CyFun & NIS2 Compliance

The NIS2 deadline has passed. CyFun is the Belgian standard. Is your digital workplace compliant?

The NIS2 directive has been in force since October 2024. The CyFun framework from the CCB is the Belgian implementation standard. Canvos helps your organisation comply with both.

NIS2-compliant platform
CyFun-aligned
100% EU-hosted
CCB standard

What is NIS2?

The NIS2 directive is the successor to the original NIS directive and sets stricter cybersecurity requirements for a broader range of organisations in the EU.

NIS2 key facts

  • EU Directive 2022/2555, adopted in 2022
  • In force since 17 October 2024
  • Replaces the original NIS Directive (NIS1)
  • Broader scope: more sectors and more entities
  • Belgium implements via the CCB (Centre for Cybersecurity Belgium)
  • Fines up to €10 million or 2% of global annual turnover

Who must comply?

  • Essential entities: energy, transport, healthcare, drinking water, digital infrastructure, public services, space
  • Important entities: postal/courier services, waste management, food production, chemicals, digital providers, research
  • Medium-sized and large enterprises in these sectors
  • Suppliers and service providers of the above

What is CyFun?

The CyFun framework was developed by the Centre for Cybersecurity Belgium (CCB) and is the Belgian standard for cybersecurity measures, based on the internationally recognised NIST Cybersecurity Framework.

  • CCB standard: Developed by the Centre for Cybersecurity Belgium, the national authority for cybersecurity.
  • Based on NIST CSF: Built on the NIST Cybersecurity Framework, internationally the gold standard for cybersecurity.
  • 3 levels: Small, Basic and Important/Essential; each level builds on the previous with stricter measures.

The 5 CyFun pillars

  • Identify: Understand your environment
  • Protect: Protect your assets
  • Detect: Detect incidents
  • Respond: Respond to attacks
  • Recover: Recover after incidents

Mandatory for NIS2-obligated organisations in Belgium. The CyFun framework is the official instrument through which Belgian organisations demonstrate their NIS2 compliance.

How Canvos helps per CyFun pillar

For each pillar of the CyFun framework, Canvos offers concrete features that support your compliance.

IDENTIFY

Understand your digital environment

  • Asset management: Canvos centralises all business data on one platform — files, emails, calendar, contacts, tasks. No fragmentation across multiple tools.
  • Governance: Governance Center with configurable policies per organisation — data classification, sharing policies, retention, email policies.
  • Risk assessment: Data classification at 4 levels (public, internal, confidential, restricted) automatically identifies sensitive data and applies corresponding rules.

PROTECT

Protect your data and users

  • Access control: Multi-factor authentication (TOTP 2FA), IP and geo-blocking, time-based access, session management with automatic timeout.
  • Data security: Encryption at rest and in transit, DLP rules that prevent data leaks, configurable sharing policies per classification level.
  • Awareness & training: Phishing reporting button in every email, security onboarding tour for new users.
  • Protective technology: 36+ security hardening measures active by default, SSRF filters, input validation, rate limiting, CORS and CSP headers.

DETECT

Detect suspicious activity

  • Anomaly detection: Automatic detection of suspicious logins — new country, new IP address, unusual times, unknown devices.
  • Continuous monitoring: Platform watch every 20 minutes checks all system components, availability monitor every minute.
  • Logging: Structured JSON logging on 130+ API routes, governance event log per organisation with who-what-when-result.

RESPOND

Respond quickly to incidents

  • Response planning: Brute force protection with automatic account lockout, remote session revocation, IP blocking on repeated attacks.
  • Communication: Real-time alerts on policy violations via the Governance Center, email notifications to administrators on suspicious activity.
  • Analysis: Complete audit trail with export in JSON, CSV and CEF format, compliance reporting per organisation for forensic investigation.

RECOVER

Recover and continuously improve

  • Recovery planning: PM2 auto-restart on process failures, health endpoint monitoring, automated recovery procedures.
  • Improvements: Monthly compliance reports show trends and areas for improvement, governance dashboard for continuous optimisation.
  • Communication: Daily digest to administrators with system status, suspicious activities and points of attention.

NIS2 Requirements & Canvos

Article 21 of the NIS2 directive specifies 10 risk management measures. Below you will find how Canvos supports each requirement.

| NIS2 Requirement (Art. 21) | Canvos Implementation |
|---|---|
| Risk analysis and security policy | Governance Center with configurable security policy per organisation, data classification at 4 levels for risk-based approach. |
| Incident handling | Audit logging on 130+ routes, real-time alerts on suspicious activity, built-in phishing reporting, structured event logging for rapid analysis. |
| Business continuity | PM2 auto-restart on process failures, health endpoint monitoring, availability probes every minute, platform watch every 20 minutes. |
| Supply chain security | 100% open-source stack — full transparency on every component. No dependency on US cloud providers, no hidden sub-processors. |
| Security in acquisition and development | Fully auditable source code, 100% European hosting in Datacenter United (Ghent, Belgium), no proprietary black-box components. |
| Effectiveness assessment | Monthly compliance reporting per organisation, audit export in JSON/CSV/CEF, governance event log for periodic evaluation. |
| Cyber hygiene and training | Security onboarding tour for new users, phishing awareness via built-in reporting, clear warnings on risky behaviour. |
| Cryptography and encryption | TLS 1.3 for all in-transit communication, AES-256 encryption at rest, mandatory TLS enforcement for email. |
| Access policy and asset management | Multi-factor authentication (TOTP 2FA), role-based access control, session management, IP and geo-blocking, time-based access. |
| Multi-factor authentication | TOTP 2FA built in, conditional access policies, mandatory MFA enforceable per organisation via Governance Center. |

Start your NIS2 compliance journey

Let our team perform a compliance assessment and discover how Canvos helps your organisation comply with NIS2 and CyFun.

No obligation. We discuss your situation and show concretely how Canvos helps.