CyberFundamentals Framework 2025

CyFun® 2025 was created to match international standards like the NIST Cybersecurity Framework 2.0 and national and European legislations and regulations, such as the European NIS2 Directive. It includes the latest knowledge and best practices in cybersecurity.

In 2025, over 80 experts and organisations helped review the first draft. Their feedback made the framework easier to understand and more practical to use.

Key improvements

• Aligned with NIST Cybersecurity Framework (CSF) 2.0 and relevant European legislation (e.g. NIS2).
• Incorporates recent developments in information and cybersecurity.
• Integrates user feedback from CyFun®2023.
• Expands focus on supply chain security and operational technology (OT).
• Reformulates controls and guidelines to enhance clarity and auditability.
• Adds a specific goal to each control to improve understanding.
• Provides more comprehensive guidance on interpreting requirements.
• Introduces “Governance Measures” to align with global best practices for board-level cybersecurity oversight.
• Corrects grammatical, spelling, and editorial issues.

Transition period

To make the switch easier, both CyFun® 2023 and CyFun® 2025 will be both available for a while. After that, only the new version will be accepted for self-assessments and third party conformity assessment.

1. General 

To support the CyberFundamentals Framework, an MS Excel® self‑assessment tool has been developed. This tool incorporates the requirements for the ‘Basic’, ‘Important’, and ‘Essential’ assurance levels of the specific framework version it aligns with, as well as the requirements defined in the Conformity Assessment Scheme (CAS). The versions of the framework and the CAS used are clearly indicated within the tool. For this reason, the tool must not be modified during any verification or certification process. 

2. Tool layout 

In CyFun 2025, the structure has been improved for flexibility and ease of use: 

• There are three separate self-assessment tools, one for each assurance level:  
  • Basic
  • Important
  • Essential
• New filtering feature:  
  • Each control has a filter that shows only the items for the selected assurance level (Basic, Important, or Essential).
  • Organisations working toward Important or Essential levels can begin with the Basic controls by selecting the Basic filter in each sheet.
  • For the Important level, the Important controls can be added after the Basic controls are completed—using the same tool.
  • For the Essential level, the Essential controls can be added after completing both the Basic and Important controls, again within the same tool.
  • This approach removes the need to transfer scores between different tools, making the assessment process easier and more efficient. 
     
• The controls are assessed from two perspectives: 
  • Policy Maturity: This measures how well the organisation’s written rules and procedures meet the requirements of the CyberFundamentals Framework. 
  • Implementation Maturity: This measures how well the organisation’s day‑to‑day practices are carried out in line with the CyberFundamentals Framework. 
     
• The table below explains the different maturity levels and how they are used to assess both Policy Maturity and Implementation Maturity. µ
   

  

  3. Calculation method

A sub‑category can include several controls, and each of these controls must be assessed for both documentation and implementation using the maturity levels shown above. For each control a score from 1 to 5 must be entered.  The tool then calculates the average documentation score and the average implementation score for each sub‑category (for example, ID.AM‑01), and uses these to calculate another average for each category (for example, ID.AM).  

    4. Summary report 

The ‘summary’ tab for each CyberFundamentals assurance level contains the following elements: 

• Total Maturity Level: An overall maturity score calculated as the average of the maturity levels of all categories.
• Category Maturity Overview: A summary showing the maturity levels for each category, based on the average values calculated in the dedicated function tab.
• List of Key Measures: An overview of the key measures that must be met, using the values entered in the dedicated function tab.
• Radar Chart (Spider Chart): A visual representation of the category maturity scores, based on the data shown in the summary. 

Determining conformity with the Conformity Assessmentv Scheme (CAS) tresholds 

• The overview includes the target scores (tresholds) defined for each assurance level in the Conformity Assessment Scheme (CAS). The results of the self‑assessment are compared against these target scores.
• When a value appears in red, it indicates that the required maturity level has not been reached.
• When a value appears in green, it indicates that the required maturity level has been met.