The April 2026 deadline has passed. Belgian organisations classified as essential or important entities under NIS2 are no longer preparing for audits. They are sitting through them. The Centre for Cybersecurity Belgium (CCB) has moved from advisory support to active enforcement, and accredited Conformity Assessment Bodies (CABs) are on-site across the country, requesting evidence packs that many IT teams are still assembling. The CyberFundamentals (CyFun) framework is the compliance backbone. If your organisation has not yet undergone external verification, the clock is no longer ticking. It has stopped.
This guide covers what the conformity assessment process involves: who audits you, what they ask for, how long it takes, what it costs, and where most Belgian mid-market organisations fall short.
What is a CCB conformity assessment?
A CCB conformity assessment is a formal evaluation by an independent, BELAC-accredited body that verifies whether a Belgian organisation meets the security requirements of the CyberFundamentals (CyFun) framework. It applies to entities regulated under NIS2 at the Important or Essential level. The assessment results in a verification statement or certification that serves as legal proof of compliance. Self-declarations are no longer sufficient for these levels. The assessment covers technical controls, governance processes, and documented evidence of ongoing security operations, all mapped to CyFun’s control domains.
The CyFun framework structure in 2026
The CyberFundamentals framework is Belgium’s national translation of NIS2 into measurable controls. It draws on ISO 27001, NIST CSF, and the CIS Critical Security Controls, structured into four assurance levels that scale with organisational risk.
| CyFun level | Target audience | Compliance path | External requirement |
|---|---|---|---|
| Small | Small businesses, low risk | Self-assessment | None (optional label) |
| Basic | SMEs, entry-level essential | Verification (ISO 17029) | Required for proof |
| Important | Mid-market, important entities | Verification (ISO 17029) | Mandatory |
| Essential | Systemic, essential entities | Certification (ISO 17021-1) | Full certification by 2027 |
The Important level requires verification according to ISO/IEC 17029. The Essential level demands full management system certification under ISO/IEC 17021-1. This distinction determines both the evidence required and the qualifications your auditor must hold.
The CyFun self-assessment guide covers the Small and Basic levels in detail. This article focuses on external verification for Important and Essential entities.
The 2025 CyFun update sharpened the focus on supply chain security and board-level accountability. Directors must actively participate in cybersecurity oversight and training, not just approve budgets.
Who audits you and how to choose a CAB
The choice of Conformity Assessment Body is a strategic decision. A CAB must be both accredited by BELAC (or an equivalent national body under EA mutual recognition) and specifically authorised by the CCB for NIS2 audits. Not all CABs are authorised for all CyFun levels.
The Big Four (Deloitte Belgium, KPMG Belgium, PwC Belgium, EY Belgium) suit large multinationals or organisations combining CyFun with ISO 27001. For mid-market organisations with 50 to 250 employees, specialised bodies like Brand Compliance, Bureau Veritas Belgium, and Vinçotte offer deeper CyFun expertise and more predictable timelines.
| CAB (examples, 2026) | Focus | Accreditation | Authorisation scope |
|---|---|---|---|
| Brand Compliance | Antwerpen, mid-market | BELAC | CyFun Basic/Important |
| Bureau Veritas Belgium | Antwerpen, global | BELAC | ISO 27001/NIS2 |
| Vinçotte | Vilvoorde, technical | BELAC | ISO 27001/CyFun |
| KPMG Certification | Zaventem, enterprise | BELAC | ISO 27001/NIS2 |
| DQS Belgium | Brussel, standards | DAkkS | ISO 27001/NIS2 |
| EY CertifyPoint | Rotterdam, digital | RvA | ISO 27001/NIS2 |
Request at least three quotes. Ask specifically about experience with the CyFun 2025 update and familiarity with your sector. The CCB’s inspection service applies sector-specific risk assessments, so an auditor who understands your industry identifies practical gaps rather than theoretical ones.
The audit timeline in practice
Most Belgian mid-market organisations underestimate the time a conformity assessment takes. The CCB's own research quotes a minimum of 1.5 man-days for basic verification, but the reality for a 200-person organisation is considerably more involved.
| Audit phase | Duration | Focus |
|---|---|---|
| Internal preparation | 6-9 months | Gap analysis, policy drafting, evidence gathering |
| CAB scoping | 1 month | Contractual agreement, defining audit scope |
| Stage 1: documentation review | 1-3 days | Verifying policies against CyFun requirements |
| Stage 2: on-site audit | 5-10 days | Testing controls, interviews, system inspections |
| Reporting and review | 2-4 weeks | Auditor drafting, independent review, CCB submission |
| Remediation (if needed) | 3-6 months | Fixing non-conformities |
The preparation phase consumes most time. Organisations perform a gap analysis against CyFun controls, draft missing policies, and assemble evidence packs. Service partners who run mock audits during this phase consistently reduce on-site audit duration by flagging issues before official auditors arrive.
The on-site phase involves verifying physical security, interviewing key personnel, and requesting live demonstrations of controls. For organisations with multiple sites or OT environments, the on-site portion alone can extend to 10 days.
Organisations using Jimber’s SASE platform reduce the evidence-gathering burden during preparation. Centralised logging, identity-based access records, and device posture reports export from a single console, instead of requiring manual assembly from separate tools.
Remediation is the phase most organisations overlook when planning timelines. If an auditor identifies non-conformities, you receive a specific period to address them before a final verification statement can be issued. For essential entities, missing remediation deadlines can trigger surveillance measures from the CCB’s inspection service.
What evidence auditors actually request
Auditors in 2026 look for “substantial evidence validated by management.” Policy documents alone are insufficient. The organisation must prove that policies are active, enforced, and regularly reviewed. The CCB instructs inspectors to focus on “key measures” derived from actual Belgian attack patterns.
The top ten evidence types requested during CyFun Important or Essential audits:
1. Management-validated security framework. Board-approved cybersecurity strategy and risk management documentation. Evidence that directors have reviewed, approved, and understand the organisation’s risk posture.
2. Statement of Applicability (SoA). A comprehensive listing of all implemented controls, their maturity level (1-5), and evidence of effectiveness.
3. Asset inventory. A complete, current list of IT and OT assets, including cloud services, IoT devices, and mobile hardware, with clear ownership and classification. This is where many mid-market organisations fail first. Platforms like Jimber that include device posture verification maintain a live asset register as a by-product of normal operations, rather than requiring a separate manual inventory.
4. Network architecture and segmentation proof. Diagrams and configuration logs demonstrating that critical systems are isolated from general office networks.
5. Access control and identity records. Joiner-mover-leaver process documentation, MFA enforcement evidence, and regular reviews of privileged access.
6. Incident detection and response logs. Evidence of operational monitoring and documented playbooks for specific threats.
7. Supplier and third-party contracts. Security requirements mandated and monitored for critical service providers, including audit rights and incident notification clauses.
8. Vulnerability management and patching logs. Regular scanning evidence and proof that critical vulnerabilities are patched within defined timelines.
9. Business continuity and backup test results. Documented evidence that backups are ransomware-protected and have been tested for restoration.
10. Cybersecurity training records. Participation logs showing all staff, including senior management, have completed mandatory training.
Auditors frequently request “live evidence” during the on-site phase: asking an administrator to demonstrate a policy in action, or requesting a random log sample from a specific date. Organisations running security through a unified SASE platform produce this evidence significantly faster than those correlating logs across multiple tools.
Common gaps in Belgian mid-market organisations
Research into the 2026 audit cycle shows that roughly 84% of Belgian organisations facing active enforcement were not fully prepared for external verification. The readiness gap is rarely about missing security tools. It is about fragmented processes and a lack of integrated documentation.
Supply chain documentation. The most frequent gap auditors identify. Organisations may have secure internal systems but fail to document how they monitor the security of their service partners, software vendors, or cloud providers. NIS2 Article 21 requires demonstrable security expectations for your supply chain. Updated DPAs and security annexes in vendor contracts are the minimum.
Stale incident response plans. Many organisations have a general response policy but lack the specific, tested playbooks required to meet the 24-hour and 72-hour NIS2 reporting windows. Plans that have not been exercised in the past 12 months score poorly.
Incomplete OT asset discovery. Printers, IoT sensors, building management systems, and industrial equipment that cannot run security agents remain the most common blind spots. Auditors check asset inventories against what they observe on the network. Jimber’s NIAC hardware provides a documented IT-OT bridge for agentless devices, closing this gap with verifiable isolation evidence.
MFA gaps on administrative tools. Organisations with MFA on external applications often lack enforcement on internal administrative consoles and infrastructure tools. Auditors check this specifically.
Untested backup restoration. Having backups is not enough. Auditors ask for tested restoration evidence with documented results. Quarterly restoration drills for critical applications are the expected standard.
Log retention inconsistencies. The CCB expects minimum six months of retained logs for forensic capability. Many organisations retain different durations across tools, creating gaps that auditors flag immediately. Centralised logging through a SASE platform like Jimber’s eliminates this inconsistency.
Governance disconnect. Under NIS2 Article 20, management bodies are personally accountable. Auditors look for evidence the board is actively engaged in risk decisions, not just signing off on annual reports.
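Several of the gaps above (asset inventory versus what is seen on the network, MFA on administrative consoles, restoration drills, and uniform log retention) can be pre-checked before the CAB arrives. The following Python script is an added illustration, not part of the original article and not CCB or Jimber tooling: it reconciles a constructed asset inventory against a constructed list of observed hosts, and checks log-source retention, admin-console MFA flags, and backup restore-test dates against the thresholds the text cites (six months of logs, quarterly restoration drills). All record structures, hostnames, and dates are made up for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

MIN_RETENTION_DAYS = 180        # six months of logs, as the article says the CCB expects
MAX_RESTORE_TEST_AGE_DAYS = 90  # quarterly restoration drills for critical applications


@dataclass
class Asset:
    hostname: str
    owner: str = ""
    classification: str = ""     # e.g. "critical", "internal", "public"
    is_admin_console: bool = False
    mfa_enforced: bool = False


@dataclass
class LogSource:
    name: str
    retention_days: int


@dataclass
class BackupSet:
    name: str
    last_restore_test: Optional[date]   # None means never tested


@dataclass
class Findings:
    unregistered_hosts: List[str] = field(default_factory=list)  # seen on network, not in inventory
    stale_inventory: List[str] = field(default_factory=list)     # in inventory, not seen on network
    incomplete_assets: List[str] = field(default_factory=list)   # missing owner or classification
    admin_without_mfa: List[str] = field(default_factory=list)
    short_retention: List[str] = field(default_factory=list)
    untested_backups: List[str] = field(default_factory=list)

    def is_clean(self) -> bool:
        return not any(vars(self).values())


def check_readiness(inventory: List[Asset], observed_hosts: List[str],
                    log_sources: List[LogSource], backups: List[BackupSet],
                    today: date) -> Findings:
    """Compare documented evidence against observed state and flag audit gaps."""
    f = Findings()
    known = {a.hostname.lower() for a in inventory}
    seen = {h.lower() for h in observed_hosts}
    f.unregistered_hosts = sorted(seen - known)
    f.stale_inventory = sorted(known - seen)
    for a in inventory:
        if not a.owner or not a.classification:
            f.incomplete_assets.append(a.hostname)
        if a.is_admin_console and not a.mfa_enforced:
            f.admin_without_mfa.append(a.hostname)
    for s in log_sources:
        if s.retention_days < MIN_RETENTION_DAYS:
            f.short_retention.append(f"{s.name} ({s.retention_days}d)")
    cutoff = today - timedelta(days=MAX_RESTORE_TEST_AGE_DAYS)
    for b in backups:
        if b.last_restore_test is None or b.last_restore_test < cutoff:
            f.untested_backups.append(b.name)
    return f


# Constructed sample data (hypothetical hosts, tools and dates, not from any real environment).
SAMPLE_INVENTORY = [
    Asset("fs01", "IT", "critical"),
    Asset("erp-db", "Finance", "critical"),
    Asset("vc-admin", "IT", "critical", is_admin_console=True, mfa_enforced=False),
    Asset("fw-mgmt", "IT", "critical", is_admin_console=True, mfa_enforced=True),
    Asset("old-print"),   # left in the register with no owner or classification
]
SAMPLE_OBSERVED = ["fs01", "erp-db", "vc-admin", "fw-mgmt", "plc-line3", "bms-hvac"]
SAMPLE_LOGS = [LogSource("firewall", 365), LogSource("vpn", 90), LogSource("idp", 180)]
SAMPLE_BACKUPS = [
    BackupSet("erp", date(2026, 3, 15)),
    BackupSet("fileserver", date(2025, 10, 1)),
    BackupSet("mailarchive", None),
]
SAMPLE_TODAY = date(2026, 5, 1)


def run_sample() -> Findings:
    return check_readiness(SAMPLE_INVENTORY, SAMPLE_OBSERVED, SAMPLE_LOGS,
                           SAMPLE_BACKUPS, SAMPLE_TODAY)


if __name__ == "__main__":
    findings = run_sample()
    for name, items in vars(findings).items():
        print(f"{name}: {items or 'ok'}")
    print("clean" if findings.is_clean() else "gaps found")
```

In the constructed data, the two OT devices that cannot run agents (`plc-line3`, `bms-hvac`) appear on the network but not in the register, the VPN concentrator keeps only 90 days of logs, one admin console lacks MFA, and two backup sets have no restoration test inside the quarter; each of these is exactly the kind of discrepancy the section above says auditors flag immediately.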
The cost of CyFun certification
The cost of achieving CyFun conformity varies with organisational complexity and the target assurance level. For most Belgian mid-market organisations, the CyFun route is more accessible and less expensive than a full ISO 27001 certification.
| Budget item | CyFun (Basic/Important) | ISO 27001 (comparable scope) |
|---|---|---|
| Internal implementation | EUR 5,000-30,000 | EUR 15,000-60,000 |
| Auditor fees (verification/cert) | EUR 1,000-15,000 | EUR 5,000-25,000 |
| Annual maintenance/surveillance | EUR 500-5,000 | EUR 2,000-10,000 |
| Total 3-year estimated TCO | EUR 10,000-60,000 | EUR 30,000-120,000 |
Direct costs cover CAB fees for the audit itself. Indirect costs, including internal preparation, documentation drafting, and external consultancy for gap analyses, represent the larger portion. For many Belgian organisations, VLAIO subsidies can partially offset these preparation costs.
The most significant variable is remediation. If your current infrastructure cannot support requirements like centralised logging, network segmentation, or identity-based access, the cost of new technology adds substantially. This is where consolidated platforms deliver measurable savings. A single SASE platform that covers access control, web security, network segmentation, and logging solves multiple CyFun requirements through one investment, rather than requiring four or five separate procurements. The SASE architecture explained guide covers how these components integrate.
Consequences of a failed audit
A failed CyFun audit or a CCB inspection that uncovers significant non-compliance carries consequences beyond fines. The NIS2 compliance 2026 overview covers the full enforcement framework. The impact is financial, operational, and reputational.
The Belgian NIS2 Law introduces administrative measures and penalties. Essential entities face fines up to EUR 10 million or 2% of global annual turnover. Important entities face up to EUR 7 million or 1.4%. The CCB prioritises remediation over fines, but immediate risks include suspension of verification statements, disqualifying organisations from government tenders and supply chain contracts.
Under NIS2 Article 20, management body members can be held personally liable and temporarily banned from managerial functions. The CCB’s “Active Cyber Protection” programme means the regulator already knows about many vulnerabilities through its own scanning. Failing to act on Spear Warnings before an audit is viewed as a failure of due diligence.
The AZ Monica ransomware attack in January 2026 demonstrated what happens when Belgian healthcare organisations face both a cyber incident and regulatory scrutiny simultaneously. The operational consequences of poor preparation extend well beyond fines.
How SASE simplifies audit evidence
A Secure Access Service Edge (SASE) platform directly addresses several of the most difficult evidence-gathering requirements in the CyFun framework. By integrating identity-based access, device posture checks, web security, and centralised logging into a single cloud-native architecture, it reduces the manual effort that makes audit preparation so time-consuming for mid-market teams.
| SASE capability | CyFun/NIS2 evidence mapping | Audit benefit |
|---|---|---|
| Centralised logging | Article 21 (detection and response) | Single-click export of access logs, 6+ month retention |
| Identity-based access | CyFun access control domain | Proof of app-level least privilege per user |
| Device posture checks | CyFun asset management domain | Evidence that only secure, known devices connect |
| NIAC hardware isolation | CyFun network security domain | Documented IT-OT bridge for agentless factory assets |
| Single console export | Governance and audit accountability | Reduces auditor on-site time |
| European data residency | GDPR overlap with CyFun | Data stays under EU jurisdiction |
Jimber’s SASE architecture maps directly to these evidence needs. Centralised logging provides the single source of truth for all access attempts that NIS2 Article 21 requires, without deploying a separate SIEM. Identity-based access demonstrates least-privilege enforcement at the application level. For organisations with industrial operations, NIAC hardware provides physical, verifiable evidence of IT-OT isolation.
European data residency matters in the audit context. Auditors evaluating your vendor supply chain find fewer open questions when your security platform operates under EU jurisdiction by design. Service partners guiding Belgian clients through verification report that a locally aligned toolset reduces both preparation time and audit friction.
The NIS2 compliance checklist maps these controls to the full set of CCB expectations, including the access control and supply chain requirements that trip up most mid-market organisations.
Frequently asked questions
What is a CCB conformity assessment?
A CCB conformity assessment is a formal process where an independent, BELAC-accredited Conformity Assessment Body verifies that a Belgian organisation has implemented the security controls required by the CyberFundamentals (CyFun) framework. It is the primary route for important and essential entities to prove NIS2 compliance and receive a CyFun label or certificate.
Which CyFun level does my organisation need?
Your level depends on your NIS2 classification. Essential entities in Annex I sectors (energy, healthcare, transport, digital infrastructure) need Important or Essential verification. Important entities in Annex II sectors target the Important level. Many organisations start with Basic as an initial milestone before the 2027 deadline.
How long does a CyFun audit take?
For a 200-person organisation, preparation takes 6 to 12 months. The formal audit involves 1 to 3 days of documentation review and 5 to 10 days of on-site verification, depending on the complexity of IT and OT environments. Remediation of non-conformities can add 3 to 6 months.
What does a CyFun audit cost for a mid-size Belgian organisation?
The total cost of ownership for a three-year CyFun cycle ranges from EUR 10,000 to EUR 60,000. This covers CAB verification fees (EUR 1,000-15,000), internal implementation costs, and ongoing maintenance. VLAIO subsidies can offset part of the preparation costs for eligible organisations.
Can SASE platforms help with CyFun compliance?
SASE platforms directly answer several CyFun audit requirements by providing centralised logging for detection evidence, identity-based access for least-privilege proof, device posture reports for asset management, and network isolation for segmentation evidence. A single console export reduces the manual evidence assembly that consumes most of the preparation timeline.
What happens if my organisation fails a CyFun audit?
A failure can lead to administrative fines (up to EUR 10 million for essential entities), loss of CyFun labels, and exclusion from supply chain contracts. Under the Belgian NIS2 Law, management body members face personal liability and can be temporarily banned from their roles if they fail to address documented security deficiencies.
Belgian organisations that treat the CyFun conformity assessment as an operational improvement exercise, not a compliance checkbox, are reporting better outcomes. The organisations that move fastest are those that consolidated their security stack before the audit, reducing both evidence-gathering time and the number of gaps auditors find. If your team is preparing for external verification or helping clients navigate the process, book a Jimber demo to see how a single SASE console maps to the evidence your CAB will request.