
CyberFundamentals framework: the Belgian answer to NIS2

What is the CyberFundamentals framework? Discover the four levels, deadlines for 2026 and practical steps to NIS2 compliance for Belgian SMEs.
Image: a team discusses CyberFundamentals framework compliance using the Safeonweb dashboard in a Belgian office.

Since the Belgian NIS2 law went into effect on Oct. 18, 2024, your organization needs a concrete framework to structure cybersecurity measures. The CyberFundamentals framework (CyFun) is just that framework. Developed by the Center for Cybersecurity Belgium (CCB), CyFun translates the abstract NIS2 obligations into measurable, practical steps that you as an IT manager can implement immediately. In this article, we explain how the framework is structured, which level suits your organization and which deadlines you absolutely must not miss by 2026.

What exactly is the CyberFundamentals framework?

CyberFundamentals is a set of concrete security measures that will help your organization protect data, reduce the likelihood of common cyber attacks and structurally increase digital resilience. The CCB built the framework on four internationally recognized standards: NIST Cybersecurity Framework 2.0, ISO 27001/27002, CIS Controls and IEC 62443 (for operational technology). That combination makes CyFun both internationally recognizable and specifically tailored to the Belgian context.

Important for your daily practice: the framework is freely available, modular and offers a clear growth path. You don’t have to implement everything at once. CyFun lets you work step by step toward a higher level of security, at the pace your organization can handle.

And it is more than a recommendation. For organizations subject to the Belgian NIS2 law, CyFun is one of two recognized routes to compliance. The other is ISO 27001 certification. Both are considered equivalent by the CCB.

Six features form the backbone of CyFun

The 2025 version of the CyberFundamentals framework is fully aligned with NIST CSF 2.0. The biggest change from the previous version? There are now six core functions instead of five. The new function “Govern” has been added as a foundation under the five existing functions.

Govern lays the foundation for everything that follows. This is where you set cybersecurity policy, assign roles and responsibilities, and embed security in your risk management strategy. This is also the function that covers the NIS2 requirement around governance accountability.

Identify maps your digital environment. Which systems, data and processes are business critical? Where are the vulnerabilities? A good asset inventory and business impact analysis are at the core here.

Protect focuses on preventive measures. These include access management with multi-factor authentication, network segmentation, data encryption and security awareness training for employees.

Detect ensures that you notice suspicious activity in a timely manner. Logging, continuous monitoring and intrusion detection systems are typical measures in this function.

Respond describes how you act during an incident. From incident response planning to crisis communication and damage control.

Recover includes everything needed to restore normal operations after an incident. It includes backup management, disaster recovery and the essential post-incident analysis (“what have we learned?”).

The addition of Govern is not just an administrative change. In the CyFun 2025 version, the number of governance-related controls has doubled from 2023. This reflects a fundamental shift: cybersecurity is no longer a technical project, but a governance responsibility.

Four CyberFundamentals levels: which one fits your organization?

The framework works with four assurance levels, each serving a different risk profile. Each level builds on the previous one.

Small is intended for micro organizations without an in-house IT department. This level contains ten fundamental rules of thumb for basic security. It is a starting point, not a final destination.

Basic is the minimum standard recommended by the CCB for any Belgian company. With 34 controls, this level focuses on fending off opportunistic attacks. According to CCB data, the Basic level covers about 82% of historically known cyber attacks.

Important adds 99 additional controls and increases the coverage level to 94%. This level is aimed at organizations facing targeted attacks. Note that organizations classified as an “important entity” under NIS2 are recommended to pursue at least this level.

Essential is the highest level, with approximately 140 to 200 controls protecting against advanced attacks (Advanced Persistent Threats). Essential NIS2 entities are required by law to work toward this level.

Which level applies to your organization is determined with the CyFun Selection Tool. That’s a risk assessment made available by the CCB. The tool takes into account your industry, company size and the potential impact of a cyber incident on society.

The April 18, 2026 deadline: what should you have ready by when?

For organizations that fall under the Belgian NIS2 law as an essential entity, April 18, 2026 is the first hard deadline. By that date, you must be able to submit proof of conformity to the CCB. You have two options in this regard.

Option 1: the CyFun track. You must have obtained at least a Verification Statement for the Basic or Important level. This is an intermediate step toward full Essential certification, which must be completed by April 18, 2027.

Option 2: the ISO 27001 track. You submit your Statement of Applicability (SoA) to the CCB, demonstrating that your chosen measures are equivalent to the requirements of the relevant CyFun level. The CCB’s inspection service will specifically verify that the key measures from CyFun are covered.

Important to know: the CCB can sanction organizations that wrongly claim a lower assurance level than applies to them. So a sound risk analysis is not a casual exercise, but the legal basis for your decision.

The same duty-of-care obligations apply to important entities, but enforcement is reactive: the CCB intervenes primarily after an incident or upon evidence of serious deficiencies.

Achieving the CyFun label: four steps from analysis to certification

The Conformity Assessment Scheme (CAS) describes the standard process for obtaining a CyberFundamentals label. As an IT manager, you and your team go through four stages.

In the first phase, you perform a risk assessment with the CyFun Selection Tool. The result determines which assurance level suits your organization.

The second phase is self-assessment and implementation. Using the CyFun Self-Assessment Tool, an Excel tool with spiderweb diagrams for management reporting, you map the current state of affairs. The gaps you identify form your implementation roadmap.

In the third phase, you have an external verification performed by an authorized Conformity Assessment Body (CAB) accredited by BELAC. The CAB assesses the implementation and maturity of your controls.

After a positive audit report, in stage four you apply for the CyFun label through the Safeonweb@Work portal. This provides you with formal proof of compliance.

The lead time depends on your starting position. Organizations that already have basic measures in place can be compliant within one to three months. If you are starting virtually from scratch, three to six months is a more realistic timeline.

CyFun 2025: what’s new from the previous version?

The update to CyFun 2025 is more than a cosmetic tweak. About 70% of the original 2023 measures have been retained, but the remaining 30% have been updated or replaced with controls with a stronger focus on governance and incident response.

The key changes at a glance: the number of controls around incident management has doubled. Controls focused on vendor and supply chain security have also doubled. The number of governance controls has been expanded from 8 to over 20. And OT-specific guidelines have been included within each domain for the first time.

That emphasis on supply chain security is particularly relevant. Under NIS2, not only are you responsible for your own security, but you must also assess the cyber risks of your direct suppliers. The CCB recommends that all organizations in the supply chain of an NIS2 entity achieve at least the CyFun Basic level. An NIS2 entity can even contractually impose this on its suppliers.

Both versions of the framework (2023 and 2025) will continue to coexist temporarily, but only the new version will eventually be accepted for self-assessments and conformity assessments.

CyberFundamentals or ISO 27001: how to choose the right framework?

This is one of the most frequently asked questions. Both frameworks are recognized by the CCB as pathways to NIS2 compliance, but they differ substantially in approach.

CyFun is specifically designed for the Belgian context, takes into account local requirements and is available for free. Its modular structure makes it more practical and less complex for medium-sized organizations. The framework is action-oriented: you know exactly which measures to implement.

ISO 27001 is an internationally recognized standard with a broader scope that also covers information security in general. The certification is globally recognizable, which can be valuable if you have international customers who specifically request ISO 27001.

For most Belgian SMEs, CyFun is the most pragmatic choice: faster to implement, directly aligned with NIS2 and with no certification costs for the framework itself. Want a comprehensive comparison? Then read our article on ISO 27001 or CyberFundamentals: how to choose the right framework for NIS2 compliance.

The fines and penalties for non-compliance

Belgium’s NIS2 law applies stiff penalties. Essential entities risk fines of up to 10 million euros or 2% of annual global turnover, whichever is higher. Important entities face a maximum of 7 million euros or 1.4% of global turnover.

But financial penalties are not the only risk. Directors can be held personally liable for gross negligence. In the worst case, they may even be temporarily denied performance of their duties. The law explicitly requires management to approve cybersecurity measures and oversee their implementation.

Want to know more about Belgium’s specific NIS2 obligations? Our complete NIS2 guide for Flemish companies gives you the complete overview.

Use the VLAIO grant to reduce costs

Did you know that as a Flemish SME you can receive up to 45% subsidy on cybersecurity advice and training? Since February 2026, cybersecurity has been the only consulting topic still eligible for VLAIO’s SME portfolio. Small enterprises get 45% back, medium-sized enterprises 35%, with a maximum of 7,500 euros per year.

In addition, VLAIO offers the Cybersecurity Improvement Pathways: guidance pathways with recognized service providers with 50% subsidy for SMEs. The cost of these trajectories ranges from 7,100 to 39,900 euros. Non-SMEs covered by NIS2 can also claim a 35% subsidy.

Cyberplan is an approved service provider with VLAIO. That means you can partially fund our audits, gap analyses and training through these grants. As a result, a CyberFundamentals gap analysis need not be a heavy investment.

Practical getting started: your first three steps

Enough theory. As an IT manager, you want to know what you can do tomorrow. Here are the three steps that will get you started concretely.

Step 1: Determine your obligations. Use the CCB’s CyFun Selection Tool to check whether your organization is covered by NIS2 and which assurance level applies. Register your organization on the Safeonweb@Work portal if you have not already done so.

Step 2: Conduct a self-assessment. Download the CyFun Self-Assessment Tool and map your current security level. The tool automatically generates an overview of the gaps you need to close, including maturity scores by category.

Step 3: Create an implementation plan. Translate the identified gaps into a concrete roadmap with priorities, responsibilities and timelines. Focus first on the key measures, which are those that will be tested first in an audit.
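To make steps 2 and 3 concrete, here is an added example (not the CCB’s CyFun Self-Assessment Tool, which is an Excel workbook, and not Cyberplan’s code) that takes a constructed self-assessment, computes the per-function maturity figures a spiderweb chart would plot, and turns the gaps into a roadmap that puts key measures first. The control references, maturity scores and target levels in the sample data are constructed placeholders, not real CyFun identifiers or level requirements.

```python
from dataclasses import dataclass

# The six CyFun 2025 functions (aligned with NIST CSF 2.0).
FUNCTIONS = ("Govern", "Identify", "Protect", "Detect", "Respond", "Recover")


@dataclass(frozen=True)
class Control:
    ref: str           # constructed placeholder, not a real CyFun control id
    function: str      # one of the six CyFun functions
    key_measure: bool  # key measures are tested first in a formal audit
    current: int       # current maturity score (1..5), as self-assessed
    target: int        # maturity expected for the chosen assurance level (assumed)


# Constructed sample self-assessment; refs, scores and targets are illustrative only.
ASSESSMENT = [
    Control("GV-01", "Govern",   True,  2, 3),  # e.g. approved security policy
    Control("GV-02", "Govern",   False, 3, 3),
    Control("ID-01", "Identify", False, 1, 3),  # e.g. asset inventory
    Control("PR-01", "Protect",  True,  1, 3),  # e.g. multi-factor authentication
    Control("PR-02", "Protect",  False, 3, 3),
    Control("DE-01", "Detect",   False, 2, 3),  # e.g. central logging
    Control("RS-01", "Respond",  True,  3, 3),  # e.g. incident response procedure
    Control("RC-01", "Recover",  True,  2, 3),  # e.g. tested backups
]


def maturity_by_function(controls):
    """Average current maturity per function: the values a spiderweb chart plots."""
    scores = {f: [] for f in FUNCTIONS}
    for c in controls:
        scores[c.function].append(c.current)
    return {f: round(sum(v) / len(v), 2) if v else 0.0 for f, v in scores.items()}


def gap_roadmap(controls):
    """Controls below target, ordered: key measures first, then largest gap, then ref."""
    gaps = [c for c in controls if c.current < c.target]
    return sorted(gaps, key=lambda c: (not c.key_measure, -(c.target - c.current), c.ref))


def audit_readiness(controls):
    """A single key measure below target fails the audit regardless of the rest."""
    failing = [c.ref for c in controls if c.key_measure and c.current < c.target]
    return {"pass": not failing, "failing_key_measures": failing}


if __name__ == "__main__":
    for function, score in maturity_by_function(ASSESSMENT).items():
        print(f"{function:<9} maturity {score}")
    print("Roadmap (key measures first):")
    for c in gap_roadmap(ASSESSMENT):
        flag = "KEY" if c.key_measure else "   "
        print(f"  {flag} {c.ref} {c.function}: {c.current} -> {c.target}")
    print(audit_readiness(ASSESSMENT))
```

The ordering in gap_roadmap mirrors the advice in step 3: a key measure with a small gap still outranks a non-key control with a large one, because a failing key measure alone can fail the audit. Replace the constructed data with your own scores and the targets from the level the Selection Tool assigned you.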

Does your team not have the capacity to manage this process internally? Then it makes sense to engage a specialized cybersecurity partner who knows the CyFun framework and has experience with Belgian SMEs.

How Cyberplan helps you with CyberFundamentals compliance

Cyberplan guides Flemish companies through the entire CyFun process: from the initial gap analysis to preparation for the external audit. Our team of more than 20 certified experts (OSCP, CISSP, CEH, CISM) performs technical audits that are directly plotted against CyFun requirements. The result is not a thick report gathering dust, but a concrete roadmap with clear priorities in understandable language.

As a recognized VLAIO service provider, our pathways are eligible for subsidies. Small businesses effectively pay up to 45% less through the SME portfolio.

Want to know where your organization stands in relation to the CyberFundamentals framework? Book a no-obligation consultation and together we will review which steps are most urgent for you.

Frequently asked questions about the CyberFundamentals framework

Is the CyberFundamentals framework mandatory for my company?

It depends on your NIS2 classification. Organizations that fall under the Belgian NIS2 law as an essential or important entity must choose between CyFun or ISO 27001 as their compliance route. For all other Belgian enterprises, CyFun is strongly recommended but not required by law.

What is the difference between a CyFun verification and a CyFun certification?

A verification applies to the Basic and Important levels and is performed by an authorized Conformity Assessment Body. A certification is reserved for the Essential level and follows a more extensive audit process. Both result in an official CyFun label.

How long does it take to become CyberFundamentals-compliant?

The lead time depends on your starting position. Organizations with basic measures already in place can be compliant within one to three months. If you are starting largely from scratch, count on three to six months for the full process including implementation.

Can I combine the CyFun track with VLAIO grants?

Yes. Cybersecurity consulting and training are eligible for the SME portfolio (45% for small businesses, 35% for medium-sized). In addition, VLAIO subsidizes Cybersecurity Improvement Pathways by 50% for SMEs. Both grants are cumulative with the CyFun implementation track.

What are the key measures in CyFun and why are they important?

Key measures are those that the CCB considers critical. In a formal audit, these are tested first. Failure to meet a key measure can result in an automatic “fail,” even if the other controls are in order. Examples include multi-factor authentication, backup management and incident response procedures.