CyFun 2025: Belgium’s Updated Framework for NIS2 Readiness

CyFun 2025 (Cyber Fundamentals) is the newest evolution of the cybersecurity framework published by the Centre for Cybersecurity Belgium (CCB). The framework was originally developed to help small and medium-sized enterprises (SMEs) strengthen their cyber resilience. The updated version now closely aligns with European standards, including NIS2, while keeping a pragmatic, scalable approach for organizations of all sizes.

This post is based on the webinar presentation: Nis Institute CyFun 2025 update

A Quick Refresher: What Is CyFun?

CyFun (CyberFundamentals) is Belgium’s national framework designed to raise cybersecurity maturity across organizations through a structured, measurable model.
It defines four assurance levels:

  • Small – for micro-organizations without a dedicated IT department.
  • Basic – 34 essential controls for entry-level security hygiene.
  • Important – 99 additional controls for higher-risk organizations.
  • Essential – 85 additional advanced controls for critical entities.

The framework is rooted in international standards such as NIST CSF, ISO/IEC 27001–27002, CIS Controls, and IEC 62443 (for OT). It also includes tools such as:

  • A self-assessment Excel sheet with maturity scoring.
  • Policy templates to accelerate implementation.
  • A mapping tool to cross-reference with ISO, CIS, IEC 62443 and NIST controls.
  • The CyberFundamentals labeling scheme for verified or certified compliance.

What’s New in CyberFundamentals 2025

The 2025 edition introduces several updates that bring it in step with the latest regulatory and technical developments:

  1. Alignment with NIST CSF 2.0 and European Legislation (NIS2)
    Governance is now added as a sixth function, expanding the model beyond “Identify, Protect, Detect, Respond, Recover.”
    The framework now comprises 6 functions, 22 categories, and 106 subcategories.
  2. Enhanced Focus on Supply Chain and OT Security
    Recognizing the interconnected nature of modern infrastructures, the new version extends control coverage for supply chains and operational technology (OT).
  3. Governance and Auditability Improvements
    New governance measures support verifiable compliance, making audits easier and clearer for certification bodies.
  4. Refined Controls and Clearer Wording
    Many controls have been rewritten for better clarity, auditability, and goal-based understanding.
  5. Clarifications on Maturity Model
    The self-assessment now provides use cases for documentation maturity and implementation maturity, with minimum target scores (e.g., 2.5/5 for Basic, 3.5/5 for Essential).
  6. European Cooperation
    Belgium, Ireland, and Romania are now co-scheme owners, with Portugal and Croatia observing or partially adopting CyberFundamentals. This collaboration paves the way for mutual recognition across the EU.

Certification and Labeling

CyberFundamentals offers three verification paths:

  • Basic and Important: Verification under ISO 17029, resulting in a “Verified” label.
  • Essential: Certification under ISO 17021-1, resulting in a “Certified” label.

These assessments are performed by accredited Conformity Assessment Bodies (CABs) under BELAC supervision. Importantly, an ISO 27001 certification can also be used to obtain a CyberFundamentals label, provided all key measures are implemented and properly mapped.

However, as Johan Decock emphasized, holding a CyberFundamentals label does not automatically mean NIS2 compliance. Specific obligations like incident reporting timelines (24/72 hours and 1 month) must still be covered in internal procedures.

Implementation Roadmap

Organizations are advised to follow a three-step process:

  1. Selection Tool / Risk Assessment – determine the appropriate assurance level.
  2. Self-Assessment – evaluate maturity and document evidence.
  3. Verification or Certification – obtain official recognition from an accredited CAB.

For essential entities, the CCB expects implementation of at least the Basic or Important levels by April 2026, and full Essential certification by April 2027.

Webinar of 12/11/2025

Nis Institute hosted a webinar on 12 November 2025 on the CyFun 2025 framework. This webinar was presented by Johan Decock, with interventions from Peter Geelen, and moderated by Jean-Luc Peeters.

This blog post provides the highlights of this webinar.

The presentation can be found here: Nis Institute CyFun 2025 update

Q&A Highlights

Q: Should key measures use “shall” or “should”?
A: Mandatory controls (key measures) must use “shall”;

Q: Can we start with the Basic level even if the selection tool recommends Important or Essential?
A: Yes — starting small is encouraged, provided the timeline toward higher levels is respected.

Q: Will the framework and tools be available in Dutch and French?
A: Booklets and requirements will be translated; helper tools (like the self-assessment sheet) remain in English for now.

Q: Is CyberFundamentals mandatory in Belgium?
A: NIS2-regulated entities must adopt either CyberFundamentals or ISO 27001.

Q: How often is the framework updated?
A: There’s no fixed cycle, but updates will follow major changes in NIST or ISO standards — likely every few years.

Q: Does CyberFundamentals cover privacy and data protection?
A: Some overlap exists, but full privacy-by-design coverage would require complementary frameworks such as ISO 27701 (PIMS).
