The Cyber Fundamentals Framework: A Rising European Standard for Cyber Resilience

In today’s interconnected economy, cybersecurity is no longer a luxury reserved for tech giants. It is a fundamental requirement for business continuity. For organisations looking to secure their operations and meet European standards, the Cyber Fundamentals (often referred to as CyFun) Framework has long been the go-to roadmap.
However, with the rise of more sophisticated threats and new regulations like the EU’s NIS 2 Directive, the framework has evolved. Often referred to as CyFun 2.0, the latest CyFun 2025 update (version 2) provides a strengthened, more risk-based approach. But what exactly has changed, and how can your organisation achieve certification? Let’s break it down.

What is the Cyber Fundamentals Framework 2.0?

The CyFun Framework is a practical set of concrete, actionable security measures designed to protect organisations from the most common cyber threats. Originally developed in Belgium, the framework is maintained by Belgium, Ireland and Romania, with other European countries exploring its introduction and recognition.
Think of CyFun as a “health check” for your company’s digital security. It takes globally recognised standards, such as NIST and ISO, and makes them accessible for businesses of all sizes - from small shops to major enterprises. While the 2023 version was based on the NIST 1.1 model, the new CyFun 2025 update (version 2) is aligned with NIST CSF 2.0. This update is significant because it shifts the focus from purely technical fixes to a more holistic management approach, ensuring that security is integrated into the very fabric of how a company is operated and governed.

The Six Core Pillars of CyFun 2.0

While previous versions focused on the “how” of protection, CyFun 2.0 introduces a more comprehensive structure. By adopting the NIST 2.0 philosophy, it adds a critical ‘Govern’ function to the original five pillars.
It is organised around six core functions:
  1. Govern: Establishing the organisation’s cybersecurity risk management strategy, expectations, and policies. It focuses on leadership accountability, ensuring that risk management is a boardroom priority rather than just an IT task.
  2. Identify: Understanding the organisation’s current cybersecurity risks. This involves identifying assets, including data, hardware, software, systems, facilities, services, and people, to prioritise efforts consistent with the mission needs identified under Govern.
  3. Protect: Implementing safeguards to prevent or limit the impact of cyber risks. This includes technical controls like authentication, access control, staff awareness, and technology infrastructure resilience.
  4. Detect: Finding and analysing possible cybersecurity attacks and ensuring you have the tools in place to spot a security breach as soon as it happens. Effective detection relies on continuous monitoring and logging to catch unusual activity before it escalates.
  5. Respond: Creating a clear action plan for when an incident occurs to contain the damage. This pillar ensures you have a tested incident response team and communication protocols ready to go.
  6. Recover: Developing the capability to restore services and data so business can return to normal quickly. This involves robust backup strategies and disaster recovery testing to ensure minimal downtime.

The Four Tiers of CyFun 2.0

A key strength of CyFun 2.0 is its scalability. It is a maturity-based model, meaning it meets you at your business’s current level.
Organisations can engage with CyFun 2.0 at four different tiers:
  • Small: The starting point for micro-organisations or those with very limited technical knowledge. It focuses on a small set of ‘rules of thumb’ to establish basic safety.
  • Basic: Focuses on essential “Cyber Hygiene”. This level is ideal for small organisations looking to implement foundational controls like MFA, patching, and backups.
  • Important: Targeted at mid-sized organisations or those within a supply chain. It requires a more proactive stance on risk management and documented security policies.
  • Essential: The highest tier, intended for critical infrastructure. In Ireland, CyFun is being positioned as a structured way for essential and important entities to organise and evidence NIS2 security measures, with a national certification approach under development.

How to Achieve CyFun 2.0 Certification

  1. Scoping and Selection: Determine which level - Small, Basic, Important, or Essential - fits your risk profile. This is usually based on your size, the sensitivity of the data you handle, and your role in the national infrastructure.
  2. Gap Analysis: Compare your current measures against CyFun 2.0 controls to identify weak spots.
  3. Implementation: Address technical fixes, like firewalls and patching, and administrative needs (Governance). This means documenting your policies and ensuring senior management signs off on the security strategy.
  4. Verification: For Small/Basic, many organisations start with a structured self-assessment and evidence pack, then pursue external verification/certification where required by customers, regulators, or national approaches. For Important/Essential, independent assessment is typically expected.

Why Choose CyFun 2.0?

Moving to the 2.0 standard offers more than just a ‘badge’ for your website.
  • The Bridge to NIS2: While CyFun doesn’t automatically grant legal compliance, it’s increasingly used as a method of demonstrating cybersecurity maturity and awareness. In Belgium, it’s referenced in legislation with a ‘presumption of conformity’ approach (until proven otherwise). In other countries, it’s positioned as a voluntary framework to help organisations organise and evidence NIS2 measures.
  • Operational Resilience: By following the ‘Recover’ and ‘Respond’ pillars, you ensure that a cyberattack doesn’t mean the end of your business.
  • Market Trust: Having an independent certification proves to partners and clients that you are a ‘secure link’ in their overall supply chain.

Evolving With the Standard

While the transition to CyFun 2.0 can seem very daunting, it doesn’t have to be a manual burden. At OneClickComply, we recognise that this framework is fast becoming the unified language of European cybersecurity.
Even though we are currently integrating the 2.0 framework directly into our platform, you can start building towards it today using the standards already on our platform. Cyber Fundamentals overlaps heavily with ISO 27001 and Cyber Essentials. If you’ve already implemented strong access control and patch management practices, you’re likely covering a meaningful portion of CyFun requirements, and in some cases that coverage can be evidenced through mapping.
We believe that by combining the structured roadmap of Cyber Fundamentals with our automation engine, from OneClickFix to Continuous Monitoring, businesses can achieve high-level resilience without the traditional administrative headache. We don’t just help you meet the standard; we grow with you to ensure you are always audit-ready, no matter how the regulations shift.
With Cyber Fundamentals 2.0, you have the map. With OneClickComply, you’ll have the engine to get there.

 

Written by

Rutuja Tilekar

Operations Analyst