Got a NIS2 questionnaire? Get a clear answer 48 hours after payment.
Your customer, insurer, or regulator wants to know whether you are compliant with the Network and Information Security Directive (NIS2). You are not sure you are even in scope. You do not have two weeks to read the directive. We answer the three questions that matter, in writing, for €395.
What you get
A signed PDF report covering four answers a Belgian business needs to give a customer, insurer, or regulator asking about NIS2:
Scope determination
In scope, out of scope, or borderline, with the legal reasoning written out against the Belgian transposition (Law of 26 April 2024) and Annex I and Annex II of NIS2.
Your CyFun level
BASIC, IMPORTANT, or ESSENTIAL, with the Centre for Cybersecurity Belgium (CCB) risk score (sector x size x impact) shown so anyone can audit the math.
Your control list
The exact CyberFundamentals controls that apply to you, sorted into 30-day, 90-day, and 180-day priorities.
The "what next" section
What to tell your customer, insurer, or regulator. What to do first. What can wait. A short template paragraph you can paste at the top of incoming questionnaires.
Plus a CSV of the control list so you can paste it into your own tracker.
How it works
Fill the intake (15 minutes).
Sector, size, supply-chain context, current IT setup. About 30 short questions.
We process it.
Our engine maps your answers to the official CCB risk-scoring model and the CyberFundamentals framework. A consultant reviews the output before it goes out.
You get the report by email.
Within 48 hours of us seeing your bank transfer arrive (1-3 business days clearance plus our 48 h SLA). Always within 72 h of payment. No login. No subscription.
Who this is for
- You received a NIS2 questionnaire from a customer, insurer, or regulator.
- You supply a bank, hospital, utility, or government body and they are asking about your security posture.
- You are a Belgian SME that has heard "NIS2" mentioned and wants a definitive read without paying €5,000 for a full consultancy assessment.
- You are an IT partner and a client is asking you to figure this out for them.
Who this is NOT for
- You already have a CyFun assessment in progress with a Conformity Assessment Body (CAB) auditor. You do not need this report.
- You want ongoing compliance management. This is a one-shot scope read; the ongoing platform is a separate product.
- You need someone to implement the controls. This report tells you what to do, not how to do it.
What the math is based on
The scope determination uses the Belgian transposition of the NIS2 Directive (Law of 26 April 2024) and the sector classifications from Annex I and Annex II. The CyFun level is computed from the official Centre for Cybersecurity Belgium (CCB) risk-scoring spreadsheet (Probability x Impact x AttackType x OrgSize). We do not substitute our own model. The control list is the CyberFundamentals framework published by the CCB, version 2025.
Pricing
€395 flat, VAT excluded.
That is it. No upsell. No "starting from." No "depending on complexity." If we determine your situation needs more scope (multiple group entities, multi-sector operations, etc.) we will quote separately before charging. The flat price covers 95% of Belgian SMEs.
After the report: the platform that builds what it tells you to do
The report is the diagnosis. The Easy Cyber Protection platform is the treatment. After your €395 report is delivered we offer a direct-end-client subscription for ongoing audit-readiness. It is optional. It is not a one-shot. You pay monthly or annually, you keep your workspace as long as you subscribe.
Integrations
Connect Microsoft 365, EDR (Bitdefender / SentinelOne / Sophos / Checkpoint), NinjaOne RMM, Aikido, Google Workspace. Each auto-collects evidence.
Evidence pipeline
Machine-collected proof per control: MFA enforcement, backup tests, EDR coverage, training completion. Replaces self-attestation.
CCB workbook export
The exact Excel format Conformity Assessment Body (CAB) auditors expect, pre-populated from your evidence base.
CCB workbook import
Already started filling in the CCB workbook? Upload it. The platform reads, populates entities, and merges with your existing work.
Signed audit bundle
Ed25519-signed .ecpbundle.zip with the workbook, the policies, the evidence inventory, the risk register. Hand to your auditor.
Year-round maintenance
Quarterly drift reports. New vulnerabilities, integration drift, expired training, missing evidence. Audit-ready continuously.
Bracket-priced (subscription only; the €395 report stays flat)
| Bracket | Entities | Monthly | Annual |
|---|---|---|---|
| S | < 1 000 entities | €75 / month | €750 / year (10 months upfront) |
| M | 1 000 – 9 999 entities | €250 / month | €2 500 / year (10 months upfront) |
| L | 10 000+ entities | €750 / month | €7 500 / year (10 months upfront) |
Sequential by design: you must complete the €395 report first. The subscription becomes available after we mark your report paid. Direct end-clients only. If you are a Managed Service Provider (MSP) and want to offer ECP across many clients, talk to us via the MSP partner programme.
See a real sample
The example is the opening pages of a real (anonymized) delivery for a Belgian SaaS company that received two NIS2 questionnaires from healthcare and public-administration customers. It shows the structure, the cover note, and the full scope-determination reasoning. The prioritized control list (the deliverable) lives in the full report.
First pages of an example reportNo email required. Public sample.
Get the full 13-page sample
Want to see the full delivery (executive summary, scope test detail per sector, all 34 prioritized controls, customer-response template)? Leave your work email and we will send it.
Frequently Asked Questions
Is this a substitute for a CyFun audit?
No. A CyFun audit is performed by a Conformity Assessment Body (CAB) accredited by BELAC, the Belgian accreditation body. This report tells you whether you need one, at what level, and prepares you for it. The CAB audit is a separate engagement with a separate party.
Can I send the report to my customer or insurer?
Yes. The report is signed, dated, and references the official Belgian transposition (Law of 26 April 2026, NIS2) and the CCB CyberFundamentals 2025 framework. It is a defensible scope-determination document you can attach to a vendor questionnaire response.
What if you determine I am out of scope?
You get the same report, explaining why you are out of scope, what would change that (sector reclassification, size threshold crossing), and what supply-chain pressure you can still expect from NIS2-essential customers. Same price.
What if I disagree with the result?
The math is shown. If you can point at an error in the inputs (wrong sector mapping, missing size factor) we re-run for free. If you disagree with the official CCB model, that is a separate conversation; we use the CCB model as authoritative.
How is this different from a free online NIS2 checker?
Online checkers give you yes/no without the legal reasoning. Customers, insurers, and auditors want the reasoning. This report shows the sector test for every Annex I and Annex II category, the CCB risk-score calculation, and the prioritized control list. It is the document you forward, not the screenshot.
Who delivers it?
Core BV, a Belgian company based in Zottegem, trading as easycyberprotection.com. Founded by Tom Janssens. Disputes governed by Belgian law, competent courts East Flanders (Ghent division, Oudenaarde section).
Will my data be used to train an AI model?
No. Your intake stays in our Belgian-operated environment. We do not feed customer intakes to any third-party AI vendor. The report is auto-generated from your answers using Cloudflare AI running on EU infrastructure.
What if I want help implementing the controls afterwards?
The report tells you what to do; an IT partner does the implementation. We can introduce you to a partner in our network, or you keep using your current IT partner and hand them the report. No lock-in.
Start the intake
Fifteen minutes of your time. A clear written answer 48 hours after we see your bank transfer arrive. €395 flat, ex VAT, invoice sent on payment receipt.
Start the 15-minute intakeNo card required to start. We send the invoice after you receive the report.