CyFun self-assessment: what Belgian organisations must document after April 2026

Step-by-step guide to the CyFun self-assessment for Belgian NIS2 entities. What evidence to collect, which mistakes to avoid, and how to meet the deadline.

The deadline is 18 April 2026. Every Belgian organisation registered under NIS2 must transmit its CyberFundamentals (CyFun) self-assessment or ISO 27001 documentation to the CCB by that date. According to the state of mid-market cybersecurity in Belgium, roughly a quarter of registered entities have not yet begun structured implementation.

The problem is not awareness. Most IT managers know CyFun exists. The problem is documentation: knowing exactly what to submit, what evidence to collect per function, and how to pull it together without a dedicated compliance team. The workload drops significantly when your security stack is consolidated rather than spread across five or six separate tools. This guide walks you through the assessment process step by step.

What is a CyFun self-assessment?

CyFun (CyberFundamentals) is Belgium’s national cybersecurity framework, developed by the Centre for Cybersecurity Belgium (CCB). It translates NIS2 obligations into measurable technical and organisational controls. The self-assessment is the structured document that NIS2-registered organisations submit to the CCB to demonstrate their security maturity. It uses a standardised Excel tool provided by the CCB, scoring each control on a maturity scale aligned with the Conformity Assessment Scheme.

What you must submit by April 2026 (and to whom)

All submissions go through the Safeonweb@Work portal. Registration should already be complete since the registration deadline passed in March 2025.

You have two compliance tracks. Pick the one that fits your situation.

Track 1: CyFun. Submit a verification statement for CyFun Basic or Important level. This means completing the CCB’s self-assessment tool and demonstrating you meet the required controls at the target maturity scores. For most mid-market organisations, this is the faster and more affordable route.

Track 2: ISO 27001. Submit your information security policy, scope, and Statement of Applicability (SoA) to the CCB. This route makes sense if you already hold ISO 27001 certification or are close to completing it.

Both tracks share the same hard deadline: 18 April 2026. By April 2027, organisations must report on progress towards full compliance at their assigned CyFun level.

The distinction between entity types matters for supervision. Essential entities in sectors like energy, healthcare, and digital infrastructure face proactive audits and mandatory conformity assessments by a BELAC-accredited Conformity Assessment Body (CAB). Important entities face reactive (ex post) supervision but are still expected to submit their self-assessment. For a full overview of NIS2 compliance obligations, including registration, reporting timelines, and board-level responsibilities, see our separate guide.

CyFun levels explained: which applies to your organisation

The CCB’s Selection Tool determines your required assurance level based on sector, organisation size, and societal impact of a potential cyber incident. Four levels exist, each building on the previous one.

CyFun level | Controls | NIS2 classification | Verification deadline
Small | ~23 | Micro-entities | Voluntary
Basic | ~34 | Important entities (starting point) | April 2026
Important | ~99 additional | Important entities (full scope) | April 2027
Essential | ~85 additional on top of Important | Essential entities | April 2027

Most mid-market organisations with 50 to 400 employees will start at Basic level. The 34 controls in Basic cover the fundamentals: access management, patch management, backup procedures, and incident detection. The CCB has stated that Basic alone addresses roughly 82% of the attack types documented in CERT.be threat profiles.

The framework aligns with NIST CSF 2.0. The 2025 edition added Govern as a sixth core function alongside Identify, Protect, Detect, Respond, and Recover. If you have worked with NIST, ISO 27001, or CIS Controls before, many CyFun requirements will look familiar. The CCB provides mapping documents that cross-reference CyFun controls against NIST CSF, ISO 27001, CIS Controls, and IEC 62443.

What evidence auditors expect per CyFun function

This is where most organisations underestimate the effort. A CAB auditor does not just ask whether you have security measures in place. They ask you to prove it. Below is what they expect per CyFun function, with concrete examples of acceptable evidence.

Govern

This function was added in the 2025 edition to align with NIST CSF 2.0. It covers your cybersecurity governance structure: who is responsible, what policies exist, and how security is embedded in organisational decision-making.

Evidence auditors expect: a documented cybersecurity policy approved by management, a risk management framework with defined risk appetite, assigned roles and responsibilities for security (CISO, DPO, or equivalent), meeting minutes showing board-level discussion of cybersecurity, and documented supply chain security requirements for third-party providers.

The NIS2 board liability requirements make this function particularly important. Management is personally accountable for approving and overseeing cybersecurity measures.

Identify

Map your digital environment. Which systems, data, and processes are business-critical? Auditors want to see evidence that you know what you are protecting.

Evidence auditors expect: a hardware and software asset inventory, a network topology diagram showing all segments and connection points, a classification of data sensitivity levels, a documented risk assessment following a recognised methodology, and a register of third-party services with access to your network or data.

Protect

This is the largest function in CyFun and the one where technical controls dominate. Auditors want proof that your protections are active, enforced, and logged.

Evidence auditors expect: access control logs showing per-user, per-application permissions with least-privilege enforcement, multi-factor authentication records, patch management logs showing timely updates, backup schedules with tested restoration procedures, encryption policies for data at rest and in transit, network segmentation evidence showing isolation between IT and OT segments, and security awareness training completion records. Platforms like Jimber generate the access control logs automatically from the ZTNA module, eliminating the manual correlation that consumes weeks of preparation.

For organisations with agentless devices such as printers, IoT sensors, or industrial equipment, the device posture checks guide explains how device verification maps directly to CyFun Protect controls. Jimber’s NIAC hardware provides network-level isolation logs for these devices, covering a control area that traditional endpoint tools simply cannot reach.

Detect

Auditors want proof that you can identify security events in real time, not just that you have tools installed.

Evidence auditors expect: continuous monitoring logs showing active detection of anomalies, SIEM or log aggregation configuration with defined alert rules, intrusion detection records, documented thresholds for escalation, and evidence of regular log review. Jimber’s centralised logging captures access events, policy changes, and device posture status from one console, which simplifies the evidence pack significantly compared to pulling logs from five separate dashboards.

Respond

Your incident response capability. Auditors verify that you have a plan and that you have tested it.

Evidence auditors expect: a documented incident response plan with defined roles, communication templates for the 24-hour and 72-hour NIS2 reporting requirements, records from tabletop exercises or simulation tests, post-incident review reports (if applicable), and escalation procedures including notification to the CCB’s CSIRT.

The Belgian hospital ransomware case is a practical example of what happens when incident response procedures fail under pressure. Seven patients required emergency transfer because containment was not possible at the network level.

Recover

How you restore normal operations after an incident. This function is often overlooked in self-assessments.

Evidence auditors expect: business continuity plans with recovery time objectives, backup restoration test results with dates and outcomes, lessons-learned documentation from past incidents or drills, communication plans for stakeholders during recovery, and evidence that recovery procedures are reviewed and updated annually.

Five mistakes that derail your CyFun assessment

1. Treating the self-assessment as a checkbox exercise. The CCB’s Excel tool asks for maturity scores per control. Filling in “3” across the board without supporting evidence guarantees trouble when a CAB auditor requests proof. Be honest in your scoring. A low score with a documented improvement plan is better than a high score you cannot substantiate.

2. Starting with technology instead of governance. Many IT managers jump straight to technical controls and neglect the Govern function. Without a documented cybersecurity policy, assigned responsibilities, and board approval, your technical measures lack the organisational foundation that auditors check first.

3. Ignoring agentless devices. Printers, IoT sensors, building management systems, and production equipment that cannot run security agents are the most commonly missed items in asset inventories. If they are on your network, they are in scope. If they are not in your inventory, your Identify function is incomplete.

4. Relying on too many disconnected tools. This is where mid-market organisations lose weeks. If your access control sits in one tool, your web filtering in another, your network segmentation in a third, and your logging in a fourth, you need to extract, correlate, and present evidence from all four. Each tool has its own export format, its own retention policy, its own terminology. Jimber consolidates access control, web security, network segmentation, and logging into one auditable platform. One evidence source instead of five separate dashboards that do not correlate.

5. Waiting for the auditor to tell you what is missing. CAB auditors verify your self-assessment. They do not prepare it for you. Organisations that submit a self-assessment full of gaps and expect the auditor to guide them through fixes end up paying for additional audit cycles and missing deadlines. Use the CCB’s self-assessment tool early, score yourself honestly, and close gaps before engaging a CAB.

How your security architecture determines your assessment experience

This is the part that nobody talks about. Your choice of security architecture does not just affect your security posture. It determines how painful or how smooth your CyFun assessment will be.

Consider two scenarios.

Scenario A: fragmented stack. You run a firewall appliance from one vendor, a VPN from another, web filtering from a third, a separate endpoint tool, and a standalone logging solution. To prepare your CyFun evidence pack, you need to document five vendor contracts for your supply chain assessment. You need to extract access logs from the VPN, web filtering records from the SWG, network segmentation proof from the firewall, and event data from the logger. Then you correlate them manually to demonstrate that your Protect and Detect functions work together. This takes weeks, sometimes months, for a team of two or three.

Scenario B: consolidated SASE platform. You run Jimber’s SASE platform with ZTNA, SWG, FWaaS, and SD-WAN in one console. Access logs, web security records, segmentation policies, and event data come from one source. One vendor contract for supply chain documentation. One audit trail. One configuration set to evidence. Preparation time drops from months to weeks.

This is not theoretical. A Belgian wealth manager cut costs by 58% after consolidating a fragmented security stack onto Jimber’s platform. A significant portion of those savings came from simplified compliance reporting. Evidence that previously required manual correlation across multiple tools now came from a single audit trail with policy versioning, access logs, and device posture records in one place.

Jimber’s SASE platform maps directly to CyFun controls across Protect, Detect, and Respond functions. The CRACy compliance tool shows which controls your current configuration already satisfies and where gaps remain. For IT managers preparing their first CyFun assessment, this turns a weeks-long evidence-gathering exercise into a dashboard view.

The assessment itself does not change based on your architecture. The controls are the same. The evidence requirements are the same. But the effort to produce that evidence varies enormously depending on whether your security data lives in one place or five.

Frequently asked questions

What does CyFun stand for?

CyFun is short for CyberFundamentals, Belgium’s national cybersecurity framework developed by the Centre for Cybersecurity Belgium (CCB). It provides a structured set of security controls aligned with NIST CSF 2.0, ISO 27001, CIS Controls, and IEC 62443. The framework serves as Belgium’s primary route to demonstrating NIS2 compliance.

Is CyFun mandatory for all Belgian companies?

Not directly. CyFun (or equivalent ISO 27001 certification) is mandatory for organisations that fall under the Belgian NIS2 law as essential or important entities. These are organisations in 18 designated sectors that meet size thresholds of 50 or more employees or annual turnover above EUR 10 million. However, the ripple effect is broader. NIS2 entities are required to assess security across their supply chain, which means suppliers and service partners increasingly face CyFun requirements through contractual obligations even if they are not directly in scope.

What is the difference between CyFun and ISO 27001?

Both are accepted by the CCB as proof of NIS2 compliance. CyFun is purpose-built for the Belgian context, is free to use, and provides a structured self-assessment tool with clear maturity scoring. ISO 27001 is an international standard that requires formal certification by an accredited body, which is more expensive and time-consuming. For mid-market organisations without existing ISO certification, CyFun is typically the faster and more cost-effective path. The CCB provides mapping documents that show how the two frameworks align. For a detailed control-by-control breakdown, see our full NIS2 compliance checklist.

Can a SASE platform help with CyFun compliance?

Yes. A unified SASE platform like Jimber generates the access control evidence, network segmentation proof, and centralised logging that CyFun’s Protect and Detect functions require. Instead of pulling evidence from five separate tools, you export it from one console with consistent formatting and correlated event data. CRACy maps your configuration to specific CyFun controls, showing which requirements your current setup already satisfies and where gaps remain. This does not replace the self-assessment itself, but it dramatically reduces the evidence-gathering effort.

What happens if I miss the April 2026 deadline?

The CCB can impose administrative fines and binding instructions. For essential entities, fines can reach EUR 10 million or 2% of global annual turnover, whichever is higher. For important entities, the maximum is EUR 7 million or 1.4% of turnover. Beyond financial penalties, the CCB can temporarily suspend certifications or authorisations, publicly disclose compliance failures, and in cases of repeated negligence, temporarily prohibit individuals from exercising management functions. The fine doubles for repeat offences within three years.

How long does it take to prepare for a CyFun assessment?

It depends on your starting point and your security architecture. With a consolidated security platform that centralises logging, access control, and policy management, preparation for Basic level typically takes weeks. With fragmented tools and manual evidence correlation, it takes months. The biggest time investment is usually not the technical controls themselves but the governance documentation: writing the cybersecurity policy, formalising risk assessments, and documenting incident response procedures. Start with Govern and Identify. The technical evidence follows.

The deadline is weeks away. If you have not started your CyFun self-assessment, the time to begin is now. Jimber’s SASE platform provides the centralised access logs, segmentation evidence, and device posture records that CyFun’s Protect and Detect functions require, all from a single console. The CRACy tool maps your current configuration against CyFun controls so you can see exactly where you stand. Start with our full NIS2 compliance checklist to understand the controls, then book a demo to see how platform consolidation turns assessment preparation from a months-long project into a manageable task.
