Cybersecurity-Archiv - Vertrauenscheck

Muss ich meine Cybersicherheitsreife gesetzlich nachweisen?

admin4035 — Mo., 22. Sep. 2025 17:41:00 +0000

Under the EU NIS2 Directive, certain organizations classified as essential and important are legally required to taking cybersecurity risk-management measures. Essential entities shall demonstrate cybersecurity maturity. This includes sectors such as energy, transport, health, finance, digital infrastructure, and public administration.
Failure to comply can result in audits, corrective measures, and administrative fines.

The centre for cybersecurity in belgium developped a tool to figure out if your entity fall under the NIS2 law or not. Refer to this link to find the tool.

Obligations of Essential and Important Entities under the NIS2 Law (Belgium)

The Belgian NIS2 law, which transposes the EU Directive 2022/2555, imposes several cybersecurity obligations on entities deemed essential or important for the functioning of society and the economy.

1. Registration

Entities falling within the scope of the NIS2 law must register with the Centre for Cybersecurity Belgium (CCB) via the Safeonweb@work platform. This registration is mandatory and ensures that the CCB can effectively supervise and support these entities.

2. Cybersecurity Risk Management Measures

Both essential and important entities are required to implement appropriate technical, operational, and organizational measures to manage cybersecurity risks. These measures aim to:

Secure network and information systems.
Prevent incidents.
Minimize the impact of incidents on customers and services.

4. Supply chain security

Essential and Important entities must take appropriate and proportionate cybersecurity risk-management measures on their supply chain. This is why many companies outside NIS2 scope adopt CyFun® to strengthen cybersecurity governance or because a customer, supplier, or partner requires proof of compliance.

5. Notification of Significant Incidents

Entities must report any significant incidents to the national CSIRT, which in Belgium is the CCB. This includes:

Incidents causing severe operational disruption.
Incidents with potential cross-border effects.
Financial or reputational damage.

The reporting process includes:

Initial notification within 24 hours.
Detailed incident report within 72 hours.
Final report within one month.

4. Obligations for management

The management bodies of NIS2 entities are responsible for:

Approving cybersecurity risk-management measures and supervise their execution.
Following a training to ensure that their knowledge and skills are sufficient to identity risks and treatment

In case of non-compliance, management can be held liable.

5. Supervision

Essential entities must undergo regular compliance assessments, choosing one of the following:
- CyberFundamentals Certification or verification.
- ISO/IEC 27001 Certification.
- Audit by the CCB’s audit service.
Important entities must not undergo a regular compliance assessment.

6. Sanction

Essential and Important entities which do not respect their obligations can be subjected to a series of administrative measures and fines.

L’article Must I demonstrate my cybersecurity maturity by law? est apparu en premier sur Trust Check.

Wo finde ich das CyFun® Framework?

admin4035 — Mo, 22 Sep 2025 17:37:02 +0000

The official CyFun® framework is published by the Centre for Cybersecurity Belgium (CCB) and available on their website atwork.safeonweb.

L’article Where can I find the CyFun® framework? est apparu en premier sur Trust Check.

Was ist der Unterschied zwischen CyFun® und ISO/IEC 27001?

admin4035 — Mo, 22 Sep 2025 17:35:10 +0000

Aspect	CyFun®	ISO/IEC 27001
Scope	NIS2 compliance, practical controls	Comprehensive ISMS, global standard
Levels	Basic, Important, Essential	No levels; one standard
Certification	National/EU recognition, CCB-driven	International, ISO-accredited bodies
Target	All organizations	mature organization
Approach	Include OT, IT and other standard as well (NIST, CIS…)	ISO

CyFun® and ISO/IEC 27001 are interconnected through reference matrices, enabling organizations to map requirements and controls between both frameworks. This facilitates dual compliance and helps organizations leverage existing certifications to meet new regulatory expectations.

L’article What is the difference between CyFun® and ISO/IEC 27001? est apparu en premier sur Trust Check.

Wo wird das CyFun® Label und die Verifizierung anerkannt?

admin4035 — Mo, 22 Sep 2025 17:28:22 +0000

The CyFun® Label is recognized nationally in Belgium as a trusted proof of cybersecurity maturity. It is accepted by authorities, partners, and customers as evidence of compliance.

Today, more and more EU countries are recognizing CyFun®, including France, Romania, and Ireland, with others expected to follow soon.

For organizations, CyFun® means easier access to new markets, streamlined compliance processes, and increased trust from clients and partners.

As CyFun® aligns with European frameworks such as NIS2 and GDPR, it is becoming a continental reference for cybersecurity assurance.

L’article Where is the CyFun® Label and verification recognized? est apparu en premier sur Trust Check.

Wie werden die an Trust Check gesendeten Informationen geschützt?

admin4035 — Mo., 22. Sep. 2025 15:23:14 +0000

All documents and communications are protected using Traffic Light Protocol (TLP)
Access is restricted to authorized personnel only.
Trust Check follows data protection best practices in compliance with GDPR and cybersecurity standards.
Critical evidences are saved offline after the verification mission

L’article How is the information sent to Trust Check protected? est apparu en premier sur Trust Check.

Was kann ich tun, wenn ich nicht möchte, dass meinem Auftrag eine bestimmte Prüfstelle zugewiesen wird?

admin4035 — Mo., 22. Sep. 2025 15:22:47 +0000

You can request a different verifier during the verification plan step.
Trust Check maintains a pool of qualified verifiers, and assignments are flexible to prevent conflicts of interest.
Your request is handled confidentially.

L’article What can I do if I don’t want a specific verifier assigned to my mission? est apparu en premier sur Trust Check.

Was kann ich tun, wenn ich das Prüfergebnis nicht akzeptiere?

admin4035 — Mo., 22. Sep. 2025 15:22:26 +0000

You may request a review or clarification from Trust Check. Check appeals and complaints page.
The process ensures fairness and transparency.

L’article What can I do if I don’t accept the verification result? est apparu en premier sur Trust Check.

Wie viele Kontrollen werden auf jeder Ebene bewertet?

admin4035 — Mo, 22. Sep 2025 15:22:03 +0000

Basic Level: Approximately 34 controls, covering fundamental cybersecurity measures required for important entities.
Important Level: Around 143 controls (including the Basic’s ones), including advanced technical and organizational measures for essential entities.

These controls align with the CCB CyberFundamentals framework.

L’article How many controls are evaluated at each level? est apparu en premier sur Trust Check.

Wie lange dauert eine Verifizierung?

admin4035 — Mo., 22. Sep. 2025 15:21:31 +0000

The duration depends on the scope and complexity of your IT environment. Typically:

Basic Level (Cyber PR1): 2–4 days
Important Level (Cyber PR2): 3–5 days

L’article How long does a verification take? est apparu en premier sur Trust Check.

Kann die Verifizierungserklärung an Partner oder Aufsichtsbehörden weitergegeben werden?

admin4035 — Mo., 22. Sep. 2025 15:21:02 +0000

Yes, the verification report can be shared to demonstrate compliance and provide evidence during audits or contractual evaluations

L’article Can verification statement be shared with partners or regulators? est apparu en premier sur Trust Check.