Why CyFun Is the Most Underrated Tool in NIS2 Compliance — And Why That Won't Last
By Paul C Dwyer

Across the EU, thousands of organisations are scrambling to work out what NIS2 actually requires them to do. They have read the directive. They understand they now carry obligations around risk management, incident reporting, supply-chain security and governance accountability. What they do not have is a concrete, prioritised, audit-ready answer to the only question that matters on a Monday morning: where do we start, and how do we prove we have done it?
Meanwhile, a framework that answers exactly that question — built by a national cybersecurity authority, cross-mapped to every major international standard, and available at no licensing cost — sits largely unknown outside the country that created it.
That framework is CyFun. And the gap between how useful it is and how little it is discussed is, frankly, one of the odder things in the compliance landscape. This piece is an attempt to close that gap, because the window in which knowing CyFun is a genuine differentiator rather than a baseline expectation is already starting to close.

What CyFun actually is
CyFun — the CyberFundamentals Framework — was developed and is owned by the Centre for Cybersecurity Belgium (CCB), the national authority operating under the direct authority of the Belgian Prime Minister. "CyFun®" is a registered trademark of the CCB, and its only authentic source is cyfun.eu. That provenance matters: this is not a vendor framework or a consultancy product. It is a national cybersecurity baseline produced by the body responsible for a country's cyber resilience.
What makes CyFun unusual — and useful — is that it was never designed to compete with the established standards. It was designed to sit on top of them and translate them into action. The framework is built on and cross-mapped to four internationally recognised standards: the NIST Cybersecurity Framework, ISO 27001/27002, the CIS Controls, and IEC 62443, the last of which covers operational technology. In other words, CyFun is a practical implementation layer over the frameworks most security professionals already half-know.
The 2025 edition brought CyFun into full alignment with NIST CSF 2.0. It now comprises six core functions, with Govern added as a new foundation beneath the five that practitioners already recognise — Identify, Protect, Detect, Respond and Recover. Beneath those six functions sit 22 categories and 106 subcategories. The addition of Govern is not cosmetic: it is the function that directly addresses the governance and management-accountability obligations that NIS2 places squarely on boards and senior leadership.
CyFun then organises everything into three assurance levels — Basic, Important and Essential — assigned according to an organisation's criticality and size, and governed by what the CCB calls the "Principle of Balance": the idea that security measures should be proportionate to the risks an organisation actually faces, rather than uniform across every entity.
One point worth clearing up immediately, because it trips up almost everyone new to the framework: CyFun's three assurance levels are not the same thing as NIS2's classification of "essential" and "important" entities. They share the same words, but they are entirely separate. Your NIS2 category is a legal classification of how regulated you are. Your CyFun assurance level is a measure of how much security rigour your risk profile demands. An organisation's two designations can, and often do, differ.
Why this is becoming an EU story, not just a Belgian one
It would be easy to dismiss CyFun as a Belgian curiosity. That would be a mistake, and an increasingly expensive one.
Belgium was the first EU member state to fully transpose NIS2 into national law, and it has built one of the most structured and actively enforced implementations in the Union. The Belgian model deliberately links legal obligation to a concrete assurance framework rather than leaving compliance abstract — and that design choice is being watched closely by other member states wrestling with the same transposition problem.
The framework's recognition is now extending beyond Belgium's borders. France, Romania and Ireland have been cited among the countries beginning to recognise CyFun, with others expected to follow. For practitioners and organisations outside Belgium, this is the legitimate "get ahead of it" argument: the framework you learn now is increasingly the one converging across the bloc.
There is a deeper reason the skill transfers, too. Because CyFun cross-maps to NIST CSF, ISO 27001/27002, CIS Controls and IEC 62443, learning CyFun is, in effect, learning the common grammar that sits underneath most major cybersecurity frameworks. Time invested in understanding it is not time locked into a single jurisdiction's scheme. It is time spent becoming fluent in the structure shared by nearly everything else.
Who should be paying attention
Three groups in particular should treat CyFun as a priority rather than a curiosity.
In-scope entities that need a defensible, concrete route to demonstrate NIS2 compliance — and who would rather adopt a ready-made, regulator-built framework than invent their own control set from first principles.
Consultants and practitioners who want a portable, EU-spreading competency that compounds in value as recognition widens. In a market where everyone claims NIS2 expertise, demonstrable command of a specific, recognised implementation framework is a real differentiator.
Boards and senior management, who now carry personal liability under NIS2 and need to understand the instrument through which their organisation's accountability obligations are actually operationalised.
The urgency is real and grounded in the enforcement reality now arriving across the EU. Belgium has already moved from transposition into active enforcement, with concrete compliance checkpoints and consequences for entities that fail to demonstrate progress. The broader NIS2 enforcement wave is following across member states. The organisations that will struggle are the ones that treated the directive as a paper exercise and never reached a concrete implementation framework.

Why CyFun matters more than its profile suggests

The single most valuable thing about CyFun is also the simplest to state.
NIS2 tells you what outcomes to achieve. CyFun tells you what to do tomorrow morning.
The directive's obligations are, by design, abstract — they describe results, not methods. That abstraction is exactly where most compliance programmes stall. CyFun takes those obligations and turns them into a concrete, prioritised, measurable set of controls. It closes the distance between "we must manage cyber risk appropriately" and "here are the specific measures, in priority order, that we will implement and evidence."
Several features make it especially well-suited to the problem NIS2 creates:
It is action-oriented and scalable. Rather than facing an all-or-nothing certification cliff, an organisation can begin at the Basic level and progress upward as maturity grows. Starting small is not a workaround — it is the intended path, provided there is a credible timeline toward the appropriate level.
It is free. The framework itself carries no licensing cost, which is a meaningful contrast with the certification economics of the alternative compliance routes.
It is built for measurement rather than box-ticking. The structure is designed so that teams can track genuine maturity progress over time — monitoring incidents, training staff, verifying supplier security — instead of producing a binder that satisfies an auditor once and gathers dust.
And critically, it embeds the governance accountability NIS2 demands. The new Govern function maps directly onto the directive's requirements for management oversight and the personal liability that now attaches to directors and senior leaders. This is precisely why CyFun is not merely an IT department concern. It is a board-level instrument, because the exposure NIS2 creates is a board-level exposure.
Why CyFun rewards being learned properly
There is a trap in CyFun's greatest strength. Because it is pragmatic and accessible, it is easy to assume it can be picked up casually from the published documentation. In practice, the parts that determine whether an implementation actually holds up are exactly the parts that reward structured learning.
Selecting the correct assurance level is a judgement, not a lookup. Interpreting controls correctly — understanding the difference between a key measure that uses "shall" and a recommendation that uses "should" — materially changes what compliance means. And evidencing properly, so that an implementation survives independent verification rather than merely looking complete internally, is a discipline in its own right.
This is the difference between knowing about CyFun and being able to run a CyFun programme. The first you can get from a blog. The second is what training exists to provide — and it is why understanding the framework itself and understanding how to run the compliance programme around it are two complementary skills, not one.
The window is closing
CyFun is, right now, an underrated framework. That is precisely what makes it an opportunity. The organisations and professionals who learn it now are operating ahead of a curve that is visibly bending toward broader EU adoption. The ones who wait will learn it eventually too — but as table stakes, at the point where it has stopped conferring any advantage at all.
The most pragmatic, audit-ready, freely available route through NIS2's abstraction problem already exists. The only real question is whether you understand it before your competitors and your regulators expect you to.
HEAD OFFICE
-
ICTTF Ltd
ICTTF House
First Floor Unit 15
N17 Business Park
Tuam, Co Galway
H54 H1K2 -
info@icttf.org
support@icttf.org -
+353 (0)1 905 3263

