In Belgium, officially recognize your level of maturity in cybersecurity with the CyberFundamentals CyFun®
Who are our cybersecurity services for?
NIS2 Entities
These are organizations that fall under the scope of the NIS2 Law.
- Regulatory Compliance: NIS2 Essential entities are legally required to implement and demonstrate robust cybersecurity measures. A CyFun® verification provides an independent, accredited assessment aligned with the Belgian NIS2 law.
- Risk Management: The verification helps identify vulnerabilities and ensures that appropriate risk management practices are in place.
- Trust and Accountability: Demonstrating compliance through an accredited verification enhances trust with regulators, partners, and customers.
Small and medium companies providing products/services to NIS2 entities
These are SMEs that provide products or services to NIS2 entities and are part of their supply chain.
- Supply Chain Assurance: NIS2 entities are required to assess the cybersecurity posture of their suppliers. A CyFun® verification can serve as a trusted assurance mechanism.
- Business Continuity: By proactively addressing cybersecurity risks, SMEs can reduce the likelihood of disruptions that could affect their clients.
- Market Access: Verified cybersecurity practices can be a decisive factor in winning contracts with NIS2-regulated organizations.
All other companies that want a competitive advantage
These are organizations not directly subject to NIS2 but aiming to stand out in their market through strong cybersecurity practices.
- Market Differentiation: Demonstrating verified cybersecurity practices can be a unique selling point in competitive markets.
- Customer Confidence: Clients are increasingly prioritizing security when choosing suppliers. A CyFun® verification signals a commitment to protecting data and systems.
- Preparation for Future Regulations: As cybersecurity regulations evolve, early adoption of best practices positions companies ahead of the curve.
Why choose a CyFun® verification?
The CyFun® verification allows you to receive an official label for your cybersecurity maturity level (Basic or Important) according to a recognized framework. You can then:
- Strengthen confidence in your organisation and progress your maturity in a structured, consistent way towards certification (Essential level).
- Avoid multiple audits from customers, insurers, or authorities regarding NIS2 requirements.
- Gain credible and independent external recognition.
- Obtain a recognized label managed by the Belgian Cybersecurity Centre (CCB) that sets you apart from competitors.
- For NIS2 entities, ensure compliance with the Belgian NIS2 law (2024-202344).
An accredited body is required to verify your cybersecurity maturity level.
Enhance your self-assessment by completing the official CyFun® verification with What a Work, a body accredited by BELAC (No. 770-VV) under the ISO/IEC 17029 standard.
The verification is carried out by our specialized division, Trust CHECK.
To understand the benefits of working with an accredited body, visit this page. Only accredited bodies can provide you with an official and recognized report, and the Centre for Cybersecurity Belgium (CCB) will then issue the official CyFun® label.
Furthermore, What a Work is also authorized by the CCB, ensuring full confidence in our independence and capability to perform the verification.
How to demonstrate your level of cybersecurity maturity?
Key steps at a glance:
- Read the framework provided by the Cybersecurity Centre in Belgium (CCB) via this link.
- Define the status of your entity (Basic, Essential, Important) based on your risk analysis via this link.
- Complete your self-assessment via this link with your internal team or external providers.
- Submit your declaration of maturity to our organization (template available on request).
- We conduct a pre-commitment review to confirm feasibility (competence, resources, conflict of interest, etc.).
- Sign the quote
- Submit your self-assessment and supporting evidence.
- We review your self-assessment, evidence, and conduct an on-site check.
- Receive an official verification report along with a verification statement if our experts confirm your declaration.
- Submit the report to the Belgian Cybersecurity Centre (CCB) and obtain access to the recognized CyFun® label.
Our audit services are available in two separate programmes:
* Basic Program (Cyber PR1)
* Important Program (Cyber PR2)
Documentation available upon request.
Already a Trust CHECK customer?
Benefit from limited verification
If you have already completed a first verification with us, enjoy a lighter process focusing only on updates:
- Reduced time commitment
- Adjusted pricing
- Up-to-date proof for your stakeholders
FAQ
Cybersecurity
CyFun® Verification is an independent verification of your cybersecurity maturity based on the CyberFundamentals (CyFun®) framework from the Belgian Cybersecurity Centre (CCB). Once you receive the verification statement from Trust CHECK, you can request your label from the CCB.
- Self-assessment: Use CCB tools to evaluate your current cybersecurity maturity.
- Submission: Submit your self-declaration and supporting evidence to Trust Check.
- Audit: An on-site or remote assessment validates compliance.
- Report: Receive an official verification report and certificate.
All steps are traceable and documented to ensure transparency.
- Your filed self-assessment and all documentary and implemented evidence, such as:
- Current cybersecurity policies and procedures
- Evidence of technical measures (firewalls, backups, monitoring logs)
- Incident response and business continuity plans
- Access control and user management documentation
- Any useful reports
- A CyFun® Verification report is generally valid for 12 months, after which a re-assessment is recommended to ensure ongoing compliance.
- Continuous monitoring and updates are recommended for entities subject to NIS2.
Yes. A verification statement may be revoked if:
- New evidence of non-compliance is discovered.
- The organization fails to maintain required cybersecurity measures.
- Misrepresentation or fraudulent information is found in the submitted documentation.
- Evaluate current cybersecurity maturity.
- Identify gaps and areas requiring improvement.
- Demonstrate compliance to regulators, partners, and clients.
It aligns with obligations under NIS2 for essential and important entities.
- Failure to comply with NIS2 can result in administrative fines and, in severe cases, operational restrictions.
- The exact penalty depends on:
- The severity of the non-compliance
- The size and criticality of the entity
- The risk posed to essential services
CyFun® Verification helps mitigate the risk of fines by providing documented proof of proactive compliance measures.
- Independence: Third-party validation ensures objectivity.
- Official recognition: Reports are recognized by the Belgian Cybersecurity Centre.
- Efficiency: Streamlined process adapted to Belgian legal requirements.
Yes, the verification report can be shared to demonstrate compliance and provide evidence during audits or contractual evaluations.
The duration depends on the scope and complexity of your IT environment. Typically:
- Basic Level (Cyber PR1): 2–4 days
- Important Level (Cyber PR2): 3–5 days
- Basic Level: Approximately 34 controls, covering fundamental cybersecurity measures required for important entities.
- Important Level: Around 143 controls (including the Basic ones), including advanced technical and organizational measures for essential entities.
These controls align with the CCB CyberFundamentals framework.
- You may request a review or clarification from Trust Check. See the appeals and complaints page.
- The process ensures fairness and transparency.
- You can request a different verifier during the verification plan step.
- Trust Check maintains a pool of qualified verifiers, and assignments are flexible to prevent conflicts of interest.
- Your request is handled confidentially.
- All documents and communications are protected using the Traffic Light Protocol (TLP).
- Access is restricted to authorized personnel only.
- Trust Check follows data protection best practices in compliance with GDPR and cybersecurity standards.
- Critical evidence is saved offline after the verification mission.
The CyFun® Label is recognized nationally in Belgium as a trusted proof of cybersecurity maturity. It is accepted by authorities, partners, and customers as evidence of compliance.
Today, more and more EU countries are recognizing CyFun®, including France, Romania, and Ireland, with others expected to follow soon.
For organizations, CyFun® means easier access to new markets, streamlined compliance processes, and increased trust from clients and partners.
As CyFun® aligns with European frameworks such as NIS2 and GDPR, it is becoming a continental reference for cybersecurity assurance.
| Aspect | CyFun® | ISO/IEC 27001 |
|---|---|---|
| Scope | NIS2 compliance, practical controls | Comprehensive ISMS, global standard |
| Levels | Basic, Important, Essential | No levels; one standard |
| Certification | National/EU recognition, CCB-driven | International, ISO-accredited bodies |
| Target | All organizations | Mature organizations |
| Approach | Includes OT, IT and other standards as well (NIST, CIS…) | ISO |
CyFun® and ISO/IEC 27001 are interconnected through reference matrices, enabling organizations to map requirements and controls between both frameworks. This facilitates dual compliance and helps organizations leverage existing certifications to meet new regulatory expectations.
The official CyFun® framework is published by the Centre for Cybersecurity Belgium (CCB) and available on their website atwork.safeonweb.
Under the EU NIS2 Directive, certain organizations classified as essential and important are legally required to take cybersecurity risk-management measures. Essential entities shall demonstrate cybersecurity maturity. This includes sectors such as energy, transport, health, finance, digital infrastructure, and public administration.
Failure to comply can result in audits, corrective measures, and administrative fines.
The Centre for Cybersecurity Belgium developed a tool to determine whether your entity falls under the NIS2 law. Refer to this link to find the tool.
Obligations of Essential and Important Entities under the NIS2 Law (Belgium)
The Belgian NIS2 law, which transposes the EU Directive 2022/2555, imposes several cybersecurity obligations on entities deemed essential or important for the functioning of society and the economy.
1. Registration
Entities falling within the scope of the NIS2 law must register with the Centre for Cybersecurity Belgium (CCB) via the Safeonweb@work platform. This registration is mandatory and ensures that the CCB can effectively supervise and support these entities.
2. Cybersecurity Risk Management Measures
Both essential and important entities are required to implement appropriate technical, operational, and organizational measures to manage cybersecurity risks. These measures aim to:
- Secure network and information systems.
- Prevent incidents.
- Minimize the impact of incidents on customers and services.
4. Supply chain security
Essential and Important entities must take appropriate and proportionate cybersecurity risk-management measures on their supply chain. This is why many companies outside NIS2 scope adopt CyFun® to strengthen cybersecurity governance or because a customer, supplier, or partner requires proof of compliance.
5. Notification of Significant Incidents
Entities must report any significant incidents to the national CSIRT, which in Belgium is the CCB. This includes:
- Incidents causing severe operational disruption.
- Incidents with potential cross-border effects.
- Financial or reputational damage.
The reporting process includes:
- Initial notification within 24 hours.
- Detailed incident report within 72 hours.
- Final report within one month.
4. Obligations for management
The management bodies of NIS2 entities are responsible for:
- Approving cybersecurity risk-management measures and supervising their execution.
- Following training to ensure that their knowledge and skills are sufficient to identify risks and their treatment.
In case of non-compliance, management can be held liable.
5. Supervision
- Essential entities must undergo regular compliance assessments, choosing one of the following:
- CyberFundamentals Certification or verification.
- ISO/IEC 27001 Certification.
- Audit by the CCB’s audit service.
- Important entities are not required to undergo a regular compliance assessment.
6. Sanction
Essential and Important entities which do not respect their obligations can be subjected to a series of administrative measures and fines.
Disclaimer
- To ensure impartiality, Trust CHECK will never conduct a verification of any claim prepared through consultancy activities by What a Work SRL. Likewise, What a Work SRL will not provide consultancy services following a verification carried out by Trust CHECK.
- Customers remain fully responsible for their own information security system at all times. A verification by Trust Check is an independent assessment — it is not a guarantee or an insurance.
- Responsibility for the accuracy and completeness of the information provided lies solely with the customer, not with Trust CHECK.