Your Path to NIS2 Compliance: CyberFundamentals
Author: Erika Criscione
As EU Member States transpose the NIS2 Directive (“NIS2”)[1] into national law, public and private sector organisations are seeking effective and standardised methods to ensure cybersecurity resilience and regulatory alignment. The CyberFundamentals Framework (“CyFun” or the “Framework”), developed by the Centre for Cybersecurity Belgium (CCB)[2], has emerged as a voluntary but powerful tool for organisations seeking to align with NIS2’s requirements.
This article outlines the main elements of the Framework, explains its operational structure and its strategic significance in the context of NIS2, and sets out why it is increasingly being adopted as a preferred cybersecurity framework across EU Member States.
What is CyFun?
CyFun is a risk-based cybersecurity framework that enables organisations to assess and improve their cybersecurity posture in line with international standards and European expectations. At its core, the Framework is built around five cybersecurity functions: Identify, Protect, Detect, Respond and Recover. These functions serve as the backbone of the framework, helping integrate cybersecurity into the broader risk management strategies of organisations.
The Framework uses a three-level maturity model – Basic, Important, and Essential – based on self-assessment of an organisation’s sector, size, risk exposure, and operational significance. This framework is mainly based on the Cybersecurity Framework (CSF)[3] developed by the U.S. National Institute of Standards and Technology (NIST)[4] and complemented with International Organisation for Standardisation (ISO) 27001[5], ISO 27002[6], International Electrotechnical Commission (IEC) 62443[7] and the Centre for Internet Security (CIS) critical security controls (ETSI TR 103 305-1).
This allows the Framework to accommodate a wide range of organisations, from small and medium-sized enterprises (SMEs) to critical infrastructure providers.
Each maturity level corresponds to an increasing number of required controls. These include:
- Basic cyber hygiene;
- Security awareness and training;
- Risk assessment and remediation planning; and
- Implementation of essential technical and organisational measures.
CyFun and the NIS2 Directive
The Framework is a valuable and practical tool that supports organisations in meeting the requirements of NIS2. It helps entities put in place essential cybersecurity measures, improving their overall preparedness and resilience. While its use is voluntary, CyFun offers a reliable and recognised way to demonstrate cybersecurity maturity, particularly in the absence of mandatory certification. This makes it especially useful for SMEs and organisations with limited resources, offering a cost-effective path toward compliance. By providing a clear and consistent reference point, CyFun also supports regulatory oversight.
The Framework, which is freely accessible, includes straightforward tools for risk assessment, self-evaluation and the implementation of the core cybersecurity risk-management measures required under NIS2, making it suitable for both essential and important entities.
NIS2 Implementation: The Key Role of Harmonisation
One of the objectives of NIS2 is to promote harmonisation across the EU by creating a consistent regulatory framework for cybersecurity. However, as Member States transpose the Directive into their national laws, varying approaches may lead to legal uncertainty, higher compliance costs for organisations and a weaker overall level of cybersecurity across the EU.
These factors pose significant challenges for businesses operating on a cross-border basis, such as online marketplaces, search engines and social media platforms, as well as digital infrastructure, healthcare and manufacturing companies. The Framework helps address these concerns by providing common benchmarks, supporting interoperability between national systems and enabling mutual recognition of cybersecurity measures.
For national authorities, CyFun offers a practical tool to assess compliance in a standardised way, while still allowing flexibility for sector-specific needs. For organisations, it presents a clear and credible path to show alignment with EU and international standards, helping to reduce fragmentation and strengthen trust across borders.
CyFun: A Model for Malta?
Originally developed in Belgium and used as a recommended framework to demonstrate compliance with NIS2 requirements, the Framework is gaining momentum across the EU. Romania has adopted it, Ireland is integrating it as its national assessment and certification scheme and other Member States, including France, are exploring its recognition.
Considering its expanding adoption across the EU, it may be valuable for Malta to consider adopting the Framework as a strategic means of facilitating NIS2 implementation. The framework, which is freely accessible, reduces regulatory complexity and promotes coherence with emerging EU standards.
By aligning with such a framework, Malta can avoid fragmented compliance efforts, enhance interoperability and reinforce its standing as a digitally resilient and forward-looking EU Member State.
[1] Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS2 Directive), OJ L 333, 27.12.2022, p. 80.
[2] The national authority for cybersecurity in Belgium, responsible for supervising, coordinating and monitoring the application of the Belgian cybersecurity strategy.
[3] A set of cybersecurity best practices and recommendations, making it easier to understand cyber risks and improve defences.
[4] A U.S. federal agency that develops and promotes measurement standards, including in areas like technology, cybersecurity, engineering, and physical sciences.
[5] The leading international standard for Information Security Management Systems (ISMS).
[6] An international standard providing guidelines for information security management.
[7] A series of international standards focused on cybersecurity for industrial automation and control systems (IACS).