← All issues

#CyberWeekly

Jun 12 - Jun 18, 2026

Europe just put Belgium’s CyFun on the official NIS2 map

One law, four frameworks, one map.

The NIS Cooperation Group, the European Union body that coordinates the NIS2 cybersecurity law across member states, published a reference document this week that translates NIS2's security measures into a single cross-framework table. Belgium's own CyFun framework is on it, sitting right next to ISO 27001, IEC 62443 and the United States' NIST Cybersecurity Framework 2.0.

  • What it is: a common European reading of the NIS2 security measures, tied to EU Implementing Regulation 2024/2690, with a mapping table so a requirement written in one framework can be found in the others. It was published on 17 June
  • Why CyFun matters here: CyFun is the official cybersecurity baseline from the Centre for Cybersecurity Belgium (CCB). This document means doing CyFun now demonstrably equals doing NIS2 in terms Europe itself recognises, not a local shortcut, a mapped equivalent
  • The practical read for SMEs: if your information technology (IT) partner gets you CyFun-ready, you are no longer guessing whether that satisfies NIS2. The EU's own table draws the line for you
  • The catch: a mapping is not a certificate. You still implement the controls and keep the evidence; the table just tells you which control answers which law

If you are still untangling how these two fit together, start here: what CyFun is, what NIS2 asks of you, and how CyFun compares to ISO 27001.

Centre for Cybersecurity Belgium (17 June 2026) →

Platform Spotlight: a free book on turning NIS2 into recurring revenue

Compliance as a service, by the book.

Most managed service providers (MSPs) skip compliance because they assume it means hiring an expert. It doesn't. We wrote a full guide that shows how to offer CyFun and NIS2 readiness as a recurring service, billed monthly, and it is free.

  • What's inside: the pricing model, objection scripts for the "we're too small for this" conversation, a client scoping form, and a 90-day rollout plan. A complete playbook, not a teaser
  • The honest part: it shows your client exactly what they must do to comply first, the controls, the scoring, the official CCB tools, then how you deliver that as a service. The upgrades are required by the government's cyber agency, not invented by you
  • The proof: how one of our client MSPs used an intern and our platform to complete 31 of 34 CyFun controls in eight days, with no prior compliance experience
  • Who it's for: MSP owners who keep getting the "our biggest customer, and our insurer, want proof we're secure" call and would rather answer it with a service than a shrug

It is the same case we make here: why an MSP should offer compliance. The book just hands you the playbook to do it.

Grab the free kit →

CCB patch watch: a perfect-10 Joomla bug your website might be running

The Centre for Cybersecurity Belgium (CCB) had a heavy week, and the headline is a maximum-severity flaw in a popular Joomla add-on that attackers are already hunting for at scale.

  • Joomla Content Editor (JCE): CVE-2026-48907, severity 10.0 out of 10. On vulnerable versions (2.9.99.4 and earlier) an unauthenticated attacker can upload and run their own code, which means full takeover of the website. CCB flagged it on 17 June and warned that public exploit code and automated mass-scanning are already in the wild. If your site runs Joomla, check the JCE version today
  • Cisco Catalyst SD-WAN Manager: actively exploited. CCB warned on 16 June, and the flaw is on the United States' exploited-vulnerabilities list with a 29 June federal fix-by date. This is core managed-network equipment, an MSP-stack item as much as a client one, so patch your own house too
  • Oracle PeopleSoft: critical, actively exploited. CCB issued a "patch immediately" on 12 June for a remote code execution flaw. Niche for most SMEs, but if you run PeopleSoft for human resources or finance, treat it as urgent

Three "patch now" calls in one week, on systems most businesses never think to check. That is why patching belongs on a calendar, not in a panic: our patch-management guide sets the rhythm, and our ransomware guide explains what these flaws are usually a doorway to.

Centre for Cybersecurity Belgium advisories →


Never miss an issue

Get #CyberWeekly delivered to your inbox every Wednesday.

Or use our RSS feed

TJ

Tom Janssens

Editor, #CyberWeekly — LinkedIn

Questions or feedback? Contact us — we read every message.

easycyberprotection.com
TARS AI
Ask me about NIS2, CyFun & compliance