As cybersecurity regulations evolve across Europe, organizations are being asked to demonstrate not just compliance, but structured, risk-based security maturity. Under the EU’s NIS2 Directive, essential and important entities must now evidence how cybersecurity risks are governed, implemented, monitored, and improved over time.
This shift has made one thing clear: modern compliance cannot exist without strong cyber fundamentals.
That is where Cyber Fundamentals (CyFun) plays a pivotal role, not as a checkbox certification, but as a foundational framework that enables scalable, automated, and auditable compliance.
Traditional compliance models rely heavily on:
However, NIS2 and similar regulations demand continuous risk management, not snapshot compliance. Regulators are increasingly focused on:
This is where cyber fundamentals become the backbone of compliance automation.
Cyber Fundamentals (CyFun) is a structured, risk-based cybersecurity framework originally developed in Belgium and now adopted by Ireland as a co-owner of the scheme.
CyFun is:
Importantly, CyFun does not automatically mean NIS2 compliance. Final compliance determinations remain with the relevant National Competent Authority (NCA). CyFun is best understood as a credible and structured way to demonstrate alignment with regulatory expectations.
Ireland’s NIS2 compliance framework will be established through the National Cyber Security Act and associated statutory instruments. These define what organizations must do.
CyFun supports this by defining how organizations can organise, implement, and evidence those requirements in a consistent, auditable manner.
The NCSC:
This flexibility ensures organizations can build on existing security programs while maintaining regulatory consistency.
One of CyFun’s strengths is its tiered maturity approach, which recognises that not all organizations face the same level of risk.
CyFun begins with an initial selection tool that assesses factors such as:
Based on this, organizations are assigned one of three levels:
For important and essential entities under NIS2, CyFun provides a pathway to certification or formal assurance, supporting externally validated compliance.
CyFun is fundamentally based on the NIST Cybersecurity Framework, widely recognised as a global best practice.
Under NIST CSF v2.0, CyFun aligns with six core functions:
This structure makes CyFun inherently suitable for automation, mapping directly to controls, workflows, and evidence systems.
Modern compliance automation platforms depend on clarity, structure, and traceability. CyFun provides all three.
By structuring cybersecurity around defined functions and maturity levels, CyFun enables organizations to:
In short, CyFun turns cybersecurity from an abstract obligation into an operational system — which is exactly what automation requires.
Certification under Cyber Fundamentals will be optional, with Ireland’s national certification system expected to take 18–24 months to establish.
In the meantime, organizations are encouraged to:
Even without certification, CyFun can:
This makes CyFun both a compliance enabler and a business differentiator.
The NCSC’s Risk Management Measures (RMM) define the minimum baseline for NIS2 compliance — the what.
CyFun provides a structured way to address the how.
Organizations may still choose:
CyFun complements these approaches, offering a common language and structure that regulators increasingly recognise.
As regulations like NIS2 mature, organizations will be judged not just on whether controls exist, but on whether cybersecurity is governed, repeatable, and demonstrable.
Cyber Fundamentals (CyFun) provides the foundation for this future:
For organizations investing in compliance automation, CyFun is not an add-on; it is the backbone.