
ISO 27001 or CyberFundamentals? Here’s how to choose the right framework for NIS2 compliance

Are you hesitating between ISO 27001 and CyberFundamentals for NIS2? Compare costs and lead time, and start your journey with VLAIO funding.
An IT manager reviews a digital roadmap on a laptop with milestones for ISO 27001 and CyberFundamentals, illustrating the strategic choice Belgian companies must make for NIS2 compliance.

The Belgian NIS2 law has been in effect since Oct. 18, 2024, and the clock is ticking. Essential entities must complete their first compliance assessment by April 18, 2026. That means you have a choice to make now: are you working with ISO 27001 or CyberFundamentals (CyFun®)? Both frameworks provide a valid path to NIS2 compliance, but they differ significantly in approach, cost and lead time. In this article, we’ll help you make the right choice for your organization.

Why you need a framework for NIS2

The NIS2 legislation requires organizations to take “appropriate and proportionate” measures for cybersecurity. But how do you demonstrate compliance? The Center for Cybersecurity Belgium (CCB) offers three options for mandatory conformity assessment:

  • A CyberFundamentals certification or verification by an accredited body.
  • An ISO 27001 certification by an accredited body.
  • An inspection by the CCB’s inspection service.

In practice, most organizations choose one of the first two options. Three-quarters of registered NIS2 entities in Belgium have now chosen a framework, and the majority choose CyFun. But that does not mean that ISO 27001 is the wrong choice. It depends on your situation.

What is ISO 27001 and how does it help with NIS2?

ISO/IEC 27001:2022 is an international standard for information security. At its core is an Information Security Management System (ISMS): a structured approach to identifying risks, choosing measures and continuously improving them. You decide which security measures apply based on a risk analysis. That makes ISO 27001 flexible, but also more complex to implement.

The strength of ISO 27001 lies in its international recognition. If your company operates internationally, is part of complex supply chains or works with customers who make ISO 27001 a requirement in their vendor risk assessments, this certificate has clear added value. Think of software companies working for government agencies or EU institutions, or manufacturing companies supplying large multinationals.

For NIS2 compliance, ISO 27001 does require you to pay extra attention to alignment. The Statement of Applicability (SoA) must be meticulously mapped to the NIS2 requirements. You must submit the scope and SoA to the CCB as part of the compliance assessment.

What is CyberFundamentals and why does Belgium choose it?

CyberFundamentals (CyFun®) is the Belgian cybersecurity framework, developed by the CCB as a pragmatic response to NIS2. It is based on internationally recognized standards such as NIST CSF 2.0, ISO 27001 and CIS Controls, but specifically tailored to the Belgian market.

The framework works with four maturity levels: Small (for micro organizations), Basic (basic security for all enterprises), Important (protection against targeted attacks) and Essential (protection against advanced threats). Each organization chooses the level that fits its risk profile.

The strength of CyFun® lies in its prescriptive approach. Whereas ISO 27001 asks you to determine your own measures, CyFun® tells you exactly which controls you need to implement. That saves a lot of interpretation and makes the process more predictable. In addition, the CCB offers free tools, including self-assessment spreadsheets and the CyFun® Selection Tool.

With the launch of CyFun 2025, the framework has been further refined. The update aligns with NIST CSF 2.0, pays more attention to supply chain security and adds governance measures from the Important level up. It also specifically addresses Operational Technology (OT) environments, which is relevant to manufacturing companies.

ISO 27001 vs. CyberFundamentals: the practical comparison

The choice between the two frameworks depends on some concrete factors. Here are the main points of comparison.

Implementation time. An ISO 27001 journey typically takes 6 to 13 months, depending on the existing maturity and complexity of your organization. CyberFundamentals can often be fully implemented within 3 to 6 months, thanks in part to its prescriptive controls and free tooling.

Costs. The total cost of ISO 27001 certification for an average SME is between 15,000 and 35,000 euros, including consultancy, audit costs and internal time investment. Added to this are annual surveillance audits ranging from €1,200 to €3,000. CyberFundamentals is available as a framework free of charge. The cost lies in the implementation and in the mandatory verification or certification by an accredited conformity assessment body (CAB). For most SMEs, the total package for CyFun is significantly lower.

Legal protection in Belgium. This is a crucial difference. Obtaining a CyFun® label provides an immediate legal “presumption of conformity” under the Belgian NIS2 law. This means you are legally stronger in the event of an incident. With ISO 27001, you have to actively demonstrate that your measures comply with NIS2 requirements, which requires an additional layer of translation.

International recognition. This is where ISO 27001 scores significantly better. The certificate is recognized worldwide and is a requirement for many international customers and tenders. CyFun® is gaining prominence outside Belgium (including Ireland and Romania), but today is primarily a Belgian framework.

Suitability for SMEs. CyFun® is explicitly designed for an SME economy such as Belgium. Johan Klykens of the CCB describes it as a framework where “one control and one proof can ideally be reused by multiple parties.” The modular structure allows for step-by-step growth, which better reflects the reality of a medium-sized company.

When do you choose ISO 27001?

ISO 27001 is the better choice if your organization meets one or more of these criteria:

You operate internationally and work with customers or partners who have ISO 27001 as a requirement. Think of software companies that supply applications to government agencies, EU institutions or large multinationals. An ISO 27001 certificate saves you from filling out endless security questionnaires and opens doors in tenders.

You already have an existing management system (such as ISO 9001 or ISO 14001). The High Level Structure (HLS) of these standards overlaps, making a combined approach more efficient. Organizations with a mature governance structure benefit from the synergy.

You want maximum flexibility in your security approach. ISO 27001 allows you to choose your own controls based on your specific risk analysis and risk appetite. This is an advantage for complex organizations with hybrid IT environments or multiple sites.

When do you choose CyberFundamentals?

CyberFundamentals is a better fit if your organization recognizes itself in this situation:

You focus primarily on the Belgian market and have no international compliance requirements. CyFun® then offers the fastest and most cost-effective route to NIS2 compliance, with the immediate legal benefit of a “presumption of conformity.”

You are an SME without a dedicated compliance team. CyFun®’s prescriptive approach makes the process more predictable. You don’t have to interpret for yourself what measures are needed. The framework tells you exactly what is expected.

The April 2026 deadline is fast approaching and you haven’t started yet. With an average implementation time of 3 to 6 months, CyFun® offers a more realistic timeline than an ISO 27001 process that often takes twice as long.

You are a manufacturing company with OT environments. CyFun 2025 pays specific attention to Operational Technology and industrial networks, making the framework well suited to the realities of manufacturing companies.

The hybrid approach: the best of both worlds

What many organizations overlook: you don’t necessarily have to choose. CyberFundamentals is built on ISO 27001, NIST CSF 2.0 and CIS Controls. Anyone who starts with CyFun® and passes it successfully has already laid a solid foundation for possible ISO 27001 certification at a later stage.

This phased approach is particularly interesting for growing companies. You start with CyFun® to quickly meet your NIS2 obligations, and then build up to ISO 27001 when international ambitions or customer requirements make it necessary. This way you spread the investment and avoid having to make expensive choices under time pressure.

The deadlines: what must be done by when?

The following deadlines apply to essential entities:

  • By April 18, 2026: achieve CyFun® verification at Basic or Important level, or submit the scope and Statement of Applicability of your ISO 27001 pathway to the CCB.
  • By April 18, 2027: complete full certification at the required final level.

For important entities, conformity assessment is in principle voluntary, but highly recommended. Those with a CyFun® label or ISO 27001 certification enjoy a “presumption of conformity.” In the event of an incident or complaint, you will then be in a much stronger legal position.

About 1,500 essential and 2,500 important entities are currently registered with the CCB in Belgium. By April 2026, the CCB expects to have sufficient capacity for large-scale compliance audits, but the availability of accredited auditors is limited. Those who wait until the last minute risk delays.

VLAIO grants lower threshold

Regardless of which framework you choose: through VLAIO, you can recover a significant portion of the costs. Since February 2026, the SME consulting portfolio has been exclusively limited to cybersecurity. This makes the subsidy extra relevant.

Through the SME Portfolio, small enterprises receive 45% subsidy on cybersecurity advice and training, medium-sized enterprises 35%, with a maximum of 7,500 euros per year. In addition, VLAIO’s Cybersecurity Improvement Pathways offer 50% subsidy for SMEs on guidance pathways ranging from 7,100 to 39,900 euros. Non-SMEs covered by NIS2 can claim 35% subsidy.

Specifically, you can get a professional guidance program for your ISO 27001 or CyFun implementation for almost half the price. That subsidy makes the difference between “we’ll wait a while” and “we’ll start now.”

Frequently asked questions about ISO 27001 and CyberFundamentals

Should my company choose between ISO 27001 and CyberFundamentals?

Not necessarily. Both frameworks are valid for NIS2 compliance. You can even start with CyFun® and move up to ISO 27001 later if your international ambitions require it. The frameworks are not mutually exclusive.

What does a CyberFundamentals implementation cost compared to ISO 27001?

CyFun® is available as a framework free of charge. Total implementation costs for an SME are typically lower than for ISO 27001, which costs between €15,000 and €35,000. The exact cost depends on your current maturity, company size and whether you hire external guidance.

What is the difference between a CyFun verification and a CyFun certification?

A verification applies to the Basic and Important levels and is performed by an accredited conformity assessment body (CAB). A certification is required for the Essential level and follows a more rigorous audit process. Both provide a legal presumption of conformity.

Can I get a grant through VLAIO for both ISO 27001 and CyberFundamentals?

Yes. The SME Portfolio subsidizes cybersecurity advice no matter which framework you choose. Small businesses get 45% back, medium-sized ones 35%. In addition, the Cybersecurity Improvement Pathways subsidize up to 50% of the guidance costs.

What happens if I don’t meet the April 2026 deadline?

Essential entities that fail to complete their conformity assessment on time risk enforcement action by the CCB. Potential fines range up to €10 million or 2% of annual turnover. But even without a fine: in the event of an incident, you are legally more vulnerable without a completed compliance assessment.

Is CyberFundamentals only valid in Belgium?

CyFun® is a Belgian framework, but is gaining international prominence. Countries such as Ireland and Romania are showing interest. For purely Belgian compliance, it is a full-fledged choice. If you operate internationally, ISO 27001 offers broader recognition.

Making the right choice with customized guidance

Whether you choose ISO 27001, CyberFundamentals or a combination of both, the journey always starts with a clear picture of where you are today. A gap analysis reveals what measures you have already taken and where the priorities lie. This prevents you from spending time and budget on things you actually already have in order.

Cyberplan guides Flemish companies through the entire process, from initial vetting and risk analysis to technical implementation and preparation for the compliance assessment. With a team of more than 22 certified cybersecurity experts (OSCP, CISSP, CEH, CISM), we combine in-depth technical knowledge with understandable communication. And because we are a registered VLAIO service provider, you can receive up to 45% subsidy on our services through the SME Portfolio.

Want to know which framework is best for your organization? Book a free consultation and we’ll help you determine the right direction, on time and on budget.