CyberFundamentals Certification: How It Works

CyberFundamentals certification provides official validation that your organization meets CCB security standards. Here's everything you need to know about getting certified.


Why Get Certified?

Certification isn't mandatory for most organizations, but the trend is clear: 70-75% of registered NIS2 entities in Belgium have already started implementing CyberFundamentals or ISO 27001. With CAB accreditation concluding around April 2026 and audits underway, certification offers significant benefits:

  • Prove compliance — Show customers and partners you meet recognized standards
  • Win contracts — Many tenders now require security certification
  • Reduce insurance costs — Cyber insurers often offer discounts for certified organizations
  • NIS2 evidence — Certification demonstrates compliance with NIS2 requirements
  • Identify gaps — The audit process reveals areas for improvement
  • Build trust — Independent verification carries more weight than self-assessment

Certification Levels

CyberFundamentals offers certification at four levels:

Level      Controls  Typical For                         Audit Complexity
Small      7         Micro-businesses, getting started   Simple
Basic      34        SMEs < 25 employees                 Moderate
Important  117       NIS2 important entities             Comprehensive
Essential  140       NIS2 essential entities             Extensive

The Certification Process

1. Self-Assessment (2-8 weeks)

Evaluate your current security posture against your target level's controls. Identify and close any gaps before engaging an auditor.

2. Choose an Auditor (1-2 weeks)

Select an accredited certification body. The CCB maintains a list of approved auditors. Compare quotes and availability.

3. Document Preparation (2-4 weeks)

Gather evidence for all required controls: policies, procedures, configurations, logs, training records, etc.

4. Stage 1 Audit (1-2 days)

The auditor reviews your documentation to verify completeness. They identify any issues to address before Stage 2.

5. Stage 2 Audit (1-5 days)

On-site (or remote) verification that controls are actually implemented and effective. Includes interviews and testing.

6. Certificate Issued (2-4 weeks)

If you pass, you receive your CyberFundamentals certificate. If not, you get specific findings to address.

Finding an Auditor

Only accredited certification bodies can issue official CyberFundamentals certificates. The CCB website lists all approved auditors.

  • Get quotes from at least 2-3 auditors
  • Ask about their experience with your industry
  • Check their availability - popular auditors book up
  • Understand what's included in the price
  • Ask about remote vs on-site audit options

Certification Costs

Costs vary by level, auditor, and your organization's complexity:

Small      €1,000 - €2,500     Simplest audit, fewest controls
Basic      €2,500 - €5,000     Standard SME audit
Important  €5,000 - €15,000    Comprehensive, multi-day audit
Essential  €10,000 - €25,000+  Extensive audit for large organizations

These are estimates. Get quotes from auditors for accurate pricing.

Maintaining Certification

Certification isn't a one-time event:

  • Validity period: 3 years from certificate date
  • Annual surveillance: Lighter audit to verify continued compliance
  • Recertification: Full audit required every 3 years
  • Major changes: Notify auditor of significant organizational changes

Preparing for Success

Maximize your chances of passing:

  • Don't rush into audit - ensure you're truly ready
  • Conduct an internal audit first
  • Organize evidence in advance, don't scramble during audit
  • Ensure staff can explain their responsibilities
  • Address any known issues before the audit
  • Have a compliance management system (even a spreadsheet)

Get Certification-Ready with Easy Cyber Protection

We help you prepare for successful certification:

  • Gap assessment — Know exactly what's missing before you engage an auditor
  • Evidence management — Organized documentation ready for review
  • Control implementation — Guided implementation of required controls
  • Audit preparation — Pre-audit checklist and readiness review

Frequently Asked Questions

Is CyberFundamentals certification mandatory?

No, it's voluntary. However, NIS2 entities must implement appropriate security measures - certification provides evidence of this. Some government contracts and tenders require certification.

How long does certification take?

From decision to certificate: typically 3-6 months. This includes preparation, auditor scheduling, and the audit itself. Well-prepared organizations can move faster.

Can I fail the audit?

Yes. If significant non-conformities are found, you won't receive certification until they're addressed. Minor issues may be noted but won't prevent certification.

What if my organization changes after certification?

Significant changes (mergers, new locations, major IT changes) should be reported to your certification body. They'll advise if additional assessment is needed.

Does certification guarantee I'm secure?

Certification means you meet specific control requirements at a point in time. It's not a guarantee against all attacks, but it significantly reduces your risk.
