
CyFun for MSPs: Belgium's Cyber Framework Explained

Your client just received a letter from the CCB asking about CyFun compliance. Do you know what to say? CyberFundamentals — CyFun — is the Belgian framework that maps directly to NIS2. It is what thousands of your clients will need to prove before a CAB auditor. Here is what every MSP needs to know.


The CyberFundamentals framework is the CCB's answer to a simple question: how does a Belgian organisation know if it is cybersecurity-ready? And how does it prove that to an auditor? As an MSP, you are the bridge between the NIS2 requirements and your client's audit readiness.

What Is CyFun?

CyberFundamentals — CyFun — is the cybersecurity framework published by Belgium's Centre for Cybersecurity Belgium (CCB). It gives organisations a structured, measurable path to cybersecurity compliance. The framework maps to international standards including NIS2, ISO 27001, and NIST CSF, but is specifically adapted for the Belgian regulatory context.

CyFun Small (7 controls)

Entry-level framework for very small organisations. Covers the absolute essentials: backups, access control, patching, incident response.

CyFun Basic (34 controls)

The standard tier for most SME clients. Required for organisations in the NIS2 supply chain. Covers all critical security domains.

CyFun Important (extended controls)

For organisations classified as Important Entities under NIS2. Requires more rigorous implementation and evidence.

CyFun Essential (full controls)

For Essential Entities — critical infrastructure, large public sector. Full framework implementation and mandatory CAB audit.

Why CyFun Matters for Your MSP Clients

NIS2 created two categories of regulated entities in Belgium: Important and Essential. More than 4,000 organisations have already registered with the CCB. But the real impact on your client base comes from Article 21 of the directive, which requires NIS2-regulated organisations to manage cybersecurity risk in their supply chains.

That means: if your client supplies services or products to an NIS2-registered entity — a hospital, a municipality, a utility — that customer will ask your client to prove basic cybersecurity hygiene. CyFun Basic is the standard they will be measured against. This is already happening.

4,000+ Belgian entities registered with CCB under NIS2

25,000+ estimated organisations affected by supply chain requirements

2 BELAC-accredited CyFun audit bodies in Belgium (as of April 2026)

34 controls required for CyFun Basic certification

The Auditor Bottleneck Your Clients Need to Know About

As of April 2026, there are only two BELAC-accredited bodies authorised to perform CyFun certification audits in Belgium: Brand Compliance Belgie and What a Work SRL (Trust CHECK). Two auditors for thousands of organisations means audit queues are already forming. Organisations that prepare now will get audited first.

How MSPs Deliver CyFun Compliance

MSP delivery of CyFun compliance follows a repeatable process. You do not need compliance certifications. You need a process and the right tooling.

1. Run the CyFun assessment

Map the client's current state against all 34 CyFun Basic controls. Score each control on documentation and implementation maturity. This produces a gap report — the foundation of everything that follows.

2. Prioritise quick wins

Not all 34 controls are equal. Identify the 5-8 controls with the biggest compliance gap and the lowest effort to close. Start there. Early wins build momentum and client confidence.

3. Generate policies and evidence

CyFun requires documented policies, not just technical controls. Generate or adapt security policy documents, access control procedures, backup policies, and incident response plans. Collect evidence that each control is implemented.

4. Build the audit dossier

Consolidate all evidence into a structured audit pack: control status, policy documents, screenshots, logs, test results. This is what the CAB auditor will review. The cleaner the dossier, the faster the audit.

5. Schedule the CAB audit

Once the client is audit-ready, help them book with a BELAC-accredited auditor. Given the current bottleneck, booking early matters. Your job is done when the client walks into the audit room prepared.

VLAIO Subsidies: Removing the Cost Objection

The Flemish kmo-portefeuille subsidy covers up to 45% of cybersecurity advisory costs (up to €7,500 per year for SMEs). As an MSP registered with VLAIO as a cybersecurity advisor, your compliance services qualify. This means a client paying €100/month for managed CyFun compliance gets up to €45/month reimbursed — their net cost drops to around €55/month.

The Fastest Way to Start Offering CyFun Services

Easy Cyber Protection gives MSPs a multi-tenant CyFun platform with assessment tools, policy generation, evidence collection, and branded audit-ready reports — all at €25/client/month. No compliance expertise required. You prepare the clients; the CAB auditors certify them.

Frequently Asked Questions

Does every Belgian SME need CyFun?

Not every SME is directly in scope for NIS2. But the supply chain effect means many SMEs will be asked to demonstrate CyFun Basic readiness by their larger clients or partners. Cyber insurers are also increasingly asking for evidence of a security framework. For most Belgian SMEs, CyFun Basic is the practical answer.

What is the difference between CyFun Basic and Important?

CyFun Basic (34 controls) is designed for SMEs and organisations in the NIS2 supply chain. CyFun Important applies to organisations classified as Important Entities under NIS2 — typically larger organisations in regulated sectors. If you are unsure which applies to a client, start with Basic. The CCB provides a self-assessment tool to determine scope.

Do MSPs need to be accredited to deliver CyFun services?

No. MSPs help clients become audit-ready — that means mapping controls, generating documentation, and collecting evidence. The certification audit itself is performed by a BELAC-accredited CAB auditor. Think of the MSP as the bookkeeper and the auditor as the external accountant.

How long does CyFun Basic implementation take?

For a client starting from scratch, getting to audit-ready typically takes 4-8 weeks with active support. Clients who already have basic security hygiene in place can be ready in 2-3 weeks. The bottleneck is usually documentation and evidence collection, not the technical controls.

Can we use VLAIO subsidies for CyFun compliance work?

Yes, if you are registered as a VLAIO-approved cybersecurity advisor. The kmo-portefeuille covers up to 45% of cybersecurity advisory costs. This makes the compliance service significantly more affordable for Flemish SME clients and removes one of the most common objections.
