CyFun®/NIS2 Compliance Assessment: Have Your Cybersecurity Measures Reviewed
The NIS2 Directive tightens cybersecurity requirements for numerous organizations. In Belgium, the “CyberFundamentals Framework” serves as a reference framework for structuring, implementing, and assessing the required cybersecurity measures.
The CyFun®/NIS2 compliance assessment enables your organization to have its self-assessment, supporting documentation, and the actual implementation of the measures specified in the scope reviewed.
Which organizations are covered?
NIS2 applies to organizations operating in critical or key sectors, such as energy, transportation, logistics, banking, insurance, healthcare, IT services, digital service providers, the pharmaceutical industry, the chemical industry, the food industry, postal services, or waste management.
Certain organizations may also be indirectly affected, for example, if they are part of the supply chain of a company covered by NIS2.
Understanding Cyber Risks
With Qfor’s cybersecurity assessment software, organizations can conduct a self-assessment based on the CyFun® framework. This provides insight into your organization’s cyber resilience and enables you to implement targeted improvements.
The CyFun® Levels
The CyberFundamentals framework, developed by the Center for Cybersecurity Belgium, is based on different maturity levels. The “Basic,” “Important,” and “Essential” levels make it possible to align the requirements with the organization’s risk profile.
The “Basic” level covers standard cybersecurity measures. The “Important” level focuses on advanced protection against targeted attacks. The “Essential” level is intended for organizations whose critical nature requires even more comprehensive protection.
How does an audit work?
A CyFun® audit at the “Basic” and “Important” levels—for which Normec is accredited—typically involves several steps:
- an eligibility check to validate the scope, the organization’s information, and the application;
- a document review of the self-assessment and available supporting documentation;
- an on-site audit to verify the actual implementation of the measures and to exchange views with the relevant personnel.
The Normec auditor analyzes the consistency of the self-assessment, the quality of the supporting documentation, and the actual implementation of the cybersecurity measures.
Documents to Prepare
Before the CyFun® audit engagement begins, you must prepare the necessary documents. These may include:
- the statement of conformity for the intended level;
- the exact scope of the audit;
- any exclusions and the rationale for them;
- the completed self-assessment form;
- the documents and objective evidence related to the measures;
- information about the relevant locations, processes, IT systems, and OT environments.
Thorough preparation significantly facilitates the CyFun® audit process. Important
Why should you choose Normec for a CyFun® conformity assessment?
Normec combines solid experience in auditing with extensive knowledge of service organizations. The company’s auditors are particularly active in the areas of training, consulting, and organizational processes.
This expertise is particularly relevant in the context of a CyFun® assessment. Cybersecurity does not rely solely on technical measures: it also requires clear guidelines, defined responsibilities, controlled processes, reliable documentation, and effective implementation within the organization.
Normec is officially accredited by BELAC and by the CCB, the Belgian Center for Cybersecurity, to conduct CyFun® audits under the NIS2 Directive at the “Basic” and “Important” levels in accordance with the EN ISO/IEC 17029:2019 standard and the CyberFundamentals Framework’s conformity assessment system.
Would you like to have your CyFun®/NIS2 compliance assessed?
Frequently Asked Questions – CyFun®/NIS2 Compliance Assessment
-
NIS2 is European legislation that requires organizations to take cybersecurity and risk management measures.
-
NIS2 applies to organizations considered Important or Essential, but other organizations would also do well to improve their cyber resilience.
-
This is a framework from the Center for Cybersecurity Belgium that helps organizations build and improve their cyber resilience.
-
This software allows you to conduct a self-assessment, identify risks and prepare for an external audit or verification.
-
An external verification or audit will become mandatory for certain organizations starting in 2026.