Easy Cyber Protection

POSITION PAPER

ECP-WP-001

Why ECP for Belgian MSPs

§1 Executive position

Issued to: Belgian CyFun practitioners.
Subject: The four-pillar case for choosing ECP over alternatives.
Audience: Belgian MSPs evaluating CyFun & NIS2 compliance tooling.
Position: The only CyFun-native compliance platform built for MSP economics.
Verdict: Better margin, half the hours per client, native CyFun, no vendor lock-in.
Recommendation: 20-minute walkthrough with the founder.

Book a 20-min call

Scan to book

Book a 20-min call

cal.com/tojans/apply-4-ecp

Framework: Belgian CyberFundamentals (CCB) — Small to Essential
Prepared by: Tom Janssens · Founder, ECP
Languages: NL · FR · EN

§2 The four pillars at a glance

§2 The four pillars at a glance
#	Pillar	Headline claim	Evidence
01	The margin is yours	70%+ margin typical at Practice tier — no revenue share, no feature gating.	see §3
02	Half the hours per client	≈40–50% of CISO time saved on the busywork around your judgment.	see §4
03	Native CyFun	Built directly from the official CCB CyberFundamentals spec.	see §5
04	Local-first by default	Tamper-evident audit trail; secure by architecture, not by promise.	see §6

The margin is yours

70%+ margin typical at Practice tier — no revenue share, no feature gating.

see §3

Half the hours per client

≈40–50% of CISO time saved on the busywork around your judgment.

see §4

Native CyFun

Built directly from the official CCB CyberFundamentals spec.

see §5

Local-first by default

Tamper-evident audit trail; secure by architecture, not by promise.

see §6

A 30-second read of the case. Each pillar unfolds in §3 through §6.

§3 The margin is yours

MSP-tier pricing built for your scale, plus your client size mix. White-label, no revenue share, no feature gating — every tier ships with the full product.

§3 The margin is yours
Approach	Indicative cost (Y1)	Fit for MSPs
Consultant engagement (per client)	€10,000–€20,000	No leverage — every client restarts the bill.
Generic GRC platform	€8,000–€30,000 + integrator	Framework-agnostic — CyFun is a reskin, not the spec.
Spreadsheet + manual evidence	Cheap; expensive in CISO hours	Scale ceiling at ~5–10 clients before the spreadsheet wins.
ECP (Practice tier example)	~€1,950/mo at 50 SME clients; retails €5,000+	70%+ margin typical, white-label included.

Consultant engagement (per client)

€10,000–€20,000

No leverage — every client restarts the bill.

Generic GRC platform

€8,000–€30,000 + integrator

Framework-agnostic — CyFun is a reskin, not the spec.

Spreadsheet + manual evidence

Cheap; expensive in CISO hours

Scale ceiling at ~5–10 clients before the spreadsheet wins.

ECP (Practice tier example)

~€1,950/mo at 50 SME clients; retails €5,000+

70%+ margin typical, white-label included.

Full fee schedule (per-client brackets and commitment terms) on the engagement brief — see /.

Why this works

Wholesale per-client pricing (€25 to €750/month by entity count) — you set the retail.
White-label everywhere — your logo on policies, reports, evidence packs, the client portal.
No feature gating — every tier ships with white-label, every integration, full AI.
No revenue share, no commission — pure margin.

§4 Half the hours per client

Control mapping, evidence intake, gap detection, and audit packs are automated. The busywork around your judgment is gone — the judgment, the client conversations, and the CAB clock stay yours.

§4 Half the hours per client
Phase	Order	Output
Onboard & assess	First	Scope, entities, CyFun tier, per-client risk register, live gap report.
Build & evidence	Then	AI-drafted policies (NL/FR/EN), structured evidence vault, cross-doc consistency.
Audit pack	Last	One-click signed .zip — official CCB Excel filled with linked evidence.

First

Onboard & assess

Scope, entities, CyFun tier, per-client risk register, live gap report.

Then

Build & evidence

AI-drafted policies (NL/FR/EN), structured evidence vault, cross-doc consistency.

Last

Audit pack

One-click signed .zip — official CCB Excel filled with linked evidence.

Phase order, not phase duration — the CAB clock depends on your client's starting posture and your bandwidth, not on a marketing promise.

§5 Native CyFun

CyFun is not a feature on a list — it is the entire product. Built directly from the official Centre for Cybersecurity Belgium (CCB) specification, in NL, FR, and EN.

Framework version: CCB CyberFundamentals 2025 (Small · Basic · Important · Essential)
Control count: Small 7 · Basic 34 · Important 132 · Essential 217 — verified against the CCB spec on every release.
Deliverable: CAB-ready audit pack — official CCB Excel filled with all evidence, in a digitally-signed .zip.
Upgrade path: Tier progression Small → Basic → Important → Essential. Evidence captured at one tier carries to the next — you only do the delta.

Why this matters for your CAB outcome

Evidence requirements per control match the CCB spec — no second-guessing what auditors expect.
NL/FR/EN throughout — controls, policies, evidence labels and exports.
Direct CCB Excel output — the audit pack is the artifact the CAB reviews, not a translation layer.
No retro-fit: starting on Basic does not lock you out of Important or Essential later.

§6 Architectural assurances

Local-first is not a slogan — it is the architecture. Three principles, each with a concrete consequence for your data residency answer.

§6 Architectural assurances
Principle	What it means	Consequence for you
6.1 Local-first by default	Each client's compliance data lives in a portable, digitally-signed bundle on their own infrastructure — not in our cloud.	Data-residency answer is "your client's own storage" — no cross-border SaaS questionnaire to fill out.
6.2 Cloud only when working	The bundle is hosted server-side only during active edits, then returned to the client as a snapshot when work pauses.	No always-on cloud copy — the surface area for breach and subpoena is bounded to active sessions.
6.3 Tamper-evident audit trail	Every change is a digitally-signed event. The CAB auditor can replay and verify the full history independently — no trust in ECP required.	Your audit defence is "verify the bundle yourself" — strongest possible position in front of a CAB auditor.

6.1 Local-first by default

Each client's compliance data lives in a portable, digitally-signed bundle on their own infrastructure — not in our cloud.

Data-residency answer is "your client's own storage" — no cross-border SaaS questionnaire to fill out.

6.2 Cloud only when working

The bundle is hosted server-side only during active edits, then returned to the client as a snapshot when work pauses.

No always-on cloud copy — the surface area for breach and subpoena is bounded to active sessions.

6.3 Tamper-evident audit trail

Every change is a digitally-signed event. The CAB auditor can replay and verify the full history independently — no trust in ECP required.

Your audit defence is "verify the bundle yourself" — strongest possible position in front of a CAB auditor.

§7 Common questions — why ECP vs. alternatives

Q1. Why not use a generic GRC platform that supports many frameworks?

Generic GRC platforms reskin a control library to look like CyFun. They are framework-agnostic by design, which means CyFun-specific evidence requirements, the CCB Excel output format, and the four-tier progression all sit on top as a configuration. ECP is built from the spec down — every control, every evidence type, every export matches what the CAB auditor expects, because there is no translation layer.

Q2. Could a single experienced CyFun consultant deliver this faster?

For one client, possibly. For five, ten, fifty — the consultant becomes the bottleneck and the bill scales linearly. ECP automates the busywork (control mapping, AI-drafted policies, structured evidence intake, gap detection, audit-pack assembly) so the consultant's judgment goes further. Senior consultants are still available on request, billed per day; the platform makes their hours count.

Q3. Why not just use spreadsheets and a shared drive?

Five clients in, the spreadsheet wins. Cross-document consistency breaks; evidence drifts from policy; the CAB auditor catches the discrepancy first. ECP encodes the structure once and the workflow stays the same at 5 or 500 clients — that is the part you cannot replicate with shared drives.

Q4. What happens to my client's data if I leave ECP?

You export the signed bundle — policies, evidence, assessments, full event-sourced history — and walk away. The bundle is the source of truth, not our database. Every change is reconstructable from the bundle alone, by anyone with the public verification key. The CAB auditor can replay it independently. Sovereignty is by architecture, not by promise.

Q5. How does ECP handle Belgian-specific context — language, CCB references, NIS2 deadlines?

NL, FR, and EN throughout — UI, controls, policies, evidence labels, exports. CCB and BELAC references are first-class citizens, not afterthoughts. NIS2 supply-chain readiness is mapped to expected evidence per CyFun tier. The April 2026 transposition deadline is tracked at the org level so you know which clients are on the clock.

Q6. Is ECP itself audited or certified?

ECP is a tool, not the auditor. The CAB (Conformity Assessment Body) audits your client; ECP produces the artifacts the CAB reviews. The architectural assurances in §6 — local-first storage, signed events, replayable history — let the CAB verify the evidence independently. Trust does not need to live in our company; it lives in the math.

Walk through it with us.

20-minute call. We pull up one of your real clients and run the four pillars against it.

Book a 20-min call