#CyberWeekly
Europe just put Belgium’s CyFun on the official NIS2 map
The NIS Cooperation Group, the European Union body that coordinates the NIS2 cybersecurity law across member states, published a reference document this week that translates NIS2's security measures into a single cross-framework table. Belgium's own CyFun framework is on it, sitting right next to ISO 27001, IEC 62443 and the United States' NIST Cybersecurity Framework 2.0.
- What it is: a common European reading of the NIS2 security measures, tied to EU Implementing Regulation 2024/2690, with a mapping table so a requirement written in one framework can be found in the others. It was published on 17 June
- Why CyFun matters here: CyFun is the official cybersecurity baseline from the Centre for Cybersecurity Belgium (CCB). This document means doing CyFun now demonstrably equals doing NIS2 in terms Europe itself recognises, not a local shortcut, a mapped equivalent
- The practical read for SMEs: if your information technology (IT) partner gets you CyFun-ready, you are no longer guessing whether that satisfies NIS2. The EU's own table draws the line for you
- The catch: a mapping is not a certificate. You still implement the controls and keep the evidence; the table just tells you which control answers which law
If you are still untangling how these two fit together, start here: what CyFun is, what NIS2 asks of you, and how CyFun compares to ISO 27001.
Platform Spotlight: a free book on turning NIS2 into recurring revenue
Most managed service providers (MSPs) skip compliance because they assume it means hiring an expert. It doesn't. We wrote a full guide that shows how to offer CyFun and NIS2 readiness as a recurring service, billed monthly, and it is free.
- What's inside: the pricing model, objection scripts for the "we're too small for this" conversation, a client scoping form, and a 90-day rollout plan. A complete playbook, not a teaser
- The honest part: it shows your client exactly what they must do to comply first, the controls, the scoring, the official CCB tools, then how you deliver that as a service. The upgrades are required by the government's cyber agency, not invented by you
- The proof: how one of our client MSPs used an intern and our platform to complete 31 of 34 CyFun controls in eight days, with no prior compliance experience
- Who it's for: MSP owners who keep getting the "our biggest customer, and our insurer, want proof we're secure" call and would rather answer it with a service than a shrug
It is the same case we make here: why an MSP should offer compliance. The book just hands you the playbook to do it.
CCB patch watch: a perfect-10 Joomla bug your website might be running
The Centre for Cybersecurity Belgium (CCB) had a heavy week, and the headline is a maximum-severity flaw in a popular Joomla add-on that attackers are already hunting for at scale.
- Joomla Content Editor (JCE): CVE-2026-48907, severity 10.0 out of 10. On vulnerable versions (2.9.99.4 and earlier) an unauthenticated attacker can upload and run their own code, which means full takeover of the website. CCB flagged it on 17 June and warned that public exploit code and automated mass-scanning are already in the wild. If your site runs Joomla, check the JCE version today
- Cisco Catalyst SD-WAN Manager: actively exploited. CCB warned on 16 June, and the flaw is on the United States' exploited-vulnerabilities list with a 29 June federal fix-by date. This is core managed-network equipment, an MSP-stack item as much as a client one, so patch your own house too
- Oracle PeopleSoft: critical, actively exploited. CCB issued a "patch immediately" on 12 June for a remote code execution flaw. Niche for most SMEs, but if you run PeopleSoft for human resources or finance, treat it as urgent
Three "patch now" calls in one week, on systems most businesses never think to check. That is why patching belongs on a calendar, not in a panic: our patch-management guide sets the rhythm, and our ransomware guide explains what these flaws are usually a doorway to.