Cyber Fundamentals
Ireland has joined the Belgian Cyber Fundamentals Scheme (CyFun) as a scheme owner to provide a structured, risk-based approach for essential and important entities to demonstrate compliance with the NIS2 Directive.
The NCSC recommends the CyberFundamentals (CyFun) framework (NIST CSF 2.0 version, to be released later this year) as a well-recognised, structured, voluntary tool to assist entities in meeting their NIS2 obligations.
Certification through CyberFundamentals will be optional but is seen as a strong and credible route to demonstrating compliance and can also serve as a business enabler and trust-building mechanism in supply chains and regulatory contexts.
The CyFun framework provides a tiered, standards-based framework. Version 1 is available for use now, and Version 2 (aligned to NIST CSF 2.0), due in September 2025, is the version to be used for NIS2 compliance. However, starting your compliance journey by aligning with the fundamentals provided for in Version 1 will allow for a strong base once Version 2.0 is released.
At a broader level, a national certification system will take 18–24 months to establish due to the need for legal agreements, resourcing, and accreditation infrastructure. In the meantime, entities are encouraged to use the framework internally and begin preparations.
Developed by the Centre for Cybersecurity Belgium (CCB), the CyFun framework has been built to be recognised at European level, thereby meeting NIS2 requirements. The Belgian accreditation body BELAC has started the process to ensure formal recognition is received. As this continues, the framework has also been formally adopted by both Ireland and Romania, with other European countries exploring its introduction. The CCB maintains the framework and associated documents as primary scheme owner, which allows for its roll-out to other European countries.
The Role of CyFun in Ireland’s Compliance Framework
The development of Ireland’s NIS2 compliance framework will be underpinned by the requirements set out in the National Cyber Security Act (once published), and any subsequent associated statutory instruments. The primary legislation will establish the overarching security obligations, while subsequent statutory instruments will provide more detailed requirements, including the risk management measures essential and important entities must implement. CyFun will serve as a key component of this compliance structure, both informing the statutory instrument and acting as a recognised means by which entities can clearly demonstrate compliance.
The scheme does not, however, represent the sole route to compliance, and will be optional and voluntary. The NCSC will continue to recognise other internationally accepted standards such as ISO 27001 for information security and ISO 62443 for industrial control systems. Similarly, direct assessments carried out by National Competent Authorities (NCAs), or self-assessments for lower-risk entities, may also occur where appropriate. This approach is designed to provide flexibility, ensuring that organisations can meet their obligations in a way that aligns with their existing security frameworks while maintaining consistency with the Directive’s core requirements.
How the Cyber Fundamentals Scheme Works
CyFun is a structured framework designed to provide a risk-based approach to cybersecurity, built around a model that allows organisations to be assessed at different levels of maturity. It is fundamentally based on the NIST Cybersecurity Framework (CSF), which is widely recognised internationally, and serves as the foundation for many cybersecurity assurance schemes.
At the core of the scheme is an initial selection tool that enables an organisation to determine its cybersecurity maturity level. This assessment considers factors such as the organisation’s size, sector, risk exposure, and the potential impact of a security incident. Based on this assessment, the organisation is assigned one of four levels (Small, Basic, Important, Essential) of security maturity, ranging from foundational cybersecurity controls at the lower levels to more stringent requirements for high-risk entities.
For organisations classified as important or essential under NIS2, CyFun provides a pathway to certification or formal assurance. This ensures that organisations with a high degree of societal or economic importance can demonstrate compliance through a structured, externally validated process. Once the forthcoming update is released, the scheme’s reliance on NIST CSF V2.0 provides a well-established framework structured around six key cybersecurity functions:
- Govern: Determining how an organisation’s cybersecurity risk management strategy, risk appetite and policy are established, communicated, and monitored.
- Identify: Understanding organisational risks, assets, and vulnerabilities.
- Protect: Implementing controls to prevent cybersecurity incidents.
- Detect: Developing capabilities to recognise and respond to threats.
- Respond: Establishing incident response and mitigation procedures.
- Recover: Ensuring business continuity and resilience following incidents.

By structuring compliance around these core principles, CyFun provides a flexible but comprehensive framework that can be adapted across multiple sectors. CyFun is currently being updated to reflect the NIST CSF v2.0 changes. The NCSC is contributing to this update, which is expected to be completed by Q3 2025.
Cyber Fundamentals Resources
While the NCSC will develop specific resources and guides for the operation of CyFun in Ireland, there is already a significant amount of tooling and supports available from the CCB on their CyFun home page. There is also an FAQ page available here: CyFun FAQs.