CyFun and NIS2: What Every Project Manager Needs to Know (And How to Guide Your Team)

15 May 2025 · Rob Gielen

Directors are personally liable. Deadlines are approaching. And most Belgian organizations still don't know where to begin.

That's the reality of NIS2 in Belgium — and exactly why you, as a freelance project manager, are in a uniquely strong position right now. Because someone has to lead these implementation projects. That someone is you.

CyFun (CyberFundamentals Framework) is Belgium's official response to the NIS2 directive. Developed by the Centre for Cybersecurity Belgium (CCB), it's the primary route to NIS2 conformity for Belgian organizations. As a project manager, this is the framework you need to understand.


What Is CyFun?

CyFun — short for CyberFundamentals Framework — is a cybersecurity framework developed by the Centre for Cybersecurity Belgium (CCB). It gives organizations a structured, step-by-step approach to:

  • Identifying and managing cyber risks
  • Stopping the most common cyberattacks
  • Demonstrating NIS2 conformity to regulators

CyFun 2025 is built on internationally recognized frameworks: NIST CSF 2.0, ISO 27001/27002, CIS Controls, and IEC 62443. Organizations already familiar with any of these don't start from scratch.

The Four Assurance Levels

Level     | Controls          | Target Audience
Small     | 10 rules of thumb | Micro-organizations without an IT department
Basic     | 34 controls       | SMEs — stops 82% of cyberattacks
Important | +99 controls      | Organizations handling sensitive data
Essential | +85 controls      | Critical infrastructure, essential entities

Why Is CyFun Urgent for Your Clients?

The NIS2 law has been in force in Belgium since 18 October 2024. That means:

  • Essential entities must implement Basic/Important by April 2026, Essential by April 2027
  • Directors are personally liable in the event of a cyber incident if NIS2 obligations aren't met
  • Heavy fines for non-compliance — comparable to GDPR penalties
  • Clients and procurement teams increasingly require a CyFun label or equivalent proof

And the good news for you as a project manager: CyFun implementation is a project. With a scope, a timeline, a budget, and deliverables. Exactly what you manage.


The Project Manager's Role in a CyFun Trajectory

A CyFun implementation isn't just an IT project. It touches HR (awareness), Legal (policies), Management (governance), and Operations (incident response). That makes it fundamentally a project management challenge.

As a freelance project manager, you bring:

  1. Overview across all workstreams: technical, organizational, documentary
  2. Stakeholder management between IT, business, and the board
  3. Planning and milestones to meet legal deadlines
  4. Risk monitoring — including the non-technical risks
  5. Reporting to the board, which bears personal liability

How to Run a CyFun Project: A Practical Step-by-Step Approach

Phase 1: Determine Scope and Level (Weeks 1–2)

Use the official CyFun Selection Tool from the CCB to determine the correct assurance level based on a sector-specific risk assessment. As PM, you facilitate this process and ensure the right people are in the room.

Phase 2: Gap Analysis (Weeks 2–4)

Measure the current state against the required controls. Which measures are already in place? What's missing? This becomes the foundation of your project plan.

💡 Need support with a professional CyFun gap analysis? RGI bv offers a NIS2 Gap Analysis & Audit specifically designed for Belgian organizations.

Phase 3: Implementation Plan (Weeks 3–5)

Turn the gap analysis into a concrete action plan: which controls get implemented when, by whom, and with what budget. Prioritize the key measures — the mandatory controls the CCB scrutinizes most closely.

Phase 4: Documentation and Policies (Ongoing)

CyFun requires demonstrable implementation. Policies, procedures, risk assessments, and audit logs must be in order. This is where most organizations stumble — and where you bring structure.

Phase 5: Self-Assessment and Verification

Prepare the organization for a formal conformity assessment by an accredited Conformity Assessment Body (CAB). Essential entities must complete this by April 2026.

🔒 Need professional guidance? RGI bv supports Belgian SMEs and mid-market organizations throughout the full CyFun trajectory — from gap analysis to label. 👉 Explore RGI bv's CyFun offering


CyFun vs. ISO 27001: Which Do You Recommend?

A question you'll inevitably get from clients. The rule of thumb:

  • CyFun → faster, more affordable, Belgium-specific, ideal for SMEs and the public sector
  • ISO 27001 → internationally recognized, more flexible, stronger for larger or international organizations

Good news: an existing ISO 27001 certificate can be used to obtain a CyFun label, provided the scope is complete and the Statement of Applicability covers the required controls.

🔒 For the combined approach: RGI bv also offers ISO 27001 implementation and ISO 27001 certification support.


The Business Case: Why This Is Your Market

According to the CCB, 70–75% of NIS2-registered entities have already started a framework implementation. But most organizations lack the internal project capacity to manage this in a structured way.

As a freelance project manager who understands NIS2 and CyFun, you're the connector they need — not the technical expert, but the project leader who keeps everything on track.

That market is opening right now.


Frequently Asked Questions

Is CyFun mandatory for my client?
If the organization qualifies as an essential or important entity under NIS2, it must implement either CyFun or ISO 27001. The CCB determines which entities are in scope via Safeonweb@Work.

Can I lead a CyFun project without a technical background?
Yes. Your role is to coordinate, plan, and monitor. Technical depth sits with the security specialists. You ensure the project is delivered on time, within budget, and with the right deliverables.

How long does a CyFun Basic implementation take?
With the right guidance and templates: 6 to 10 weeks for an SME. Without preparation, this can stretch to 4–6 months.


Ready to Take the Next Step?

Want to lead CyFun and NIS2 projects as a freelance project manager — or looking for a partner for the technical and compliance side?

📞 Get in touch via freelanceprojectmanager.be/contact

For NIS2 implementation support and CyFun expertise at your clients:

🔒 RGI bv — NIS2 Compliance for Belgian SMEs
🔒 RGI bv — CyFun Implementation Belgium


FreelanceProjectManager.be provides tailored project leadership — including NIS2, CyFun, and cybersecurity projects.
