Easy Cyber Protection

ENGAGEMENT BRIEF

ECP-EB-001

Achieve audit-readiness for CyFun/NIS2

Q: Do I need compliance expertise?

The platform doesn't replace your judgment — it removes the busywork around it. Control mapping, evidence intake, gap detection, and audit packs are automated. You apply judgment to scope, risk acceptance, and evidence quality. Solo CyFun consultants tell us this cuts roughly 40–50% of their per-client hours.

Q: What do my clients see?

Your branding. Your logo on every report, every email, every page. They see you as the compliance expert.

Q: Can I set my own price?

Yes. We charge you per client. What you charge your client is entirely up to you.

Q: How do we get started?

Schedule a 20-minute call with Tom. He walks you through the platform, configures your first client together, and you go live the same week. No contract, no commitment.

Q: What does "audit-ready" mean?

It means your client has documented evidence of security controls aligned with the CyFun framework. The actual audit is done by certified CAB auditors, not by us or you.

Q: How does pricing work?

Five-tier MSP pricing: Starter (<10 clients) is €399 one-off setup, no monthly. Practice (10–49) is €499/mo. Studio (50–99) is €999/mo. Firm (100–999) is €1,999/mo. Enterprise (1,000+) is bespoke. Per-client brackets apply uniformly to every tier: S (<1,000 entities) €75, M (1k–9.9k) €250, L (10k+) €750. 12-month commitment on every tier. Starter ships with templates + CSV import + audit output; AI assistance and integrations begin on Practice. You charge your client whatever you want — most MSPs charge €50–€300/month by client size. See §6 for the full schedule.

Q: Are there subsidies available?

Yes — each Belgian region runs its own programme, scoped to where the end-client is established. Flanders: VLAIO kmo-portefeuille (cybersecurity-only since Feb 2026) covers up to 45% of advisory costs (45% small / 35% medium, cap €7,500/year). Wallonia: Chèque cybersécurité via Wallonie Entreprendre covers up to 75% ex-VAT (approved provider, 12-month window). Brussels-Capital: hub.brussels consultancy grant covers IT-security advice up to €10,000/year. Your client applies in their region; we provide pre-filled templates.

≈40–50% of CISO time saved^¹

§1 Engagement summary

Issued to: Belgian CyFun practitioners.
Subject: A CyFun-native compliance platform.
Position: Built from the official CCB CyberFundamentals spec. Score, evidence, and files always match.
Scope: Survey current IT landscape (integrations, Excels) → assess risk → map controls → draft policies → verify evidence → detect gaps.
Deliverable: CAB-ready audit pack — official CCB Excel, all evidence checked, in a signed .zip.
Add-on: Senior CyFun consultants available on request.
Recommendation: 20-minute walkthrough with the founder.

^¹ Estimate by a senior CyFun consultant after a demo. See §4.

See the demo Book a 20-min call

Scan to book

Book a 20-min call

cal.com/tojans/apply-4-ecp

Framework: Belgian CyberFundamentals (CCB) — Small to Essential
Prepared by: Tom Janssens · Founder, ECP
Languages: NL · FR · EN

§2 Risk register — key risks for CyFun practitioners

§2 Risk register — key risks for CyFun practitioners
ID	Risk	Mitigation in ECP
RR-01	No CyFun toolset → client moves to a consultant	Native CyFun platform → controls mapped per tier
RR-02	Can't demonstrate CyFun Basic → dropped by NIS2 customer	Per-client supply-chain readiness → mapped to expected evidence
RR-03	Ad-hoc evidence (PDFs, emails) → CAB auditor rejects	One-click export → official CCB Excel in a signed .zip
RR-04	Excel-based compliance → scale ceiling	Wiki, per-control structure → same workflow at 5 or 500 clients
RR-05	Retail pricing → margin compressed	Wholesale per-client (€25–€750) → 70%+ margins typical
RR-06	MSP delivers solo without CyFun expertise → first audit fails → client churns	Co-delivery (§2.5, DM-01) → senior consultant carries the first 1–3 clients

RR-01

No CyFun toolset → client moves to a consultant

Native CyFun platform → controls mapped per tier

RR-02

Can't demonstrate CyFun Basic → dropped by NIS2 customer

Per-client supply-chain readiness → mapped to expected evidence

RR-03

Ad-hoc evidence (PDFs, emails) → CAB auditor rejects

One-click export → official CCB Excel in a signed .zip

RR-04

Excel-based compliance → scale ceiling

Wiki, per-control structure → same workflow at 5 or 500 clients

RR-05

Retail pricing → margin compressed

Wholesale per-client (€25–€750) → 70%+ margins typical

RR-06

MSP delivers solo without CyFun expertise → first audit fails → client churns

Co-delivery (§2.5, DM-01) → senior consultant carries the first 1–3 clients

Risk owner remains the MSP. ECP encodes the framework and produces the artifacts the CAB auditor reviews; certification is the CAB's call. ECP is not the auditor, and frankly prefers not to be.

§2.5 Delivery model — who does what, at what cost

ECP automates the artifacts. CyFun expertise — scope, risk acceptance, evidence quality, CAB remediation — is human work. Three delivery models support different MSP starting points.

§2.5 Delivery model — who does what, at what cost
ID	Model	Expertise source	Typical MSP margin
DM-01	Co-delivered	ECP senior consultant	Lower, predictable
DM-02	MSP-led	MSP's own CyFun lead	Highest, after ramp
DM-03	Channel	Independent consultant	Revenue share

DM-01 · Co-delivered

ECP senior consultant

Lower, predictable

DM-02 · MSP-led

MSP's own CyFun lead

Highest, after ramp

DM-03 · Channel

Independent consultant

Revenue share

DM-01 is the default starting point. The senior CyFun consultant (€1,500/day, §6) typically carries scope, risk acceptance, and CAB remediation on the first 1–3 clients while the MSP learns the framework. Most MSPs migrate to DM-02 within 6–12 months.

Pricing the client: retail anchors against one-off consultancy gap analysis (€5,000–€15,000). Recurring delivery prices above that floor. Specific retail levels depend on delivery model and client complexity — discuss in the 20-minute call.

ECP-EB-001 · §2.5 · the platform compresses busywork, not expertise

§3 Engagement — client compliance journey, onboard to audit

Phase 1 · Onboard & assess
- Add the client. Set scope, entities, language, CyFun tier (Basic / Important / Essential).
- Per-client risk register, mapped to CyFun controls.
- Live gap report, scored per required control.
Phase 2 · Build & evidence
- AI-drafted policies in NL / FR / EN, per client context.
- Structured evidence vault per control — reusable across clients.
- Score, evidence, and files always match: one fact change propagates everywhere.
Phase 3 · Audit & sustain
- One-click signed .zip — official CCB Excel filled with linked evidence.
- CAB submission, finding-by-finding remediation tracking.
- Annual reassessment + tier progression (Basic → Important → Essential).

§4 Division of work — automation vs judgment

§4 Division of work — automation vs judgment
Automated by ECP	Stays with the consultant
Risk assessment data + control mapping per CyFun tier	Scope decisions (in/out of NIS2 perimeter, entity types)
AI-drafted policies in NL / FR / EN, per client context	Risk acceptance — which risks to mitigate vs. accept
Structured evidence vault per control + cross-doc consistency	Evidence-quality judgment ("is this enough for a CAB auditor?")
Live gap detection, scored per required control	Client interviews — surfacing hidden processes
One-click audit pack — signed .zip with CCB Excel	CAB remediation rounds — interpreting and pushing back on findings (delivery model: §2.5)

Automated by ECP

Risk assessment data + control mapping per CyFun tier

Stays with the consultant

Scope decisions (in/out of NIS2 perimeter, entity types)

Automated by ECP

AI-drafted policies in NL / FR / EN, per client context

Stays with the consultant

Risk acceptance — which risks to mitigate vs. accept

Automated by ECP

Structured evidence vault per control + cross-doc consistency

Stays with the consultant

Evidence-quality judgment ("is this enough for a CAB auditor?")

Automated by ECP

Live gap detection, scored per required control

Stays with the consultant

Client interviews — surfacing hidden processes

Automated by ECP

One-click audit pack — signed .zip with CCB Excel

Stays with the consultant

CAB remediation rounds — interpreting and pushing back on findings (delivery model: §2.5)

§5 Deliverables

5.1 To the partner (MSP)

Portfolio dashboard — every client's compliance status at a glance
Ready-to-use policy templates, SOPs, and compliance documents
Step-by-step CyFun guidance — the platform maps the controls, you deliver the results

5.2 To the end client

Guided audit preparation — every CyFun control explained in plain language
Evidence collection & progress tracking — always know where they stand
Weekly micro-learnings via branded email — 5 minutes, no jargon

§6 Fee schedule

Billing: Base fee — paid upfront for the commitment period. Per-client fees — billed at end of each quarter, on active clients in that quarter.

§6 Fee schedule
Tier	Base	Clients
Starter New MSPs / solo & vCISOs	€399 setup, no monthly	< 10
Practice ★ Most common	€499 /mo	10 – 49
Studio Mid-size practice	€999 /mo	50 – 99
Firm Established practice	€1,999 /mo	100 – 999

12-month commitment on every tier. Per-client rates (below) apply to every tier.

What's included

Feature comparison by tier
Feature	Starter	Practice+
Audit-readiness output (CCB CyFun workbook)	✓	✓
Starter / example templates	✓	✓
CSV entity import (devices, users, apps, suppliers, locations)	✓	✓
AI assistance (drafts, gap narrative, improve)	—	✓
Integrations (M365, EDR, AppSec, PSA)	—	✓

Practice+ covers Practice, Studio, and Firm. AI and integrations are the natural upgrade trigger once you scale past the first few clients.

Per-client rates (apply to every tier, by entity count)

Per-client rates (apply to every tier, by entity count)
Code	Entity count	Rate
S	< 1,000 entities	€75 /client/mo
M	1k – 9,999	€250 /client/mo
L	10k+	€750 /client/mo

Entity = device, user account, application, supplier or location tracked in the client's compliance scope. Counted as distinct entities uploaded per quarter.

1,000+ clients or a direct enterprise engagement? Talk to us — bespoke pricing.

Optional add-on

Senior CyFun consultant: €1,500 / day — setup, complex assessments, CAB remediation. Available on request.

§7 Architectural assurances — secure by design

§7 Architectural assurances — secure by design
#	Principle	What it means
7.1	Local-first by default	Each client's compliance data lives in a portable, digitally-signed bundle on their own infrastructure — not in our cloud.
7.2	Cloud only when working	The bundle is hosted server-side only during active edits, then returned to the client as a snapshot when work pauses.
7.3	Tamper-evident audit trail	Every change is a digitally-signed event. A CAB auditor can replay and verify the full history independently — no trust in ECP required.

7.1

Local-first by default

Each client's compliance data lives in a portable, digitally-signed bundle on their own infrastructure — not in our cloud.

7.2

Cloud only when working

The bundle is hosted server-side only during active edits, then returned to the client as a snapshot when work pauses.

7.3

Tamper-evident audit trail

Every change is a digitally-signed event. A CAB auditor can replay and verify the full history independently — no trust in ECP required.

§8 Clarifications

Q1. Do I need compliance expertise?

The platform doesn't replace your judgment — it removes the busywork around it. Control mapping, evidence intake, gap detection, and audit packs are automated. You apply judgment to scope, risk acceptance, and evidence quality. Solo CyFun consultants tell us this cuts roughly 40–50% of their per-client hours.

Q2. What do my clients see?

Your branding. Your logo on every report, every email, every page. They see you as the compliance expert.

Q3. Can I set my own price?

Yes. We charge you per client. What you charge your client is entirely up to you.

Q4. How do we get started?

Schedule a 20-minute call with Tom. He walks you through the platform, configures your first client together, and you go live the same week. No contract, no commitment.

Q5. What does "audit-ready" mean?

It means your client has documented evidence of security controls aligned with the CyFun framework. The actual audit is done by certified CAB auditors, not by us or you.

Q6. How does pricing work?

Five-tier MSP pricing: Starter (<10 clients) is €399 one-off setup, no monthly. Practice (10–49) is €499/mo. Studio (50–99) is €999/mo. Firm (100–999) is €1,999/mo. Enterprise (1,000+) is bespoke. Per-client brackets apply uniformly to every tier: S (<1,000 entities) €75, M (1k–9.9k) €250, L (10k+) €750. 12-month commitment on every tier. Starter ships with templates + CSV import + audit output; AI assistance and integrations begin on Practice. You charge your client whatever you want — most MSPs charge €50–€300/month by client size. See §6 for the full schedule.

Q7. Are there subsidies available?

Yes — each Belgian region runs its own programme, scoped to where the end-client is established. Flanders: VLAIO kmo-portefeuille (cybersecurity-only since Feb 2026) covers up to 45% of advisory costs (45% small / 35% medium, cap €7,500/year). Wallonia: Chèque cybersécurité via Wallonie Entreprendre covers up to 75% ex-VAT (approved provider, 12-month window). Brussels-Capital: hub.brussels consultancy grant covers IT-security advice up to €10,000/year. Your client applies in their region; we provide pre-filled templates.

Achieve audit-readiness for CyFun/NIS2

§1 Engagement summary

§2 Risk register — key risks for CyFun practitioners

§2.5 Delivery model — who does what, at what cost

§3 Engagement — client compliance journey, onboard to audit

Phase 1 · Onboard & assess

Phase 2 · Build & evidence

Phase 3 · Audit & sustain

§4 Division of work — automation vs judgment

§5 Deliverables

5.1 To the partner (MSP)

5.2 To the end client

§6 Fee schedule

What's included

Per-client rates (apply to every tier, by entity count)

Optional add-on

§7 Architectural assurances — secure by design

§8 Clarifications

Walk through it with us.