Everything you need to use the CyFun Tool

NIS2 (EU Directive 2022/2555) was transposed into Belgian law on 26 April 2024. It requires organisations in certain sectors to implement cybersecurity measures and report significant incidents.

NIS2 applies to your organisation if you: (1) provide a service listed in Annex I or II of the Belgian NIS2 law; and (2) qualify as a medium or large enterprise (50+ employees or €10M+ turnover). Public administrations, trust service providers, and DNS operators are in scope regardless of size.

Use the NIS2 Scope Wizard inside the tool (Profile → NIS2 Scope) if you are unsure.

CyFun® is Belgium's national cybersecurity framework, published by the Centre for Cybersecurity Belgium (CCB). It defines 218 requirements across 6 functions (Govern, Identify, Protect, Detect, Respond, Recover) at three assurance levels (Basic, Important, Essential).

CyFun is rooted in the NIST Cybersecurity Framework (CSF 2.0) and cross-referenced with ISO 27001/27002, CIS Controls v8, and IEC 62443. Achieving CyFun compliance is the official Belgian path to demonstrate NIS2 compliance.

The verification method also differs: Basic and Important require a self-assessment verified by an accredited CAB, while Essential requires a full certification audit (ISO/IEC 17021-1).

Key Measures are the most critical requirements in the framework — 172 out of 218 total. They represent the controls considered indispensable for meaningful cybersecurity posture.

For Important and Essential levels, every Key Measure must individually meet the minimum maturity threshold. You cannot average out a weak Key Measure with a strong one. The dashboard's gap analysis highlights Key Measures that are below threshold with a distinct indicator.

• GV – GOVERN: Governance, risk strategy, policies, and regulatory compliance
• ID – IDENTIFY: Asset management, risk assessment, supply chain, and understanding what needs protection
• PR – PROTECT: Access control, encryption, backups, training, and technical safeguards
• DE – DETECT: Monitoring, anomaly detection, and security event management
• RS – RESPOND: Incident response planning, communication, and mitigation
• RC – RECOVER: Recovery planning, restoration, and lessons learned

Each requirement is scored on two separate dimensions:

• Documentation (D): Does a written, approved policy or procedure exist for this topic? Is it up to date and accessible?
• Implementation (I): Is the policy actually followed? Is the technical control in place and working?

A common failure pattern is good documentation with poor implementation (policies that exist on paper but aren't followed), or good implementation with no documentation (things work but aren't written down). CyFun requires both. Your maturity score for a requirement is the average of D and I.

These thresholds are checked by the dashboard in real time. The gauge and colour coding show exactly how far you are from the threshold.

NIS2 requires in-scope organisations to report significant incidents to the CCB within defined timeframes:

• 24 hours: Early warning — notify the CCB that a significant incident has occurred.
• 72 hours: Initial notification — provide detail on the incident's nature, initial impact, and indicators of compromise.
• 1 month: Final report — full incident analysis, root cause, remediation actions taken.

An incident is "significant" if it causes (or could cause) severe disruption to service delivery, affects other organisations, or involves a malicious act. For reporting, use the official CCB portal at atwork.safeonweb.be. This tool does not manage incident reporting.

CyFun is built on NIST CSF 2.0 (the 6 functions come directly from NIST) and cross-referenced with ISO 27001/27002, CIS Controls v8, and IEC 62443.

• ISO 27001: Globally recognised certification. Many ISO 27001 controls map to CyFun requirements. The Reference → Explorer shows exact cross-references. However, ISO 27001 certification does not automatically substitute CyFun for Belgian NIS2 purposes — CyFun is the legally recognised path in Belgium.
• NIST CSF: The structural backbone of CyFun. If your organisation already uses NIST CSF, the mapping to CyFun is straightforward.
• CIS Controls v8: Practical implementation guidance. Many CyFun requirements map to specific CIS controls.

In short: existing certifications or frameworks reduce the effort needed for CyFun but do not replace it.

All your data is stored exclusively in your browser's local storage — a built-in browser feature that keeps data on your device only. Nothing is ever sent to any server. The tool is fully offline: once loaded, it works without an internet connection.

This means your assessment data is completely private and under your control. No account, no login, no tracking.

Use Export / Import → JSON backup to save a complete copy of all your data as a .json file. Store it somewhere safe (your documents folder, a USB drive, or a cloud storage service).

To restore, use Export / Import → Import and select the .json file. Export a backup regularly — especially before clearing browser data or switching computers.

Yes. The free plan lets you manage up to 2 organisations. Each has its own profile, assessment scores, dashboard, and roadmap. Switch between them using the organisation switcher in the tool header. Need more? The Pro plan removes this limit.

In the Assess section, recent scoring changes can be undone with the Undo button or Ctrl+Z / ⌘Z. For more significant actions (deleting an organisation), these are not undoable within the session.

If you have a JSON backup, you can restore from it via Export / Import → Import. This is why regular exports are strongly recommended.

Use the EN / FR / NL buttons in the navigation bar (this page) or in the tool header. Your preference is saved automatically and remembered next time.

The assessment tool itself is designed for desktop browsers (≥ 900px wide). On smaller screens a notice recommends using a desktop. This help page and the landing page are fully responsive. For the actual assessment, a laptop or desktop is recommended.

Your data lives exclusively in your browser's local storage. If you clear browser history, cookies, or site data — or switch to a different browser or computer — your assessment data will be lost.

Prevention: Export a JSON backup regularly via Export / Import → JSON backup. Store it in a safe place (documents folder, cloud storage, USB drive). To restore, use Export / Import → Import and select the .json file.

The JSON file contains all your organisations, scores, notes, actions, and snapshots — everything needed to fully restore your work.

Yes. In the Assess section, click any requirement to expand it — you will find a Notes field. Use it to record:

• Your reasoning for the score you gave
• References to evidence (e.g. "Policy doc: /IT/Access-Control-Policy-2025.pdf")
• Reminders for follow-up or open questions
• Names of people responsible for implementation

Notes are saved automatically and included in the JSON and XLSX exports. They are especially useful when preparing for a CAB verification.

The tool does not have real-time collaboration — all data stays in your browser. To work with a colleague or consultant:

1. Export your data as JSON (Export / Import → JSON backup)
2. Send the file to your colleague
3. They import it into their own instance of the tool (Export / Import → Import)
4. They make changes and export an updated JSON
5. You import the updated JSON back

Both parties should agree on who holds the "master" copy to avoid conflicting versions.

This is completely normal at the start of any assessment — red means the score is below the threshold, not that your organisation is in breach of the law. The dashboard is designed to show you where to focus.

Start with the Key Measures in red (highlighted in the gap analysis). Use the Roadmap section to create action items. The assessment is a journey: close the biggest gaps first, reassess, and iterate.

A gap is the difference between your current maturity score and the required threshold for your level. For example: if your PROTECT function scores 2.3/5 and the threshold for Important is 3.0/5, the gap is 0.7 points.

The dashboard lists all gaps and sorts them by severity. Closing a gap means improving your documentation and/or implementation in that area and then re-scoring the affected requirements.

The tool is a self-assessment aid — its results are indicative, not legally binding. Non-compliance in the tool means your current self-assessment scores are below the threshold; it does not mean you are in breach of the NIS2 law.

Legal compliance is determined by the formal verification or certification process performed by an accredited CAB. Use the tool's results to guide improvement, then engage a CAB for the official assessment.

The priority matrix lists all requirements currently below the threshold, ranked by gap size and weighted by whether they are Key Measures. It gives you a prioritised action list: fix the biggest gaps in Key Measures first, as they unblock compliance the fastest.

You can create action items directly from the matrix by opening any requirement and clicking "+ Add action".

Yes — this is one of the most common and meaningful findings. A high Documentation score with a low Implementation score means policies exist on paper but are not followed in practice. This is a real risk: in the event of an incident or an audit, written policies that are not applied provide no protection.

For a CAB verification, you need to demonstrate both: the policy exists (D) and is actually applied (I). Auditors will look for evidence of implementation — not just policy documents.

The reverse (I > D) — doing things without documented policies — is also a problem: informal practices may be inconsistent, hard to communicate to new staff, or lost when key people leave.

Use the Roadmap to plan both documentation and implementation improvements together.

A snapshot saves your current scores at a specific point in time — like a named checkpoint. It does not affect your working scores.

Good times to take a snapshot:

• At the very start of your assessment ("Baseline")
• After completing a major remediation effort ("Post-remediation Q2 2025")
• Before a CAB verification ("Pre-audit")
• At regular review intervals (quarterly, annually)

To take a snapshot: go to Roadmap → History tab → click "Take snapshot" → give it a name. In the History view you can compare any two snapshots to see which areas improved and by how much.

The CCB maintains a list of accredited Conformity Assessment Bodies (CABs) on cyfun.eu. A CAB will verify your self-assessment (Basic/Important) or conduct a full audit (Essential).

Asphalia Consulting also provides advisory services for NIS2 and CyFun compliance — contact us at contact@asphaliaconsulting.be.

• Framework documentation: atwork.safeonweb.be
• Toolbox (templates, guidance): Safeonweb@Work Toolbox
• CyFun portal: cyfun.eu/en

The tool also includes a built-in NIS2 FAQ with 60+ official Q&As — accessible from Reference → NIS2 FAQ.

No. This tool is built and maintained by Asphalia Consulting SRL and is not affiliated with or endorsed by the Centre for Cybersecurity Belgium (CCB). It is based on the publicly available CyFun® 2025 framework documentation. For official guidance, always refer to the CCB's publications and accredited CABs.

Once your scores consistently meet the threshold:

• Gather evidence: Collect the documents, logs, and records that demonstrate each requirement is implemented.
• Engage a CAB: Contact an accredited Conformity Assessment Body for formal verification or certification.
• Register on Safeonweb@Work: NIS2 entities must register with the CCB at atwork.safeonweb.be.
• Set up regular reviews: Your scores need to be maintained and updated as your organisation evolves.

Under Belgian NIS2 law, the CCB can impose administrative fines. Maximum fines are:

• Essential entities: up to €10 million or 2% of total global annual turnover (whichever is higher)
• Important entities: up to €7 million or 1.4% of total global annual turnover (whichever is higher)

Additional measures may include temporary suspension of services, public disclosure of violations, or temporary bans for senior management in cases of gross negligence.

These are maximum limits — the CCB applies a proportional approach. The tool is not a legal risk calculator; consult a legal adviser for advice specific to your situation.

Yes. The free plan supports up to 2 organisations. With the Pro plan you get unlimited organisations — ideal for consultants managing multiple clients. Each has its own isolated profile, scores, dashboard, and roadmap.

Typical consultant workflow:

1. Create an organisation profile for each client
2. Score the assessment during your engagement
3. Export the JSON to share with the client (they can import it into their own instance)
4. Export PDF / XLSX for reporting deliverables

Each client keeps their own copy of the data — nothing is shared between organisations or sent to any server.

The Free plan gives you the full assessment tool: all assurance levels, all exports (PDF, XLSX, PPTX, JSON), the dashboard, roadmap, evidence engine, NIS2 wizard, and up to 2 organisations. No account required, fully offline.

The Pro plan (coming soon) adds:

• Cloud sync across devices
• Unlimited organisations
• Sector benchmark comparison
• History restore & version comparison
• Progress reports (snapshot-to-snapshot PDF)