How to Talk to Your IT Partner About a CyFun CAB Audit
Your organization is in scope for NIS2 and the April 18, 2026 self-assessment deadline has passed. Time to ask your IT partner the right questions — and get an honest answer about whether they can deliver audit-readiness, or whether you need to bring in someone who can. Here is the conversation, with a copy-paste email starter.
Why This Conversation Matters Now
The April 18, 2026 self-assessment deadline already passed. About 84% of Belgian organizations in scope were not fully ready (D3 Security industry survey, April 2026). The next pressure point is the April 18, 2027 essential-entity full-certification deadline — and a Conformity Assessment Body (CAB) audit cycle takes 3-6 months once preparation is done.
For most Belgian SMEs, the IT partner is the natural starting point. They already manage MFA, EDR, backups, patching, and probably some of the policies. The question is whether they can also produce the artifact a CAB audit needs: a CCB CyberFundamentals workbook scored honestly, with evidence per control, ready for submission.
The conversation below is designed to surface the answer to that question quickly — without putting your partner on the defensive.
Copy-Paste Email Starter
Replace the bracketed placeholders, paste into your email client, send. The five questions are scoped so you get a concrete answer in the first reply, not a marketing brochure.
Subject: NIS2 audit-readiness — can we discuss?

Hi [partner name],

Belgium's NIS2 law requires us to be cybersecurity audit-ready. The April 18, 2026 self-assessment deadline already passed and the April 18, 2027 full-certification deadline is next. We need to file a CyFun (CyberFundamentals) self-assessment with the CCB and ideally start preparing for a CAB audit at IMPORTANT or ESSENTIAL tier.

I would like to understand:

1. Are you familiar with CCB CyberFundamentals (BASIC = 34 controls, IMPORTANT = 132, ESSENTIAL = 217)? Have you supported other clients through it?
2. Can you scope a CyFun BASIC self-assessment for us? What does that look like in time, cost, and your involvement vs ours?
3. Can you collect the evidence the CCB workbook expects (policies, screenshots, log samples, training records) for our existing controls — MFA, EDR, backups, patch management?
4. Do you have a tooling layer (compliance platform, evidence wiki) you would use, or would we be doing this in Excel?
5. If we needed a CAB audit at IMPORTANT tier, would you handle the prep, or would we engage a separate consultancy?

A short call this week would help. Could you reply with two or three time slots?

Thanks,
[your name]
Reading the Answer Honestly
Three signals worth listening for in your partner's reply:
- Specificity over generalities. "We can do this in 6 weeks for €X" is a real answer. "We will scope it" is not. Push for the concrete reply.
- Tooling vs Excel. A partner who runs CyFun assessments out of Excel can do it; a partner with a compliance platform will be 2-3x faster and the workbook quality will be higher. Ask explicitly.
- Honesty about CAB-tier scope. A BASIC self-assessment is well within most MSPs' ability to deliver. An IMPORTANT or ESSENTIAL CAB audit is a bigger lift; partners that say "we will figure it out" without referencing a method or platform are more likely to underdeliver. Better to hear "we would partner with X for the CAB layer" than confident vagueness.
If Your Partner Wants to Deliver Compliance but Lacks the Toolkit
Easy Cyber Protection is built for managed service providers in exactly this situation. Your IT partner gets a compliance platform that:
- Maps every CyFun BASIC, IMPORTANT, and ESSENTIAL control to evidence collection — no Excel.
- Pulls live coverage data from Microsoft Graph, Sophos, Bitdefender into the relevant control evidence slots automatically.
- Exports the CCB-compatible Excel workbook the Safeonweb @work portal accepts — and reimports CAB findings without manual reconciliation.
Forward this article to your IT partner — the partner page below has the technical setup.
Frequently Asked Questions
What if my IT partner has not heard of CyFun?
That is useful information in itself. The CCB CyberFundamentals framework is the official Belgian compliance route for NIS2 and has been live since 2023. An IT partner not familiar with it can still get up to speed — the framework is well-documented and free — but ask frankly about the timeline and cost of that learning curve. If they need 3 months to learn the framework before they can start your assessment, the math may favor a partner who is already certified or ECP-trained.
How much should the IT partner charge for a CyFun BASIC self-assessment?
Industry-reported ranges suggest a managed CyFun BASIC self-assessment runs €3K-€15K depending on whether the partner uses a tooling platform (lower end) or a hand-rolled approach (upper end). MSPs running ECP charge in the lower band because the platform replaces hours of manual scaffolding. See the CAB audit cost article for the full cost breakdown.
What if my IT partner pushes me toward ISO 27001 instead?
A defensible position if you already have or are building an ISO 27001 ISMS. The CCB recognizes ISO 27001 with a NIS2-mapped Statement of Applicability as an equivalence path. For SMEs without an existing ISMS, CyFun BASIC is faster, cheaper, and explicitly accepted by the CCB as the minimum NIS2 self-assessment. Compare both paths before committing.
Can my IT partner take our existing security work and just file the assessment?
Sometimes. If your partner has been managing MFA, EDR, backups, patching, and incident response with documented evidence, the gap to a clean BASIC self-assessment is mostly mapping their existing artifacts to the CCB workbook structure. If documentation has been ad-hoc, the gap is bigger. The honest test: ask them to show you the last 3 months of patch compliance reports and backup restore-test logs. If those are easy to retrieve, you are in good shape.
My IT partner is great at security but compliance is not their thing — what do I do?
Common pattern in the Belgian SME market. Two options: (1) bring in a separate compliance consultancy to handle the CyFun layer while your partner keeps running the technical controls, or (2) ask your partner to onboard onto a managed compliance platform like ECP, which lets them deliver compliance services without building a compliance practice from scratch. The second is the model ECP is designed around.