Practical Insights for NIS2 with CyFun: Empowering Digital Service Providers

On March 4th, 2025, we hosted another successful and greatly appreciated session of our "Enhancing Cybersecurity for Digital Services: Practical Insights for NIS2 with CyFun" webinar at CyberActive.

Participants gained valuable knowledge about the NIS2 Directive and the CyberFundamentals Framework (CyFun), which is emerging as one of the primary standards for certifying conformity under NIS2 in Belgium. By the way, this framework from the Centre for Cybersecurity Belgium (CCB) is also recognized far beyond our borders: Romania decided to enter into a CyFun partnership with Belgium, and Ireland is also taking steps in this direction.

In this article, webinar presenter Kurt Schoenmaekers explains why NIS2 matters for digital service providers, how CyFun helps to reach and demonstrate compliance, and what practical steps to take.


Quick facts

  • CyFun is Belgium's structured framework for NIS2 compliance, based on global cybersecurity standards
  • Key challenges for digital service providers: supply chain security, SBOMs, cloud security, and incident response
  • NIS2 mandates strict cybersecurity requirements: incident reporting, management accountability, and supply chain security
  • Our trainings provide practical guidance on navigating NIS2 compliance and CyFun implementation

Why NIS2 Matters for Digital Service Providers

The NIS2 Directive, which officially came into force on October 18, 2024, significantly expands the scope of the original NIS Directive. It affects approximately 160,000 organizations across Europe, including many digital service providers such as cloud computing services, online marketplaces, data centers, and managed service providers.

During the session, we explored how the directive introduces:

  • More stringent cybersecurity requirements
  • Precise incident reporting provisions with specific timelines
  • Enhanced accountability for management and board members
  • Stringent supply chain security requirements
  • Increased fines for non-compliance (up to €10 million or 2% of annual turnover for essential entities)

CyFun: Belgium's Approach to NIS2 Compliance

A significant portion of the webinar focused on the CyberFundamentals Framework (CyFun), developed by the Centre for Cybersecurity Belgium (CCB). This framework offers a structured approach to implementing cybersecurity measures based on established standards like NIST CSF, ISO 27001, CIS Controls, and IEC 62443.

We demonstrated how CyFun provides four assurance levels:

  • Small: For micro-organizations with basic measures
  • Basic: The foundation level with 13 key measures
  • Important: For most digital service providers
  • Essential: For critical infrastructure and services

Key Challenges for Digital Service Providers

The session highlighted specific challenges faced by digital service providers:

  • Supply chain security (particularly relevant after incidents like SolarWinds and 3CX)
  • Software composition analysis and the importance of SBOMs (Software Bill of Materials)
  • Cloud security responsibilities in different service models (IaaS, PaaS, SaaS)
  • Documentation requirements including incident response plans and business continuity plans

Practical Steps for Compliance

Participants received practical guidance on:

  • Using the NIS2 scoping tool to determine applicability
  • Conducting self-assessments using the CyFun framework
  • Implementing the 13 key measures for the basic level
  • Addressing supply chain security through tools like OWASP Dependency Check
  • Preparing essential documentation and policies

Feedback from Participants

The enthusiasm from our participants was evident in their testimonials:

  • "Thanks a lot Kurt, that was very helpful."
  • "Thanks a lot, it was really interesting!"
  • "Very interesting webinar Kurt."
  • "Thanks a lot for the valuable insights!"
  • "Thank you Kurt, I now know that we need to work on basic compliance because of the type of customers we serve."
  • "Thank you for the interesting webinar!"

Join the (Cy)Fun!

If you missed this session, don't worry: the next session of the "Enhancing Cybersecurity for Digital Services: Practical Insights for NIS2 with CyFun" webinar is planned for April 24th!

Also, take a look at the extensive webinar programme on the CyberActive website to see more of these free events, which are designed to provide practical guidance on navigating the complex landscape of cybersecurity compliance.

The deadline for digital service providers to register under NIS2 has already passed (December 18, 2024), but it's never too late to improve your cybersecurity posture.

Tip: One of the best NIS2/CyFun resources on the Web is CCB's NIS2 Quickstart Guide.

Bonus Tip: we organise a very practical afternoon seminar (in Dutch) "NIS2 en CyFun in de Praktijk" in which we will go deep into the NIS2 Directive, the different CyFun levels, and the best practices to raise your cybersecurity.

At the end of this seminar, we will demonstrate Cyber3Lab's online CyFun self-assessment tool, which helps you find your security gaps and puts the framework to use in a user-friendly, multilingual and powerful way.

Join our Cyber3Lab Knowledge Network for more (Cy)Fun! Follow us on LinkedIn and contact us via cyber3lab@howest.be.

Authors

  • Patrick Van Renterghem, AI, CyberSecurity, Web3, Quantum, ... Community Builder
  • Kurt Schoenmaekers, Cybersecurity Researcher
