Why AI alone can't reach full NIS2 / CyFun compliance
Vendors sell "AI compliance" like it ends the audit problem. It does not. AI handles real work — control mapping, evidence templates, regulatory tracking — but compliance also needs human judgment, physical verification, and scope decisions that an AI cannot legitimately make. This piece is for MSPs and SME owners evaluating AI-flavoured compliance tools.
What AI can do for compliance — and does well
Modern compliance AI is genuinely useful. Used inside a disciplined workflow, it removes the volume work humans are bad at:
- Control mapping at scale. Parse the CCB CyberFundamentals workbook, map each of the 34 (Basic) / 132 (Important) / 217 (Essential) controls to your business, draft a per-control implementation hint.
- Evidence templates. Generate first-draft policy documents, procedure templates, and evidence-collection rubrics that match the control language an auditor expects.
- Regulatory-update tracking. When the CCB publishes new implementation guidance (and they do, every month), AI flags which articles, controls and policies need to be revisited.
- Audit-pack structuring. Consolidate evidence into the shape an auditor reads: filled CCB workbook, evidence references, control status, change log.
- Multilingual coverage. Belgian SME compliance is at least three languages (NL/FR/EN). AI keeps content parity without doubling the human writing budget.
What AI cannot do — and why this matters for your audit
AI fails at the parts of compliance where reality has to meet documentation. Four limits worth naming, because they show up on every real engagement:
1. Decide what's in scope for your business
NIS2 scope is a judgment call. Does this division count? Is this acquired entity included? Is this critical supplier in your supply-chain risk? An AI can list the rules. Only a human who knows the business — the owner, the IT partner, the legal counsel — can make the call. Get this wrong and the audit fails before it starts.
2. Physically verify reality matches policy
A policy says "firewall blocks inbound 3389 from the internet." An auditor will check that the firewall actually does. An AI cannot open the firewall, run a port scan from outside, or stand next to the network rack. The MSP or in-house IT person physically verifies. AI organises the evidence; humans collect it.
3. Make judgment calls when controls conflict with operations
Sometimes the CCB-prescribed control breaks the business. A small Belgian manufacturer cannot air-gap their production network — orders would stop. A CAB-survivable answer requires either compensating controls or a documented risk acceptance. That call is human. An AI suggesting "implement the control" is missing the point; the point is articulating why an alternative is defensible.
4. Take responsibility
When an audit fails, the company gets fined and the executive signs. Not the AI vendor. Compliance accountability is legal accountability. AI is a tool inside the accountable team's workflow, not a replacement for the accountable human.
How to spot a vendor selling a demo, not a product
When evaluating an "AI compliance" vendor, listen for these patterns. Each one is a sign the product cannot survive a real CAB audit:
- "Compliance in 24 hours." A CAB audit takes weeks of preparation. Twenty-four hours generates a glossy dashboard, not audit-readiness.
- "No human in the loop." Look for the human approval gate. If outputs ship straight from the model to the customer, the vendor has not solved compliance — they have automated marketing copy.
- No mention of evidence. Auditors verify evidence: screenshots, logs, signed policies. If the demo only shows control checklists, ask where the evidence vault is and how it is maintained.
- No mention of the CAB auditor. The product's job ends at the auditor's door. A vendor that does not talk about how its output integrates with a BELAC-accredited audit body has not thought past the demo.
- No regulatory-update workflow. The CCB updates implementation guidance regularly. If the platform does not have a documented process for how AI-generated content stays current as regulation evolves, the content is rotting from day one.
The right division of labour: AI under specs, humans in the loop
A working AI-compliance pipeline has the same shape everywhere: humans define the rails (typed controls, audit-shape specs, primary-source checks, approval gates) and AI fills the volume work inside those rails. The rails determine what is possible. AI accelerates execution.
- AI maps each CyFun control to your business. A human reviews the mapping for scope sanity.
- AI drafts the security policy. A human reads it against operational reality and signs off.
- AI structures the audit pack. A human MSP physically collects the firewall screenshot, the backup logs, the access-review evidence.
- AI flags new CCB guidance. A human decides which articles, controls and policies actually need rework.
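As an added example (not ECP's code and not taken from this page), the rails in that list can be made concrete as data checks: every control carries its AI draft, the human who reviewed it, the CCB guidance date the draft assumed, and the evidence a human collected (hashed so the pack can later show the artefact has not changed). The audit pack refuses to build while any rail is unmet. Control ids, reviewer names and evidence bytes are constructed placeholders, and the 365-day evidence-age limit is an assumed threshold, not a CCB rule.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Evidence:
    """One collected artefact (screenshot, log export, signed policy)."""
    description: str
    content: bytes            # artefact bytes, hashed so later tampering is detectable
    collected_by: str         # the human who physically collected it
    collected_on: date
    sha256: str = field(init=False)

    def __post_init__(self) -> None:
        self.sha256 = hashlib.sha256(self.content).hexdigest()


@dataclass
class Control:
    """A control with its AI-drafted mapping and the human rails around it."""
    control_id: str
    title: str
    ai_draft: str                    # AI-generated implementation hint / mapping
    drafted_against: date            # CCB guidance version the draft assumed
    reviewed_by: str | None = None   # human scope-sanity reviewer (approval gate)
    evidence: list[Evidence] = field(default_factory=list)


def gate_problems(control: Control, current_guidance: date, today: date,
                  max_evidence_age_days: int = 365) -> list[str]:
    """Return every reason this control may not enter the pack; empty means it passes."""
    problems: list[str] = []
    if not control.reviewed_by:
        problems.append("AI draft has no human reviewer")
    if not control.evidence:
        problems.append("no collected evidence")
    for ev in control.evidence:
        if not ev.collected_by:
            problems.append(f"evidence '{ev.description}' has no named collector")
        if (today - ev.collected_on).days > max_evidence_age_days:
            problems.append(f"evidence '{ev.description}' is older than {max_evidence_age_days} days")
    if control.drafted_against < current_guidance:
        problems.append("draft predates current CCB guidance; human rework decision required")
    return problems


def build_audit_pack(controls: list[Control], current_guidance: date, today: date) -> dict:
    """Assemble the pack, or refuse with a per-control list of unmet rails."""
    blocked = {}
    for c in controls:
        problems = gate_problems(c, current_guidance, today)
        if problems:
            blocked[c.control_id] = problems
    if blocked:
        return {"status": "blocked", "blocked": blocked}
    return {
        "status": "ready",
        "controls": [
            {
                "id": c.control_id,
                "title": c.title,
                "reviewed_by": c.reviewed_by,
                "evidence": [
                    {"description": e.description, "sha256": e.sha256,
                     "collected_by": e.collected_by, "collected_on": e.collected_on.isoformat()}
                    for e in c.evidence
                ],
            }
            for c in controls
        ],
    }


# Constructed sample data: ids, names and contents are placeholders, not real CyFun entries.
TODAY = date(2026, 4, 15)
CURRENT_GUIDANCE = date(2026, 3, 1)

SAMPLE_CONTROLS = [
    Control(
        control_id="CTRL-01",
        title="Inbound remote access blocked at the perimeter",
        ai_draft="Firewall policy denies inbound TCP/3389 from the internet.",
        drafted_against=date(2026, 3, 1),
        reviewed_by="msp.engineer@example.invalid",
        evidence=[Evidence("firewall rule export", b"deny tcp any any eq 3389 (constructed)",
                           "msp.engineer@example.invalid", date(2026, 4, 1))],
    ),
    Control(
        control_id="CTRL-02",
        title="Backups performed and tested",
        ai_draft="Nightly backups with quarterly restore test.",
        drafted_against=date(2026, 1, 10),   # older than current guidance
        reviewed_by=None,                    # nobody has reviewed the AI draft
        evidence=[],                         # nothing collected yet
    ),
]

if __name__ == "__main__":
    import json
    print(json.dumps(build_audit_pack(SAMPLE_CONTROLS, CURRENT_GUIDANCE, TODAY), indent=2))
```

Run as-is the pack comes back `blocked` with three named problems on `CTRL-02`; the model can draft all day, but nothing reaches the auditor until a named human has reviewed the draft and collected the evidence.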
Anyone selling "compliance via AI" without that human step is selling a demo, not a product. The audit doesn't care about your demo. The audit cares about whether your evidence holds up. Plan accordingly.
FAQ
Can AI replace the CAB auditor?
No. CyFun certification is performed by a BELAC-accredited Conformity Assessment Body. As of April 2026, two are accredited in Belgium. AI cannot be one of them. AI prepares the audit dossier; the human auditor signs it off.
Can AI replace the MSP?
No. The MSP physically verifies the firewall rules, runs the patch cycle, monitors the access reviews. AI cannot stand next to the rack or open the laptop. AI accelerates the MSP's work; it does not remove the MSP from the workflow.
So what is AI useful for in compliance?
Mapping, drafting, structuring, translation, tracking. AI removes the volume work — the parts a human does badly because there is too much of it. That frees the human for the parts AI does badly: judgment, verification, accountability.
Does ECP do "AI compliance"?
ECP is AI-assisted compliance tooling for MSPs. The platform does the mapping, the drafting, the structuring. The MSP does the physical verification and accountability. The CAB auditor signs off. Three roles. Each in their lane.
Further reading
- How to prepare for your CyFun audit → The human steps that produce the evidence pack the auditor signs off.
- What a CAB audit actually costs → The audit side of the chain. Two BELAC-accredited bodies in Belgium, current bottleneck, what they charge.
- Mock audit: dry-run before the real one → Catch the gaps AI can't see by running a human-led mock first.
- How to scope an NIS2 audit-readiness engagement → The judgment calls (in scope / out of scope, important vs essential) AI cannot legitimately make.
- What to ask your MSP about cybersecurity → Vendor-evaluation questions. Same shape as the red-flag checklist above, applied to your IT partner.
See how ECP runs the AI side, honestly.
Our internal "How we work" page documents the agent stack we use to build the platform itself — and the four trust rails AI output passes through before it reaches any customer.
How we work →