CyberFundamentals: A Strategic Approach to Cyber Resilience
by Aaron Flack on Jun 30, 2025
As regulatory pressure intensifies across the EU and cyberattacks become more frequent and sophisticated, having a robust, scalable, and actionable cybersecurity framework is no longer a strategic advantage—it’s a necessity. The CyberFundamentals Framework, developed by the Centre for Cybersecurity Belgium (CCB), responds to this need with a structured, risk-based approach tailored for organisations of all sizes.
What is CyberFundamentals?
CyberFundamentals is a practical cybersecurity framework designed to help organisations build and strengthen cyber resilience in line with the evolving threat landscape and regulatory expectations, including the NIS2 Directive. The framework translates cybersecurity theory into actionable, measurable controls, enabling both NIS entities and private sector organisations to safeguard systems, data, and digital infrastructure against common cyber threats.
It is structured around a tiered system of assurance levels: Basic, Important, and Essential—plus an entry-level tier for Small organisations. These levels help organisations scale their cyber maturity gradually and select measures that match both operational complexity and threat exposure.
A Risk-Based, Tiered Framework
At the heart of the CyberFundamentals Framework is the principle of risk-based prioritisation. Not every organisation needs the same level of protection, but every organisation needs a plan.
- Assurance Level Basic: Covers key security measures to address common cyber risks. Ideal for smaller organisations or those just beginning their cybersecurity journey.
- Assurance Level Important: Introduces additional security controls and more advanced governance requirements.
- Assurance Level Essential: Reserved for entities with critical infrastructure or those with high exposure to cyber threats. It aligns closely with the expectations of the NIS2 Directive and international standards like ISO/IEC 27001 and the NIST Cybersecurity Framework.
Organisations can use the CyFun Selection Tool provided by the CCB to assess their current risk profile and identify the most appropriate assurance level.
Concrete Measures, Not Abstract Theory
The CyberFundamentals Framework includes a clear, structured set of technical and organisational measures. These are not vague guidelines—they are specific controls and policies that organisations are expected to implement, assess and improve over time.
Examples include:
- Access management and authentication controls
- Patch management processes
- Network segmentation and monitoring
- Incident response procedures
- Supplier risk management
- Regular backup and recovery testing
This emphasis on concrete cybersecurity measures gives organisations a clear roadmap for implementation, supported by documentation, toolkits, and reference architectures available via CCB SafeonWeb.
Built for Alignment and Compliance
The CyberFundamentals Framework is aligned with major global standards—NIST CSF, ISO 27001, and COBIT—while remaining accessible to non-experts. This alignment makes it easier for organisations to integrate the framework into existing compliance efforts, including data protection obligations under GDPR and sector-specific mandates.
For organisations navigating NIS2 obligations, CyberFundamentals offers a credible, structured route to demonstrate compliance, build stakeholder trust, and reduce audit complexity. Certification through the CyberFundamentals label is optional but increasingly recognised as a business enabler.
Growing Adoption Across the EU
While originally developed in Belgium, the CyberFundamentals Framework is gaining traction beyond its borders. Ireland’s National Cyber Security Centre (NCSC) now recommends CyberFundamentals (CyFun) as part of its national guidance, and its relevance is expected to grow as more EU nations adopt risk-based cyber resilience strategies aligned with NIS2.
The framework’s simplicity, scalability, and real-world applicability make it a compelling alternative or complement to more heavyweight cybersecurity frameworks, especially for mid-sized enterprises that need structure without excessive overhead.
Where It Fits in the Broader Security Landscape
CyberFundamentals sits at the intersection of cyber maturity models and practical risk management. It doesn't replace enterprise-wide governance models like ISO 27001, but instead provides a solid foundation that’s quicker to implement and easier to adopt for organisations that are earlier in their security journey or lack in-house security teams.
For larger or more mature organisations, it can serve as a baseline, with advanced standards built upon it.
Final Thoughts
The CyberFundamentals Framework represents a pragmatic shift in how cybersecurity can be structured and scaled, especially for organisations needing to meet regulatory demands without building excessive complexity. As cyber threats continue to evolve, and frameworks like NIS2 expand across the EU, understanding and aligning with CyberFundamentals is a forward-thinking step toward strategic, demonstrable cyber resilience.
For more details and tools, including the CyFun Selection Tool and implementation guidance, visit the official CyberFundamentals Framework page by CCB.