FAQ & Feedback

The CyberFundamentals framework defines three assurance levels:

• Basic – this level contains the standard information security measures for all enterprises.
• Important – this level is designed to minimise the risks of targeted cyber-attacks by actors with common skills and resources in addition to known cyber security risks.
• Essential – this level goes one step further and is designed to address the risk of advanced cyber-attacks by actors with extensive skills and resources.

Each level builds on the previous one, with increasing expectations in terms of controls, governance, and resilience.

In addition, there is a questionnaire and guidance for level ‘small’. These tools are  intended for micro-organisations or organisations with limited technical knowledge.

The allocation of an organisation to a specific assurance level is based on the performance of a risk assessment. The risk assessment and the determination of the appropriate assurance level fall under national authority. Therefore, the risk assessment must be carried out via the official national website.You can go to this page to be redirected to your national website.

Yes, this framework consists of a structured three-step process, each step being essential for achieving and maintaining robust cybersecurity standards. First of all, a risk assessment to determine your organisation’s assurance level. Secondly,  a self-assessment to review how well your organisation implemented the required cybersecurity measures for their selected assurance level. The last, optional, step is, requesting verification or certification by an accredited conformity Conformity Assessment Body.

These requirements are a core cybersecurity control that organisations are required to implement as part of their assurance level.

Choosing the right maturity level can initially be a challenge. That’s why we’ve created additional guidance to support you in this process. On the one hand, this document provides a general explanation of the different maturity levels. On the other hand, for each key measure, we’ve included a use case that explains in more detail which level applies in which situation.

An update of the CyFun® 2023 was necessary to stay aligned with the NIST Cybersecurity Framework (CSF) 2.0 and to take into account relevant European legislation, such as NIS2.

The new version of CyFun®, now in validation phase, will be released in the second half of 2025. It:

1. includes feedback from different stakeholders that are already using the 2023 version of the framework;
2. reworded the CyFun® requirements so that they are clear and auditable. In addition they are complemented by comprehensive guidelines indicating how the requirement should be understood;
3. provides extended guidelines for each requirement. This made it impossible to include all guidance in the self-assessment tool. In order to be more manageable, the self-assessment tool only includes the requirements. The additional guidance can be found in the booklets, available for each assurance level;
4. extended the focus on supply chain;

includes Governance Measures. These measures have to be evaluated in every audit (initial audit, surveillance audit or recertification audit) in the Essential assurance level. Until now these measures were only identified in the Conformity Assessment Scheme. In CyFun® 2025 these controls are aligned with NIST CSF 2.0 and included in the CyFun® Framework itself as “Governance Measures".

The switch will be accompanied by a migration period during which the various organisations can make the transition to this new edition. We  will update its existing mappings and publish information, new mappings and possibly tools on this page to make that transition as smooth as possible.

A transposition can be found here → link to the CyFun® 2025 page. 

The CyFun®2025 Framework deliberately chooses not to include AI as a separate function or category within its core model. This approach aligns with the methodology used in the NIST Cybersecurity Framework 2.0. The main reasons are:

1. AI is addressed through additional profiles and overlays

The CyFun® 2025 Framework allows for the development of specific profiles or sector-based extensions for domains such as AI. This enables organisations that develop or use AI systems to follow targeted guidance without altering the core framework.

2. Avoiding duplication of existing controls

Many of the security measures required for AI are already covered by existing CyFun® 2025 controls. To prevent redundancy, the framework opts to manage AI-related risks through established principles such as risk management, governance, and incident response.

3. Use-case specific approach

AI introduces unique risks depending on its application (e.g. generative AI, machine learning in critical infrastructure). The CyFun® 2025 Framework supports a proportional and context-driven approach, allowing organiz-sations to determine which additional safeguards are needed based on their specific use of AI.

4. Future-oriented flexibility

The framework is designed to evolve alongside technological developments. AI can be further integrated in the future through new profiles or national guidelines, depending on the needs of Belgian organisations and Belgian and European laws and regulations.

NOTE

🔹 What are profiles?

A profile is an application of the framework to a specific sector, organisation, or technology. It helps translate the framework's general principles into concrete measures that are appropriate for:

· a specific type of organisation (e.g., a hospital, a bank, a government agency),

· a specific technology (e.g., cloud, AI, OT),

· or a specific risk context (e.g., critical infrastructure, privacy-sensitive data).

Example: An AI profile within CyFun® 2025 would indicate which existing controls are relevant for AI systems and which additional measures are needed for safe and responsible AI applications.

🔹 What are overlays?

An overlay is a layer on top of the framework, providing additional guidelines or adjustments for a specific situation. It is narrower than a profile and often focuses on technical or legal requirements.

Example: An overlay for generative AI could indicate how existing CyFun® 2025 controls should be adapted to address risks such as deepfakes, hallucinogenic models, or copyright issues.

In summary:

· Profiles = applying the framework to a specific context.

· Overlays = an additional layer with guidelines for specific risks or technologies.

Both ensure that the framework remains flexible and extensible, without having to constantly adapt the core principles.

The CyberFundamentals Framework is originally a Belgian framework, developed by the Centre for Cybersecurity Belgium (CCB) but built in such a way that it can be recognised at European level. A process that has now been initiated by BELAC. At the moment, CyFun® was only registered in legislation in Belgium in order to be able to assume, until proven otherwise, that the entity meets its NIS2 cybersecurity obligations (presumption of conformity). Meanwhile, the framework has been formally adopted by Romania and Ireland. How it will be used in their operational rollout of NIS2 is under construction there. Other European countries also recognise the value of CyFun® (including France) and are looking at how they can recognise or even fully adopt this framework.

The CCB maintains the framework and all documents associated with the scheme as Primary Scheme Owner. This is contained in a formal procedure that enables the roll-out of CyFun® to other European countries.

The CyFun® Framework is a registered trademark owned by the CCB. The Framework and the CyberFundamentals Conformity Assessment Scheme (CAS) are available on CAS and clarifications page

The use of the acronym “CyFun®” and/or parts of this document are authorised, as long as the source is clearly mentioned.

Any commercial use of CyFun® is subject to a prior agreement with the CCB. Please contact the legal department of the CCB if you have any interest in reusing the Framework