What is CyberFundamentals? Belgium's Official Cybersecurity Framework

CyberFundamentals is Belgium's official cybersecurity framework, created by the Centre for Cybersecurity Belgium (CCB). It provides a clear, structured approach to protecting your business - from basic measures for small companies to comprehensive controls for critical infrastructure.

CyberFundamentals framework visualization
CyberFundamentals: Belgian cybersecurity in 4 tiers

What is CyberFundamentals?

CyberFundamentals (often called CyFun) is the official Belgian cybersecurity framework developed by the Centre for Cybersecurity Belgium (CCB). It provides organizations with a structured, risk-based approach to cybersecurity.

  • Based on international standards: NIST CSF 2.0, ISO 27001, and CIS Controls
  • Tiered approach: Start small, grow as needed
  • Designed for all organizations: From micro-businesses to critical infrastructure
  • NIS2 aligned: Meets European cybersecurity requirements

The 6 Core Functions

CyberFundamentals organizes security measures into six functions, following the NIST Cybersecurity Framework structure:

GV

Govern

Establish cybersecurity governance, policies, and risk strategy

ID

Identify

Know your assets, risks, and business environment

PR

Protect

Implement safeguards: access control, training, data security, backups

DE

Detect

Monitor for anomalies and security events

RS

Respond

Take action when incidents occur

RC

Recover

Restore operations and learn from incidents

Why CyberFundamentals Matters

Many businesses know they need cybersecurity but don't know where to start. CyberFundamentals solves this by providing:

Clear guidance

No guessing what to do - the framework tells you exactly which controls to implement

Right-sized security

Start with 7 basic controls (Small tier) and expand only when you need to

NIS2 compliance

For organizations in NIS2 scope, CyberFundamentals is the recognized path to compliance in Belgium

Proof for stakeholders

Demonstrate to customers, insurers, and auditors that you take security seriously

The 4 Security Tiers

CyberFundamentals uses a tiered approach, allowing you to start simple and grow:

Tier Controls Coverage Best For
Small 7 First step Micro-businesses, getting started
Basic 34 82% SMEs with < 25 employees
Important 117 94% SMEs in NIS2 scope
Essential 140 100% Critical infrastructure

Coverage percentage indicates share of attack types defended against

Small Tier: 7 Essential Controls

The Small tier covers the absolute basics every organization should have:

1

Multi-Factor Authentication

Add a second verification step to all important accounts

2

Security Updates

Keep software and systems up to date

3

Antivirus

Use antivirus software on all devices

4

Network Security

Secure your network with firewalls and proper configuration

5

Backups

Regular backups of critical data, tested for recovery

6

Admin Rights

Limit administrator privileges to those who need them

7

Physical Security

Protect physical access to devices and data

How to Get Started

Getting started with CyberFundamentals is straightforward:

1

Assess your current state

Use a self-assessment tool to see where you stand on the 7 Small tier controls.

2

Start with Small tier

Implement the 7 basic controls. This is free and gives you a solid foundation.

3

Document your progress

Keep records of what you've implemented - this is your compliance evidence.

4

Grow when needed

If you're in NIS2 scope or want better protection, move to Basic, Important, or Essential tier.

CyberFundamentals and NIS2

If your organization falls under NIS2 (the EU cybersecurity directive), CyberFundamentals is your implementation path in Belgium. The CCB has designed the framework to map directly to NIS2 requirements.

  • Important entities: Use the Important tier (117 controls)
  • Essential entities: Use the Essential tier (140 controls)
  • The framework provides the specific controls needed to meet NIS2 obligations

How Easy Cyber Protection Helps

We make CyberFundamentals implementation simple:

Guided implementation — Step-by-step tasks walk you through each control
Progress tracking — See your compliance percentage at a glance
Evidence collection — Built-in documentation for audits and stakeholders
Free Small tier — Start with the 7 essential controls at no cost

Frequently Asked Questions

Is CyberFundamentals mandatory?

For organizations in NIS2 scope (essential and important entities), using a recognized framework like CyberFundamentals is effectively mandatory in Belgium. For others, it's voluntary but highly recommended.

How much does CyberFundamentals cost?

The framework itself is free - it's published by the CCB. Implementation costs depend on your current state and chosen tier. The Small tier (7 controls) can often be implemented with minimal investment.

Can I get certified?

Yes, you can get CyberFundamentals certification through accredited auditors. This provides external validation of your security posture.

How long does implementation take?

The Small tier can be implemented in days to weeks. Basic tier typically takes a few months. Important and Essential tiers are ongoing programs that may take 6-12 months to fully implement.

Do I need an IT department?

No. The Small tier is designed to be implementable by any organization. For higher tiers, you may want IT support, but many SMEs work with their existing IT partner.

What's the difference between CyberFundamentals and ISO 27001?

CyberFundamentals is built on ISO 27001 (among other standards) but is tailored for the Belgian context and specifically aligned with NIS2. It's generally more accessible for SMEs than a full ISO 27001 implementation.

Related Articles

Sources

  1. CCB CyberFundamentals Framework — Official CCB documentation
  2. NIS2 Directive (EU) 2022/2555 — European cybersecurity directive
  3. NIST Cybersecurity Framework — Foundation for CyberFundamentals structure