working in a FANC-regulated environment requires acceptance of three constraints. The first is that the regulator will inspect, and will inspect again. The second is that documentation is not an afterthought. Every component, every firmware version, every maintenance event and every alarm must be traceable. The third is that the integration with the operator's existing systems is the operator's responsibility, but the demonstration that the integration works is shared. A vendor who delivers hardware and disappears is not welcome. A vendor who participates in the testing and the audit cycles, year after year, becomes part of the protected infrastructure rather than a supplier of it.

Doel and Tihange. Two sites, two profiles

Doel and Tihange share a regulator, an operator and a national context. They share little else in operational terms. The differences shape how a security programme around them must be designed.

Doel sits on the Scheldt, north of Antwerp, in a flat polder landscape that is densely populated, intensively farmed and crossed by major shipping lanes. The site is visible from the river. It is reachable by road in minutes from the port of Antwerp and from the Dutch border. Its security profile is shaped by the proximity of one of Europe's busiest container ports, by the maritime traffic on the Scheldt and by the political weight of the Flemish region in which it sits. Perimeter protection at Doel must contend with the visibility of the site, with the volume of legitimate movement around it and with the public sensitivity that any incident at the site would produce within hours in both Belgian and Dutch media.

Tihange sits on the Meuse, between Liège and Namur, in the hilly terrain of Wallonia. The site is closer to the German border than to Brussels. Aachen lies less than a hundred kilometres away. The German political and public sensitivity to Tihange has been a persistent feature of the cross-border conversation, with the city of Aachen and the surrounding North Rhine-Westphalian authorities periodically requesting clarifications, contingency arrangements and information-sharing protocols. The security profile at Tihange is therefore not only a Belgian matter. It is a binational matter in everything except the formal authority of FANC. A serious incident at Tihange would trigger a German response within the hour, regardless of whether the formal cross-border mechanisms have been activated.

Both sites are protected by a combination of Electrabel's own security organisation, federal police presence, and, where relevant, military reinforcement under the OVG mechanism. The mechanism has been in operation since the 2015 to 2018 period of heightened terrorism alert and has continued at varying levels since. For a manufacturer supplying technology to either site, the lesson is that the protective architecture is layered and that the layers communicate. A sensor that triggers in the Electrabel control room may produce a federal police dispatch within minutes. The communication path is engineered. It must remain engineered when new components are added.

The two sites have also become reference points for what serious nuclear security looks like in a small, dense, regulated European country. The standards that have evolved around them, in close dialogue with FANC, with IAEA missions and with the operator's own internal audit, form a benchmark that any operator working in adjacent critical infrastructure should at least understand. The benchmark is not a checklist. It is a posture.

BIPT and the telecommunications layer

The Belgian Institute for Postal Services and Telecommunications, known as BIPT, is the regulator for electronic communications, postal services and parts of the digital infrastructure. Its security mandate has grown substantially with the implementation of NIS2 and the European Electronic Communications Code. BIPT now oversees, in addition to its traditional regulatory functions, the cybersecurity obligations of Belgian telecommunications operators, including the three mobile network operators, the fixed-line incumbents and a growing number of specialised providers serving enterprise and government clients.

Belgium's telecommunications layer is significant beyond the size of its domestic market. The country hosts important internet exchange capacity, a concentration of submarine cable landings on the North Sea coast and the Brussels-area data centre cluster that serves European institutions, NATO and a substantial share of multinational corporate operations. The 5G rollout has proceeded under a security framework that explicitly addresses supply-chain risk, in line with the European 5G Toolbox developed after 2019. Operators are required to assess vendor risk, restrict high-risk vendors from sensitive parts of the network and report on their security posture to BIPT on a defined cadence.

The physical security of telecommunications infrastructure in Belgium is less visible than that of the nuclear sites, but no less consequential. Exchange buildings, mobile network core sites, cable landing stations and the increasingly important edge-computing facilities that support latency-sensitive industrial applications form a network whose interruption would affect not only consumer services but also the operational technology that runs ports, energy grids and emergency services. A coordinated physical attack on a small number of carefully chosen telecommunications nodes would produce effects that exceed, in immediate operational disruption, what most decision-makers expect.

BIPT has not historically had the field presence of a physical-security regulator. It has the legal authority to require it. The trajectory under NIS2 is toward more substantive supervision of physical and cyber security as integrated domains. Manufacturers and integrators serving Belgian telecommunications operators should plan accordingly. The standards that apply, including ISO 27001, IEC 62443 for industrial systems supporting the network, and the BSI and ENISA reference frameworks for telecommunications security, will continue to converge. The book BOSWAU + KNAUER. From Building to Security Technology develops the underlying argument that physical and digital protection cannot be separated in operational practice, even when they are separated in regulatory taxonomy.

Coordination, or the absence of a single conductor

Belgium does not have a single agency that coordinates critical infrastructure protection in the way that, for example, CISA functions in the United States or the BSI functions for cybersecurity in Germany. The Belgian model is distributed. The National Crisis Centre, known as Crisiscentrum or Centre de crise, plays a central role in incident response and coordination across federal services. The Centre for Cybersecurity Belgium, known as CCB, leads on cybersecurity policy and serves as the national CSIRT. FANC handles nuclear. BIPT handles telecommunications. The regional governments hold competences over parts of the response, particularly in civil protection and certain transport infrastructure. The federal police, the military, the intelligence services VSSE and ADIV, and the customs administration each have defined roles.

This distribution is not chaos. It is a system. It works because the actors know each other, because the country is small enough that the senior leadership of each agency has met repeatedly, and because the post-2016 reforms tightened the coordination protocols that the Brussels attacks had exposed as inadequate. The system is also fragile in ways that are characteristic of distributed models. A coordinated incident that crosses multiple sectors requires multiple agencies to align their actions within minutes. The bandwidth for that alignment is finite. The political pressure that follows any visible failure is intense.

For operators, the practical implication is that a security programme in Belgium must anticipate multi-agency contact. An incident at a nuclear site involves FANC, the federal police, the operator, the Crisis Centre and potentially the military. An incident at a telecommunications hub involves BIPT, CCB, the operator, the Crisis Centre and the federal police. An incident at the port involves federal customs, the federal police, the port authority, the Crisis Centre and potentially the maritime authority. A vendor whose technology is involved at any of these moments will be asked, in detail, what its components did, why they did it, and what the audit trail shows. The vendors that have prepared for this conversation in advance will answer in minutes. The vendors that have not will answer in weeks, by which point the regulator will already have formed an opinion.

The coordination model also creates an opportunity. Operators that build their internal security architecture to integrate cleanly with the Belgian distributed response model gain an advantage in tenders, audits and renewals. Operators that build for a hypothetical centralised model and try to retrofit Belgian realities later spend more, take longer and lose credibility in the process.

What holds

Belgium's critical infrastructure landscape is small in geography and large in consequence. The two nuclear sites, the operator and parent that run them, the regulator that supervises them, the telecommunications layer that connects them to the European economy and the coordination model that ties the whole picture together form a system that does not tolerate amateur security work. The standards are explicit. The history is recent. The political attention is continuous.

For operators in this environment, the question is not whether to invest in serious perimeter protection, integrated detection and disciplined documentation. The question is whether the investment will be made before the next inspection, the next incident or the next regulatory cycle, or after. The cost difference between before and after is substantial. The reputational difference is larger.

BOSWAU + KNAUER works with operators in regulated critical-infrastructure environments where the gap between assumed and actual protection is the relevant operational risk. The three paths into that work are described elsewhere in detail. The first, a sixty-minute confidential conversation, exists for decision-makers who want to test their assumptions against an external perspective before committing to anything further. It remains the appropriate first step for most Belgian operators who recognise themselves in the description above.

Frequently asked questions

What is FANC?

The Federal Agency for Nuclear Control is Belgium's independent nuclear regulator, established in 2001 and reporting to the Minister of the Interior. Its remit covers reactor safety, radiological protection, the transport of radioactive material and the security of nuclear sites and materials. It supervises the operating sites at Doel and Tihange, the decommissioning of the older units, and the broader nuclear sector including medical and industrial applications. Its physical-security authority is extensive and its inspection regime is continuous. Operators working in or near Belgian nuclear facilities operate inside FANC's expectations whether or not they are directly licensed by the agency.

What is Doel?

Doel is one of Belgium's two nuclear power stations, located on the Scheldt north of Antwerp in a densely populated and intensively trafficked polder landscape. The site has hosted four reactors over its operating history, of which Doel 4 remains in operation under the 2022 lifetime-extension agreement between the federal government and Engie. The site is operated by Electrabel, a subsidiary of Engie, under licence from FANC. Doel's proximity to the port of Antwerp, to the Dutch border and to major shipping lanes shapes its security profile and the cross-border attention it receives.

Who is BIPT?

The Belgian Institute for Postal Services and Telecommunications is the national regulator for electronic communications, postal services and parts of the digital infrastructure. Its security mandate has expanded substantially under NIS2 and the European Electronic Communications Code. It supervises the cybersecurity posture of Belgian telecommunications operators, manages the implementation of the European 5G Toolbox in Belgium, and increasingly addresses the physical security of telecommunications infrastructure as an integrated component of network resilience. Its authority over operators serving the European institutions, NATO and the Brussels data-centre cluster gives it influence beyond Belgium's domestic market.

How does Belgium coordinate?

Belgium uses a distributed coordination model rather than a single centralised critical-infrastructure agency. The National Crisis Centre coordinates incident response across federal services. The Centre for Cybersecurity Belgium leads on cybersecurity and serves as the national CSIRT. FANC handles nuclear, BIPT handles telecommunications, regional governments hold parts of the civil-protection mandate, and the federal police, military and intelligence services each have defined roles. The model functions because the actors are familiar with each other and the country is geographically compact. It requires operators to plan for multi-agency contact during any significant incident, which has direct implications for the documentation and integration standards their security programmes must meet.