Complete Guide: CCB CyberFundamentals Framework

CyberFundamentals is Belgium's official cybersecurity framework, providing a clear path from basic protection to full NIS2 compliance. This guide covers everything you need to know: the framework structure, how to get started, and what each tier involves.


What is CyberFundamentals?

CyberFundamentals (CyFun) is the official Belgian cybersecurity framework developed by the Centre for Cybersecurity Belgium (CCB). It provides organizations with a structured, evidence-based approach to cybersecurity that scales from small businesses to critical infrastructure.

  • Official Belgian framework - recognized for NIS2 compliance
  • Based on international standards: NIST CSF 2.0, ISO 27001, CIS Controls
  • Tiered approach - start simple, grow as needed
  • Free entry level - the Small tier has no cost

The 4 Security Tiers

CyberFundamentals uses a progressive tier system. Each tier builds on the previous one, adding more controls for increased protection.

Small (Free)

Essential basics for any organization. Perfect for getting started with cybersecurity.

7 controls (first step)

  • Multi-factor authentication
  • Security updates
  • Backups
  • Antivirus

Basic

Comprehensive protection for SMEs. Defends against 82% of attack types.

34 controls (82%)

  • All Small controls
  • Access management
  • Network security
  • Incident procedures

Important

Required for NIS2 "important" entities. Enterprise-grade security controls.

117 controls (94%)

  • All Basic controls
  • Security monitoring
  • Vulnerability management
  • Supply chain security

Essential

Maximum protection for critical infrastructure. Full NIS2 compliance.

140 controls (100%)

  • All Important controls
  • Advanced threat detection
  • Continuous monitoring
  • Full audit trail

The 6 Core Functions

CyberFundamentals organizes all security controls into six functions, following the NIST Cybersecurity Framework structure:

  • GV (Govern): Establish cybersecurity governance, policies, roles, and risk strategy
  • ID (Identify): Know your assets, business environment, and risk exposure
  • PR (Protect): Implement safeguards: access control, training, data security
  • DE (Detect): Monitor for anomalies, security events, and potential threats
  • RS (Respond): Take action when incidents occur, contain and mitigate impact
  • RC (Recover): Restore operations, learn from incidents, improve defenses

Getting Started

Starting with CyberFundamentals is straightforward. Here's the recommended path:

  1. Start with the Small tier. Begin with the 7 essential controls. They're free to implement and provide immediate protection.
  2. Assess your current state. Use a self-assessment tool to evaluate where you stand on each control.
  3. Implement controls progressively. Work through the controls one by one. Document your progress as you go.
  4. Upgrade when ready. Once Small tier is complete, decide if you need Basic, Important, or Essential based on your risk profile and NIS2 requirements.

Certification

While self-assessment is valuable, official certification provides external validation of your security posture.

  • Certification available through CCB-accredited auditors
  • Validates your compliance with the chosen tier
  • Useful for customers, insurers, and regulatory requirements
  • Typically valid for 2-3 years with surveillance audits

CyberFundamentals and NIS2

If your organization falls under NIS2, CyberFundamentals provides the implementation path in Belgium:

Important entities: Important tier (117 controls)
Essential entities: Essential tier (140 controls)

How Easy Cyber Protection Helps

We make CyberFundamentals implementation simple and guided:

Step-by-step guidance — Clear tasks for each control, no guessing what to do
Progress tracking — See your compliance percentage in real-time
Evidence collection — Built-in documentation for audits
Free Small tier — Start with 7 essential controls at no cost

Frequently Asked Questions

Is CyberFundamentals the same as ISO 27001?

No, but they're related. CyberFundamentals incorporates ISO 27001 principles but is tailored for the Belgian context and specifically designed to meet NIS2 requirements. It's generally more accessible for SMEs than a full ISO 27001 implementation.

Which tier do I need?

Start with Small tier to establish basics. If you're an NIS2 "important" entity, you need Important tier. If you're an NIS2 "essential" entity, you need Essential tier. Most SMEs not in NIS2 scope do well with Basic tier.

How long does implementation take?

Small tier: days to weeks. Basic tier: 2-4 months. Important tier: 6-12 months. Essential tier: 12+ months. These are ongoing programs - security is never "done."

Do I need external help?

Not necessarily. Small and Basic tiers can often be implemented internally. Higher tiers may benefit from expert guidance, especially for complex controls.

Is certification mandatory?

Certification is voluntary for most organizations. However, certain sectors, contracts, or insurance requirements may require certified compliance.

Sources

  1. CCB CyberFundamentals Framework — Official CCB documentation
  2. NIS2 Directive (EU) 2022/2555 — European cybersecurity directive
  3. NIST Cybersecurity Framework — Foundation for CyberFundamentals structure