CyFun verification and NIS2

The NIS2 Act aims to strengthen the cybersecurity of networks and information systems
that are of general interest to public safety. Organizations that fall under its scope must
comply with a number of obligations.

With our BELAC accreditation, we can perform a verification for
CyberFundamentals (CyFun).

If you successfully complete the verification, you can apply for a CyFun label.
This allows you to demonstrate (a presumption of) compliance with NIS2!

On this page, you will find everything you need to know about CyFun. Request a
CyFun verification without obligation, and we will personally discuss the options with you.

Scope of the NIS2

To be covered by the Belgian NIS2 Act, an organization must be established in Belgium and provide a service listed in Annexes I and II of the NIS2 Act. It must also exceed the thresholds for medium-sized enterprises. This includes, among others, medium-sized enterprises with more than 50 employees or an annual turnover of more than €10 million.

Use this NIS2 scope test tool to check whether your organization is an essential or important entity.

Obligations for important and essential entities

The NIS2 Act imposes several obligations on essential and important entities. Organizations within its scope must take measures to improve their cybersecurity, manage incidents, and report them.

  1. Registration
    NIS2 entities falling within the scope of the Belgian NIS2 Act must register their organization with the Belgian Cybersecurity Centre (CCB);
  2. Cybersecurity Risk Measures
    Essential and important entities must implement appropriate measures to secure their networks and information systems, prevent incidents, and mitigate the impact of incidents on their customers and other services;
  3. Significant Incident Reporting
    Both types of entity must inform the national CSIRT (in Belgium, this is the CCB) of any major incident affecting their services, including information on potential cross-border effects;
  4. Management Responsibility
    The governing bodies of NIS2 entities must approve cybersecurity measures and oversee their implementation.
    If the entity fails to comply with these measures, the governing body is responsible.

Essential entities must also undergo a mandatory regular conformity assessment, choosing from three options: CyFun certification, ISO/IEC 27001 certification, or an inspection by the CCB inspection service.

Important entities are legally required to conduct their own risk assessment and implement appropriate security measures to protect their networks and information systems. The CyFun program is the means by which cybersecurity can be demonstrated.

Supervision and sanctions

The CCB has been designated as the national authority for cybersecurity and will monitor compliance with the law.

Fines

The CCB can impose fines for failure to report and for failure to comply with oversight, and can discipline directors. Significant fines can be imposed on important and essential entities.

Warnings

The CCB may also issue warnings, including instructions to stop or change behavior, disclose violations, appoint a control officer, implement recommendations, suspend certifications or licenses, and ban management positions for essential entities.

Who is CyFun for?

The NIS2 Act applies to organizations that provide essential services as listed in Annexes I and II of the Act. CyFun is suitable for:

  • Small and medium-sized enterprises (SMEs): Those who want to improve their basic security without complex management systems;
  • Large enterprises: Those who want to lay a solid foundation for further security measures;
  • Public and semi-public institutions: Those who are required to comply with the requirements of the NIS2 directive;
  • Service providers and suppliers: Those who want to offer customers certainty about their information security.

In short, CyFun is relevant for any organization that takes cybersecurity seriously and/or wants to comply with laws and regulations.

Why CyFun verification is important for your organization

Achieving CyFun verification offers numerous benefits for Belgian organizations looking to take their cybersecurity to the next level.

The key benefits include:

  • Protection against cyber threats: Minimizes the risk of data breaches and cyberattacks;
  • Customer and partner trust: Demonstrates your organization’s commitment to cybersecurity;
  • Legal compliance: Helps meet legal obligations;
  • Operational continuity: Reduces the risk of business disruptions due to cyber incidents;
  • Continuous improvement: Supports the regular evaluation and optimization of security measures.

What levels does CyFun have?

CyberFundamentals offers three levels, each designed for organizations of varying sizes and risk profiles:

CyFun Basic
The CyFun Basic assurance level includes standard information security measures suitable for all companies. These measures provide effective protection using technology and processes that are generally already available. If necessary, the measures are adapted and refined.

CyFun Important
The CyFun Important assurance level is designed to minimize the risk of targeted cyberattacks by actors with common skills and resources, in addition to known cybersecurity risks.

CyFun Essential
The CyFun Essential assurance level provides additional protection against advanced cyberattacks by actors with extensive skills and resources.

The verification process

To obtain CyberFundamentals verification, an organization must complete the following steps:

  • Conduct a risk assessment
    Use the CyFun Selection Tool to select the appropriate assurance level;
  • Complete your Self-Assessment and implement corrective actions
    Use the CyFun Self-Assessment Tool for self-assessment and management reporting;
  • Request a verification or audit from Brand Compliance
    Have your Self-Assessment verified by Brand Compliance;
  • Request your label at Safeonweb@work
    After completing the conformity assessment process with your verification body, request your CyFun label.

The process at Brand Compliance

The Brand Compliance process will look like this:

ISO 27001 & CyberFundamentals

In some cases, it’s also possible to obtain a CyFun® label with ISO 27001 certification. The certification must then meet certain requirements.

ISO 27001:2023

Take the step towards NIS2 compliance today with Brand Compliance

Protect your organization against cyber threats and comply with the legal requirements of the NIS2 Act by opting for CyFun verification/certification. As an independent certification body, Brand Compliance is your trusted partner in this process. Contact us today for a free consultation.
