CyberFundamentals: understanding the four levels

CyberFundamentals (CyFun) is the framework of the Centre for Cybersecurity Belgium (CCB) for implementing cybersecurity measures, in particular in the context of NIS2. Its requirements draw on recognised frameworks — NIST CSF, ISO/IEC 27001 and 27002, IEC 62443, CIS Controls. It comes in four levels, from the most accessible to the most demanding.

The four levels

Small is an entry point: a limited set of key measures, designed for very small organisations. Basic is the baseline that protects against the most common attacks; the CCB recommends it as a minimum for any organisation in the supply chain of a NIS2 entity. Important raises the assurance level, in line with important entities. Essential, finally, aims for the state of the art and is intended for essential entities.

Basic, Important and Essential are the three assurance levels used in the NIS2 context; Small remains a starting tier.

Which level for my organisation

The CCB provides a risk-assessment tool, based on generic analyses carried out for seventeen sectors, to guide the choice of level. In practice, NIS2 status already gives an indication: an important entity sits at Basic or Important; an essential entity, at Important or Essential.

Verification or certification

Presumption of conformity with NIS2 is obtained through CyFun verification for the Basic and Important levels, and through CyFun certification for the Essential level. Essential entities must reach the Basic or Important level before 18 April 2026, then have the required level certified before 18 April 2027.

Choosing the right level means calibrating the effort to the actual risk — neither undersized nor disproportionate.