Am I in scope for NIS2?
Five questions, two minutes, instant on-screen result. We tell you whether you appear to be in scope of the Network and Information Security Directive (NIS2), at what CyberFundamentals (CyFun) level, and where the supply-chain pressure sits. No email required to see the result.
This is a rough read.
Five questions cannot replace a 30-question intake with consultant review. The math here uses the official Centre for Cybersecurity Belgium (CCB) risk-scoring model, but real scope determination depends on details we are not asking about: group structure, cross-border operations, sector subclassifications, and how a regulator reads your specific situation. Treat the result as an indication to act, not a legal opinion.
Legal note: Annex II "Digital providers" covers online marketplaces, search engines, and social networking platforms only. General business-to-business software-as-a-service (SaaS) is not included unless it falls under another Annex category (for example ICT service management or digital infrastructure).
Two things you can do next
Email me a one-page summary
We send your result plus the next concrete steps to your inbox. One email, no drip sequence.
Get the written, signed €395 report
For when you need to forward this to a customer, insurer, or regulator. 30-question intake plus consultant review.
Email me a one-page summary
Leave your work email and we will send your scope-check result plus the next concrete steps. We use your email once, for this. No newsletter unless you ask.
Need a version you can forward?
The free check above is a rough read. If a customer, insurer, or regulator is asking for a defensible answer, the €395 done-for-you (DFY) report covers it: a 30-question intake, consultant review, and a signed 13-page portable document format (PDF) report plus a comma-separated values (CSV) file of every applicable control. Delivered 48 hours after we see your payment arrive.
Frequently asked questions
How accurate is a 5-question check?
Rough. Five questions can correctly classify the obvious cases (hospital with 500 employees = essential; consultancy with 4 employees and no Annex I or II sector = out of scope). The borderline cases are exactly where five questions fall short: group structures, cross-border operations, sector subclassifications, the difference between Annex II "digital providers" and general software-as-a-service. For those cases, the written €395 report exists.
What is the difference between this and the €395 report?
This is an instant on-screen indication based on 5 deterministic rules. The €395 report is a 30-question intake, a consultant review, a signed 13-page portable document format (PDF) with the full legal reasoning, the Centre for Cybersecurity Belgium (CCB) risk-score math, and the prioritized list of CyberFundamentals controls applicable to you. Different tool, different price, different output.
Are you using an artificial intelligence (AI) model to compute this?
No. The result is pure deterministic logic running in your browser. The rules are the official Centre for Cybersecurity Belgium (CCB) risk-scoring model and the Belgian transposition law of 26 April 2024 (NIS2). No artificial intelligence (AI), no external service call to compute the result, no data leaves your browser unless you ask for the emailed summary.
Where does the CyberFundamentals (CyFun) level come from?
The Centre for Cybersecurity Belgium (CCB) publishes a risk-scoring spreadsheet that multiplies Probability, Impact, Attack Type, and Organization Size. Pre-computed scores per sector decide the level: BASIC (under 100), IMPORTANT (100 to 199), ESSENTIAL (200 and above). We use the published per-sector scores; you can audit the math by reading the CCB risk assessment workbook.
My business does not match any of the 18 sectors. Am I safe?
You are likely outside direct NIS2 scope. But customers operating in NIS2-essential sectors are obliged to assess their suppliers. If you sell to hospitals, banks, energy utilities, public administration, or telecoms, expect a security questionnaire eventually. That is supply-chain pressure, separate from direct scope.
Who runs this check?
Core BV, a Belgian company based in Zottegem, trading as easycyberprotection.com. Founded by Tom Janssens. Belgian law applies; the competent courts are those of East Flanders (Ghent division, Oudenaarde section).