TIOZ Howest

Howest Logo

NIS2 Update July 2025

The Irish National Cyber Security Centre (NCSC-IE) has adopted the cybersecurity framework CyberFundamentals (CyFun), designed by the Centre for Cybersecurity Belgium. They will help our CCB write the new CyFun-2025, expected for September 2025 (more about this below). Together with this announcement, NCSC-IE also published various interesting documents, and a new set of proposed Risk Management Measures (RMMs).

Below, we also look at ENISA's NIS2 Technical Implementation Guidance report, which helps us implement NIS2 regulation by providing guidance, examples of evidence, and mappings from security requirements to industry good practices.

Let's Get in Touch

Cover image

Quick facts

  • /

    NCSC Ireland Endorses Belgian CyFun and co-authors next version with CCB

  • /

    ENISA releases Technical Implementation Guide

  • /

    The Dutch can't get their NIS2 act together

News from the Irish National Cyber Security Centre and the European Agency for CyberSecurity ENISA

NIS2 documents NCSC Ireland

If you are looking at NIS2, you should definitely take a look at the CyberFundamentals (CyFun) framework. It was originally developed in Belgium by the Centre for Cybersecurity Belgium, and it provides a structured, risk-based approach for essential and important entities to organize and demonstrate their NIS2 security measures.

While CyFun combines elements of the NIST CyberSecurity Framework, ISO/IEC 27001, CIS Controls, and IEC 62443, it was heavily inspired by NIST CSF. The current version of CyFun is based on NIST CSF 1.1, but it will be transitioning to CSF 2.0 in the near future, leading to a CyFun 2.0 or as some call it CyFun-2025.

The biggest change in CyFun 2.0 will be the same as in NIST's CSF 2.0, the addition of a 6th core function "Govern" in addition to the core 5 functions of the initial NIST CSF: Identify, Protect, Detect, Respond, and Recover. Read Danny Zeegers' blog post if you are interested to know how this adds a "Sixth Sense in NIS2 Assessment".

Of course, we are watching this new version of CyFun very closely at Cyber3Lab, and we are already in touch with Irish academic institutes to share our knowledge and experience.

CyFun is getting more popular

CyFun's popularity is growing in Europe, and has been formally adopted end of 2024 by Romania as a tool for implementing the NIS2 Directive.

Mid-2025, the framework was adopted by the Irish National Cyber Security Centre (NCSC) to help organizations in Ireland meet the requirements of the NIS2 Directive.

The NIS2 Directive is still being transposed into Irish law (expected end of 2025), but the NCSC (National Cyber Security Centre) already recommends the Cyber Fundamentals Framework (CyFun) as the tool for organizations to organize and evidence their cybersecurity controls to comply with NIS2.

Belgium, Ireland and Romania will maintain the framework and associated documents as scheme owners, facilitating CyFun's rollout to other European countries.

A very interesting NCSC publication is the draft "NIS2 Risk Management Measures (RMM) Guidance", which outlines the minimum requirements for essential and important entities.

Recently, Joseph Stephens, Director of Resilience of NCSC-IE, published a position statement blog post on the NCSC approach to NIS2 and the role of CyFun.

By the way, if you want to see where the NIS2 Directive was already transposed in national law, check out ECSO's NIS2 Directive Transposition Tracker Map. The situation in the Netherlands is really dramatic, with no national legislation in sight, only expected mid-2026.

ENISA Releases Technical Implementation Guidance

NIS2 Technical Implementation Guidance (ENISA)

ENISA's 170-page Technical Implementation Guidance is quite interesting, especially for medium-sized organisations as a guidance in terms of policies, incidents, access control, asset management, and how this is linked to e.g. business continuity, crisis management and supply-chain security. Talking about policies, our CCB compiled a list of cybersecurity policy templates that can be freely adapted, completed and customized according to your needs.

The guidance also refers to the European Cybersecurity Skills Framework (ECSF), the EU’s reference framework for defining and assessing cybersecurity roles and their skills for professionals as mentioned in the Communication on the Cybersecurity Skills Academy, which aims to close the digital skills gap to boost the EU's growth and resilence. If you have trouble mapping the roles and skills to the obligations of the NIS2 Directive, you should check out ENISA's publication about this.

From an academic point of view, this approach is very interesting, as our Howest University of Applied Sciences, and particularly the Applied Computer Science department, offers regular education for bachelor students, but also continuing education for people in the field (more on this below).

How can Howest Cyber3Lab help your NIS2 compliance project?

At Howest Cyber3Lab, a research group on AI, Cybersecurity, Web3 and Immersive Technologies at Howest, we are researching, applying and teaching NIS2 and CyFun skills.

Our main offering is an interactive afternoon seminar on "NIS2 and CyFun in Practice" (available in Dutch and English), presented by Kurt Schoenmaekers.

Kurt also presents free webinars for CyberActive's Lunch & Learn Trajectory called "NIS2 and supply chain security".

At Cyber3Lab, we are also developing the self-assessment tool NIS2Ready, that is not only more user-friendly than the Excel spreadsheet of the CCB, but also multilingual (e.g. we included Gaelic, but also Dutch, French and German), and will make this more guiding towards best practices, example documents, and extra knowledge and education. This will help you on your road to NIS2 compliance, but your main purpose should be to raise the level of cybersecurity in your company.

Of course, we are available for training, coaching and advice, particularly for smaller and medium companies in Flanders. There are various cybersecurity improvement grants and subsidies available.

If you are interested in studying cybersecurity, you can get an overview of our education classes, microdegrees and continuous learning offer on our web site (the page is in Dutch, but these can also be offered in English).

Don't hesitate to reach out if you have any questions about NIS2, CyFun, compliance, risk assessment or cybersecurity in general.

Background Resources:

  • The Centre for CyberSecurity Belgium (CCB) has a NIS2 Quickstart Guide with plenty of tools for NIS2 Scoping, incident notification guides, strategic risk assessment (CyFun), presentations, ..., built by an incredibly knowledgeable and passionate team.
  • The Center for Cybersecurity Belgium Youtube Channel is particularly interesting because of its multitude of training videos, knowledge sessions, and even Quarterly Cyber Threat Reports (QCTR)
  • The NCSC Ireland website on NIS2, containing more and more information, videos, presentation slides, FAQs, ...
  • The Dutch Ministry "Digitale Overheid" tackles the legal side of NIS2, but the National Cyber Security Centre of the Ministry of Justice and Security that contains the more technical information, tools, research and publications. One of the more interesting NIS2-related publication is "How do I map my critical assets?". Lots of information, but not all in English, and somewhat harder to find.

Authors

  • /

    Patrick Van Renterghem, AI, CyberSecurity, Web3, Immersive Tech, Quantum, ... Community Builder

Want to know more about our team?

Visit the team page

Last updated on: 7/18/2025

/

More stuff to read