In summary
Certification CyberFundamentals (CyFun) Basic is not just an obligation related to NIS2. In 2026, it has become a Concrete commercial argument For Belgian SMEs: the Basic level is blocked 82 % of actual cyberattacks with only 34 bars, it sets off at 2 to 4 months, and reassures clients and employers who now require proof of security from their suppliers.
- CyFun is the official repository of the Belgian Cybersecurity Centre (CCB), recognised as a valid path to NIS2 compliance.
- The Basic level comprises 34 moves and covers 82 % of the most common attacks, according to the CCB.
- The NIS2 directive is pushing large companies to demand proof of security from their entire supply chain, including SMEs outside its scope.
- A CyFun label does not automatically guarantee full NIS2 compliance: incident notification procedures still need to be covered separately.
- Key deadline: NIS2 entities were required to submit their CyFun self-assessment to the CCB by 18 April 2026.
What is CyFun (CyberFundamentals)?
CyFun is the official cybersecurity repository of Belgium, developed by the Centre for Cybersecurity Belgium (CCB). It translates major international standards — NIST Cybersecurity Framework, ISO 27001/27002, CIS Controls and IEC 62443 — into concrete, measurable requirements tailored to Belgian organisations.
Its unique feature is that the reference framework is fed by actual cyber incidents that have occurred in Belgium, to which the CCB has continuous access. The most effective measures against these incidents are listed as «key measures». This is what makes CyFun particularly relevant to the Belgian threat landscape.
CyFun is recognised by the CCB as one of two valid paths to compliance with the NIS2 directive, the other being the ISO/IEC 27001 standard. Both paths benefit from the same legal presumption of conformity.
The 4 levels of CyFun explained
CyFun relies on a four-tier progressive model. Each tier contains all the measures of the previous tier, plus additional requirements.
| Level | Measures | Coverage | For whom? |
|---|---|---|---|
| Small | ~10 rules | Estimate | Micro-organisations, little technical knowledge |
| Basic | 34 bars | ~82 % | SMEs and moderate security needs |
| Important | 117 measures | ~94 % | Organisations managing sensitive data |
| Essential | 140 measures | up to 100 % | Large companies, critical infrastructure |
Coverage of cyber-attacks by CyFun level
Share of actual attacks blocked, according to the CCB
The Basic level offers the best balance between effort and protection for an SME: 34 measures providing 82 % of cover.
Please note: A new version, CyFun 2025, was released in October 2025. It adds a sixth feature, Govern (governance), to the existing five (Identify, Protect, Detect, Respond, Recover). The 2023 and 2025 versions will coexist until 18 April 2027; each organisation will choose which one to apply.
Why is the Basic level sufficient for most SMEs
For the majority of Belgian SMEs, the Basic level is the right target. It covers the fundamentals that block the overwhelming majority of real-world attacks – those that actually affect small organisations – without imposing the documentary burden of an Essential level.
The priorities identified by the CCB for this foundation can be summarised as a few concrete pillars:
Multi-factor authentication
Multi-factor authentication on sensitive accesses, the first barrier against credential theft.
Backups
Reliable, tested, and restorable backups — platform-independent.
Endpoint protection
An EDR solution to detect and block threats on endpoints.
Access & Updates
Access management and regular patch implementation.
Network segmentation
Segment the network to limit the spread of an attack.
Phishing awareness
Training employees, the first line of defence against phishing.
In terms of timeframe, reaching the Basic level generally represents a undertaking of 2 to 4 months for an assisted SME — much lighter than a full ISO 27001 approach, while being recognised by the CCB as a valid path towards NIS2.
The business argument: your label becomes a differentiator
Here's the crux of the matter, the one that most articles about NIS2 forget to address.
The NIS2 directive requires large organisations to manage cybersecurity risk on their entire supply chain. In concrete terms, a large company, a hospital, or an energy actor subject to NIS2 is now asking its suppliers and service providers to demonstrate their own level of security.
Translation for your SME: even if it's outside the direct scope of NIS2, your clients who fall within it will ask you the question. And «we take security seriously» is no longer enough as a response.
Imagine the situation: a potential client subject to NIS2 has to choose between two IT providers. The offers are comparable, the prices are similar. One displays a CyFun Basic certification, the other does not. The choice is quickly made.
The CyFun label sends three strong signals to your market:
You speak the language of your regulated clients
Faced with a security questionnaire, you respond with recognised proof rather than promises. You accelerate the sales cycle and remove a barrier to purchase.
You are turning an obligation into an advantage.
Where GDPR was perceived as an imposed constraint, NIS2 is increasingly seen as an opportunity to stand out. A certified company positions itself at a higher level of quality.
You inspire confidence
A third-party verified label demonstrates a genuine commitment. It even facilitates access to cyber insurance, with insurers relying on the CyFun level to assess risk.
Attention: A CyFun label does not automatically mean NIS2 compliance
The misunderstanding to avoid
Holding a CyberFundamentals label does not, in itself, tick all the boxes for NIS2. Specific obligations – such as the strict incident notification deadlines to the CCB (24 hours, 72 hours, and then 30 days) – must be separately covered by your internal procedures.
The label is a solid foundation and a major component of your compliance, but it is part of a broader governance approach. This is where experienced support makes the difference between a «tick-box» certification and a truly operational security posture.
How to get your CyFun Basic label
The approach recommended by the CCB follows a four-step logic:
Determine your target level
Using the free CCB selection tool, based on a sector-specific risk assessment.
Perform a self-assessment
Measure by measure, documenting the evidence, via the official CCB Excel tool.
Bridge the gaps
Gap analysis, prioritising actions according to risk.
To get checked or certified
Official certification is carried out by a conformity assessment body (CAB) accredited by BELAC.
How GVISION supports you
At GVISION, we support Brussels and Belgian SMEs throughout the entire process: from the initial gap analysis to operational compliance, including the concrete deployment of expected technical measures (MFA, backups, EDR, segmentation, phishing awareness).
Our approach is that of a close partner, not a simple breakdown service: we translate the requirements of the standard into concrete actions, tailored to your size, your sector, and your budget. The aim is not just to obtain a badge, but to make your security a lasting asset – and an argument you can highlight to your clients.
Is CyFun Basic relevant to your business?
Take advantage of our free security audit: we'll assess your situation and provide a clear roadmap, free of jargon and obligation.
Request my free auditContact usFAQ — CyFun and certification
Is CyFun mandatory in Belgium?
What is the difference between CyFun and ISO 27001?
How long does it take to reach the Basic level?
Which CyFun level should I choose for my SME?
Does a CyFun label automatically bring me into compliance with NIS2?
How much does a CyFun Basic certification cost?
This article deals with a regulatory subject whose deadlines and terms are evolving. The information reflects the state of the CyFun repositories and NIS2 regulation in 2026. Sources: Centre for Cybersecurity Belgium (CCB / Safeonweb), cyfun.eu. For any compliance decisions, validate your specific situation with the CCB or our experts.





