NIS2 Certification: CyberFundamentals & ISO 27001 Paths
NIS2 does not create a "NIS2 certificate." Instead, Belgium uses the CyberFundamentals (CyFun) framework as its compliance path. About 25% of registered organizations choose ISO 27001 instead. This guide explains both paths, what certification actually means, and how to get audit-ready.
Is NIS2 Certification Required?
Not directly. NIS2 is a European directive. It does not issue certificates. Each member state decides how to verify compliance. In Belgium, the Centre for Cybersecurity Belgium (CCB) chose the CyberFundamentals framework as the primary compliance mechanism. Organizations can also demonstrate compliance through ISO 27001 certification.
CyberFundamentals Certification Tiers
CyFun has four levels. Your required level depends on your NIS2 classification.
- Small
- Basic
- Important
- Essential
CyFun vs ISO 27001
| Aspect | CyberFundamentals | ISO 27001 |
|---|---|---|
| Framework cost | Free | Standard purchase required |
| Belgian NIS2 accepted | Yes (primary path) | Yes (alternative path) |
| Audit required | Important & Essential tiers | Always (for certification) |
| International recognition | Belgium only | Globally recognized |
| Typical audit cost | Lower | Higher |
| Maintenance | Annual reassessment | Annual surveillance audits |
| Best for | Belgian-focused organizations | International organizations |
ISO 27001 as Alternative
About 25% of NIS2-registered organizations in Belgium chose ISO 27001 over CyberFundamentals. ISO 27001 is internationally recognized and may be preferred if you already hold the certification or operate across borders. The CCB accepts it as equivalent for NIS2 compliance.
- ✓ ISO 27001 certification is typically more expensive than CyFun audits
- ✓ It requires annual surveillance audits and triennial recertification
- ✓ If you already have ISO 27001, you may already be compliant
- ✓ ISO 27001 covers a broader scope than CyFun
How Certification Works
For CyFun Important and Essential tiers, a Conformity Assessment Body (CAB) conducts the audit. CAB accreditation is concluding in April 2026. Here is the process:
1. Register with the CCB and determine your classification
2. Choose your path: CyberFundamentals or ISO 27001
3. Implement the required controls and document evidence
4. For self-assessment tiers: submit your assessment to the CCB
5. For audit tiers: engage an accredited CAB for third-party audit
6. Receive your certification and maintain it annually
Certification vs Self-Assessment
Not every organization needs a full third-party audit. The requirements depend on your NIS2 classification:
Self-assessment
Who: Important entities at Basic level
Deadline: April 2026
What: Complete the CyFun self-assessment questionnaire and submit it to the CCB
Third-party audit
Who: Essential entities at Important/Essential level
Deadline: April 2027
What: Engage an accredited CAB to verify your controls and evidence
Cost Considerations
Getting audit-ready does not have to be expensive.
- ✓ The CyFun framework itself is completely free
- ✓ Self-assessment has no external cost (your time only)
- ✓ Third-party CyFun audits vary by organization size (typically lower than ISO)
- ✓ ISO 27001 certification costs EUR 5,000-30,000+ depending on scope
- ✓ The biggest cost is implementation time, not the audit itself
- ✓ Starting with Small/Basic tier keeps initial costs near zero
How Easy Cyber Protection Helps
We make your organization audit-ready. That means you walk into your assessment or audit with confidence.
- ✓ Guided implementation of CyFun controls at your tier
- ✓ Evidence collection and documentation templates
- ✓ Gap analysis showing exactly what is missing
- ✓ Progress tracking across all required controls
- ✓ Clear guidance on what auditors expect to see
Also check our NIS2 compliance checklist and the implementation steps to get started.
Get Audit-Ready
Easy Cyber Protection guides you through every CyberFundamentals control with clear evidence requirements. Know exactly where you stand before the auditor arrives.
Frequently Asked Questions
Is there a NIS2 certificate I can get?
No. NIS2 is a directive, not a certification scheme. In Belgium, you demonstrate NIS2 compliance through CyberFundamentals certification or ISO 27001. These are the accepted proof of compliance.
What is a CAB and how do I find one?
A CAB (Conformity Assessment Body) is an accredited organization that conducts third-party audits. BELAC accredits CABs in Belgium. The accreditation process concludes April 2026. The CCB will publish a list of accredited CABs.
Can I use ISO 27001 instead of CyberFundamentals?
Yes. The CCB accepts ISO 27001 as an alternative compliance path for NIS2. About 25% of registered organizations chose this option. If you already have ISO 27001, verify that your scope covers the NIS2-relevant services.
What happens if I miss the April 2026 self-assessment deadline?
Essential entities that fail to submit their self-assessment by April 18, 2026 risk enforcement action by the CCB. This includes potential fines. Start your assessment now to avoid last-minute pressure.
How long does it take to get CyFun certified?
For Small and Basic tiers (self-assessment), you can complete the process in days to weeks. For Important and Essential tiers requiring a third-party audit, plan for 3-6 months of preparation plus the audit process itself.