Belgium’s first year of NIS2: What CyFun means for you

At a Belgian shipping terminal, an automated gate system failed for just one hour because the supplier’s camera equipment malfunctioned. In that hour, around 12 km of trucks backed up on the Ring of Antwerp. This shows how quickly operations can grind to a halt if supply-chain cyber and operational controls are weak.

If your organisation or your customers operate in energy, healthcare, public administration or manufacturing, the new Belgian cybersecurity rules under NIS2 likely affect you. Directly in-scope entities must comply, and many suppliers are now being asked to meet similar standards.

Last week, the Centre for Cybersecurity Belgium (CCB) marked one year of NIS2 implementation and unveiled CyberFundamentals 2025 (CyFun 2025). This is a refreshed national framework designed to help entities meet EU cybersecurity standards in a practical, risk-based way. Nearly a thousand professionals joined the event to discuss progress, lessons learned, and what lies ahead for 2026 and beyond.

Below, we unpack key trends from one year of NIS2 and what they mean for cybersecurity leaders across Belgium.

One year of NIS2 implementation in Belgium

Steady progress

One year after the NIS2 Directive took effect, Belgium’s rollout is considered smooth and on track.

So far, around 1,500 essential and 500 important entities have registered with the CCB. While some sectors remain underrepresented, most in-scope organisations are now correctly identified.

Roughly 70–75% of those entities have already started implementing a cybersecurity framework, either CyFun or ISO 27001. In practice, essential entities often lean towards the latter, which gives more flexibility in how objectives are met. Smaller and public-sector organisations instead tend to prefer CyFun for its clear, step-by-step guidance.

For a detailed comparison of both approaches and which one might fit your organisation best, read Cingulum’s blogpost on choosing between ISO 27001 and CyFun 2025.

Conformity assessments

The accreditation process for Conformity Assessment Bodies (CABs) is expected to fully conclude around April 2026, but audits are already underway. Several authorised CABs are now performing assessments, and the first organisations have already received CyFun labels.

If your organisation has not yet started, the coming months are the ideal window to strengthen your controls before facing an external assessment. By 2027, the first major audit cycle will be in full swing, so entities that prepare early will have a clear advantage and fewer surprises.

A cultural shift

Perhaps the most remarkable outcome of the first year is the tone of cooperation.
The CCB has focused on education and support rather than punishment, meaning no sanctions have been issued so far. Entities are encouraged to report incidents early and treat inspections as a learning exercise.

A good example comes from the waste-management sector. Several container-park operators, through their umbrella organisation, entered into dialogue with the CCB about their classification level. They were initially listed as essential entities because they also manage small bioenergy and solar installations, which make up only a fraction of their operations. After explaining the limited critical impact, they were able to agree on a more realistic “important” level, which they are now actively implementing.

CyberFundamentals 2025: Belgium’s next-generation framework

Purpose and structure

CyFun 2025 is Belgium’s official national cybersecurity baseline, developed by the CCB and supervised by the National Cybersecurity Certification Authority (NCCA).

It continues to follow its founding “Principle of Balance”. This ensures proportionality between risks and security measures and defines three assurance levels. These should not be confused with the NIS2 entity categories, even though they use the same terms.

  • Basic: standard information-security measures that every organisation should have in place
  • Important: controls designed to minimise the risk of targeted but common cyberattacks
  • Essential: capabilities to detect and respond effectively to advanced, targeted attacks

Each organisation’s CyFun assurance level is determined by its criticality and size, but this is separate from NIS2’s classification of essential or important entities. It is a common point of confusion because the same terms are used for both, but they refer to different things. For example, an organisation may be classified as essential under NIS2 but still only need to meet the important assurance level under CyFun. While NIS2 defines which organisations fall under the law, CyFun defines how far they must go to comply.

Although organisations can temporarily start at a lower level to phase in maturity, they are legally required to reach the mandated level within the prescribed deadlines.

This tiered structure turns the abstract idea of “risk-based security” into concrete, measurable obligations. It also gives entities a roadmap to strengthen their defences in line with their legal targets and risk exposure, helping them prioritise what matters most instead of treating cybersecurity as a one-size-fits-all exercise.

What’s new in CyFun 2025

The new release modernises the 2023 version and aligns fully with the NIST Cybersecurity Framework 2.0 and ISO 27001 standards.

Key improvements include:

  • Stronger focus on Operational Technology (OT) and supply-chain resilience
  • A new Governance category to elevate cybersecurity to board level
  • Clearer, auditable control objectives for better oversight
  • Updated guidance and improved readability based on feedback
  • A significantly updated control set: roughly one-third of the controls were revised, so organisations that implemented CyFun 2023 should revisit their mappings and evidence.

In practical terms, CyFun 2025 feels less like a compliance checklist and more like a field manual. It reflects how security teams should work: start by identifying what truly needs protection, then build defences around it. Too often, organisations jump straight to installing firewalls and antivirus tools without first understanding their assets, processes, and data flows. CyFun helps correct that imbalance by putting “identify” back at the beginning of the cycle, which is then followed by protect, detect, respond, and recover.

CyFun 2025 now consists of 218 controls in total:

  • 34 Basic
  • 99 Important
  • 85 Essential

This structure makes it easier to link CyFun directly with daily operations, such as monitoring incidents, training staff, or verifying supplier security. It allows teams to measure real progress rather than simply ticking boxes.

Incident handling: lessons from year one

Between October 2024 and September 2025, the CCB received 279 incident notifications from NIS2 entities:

  • 70 significant
  • 7 under review
  • 202 non-significant

The most affected sectors were public administration, digital infrastructure, ICT services, and healthcare.

Ransomware remains the leading threat, followed by operational outages and data-related incidents. Notably, significance under NIS2 isn’t limited to cyber-attacks: supplier outages or prolonged downtime can also qualify if essential services are affected.

Key takeaways from the CCB’s follow-up:

  • Third-party and supply-chain risks must be actively managed. Under Belgian NIS2 law, entities remain legally responsible for incidents even when direct responsibility for implementing the security controls lies with a supplier. Supply-chain risk should not only be addressed technically; review your contracts with each supplier as well. After all, if something goes wrong, liability will be assessed on the basis of that contract.
  • Root-cause analysis (RCA) and clear remediation plans build regulator confidence.
  • The CCB’s approach remains constructive and improvement-oriented, not punitive.

Best practices for organisations:

  • Keep up-to-date incident-response documentation and escalation plans
  • Test recovery and continuity processes regularly
  • Reinforce basic cyber hygiene: backups, patching, MFA, monitoring
  • Use CyFun’s maturity and self-assessment tools to guide your implementation, but combine them with internal validation or external checks to ensure your results are reliable. Keep in mind that the accuracy of these tools’ results depends on the accuracy of the input!
  • Don’t forget your contracts, especially those with suppliers of critical systems. We have seen it often in practice: the collaboration with the supplier is long-standing and runs smoothly, but nobody knows whether a conclusive contract with that supplier exists. That is a significant risk, not only under NIS2 but also for business continuity.

Trends and strategic implications

  • Cybersecurity is now a boardroom topic. NIS2 and CyFun 2025 make executives accountable for cyber risk management.
  • Operational Technology joins IT. The new framework explicitly covers industrial systems, bridging security for sectors like energy and transport.
  • Supply-chain security is non-negotiable. Continuous supplier assessment and contractual controls are baseline expectations.
  • Frameworks are converging. CyFun 2025 aligns with ISO 27001 and NIST CSF 2.0, allowing a single roadmap for multiple requirements.
  • Certification becomes a trust signal. Early certification under CyFun or ISO strengthens credibility and tender competitiveness.
  • From compliance to resilience. Entities using structured frameworks report fewer and less severe incidents. This is measurable proof that good cybersecurity pays off.

Final stretch of preparation

As 2025 draws to a close, organisations are entering the final stretch of preparation.

With conformity assessments already underway and scaling in 2026, organisations that act now can avoid bottlenecks and turn early certification into an advantage.

CyFun 2025 is already drawing interest abroad: France’s ANSSI and Ireland’s NCSC are exploring interoperability under the EU Cybersecurity Certification Framework. This is a promising step toward cross-border recognition.

Written by

Bernd Fiten

Michaël Thomas