CyberFundamentals is Belgium's national cybersecurity framework designed to establish a foundational cybersecurity baseline for SMEs operating within Belgium. Introduced by the Centre for Cybersecurity Belgium (CCB), the framework focuses on small and medium-sized enterprises across all sectors, aiming to reduce vulnerabilities and improve overall resilience to cyber threats.

What is CyberFundamentals?
‍CyberFundamentals is Belgium's recommended cybersecurity baseline, helping SMEs reduce cyber risks and improve resilience.

What does CyberFundamentals require?

CyberFundamentals outlines straightforward yet crucial cybersecurity requirements, including:

• Basic security policies: Establishing cybersecurity policies and awareness programs.
• Access management: Ensuring proper user authentication and authorization measures.
• Secure device configurations: Using updated and securely configured hardware and software.
• Patch management: Regularly applying security updates and patches.
• Incident response preparedness: Setting up basic incident response and crisis management processes.
• Data backups: Regular, secure backups of essential business data.

How is CyberFundamentals structured?

The CyberFundamentals framework is organized into four assurance levels to help organizations improve cybersecurity in a practical, phased approach. Each level builds on the previous one, starting from basic non-technical guidance and progressing to comprehensive security controls.

The number of controls and their effectiveness against cyberattacks increase with each assurance level, making it easier to align protection efforts with an organization’s size and risk profile.

In Cyberday, these 140 tasks are broken down into categories. Here's a screenshot from the tool, showing the CyberFundamentals compliance report.

How does CyberFundamentals provide security?

CyberFundamentals enhances security by promoting essential cyber hygiene practices. It emphasizes proactive measures like regular patching, secure configurations, and controlled access, significantly lowering the risk of basic cyberattacks such as phishing, ransomware, and malware infections. By establishing these controls, SMEs can better prevent and respond to cyber incidents effectively.

CyberFundamentals versus NIS2 and ISO 27001

While CyberFundamentals is tailored for Belgian SMEs, other cybersecurity frameworks like NIS2 and ISO 27001 apply to wider or more regulated audiences. This table gives a quick side-by-side view to help you understand how they differ in scope, mandatory status, and effort required.

What are benefits of CyberFundamentals?

Implementing CyberFundamentals brings practical advantages for SMEs, including:

• Reduced risk: Basic cybersecurity measures significantly decrease the likelihood and impact of common cyber incidents.
• Increased business resilience: Better preparedness ensures quicker recovery from disruptions.
• Customer trust: Compliance demonstrates commitment to security, enhancing trust among customers and partners.
• Regulatory alignment: Meets baseline standards recommended by Belgian authorities, potentially easing compliance with future cybersecurity regulations.

How long does it take to get CyberFundamentals compliant?

The compliance timeline typically depends on the current security maturity and resources of the SME:

• Starting from scratch: Achieving full CyberFundamentals compliance usually takes 3–6 months, including policy development, technical setups, and user training.
• Already have basic controls: Compliance can be reached within 1–3 months.

Using compliance management tools like Cyberday significantly accelerates the process through predefined tasks and automated documentation.

FAQs

Is CyberFundamentals mandatory?

No. CyberFundamentals is currently voluntary. However, it is strongly recommended by the Centre for Cybersecurity Belgium as a baseline standard.

Why is CyberFundamentals important?

CyberFundamentals helps SMEs manage essential cybersecurity risks effectively, protecting their operations from common cyber threats. Implementing these measures also prepares businesses for stricter future regulations.

Who needs to comply with CyberFundamentals?

CyberFundamentals primarily targets Belgian SMEs across all industries. While not mandatory, it is particularly valuable for businesses lacking extensive cybersecurity measures or dedicated security staff.

When is CyberFundamentals in effect?

CyberFundamentals has been actively promoted by Belgium’s cybersecurity authority since 2022 and continues to be recommended as the foundational cybersecurity practice for SMEs today.

Is CyberFundamentals supported in Cyberday?

Yes. Cyberday fully supports CyberFundamentals compliance through tailored templates and automated task management features.