Cyber Fundamentals (CyFun) Frequently Asked Questions
Last Updated: 23/6/2025
1. What is CyFun?
CyFun is a structured framework designed to provide a risk-based approach to cybersecurity, built around a model that allows organisations to be assessed at different levels of maturity. It is largely based on the NIST Cybersecurity Framework. CyFun 2023 is based on the NIST 1.1 Framework. CyFun 2025 is based on the NIST 2.0 Framework.
2. What are the key objectives of CyFun?
CyFun aims to protect data, reduce the risk of common cyberattacks and increase an organisation’s cyber resilience.
3. What are the different assurance levels in CyFun?
CyFun has three assurance levels. These are Basic, Important, and Essential.
4. What is the difference between Essential and Important entities?
As per the NIS 2 Directive, an Essential Entity is one that was either deemed an Operator of an Essential Service (OES) under NIS 1 or otherwise meets the criteria set out in Article 3(1) of the Directive. An Important Entity is an entity of a type referred to in Annex I or II of the Directive which does not qualify as an Essential Entity. Please refer to the NIS2 Quick Reference Guide: https://www.ncsc.gov.ie/pdfs/NCSC_NIS2_Guide.pdf
5. How does CyFun relate to NIS2?
CyFun is a tool that can be used by an entity or organisation to assess its cybersecurity risk. This tool does not prove that an entity is compliant with its NIS2 obligations but can provide a structured assessment framework to demonstrate cybersecurity maturity. The relevant NIS2 Competent Authority may have more specific guidance on how an entity meets the requirements of the Directive for that sector using an assurance model.
6. Will there be a national certification system?
Yes, there will be a certification scheme for the CyFun framework. This will be Ireland's national certification scheme for NIS2. Certification is expected to be available by 2027. Recognition of CyFun Certification as a presumption of conformity for NIS2 will be for the responsible National Competent Authorities.
7. What is meant by “substantiated” statement of applicability?
The definition of “substantiated” is as in ISO/IEC 27006-1:2024 clause 9.3.2.2 (f): the substantiation of the Statement of Applicability (SoA) has to allow the assessment of the effective implementation of the controls. In other words, there must be evidence that a control is implemented and is effective.
8. Is CyFun accepted EU wide?
The CyberFundamentals Framework is originally a Belgian framework, developed by the Centre for Cybersecurity Belgium (CCB) but built in such a way that it can be recognised at European level, a process that has now been initiated by BELAC. At the moment, CyFun is only registered in legislation in Belgium in order to be able to assume, until proven otherwise, that the entity meets its NIS2 cybersecurity obligations (presumption of conformity). Meanwhile, the framework has been formally adopted by Romania. How it will be used in their operational rollout of NIS2 is under construction there. Other European countries also recognise the value of CyFun® (including France) and are looking at how they can recognise or even fully adopt this framework. Ireland will be adopting CyFun as its national assessment and certification scheme and has become a joint owner of the scheme.
9. What are the differences between ISO/IEC 27001 and CyFun?
CyFun is designed to help organisations protect their data, reduce the risk of common cyber-attacks, and increase cyber resilience. Based on four commonly used cybersecurity frameworks (NIST CSF, ISO/IEC 27001, CIS Controls, and IEC 62443), it also uses anonymised historical data of successful cyber-attacks to identify the different measures in the framework. The CyFun® Framework has a formal conformity assessment scheme and is focused on practical measures to identify, assess, and mitigate cybersecurity risks, with an emphasis on resilience and recovery from cyber incidents. ISO/IEC 27001:2022 is an international standard for information security management systems (ISMS). It provides a framework for managing and protecting information assets and outlines requirements for establishing, implementing, maintaining, and continually improving an ISMS, aligned with other ISO management system standards.
10. What are the differences between ISO/IEC 27001 and CyFun?
Yes, CyFun is a preferred method of the National Competent Authority for Public Administration for demonstrating compliance with NIS2 for entities in the public administration sector. The National Competent Authority for Public Administration is based in the NCSC.