CyFun CAB Audit Cost: What a Belgian NIS2 Audit Actually Costs
Belgian NIS2 organizations weighing a Conformity Assessment Body (CAB) audit against CyFun BASIC self-assessment have a money question to answer first. Here is what each path actually costs, sourced from publicly reported ranges and the published platform pricing — with an honest note about what is not yet publicly documented.
The Four Cost Buckets
CyFun audit-readiness has four cost components. Only one of the four is zero; the other three vary widely, and the largest of them is internal time rather than any external fee. Understanding which bucket each cost lands in changes the budget conversation.
1. CCB framework + workbook + portal: €0
The Centre for Cybersecurity Belgium (CCB) publishes the CyberFundamentals framework, the Excel workbook, the scoring rubric, and the Safeonweb @work portal at no cost. This includes BASIC (34 controls), IMPORTANT (132), and ESSENTIAL (217) tiers. The framework being free is a deliberate CCB policy choice; it removes the most common GDPR-era objection (proprietary frameworks gating compliance behind license fees).
2. Preparation effort: 2–6 months internal time
A first-time CyFun BASIC self-assessment typically takes 4–8 weeks of focused effort with reasonable existing security hygiene; from a near-zero baseline, 12–16 weeks. IMPORTANT tier scales the effort to 16–24 weeks; ESSENTIAL to 24–36 weeks. This is the single largest cost line, and the easiest to underestimate. Internal time is real money: a senior compliance lead at €700/day for 60 days is €42,000.
3. CAB audit fees: €5K–€25K (industry-reported range)
A Conformity Assessment Body (CAB) accredited by BELAC charges per engagement. Industry-reported fees during 2025-2026 fall roughly in a €5K–€25K range for IMPORTANT-tier first-time audits, with ESSENTIAL-tier audits trending 50-100% above IMPORTANT. Fees scale with organization size, scope complexity, and the quality of the workbook hand-off (a clean workbook reduces audit hours).
4. Optional external consultancy: €15K–€60K (industry-reported range)
External consultancy for a first-time IMPORTANT-tier audit covers gap analysis, policy drafting, evidence collection support, mock run, and pre-audit hand-holding. The lower end is for organizations with reasonable existing security hygiene; the upper end is for organizations starting from near-zero documentation. This bucket is optional — many organizations use a tooling platform plus internal time instead.
Three Paths, Three Cost Profiles
For a typical Belgian SME pursuing CyFun BASIC self-assessment or a first-time IMPORTANT-tier CAB audit:
| Path | Year-1 cost | Internal time |
|---|---|---|
| A. BASIC self-assessment, internal-only | ~€0–€5K (tooling) | 4–12 weeks |
| B. IMPORTANT CAB audit + external consultancy | €20K–€85K | 3–6 months |
| C. IMPORTANT CAB audit + ECP-via-MSP | €10K–€35K | 3–4 months |
All figures industry-reported / estimated except ECP platform pricing. Internal time is the bigger budget item in all three paths.
Where ECP-via-MSP Lands on the Cost Curve
Easy Cyber Protection ships a managed compliance platform that MSPs operate on behalf of their end clients. The platform replaces the hours of manual scaffolding that drive consultancy bills: workbook fill, policy templates, evidence collection wiring, mock-run scoring, CCB-compatible Excel export.
Authoritative platform pricing (subscription per MSP partner, billed by the MSP to their end clients):
- Starter €399 one-time setup + €75/client/month (no monthly base) — solo consultants and vCISOs running <10 clients. Templates + CSV entity import + audit output. AI and integrations on Practice and up.
- Practice €499/month + per-client by size — small MSPs with 10-49 clients.
- Studio €999/month + per-client by size — mid-size practice with 50-99 clients.
- Firm €1,999/month + per-client by size — established MSPs with 100-999 clients.
- Enterprise MSP €4,999+/month — multi-region MSPs and partners with managed-compliance offerings.
For a Starter-tier MSP with 8 S-size clients, the platform cost lands at roughly €79/client/month in year 1 (€399 setup + 8 clients × €75 × 12 months = €7,599; €7,599 ÷ 8 clients ÷ 12 months ≈ €79). That is well below the typical consultancy spend per audit cycle, and the platform output (the CCB-compatible workbook with evidence per control) is exactly what a CAB receives.
Direct enterprise customers (typically essential entities at ESSENTIAL tier) are out of the MSP-channel pricing band; ECP serves direct-enterprise from €24K–€122K in year 1 depending on scope and integration complexity.
Costs That Are Often Forgotten
Three cost lines that escape most first-time CyFun budgets:
- Surveillance audits. CyberFundamentals certification is valid 2-3 years with surveillance audits in between. Surveillance fees run roughly 30-50% of the initial audit. Year-2 and Year-3 budgets need a line item.
- Remediation between audits. Findings from the initial audit need closure before the surveillance audit. If the platform-and-time approach to remediation is not budgeted, organizations end up paying consultancy day rates exactly when the next audit is approaching.
- Tier upgrade costs. Important entities that grow into the essential-entity classification (size or sector reclassification) face a re-audit at ESSENTIAL tier. The cost is not zero — plan a refresh budget every 12-18 months.
A Decision Frame for the Money Question
For organizations weighing self-assessment against a CAB audit:
1. If your NIS2 classification is "important" and your enterprise clients aren't pushing for an external certificate, start with BASIC self-assessment. Free framework, internal time only, valid path to satisfy the April 18, 2026 deadline.
2. If you are an essential entity, a CAB audit at IMPORTANT or ESSENTIAL tier is mandatory by April 18, 2027. Budget the audit fee and the preparation effort starting Q3 2026 at the latest.
3. If supply-chain pressure is the driver, match what your enterprise clients ask for. Sometimes a clean BASIC self-assessment with a remediation roadmap satisfies a vendor due-diligence questionnaire; sometimes only an external CAB certificate does.
Frequently Asked Questions
Is the CCB CyberFundamentals framework actually free?
Yes. The framework specification, the Excel workbook, the maturity scoring rubric, and submission via the CCB Safeonweb @work portal are all free. The cost lives elsewhere: preparation effort, optional external consultancy, and the CAB audit fee for IMPORTANT or ESSENTIAL tier certification.
Why are there no published CAB price lists?
Conformity Assessment Bodies (CABs) accredited by BELAC set their own rates and typically quote per engagement based on organization size, complexity, and tier (IMPORTANT or ESSENTIAL). At the time of writing, no Belgian CAB publishes a flat rate card. The €5K–€25K range cited above is based on industry reporting and Tom's direct conversations with prospects — it is not an authoritative CAB-published figure.
What does the €15K–€60K preparation range actually cover?
External consultancy for a first-time IMPORTANT-tier audit typically covers gap analysis, policy drafting, evidence collection support, mock run, and pre-audit hand-holding. The lower end (€15K-€20K) is for organizations with reasonable existing security hygiene; the upper end (€40K-€60K) is for organizations starting from near-zero documentation. These are industry-reported ranges, not named-source quotes — collect three CAB or consultancy proposals before budgeting.
How does ECP-via-MSP economics change this?
A managed service provider running multiple clients on Easy Cyber Protection pays a tiered platform fee (Starter €399 setup + €75/client/month with no base, Practice €499/month, Studio €999/month, Firm €1,999/month, Enterprise MSP €4,999+/month) and amortizes that across the book. The per-client cost lands well below standalone consultancy in the €5K-€60K range, because the platform replaces hours of manual scaffolding (workbook fill, policy templates, evidence collection, mock run) and the MSP supplies expertise on top.
Can I do a CAB audit without external preparation?
Yes — and many organizations do, especially when an internal compliance lead drives the work and a tooling layer like ECP handles the workbook + evidence machinery. The CCB does not require you to engage a consultancy before submitting to a CAB. The honest question is whether your team has 2-6 months of available bandwidth and the discipline to score the workbook honestly — both of which are easier to underestimate than overestimate.
Is there a difference between IMPORTANT and ESSENTIAL audit cost?
Yes. ESSENTIAL tier covers 217 controls vs 132 for IMPORTANT, plus more rigorous evidence requirements per control. Industry reporting suggests ESSENTIAL-tier CAB audits trend 50-100% above IMPORTANT-tier audits in fees and preparation time, with the cost differential larger for organizations whose existing security posture is closer to BASIC than to IMPORTANT.
What about ongoing certification maintenance?
CyberFundamentals certification is typically valid for 2-3 years with surveillance audits in between. Surveillance audits are smaller-scope (re-checking sampled controls) and run roughly 30-50% of the initial audit fee. Plan for this in year-2 and year-3 budgets.