What cybersecurity framework should a small business use? NIST CSF 2.0 is the global standard. It is free, vendor-neutral, and scales from a 5-person company to a multinational. In Belgium specifically, the CCB (Centre for Cybersecurity Belgium) built CyberFundamentals (CyFun) on top of NIST CSF. CyFun translates the framework into practical controls you can actually implement. Start with CyFun Basic's 34 controls. They stop 82% of documented attacks in CERT incident profiles - and they put you directly on the path to NIS2 compliance.
If you're running a small business and someone tells you to "implement a cybersecurity framework," your first reaction is probably: where do I even start? There are dozens of frameworks out there - ISO 27001, NIST, CIS Controls, COBIT, SOC 2. It's overwhelming.
Here's the short version: start with NIST CSF 2.0. It's free, open-source, maintained by the U.S. National Institute of Standards and Technology, and used by organizations worldwide regardless of size. In Belgium specifically, the CCB (Centre for Cybersecurity Belgium) built the CyberFundamentals (CyFun) framework on top of NIST CSF. CyFun gives you a practical, auditable path to compliance - including NIS2 compliance.
This guide explains both frameworks and how they work together.
NIST CSF 2.0 - The Global Standard (And It's Free)
NIST CSF 2.0 was released in February 2024, replacing version 1.1. It is the most widely adopted cybersecurity framework in the world. The full document is available for free: NIST CSF 2.0 (PDF).
NIST also published a Small Business Quick-Start Guide (PDF) specifically for organizations that don't have a dedicated security team. It is worth reading - it's short and practical.
CSF 2.0 is not a checklist. It's a risk management framework you adapt to your size and context. A 10-person accounting firm and a 200-person manufacturing company will implement it differently. That flexibility is the point.
Organizations from 5-person startups to Fortune 500 companies use it. Governments reference it in regulation. The Belgian CyFun framework is built on it. If you learn one framework, make it this one.
The 6 Functions Explained (Without the Jargon)
NIST CSF 2.0 organizes cybersecurity into six core functions. Think of them as six questions your business needs to answer.
1. GOVERN
The question: Who's responsible for cybersecurity?
This function is new in CSF 2.0. It covers who is accountable for cybersecurity in your company, what the budget is, and what the policies are.
Even a 10-person company needs someone who "owns" security decisions. It does not have to be a full-time role. It can be the office manager, the IT person, or the founder. But someone has to be accountable. Without governance, the other five functions fall apart.
2. IDENTIFY
The question: What do you have?
Laptops, servers, cloud accounts, customer data, software licenses. You cannot protect what you don't know exists.
Practical example: a simple spreadsheet listing all devices, all accounts (Google Workspace, banking, CRM, hosting), and where customer data lives. This takes a few hours and immediately reveals blind spots.
3. PROTECT
The question: What safeguards are in place?
Firewalls, encryption, access controls, training. The locks on the doors.
Practical example: MFA on every account, encrypted laptops, regular staff training on phishing recognition. These three measures alone block the majority of common attacks.
4. DETECT
The question: How would you know if something went wrong?
Monitoring, logging, alerting.
Practical example: at minimum, enable login alerts on your email and cloud accounts. If someone logs into your Microsoft 365 from a country you don't operate in, you want to know immediately - not three months later.
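As an added illustration (not from the article or the CCB), here is the DETECT check described above run over a few constructed sign-in records: it flags successful logins from outside the countries you operate in, and goes one step further by also flagging the same user appearing in two countries within a short window. The log format, user names and operating-country list are assumptions; real Microsoft 365 sign-in logs use a different schema and are exported through the audit log.

```python
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real data): timestamp, user, country, outcome.
SAMPLE_LOG = """\
2025-03-03T08:02:11Z alice@example.be BE success
2025-03-03T08:15:40Z bob@example.be NL success
2025-03-03T08:40:05Z alice@example.be BE success
2025-03-03T09:05:22Z alice@example.be BR success
2025-03-03T09:30:00Z carol@example.be BE failure
2025-03-03T11:45:13Z bob@example.be US success
"""

OPERATING_COUNTRIES = {"BE", "NL"}             # assumption: where the company actually works
IMPOSSIBLE_TRAVEL_WINDOW = timedelta(hours=2)  # two countries inside this window is suspicious


def parse_events(text):
    """Turn the constructed log lines into (timestamp, user, country, outcome), oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, country, outcome = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, country, outcome))
    return sorted(events)


def detect_anomalous_logins(text, allowed=OPERATING_COUNTRIES, window=IMPOSSIBLE_TRAVEL_WINDOW):
    """Return (user, alert_type, detail, timestamp) for each successful sign-in that is
    either from outside the operating countries or 'impossible travel' for that user."""
    alerts = []
    last_seen = {}  # user -> (timestamp, country) of that user's last successful sign-in
    for ts, user, country, outcome in parse_events(text):
        if outcome != "success":
            continue  # failed attempts are not alerted here; a lockout rule would cover them
        if country not in allowed:
            alerts.append((user, "foreign_login", country, ts))
        prev = last_seen.get(user)
        if prev and prev[1] != country and ts - prev[0] <= window:
            alerts.append((user, "impossible_travel", f"{prev[1]}->{country}", ts))
        last_seen[user] = (ts, country)
    return alerts


if __name__ == "__main__":
    for user, kind, detail, ts in detect_anomalous_logins(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:17} {user} {detail}")
```

On the sample data this reports alice's Brazilian login twice (foreign country and 25 minutes after a Belgian login) and bob's US login once; the NL login is silent because NL is an operating country.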
5. RESPOND
The question: What's the plan when something happens?
Incident response procedures.
Practical example: who calls who? Who disconnects compromised systems? Who talks to customers? Who contacts the authorities? Write it down. A one-page incident response plan is infinitely better than no plan.
6. RECOVER
The question: How do you get back to normal?
Backups, business continuity, lessons learned.
Practical example: tested backups. Not "we think we have backups somewhere." Tested means you've actually restored from a backup in the last 90 days and confirmed it works. If you haven't tested it, you don't have a backup - you have a hope.
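An added example, not from the article, of what a tested backup means in practice: back up some constructed sample data, restore it somewhere else, and compare every restored file's SHA-256 hash with the manifest recorded at backup time; the paragraph's 90-day rule becomes a date check on the last successful drill. File names, paths and the manifest format are hypothetical, and the archive is only ever built from the sample data.

```python
import hashlib, tarfile, tempfile
from datetime import date
from pathlib import Path

MAX_TEST_AGE_DAYS = 90  # the article's rule: untested for 90 days means you have a hope, not a backup


def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def make_backup(src_dir, archive):
    """Archive every file under src_dir; return a {relative_path: sha256} manifest."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for f in sorted(Path(src_dir).rglob("*")):
            if f.is_file():
                rel = f.relative_to(src_dir).as_posix()
                manifest[rel] = sha256_of(f)
                tar.add(str(f), arcname=rel)
    return manifest


def extract_backup(archive, restore_dir):
    with tarfile.open(archive, "r:gz") as tar:
        try:
            tar.extractall(restore_dir, filter="data")  # refuses path traversal (Python 3.12+, backported)
        except TypeError:
            tar.extractall(restore_dir)                 # older Python without the filter argument


def verify_restore(manifest, restore_dir):
    """Return the files that are missing after restore or whose hash differs from the manifest."""
    return [rel for rel, digest in manifest.items()
            if not (Path(restore_dir) / rel).is_file() or sha256_of(Path(restore_dir) / rel) != digest]


def backup_is_trusted(last_test_iso, today_iso):
    """True only if a successful restore test (ISO date) lies within the last 90 days."""
    age = (date.fromisoformat(today_iso) - date.fromisoformat(last_test_iso)).days
    return 0 <= age <= MAX_TEST_AGE_DAYS


def run_restore_test(tamper=False):
    """Back up constructed data, restore it and verify; tamper=True simulates a bad restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src, restore = Path(tmp, "data"), Path(tmp, "restore")
        (src / "invoices").mkdir(parents=True)
        (src / "customers.csv").write_text("id,name\n1,Acme\n")   # constructed sample data
        (src / "invoices" / "2025-01.txt").write_text("paid\n")
        manifest = make_backup(src, Path(tmp, "backup.tar.gz"))
        extract_backup(Path(tmp, "backup.tar.gz"), restore)
        if tamper:
            (restore / "customers.csv").write_text("garbage")    # corrupt the restored copy
        return verify_restore(manifest, restore)
```

A clean run returns an empty list; record that date, and `backup_is_trusted` tells you whether the drill is still recent enough to count.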
Belgium's CyFun Framework - NIST Made Local
The CyberFundamentals (CyFun) framework was created by the CCB (Centre for Cybersecurity Belgium). It takes NIST CSF 2.0, combines it with controls from ISO 27001, CIS Controls, and IEC 62443, and packages it into four practical levels.
The four CyFun levels:
- Small - for micro-organizations (fewer than 10 employees, minimal IT)
- Basic - 34 controls. The starting point for most SMEs. Stops 82% of documented attacks.
- Important - 99 additional controls on top of Basic. For companies with higher risk profiles.
- Essential - 85 further controls on top of Important. For critical infrastructure and large organizations.
For most small businesses, CyFun Basic is the target. 34 controls sounds manageable because it is. Many of them are things you're probably already doing - you just haven't documented them.
The CCB provides a free self-assessment tool at atwork.safeonweb.be. Use it. It takes about an hour and gives you a clear picture of where you stand.
How NIST CSF and CyFun Map Together
CyFun is built on NIST CSF, so the mapping is direct. Here's how the six NIST functions translate into CyFun Basic controls:
| NIST CSF 2.0 Function | CyFun Basic Controls (examples) |
|---|---|
| GOVERN | Security policy, risk assessment, roles and responsibilities |
| IDENTIFY | Asset inventory, data classification |
| PROTECT | Access control, MFA, encryption, backups, staff awareness |
| DETECT | Logging, monitoring, anomaly detection |
| RESPOND | Incident response plan, communication procedures |
| RECOVER | Backup restoration, lessons learned, continuity planning |
The advantage of starting with CyFun: you get concrete, auditable controls instead of abstract categories. NIST tells you "protect your assets." CyFun tells you exactly what that means in practice.
The NIS2 Connection
NIS2 (EU Directive 2022/2555) is the law. CyFun is how Belgium implements it.
If your organization falls under NIS2 scope, CyFun compliance equals NIS2 compliance in Belgium. The Belgian Law of 26 April 2024 transposed NIS2 into national law and designated CyFun as the compliance framework.
The deadline that matters: April 18, 2026 for self-assessment submission to the CCB. If you haven't started yet, start now.
We wrote a detailed NIS2 compliance checklist covering scope, deadlines, and practical steps - read it here.
Where ISO 27001 and SOC 2 Fit In
ISO 27001 is an alternative compliance track for NIS2 in Belgium. If you already hold ISO 27001 certification, you can use it to demonstrate NIS2 compliance instead of CyFun. However, ISO 27001 certification is expensive and time-consuming. For most small businesses, CyFun is the faster and cheaper path.
SOC 2 is more common for SaaS and tech companies working with US clients. It's not a Belgian or EU requirement, but American enterprise customers often require it. If you serve international clients, SOC 2 builds trust.
The good news: CyFun incorporates ISO 27001 controls. Starting with CyFun puts you on the path to ISO certification if you decide to pursue it later. The work is not wasted.
If you're a tech company serving international clients, consider ISO 27001 + SOC 2 as your target. CyFun gets you started. ISO 27001 gives you international credibility. SOC 2 opens the American market.
Getting Started - The 30-Day Plan
- Week 1: Get a baseline. Run the CCB's self-assessment tool. Answer honestly. The point is to see where you stand, not to pass a test.
- Week 2: Asset inventory. List everything - devices, accounts, data, software. Every laptop, every cloud subscription, every place customer data lives. Put it in a spreadsheet. This is CyFun's IDENTIFY function in action.
- Week 3: Quick wins. Enable MFA everywhere. Update all software. Set up automated backups and verify they work. These three actions alone cover several CyFun Basic controls and dramatically reduce your attack surface.
- Week 4: Documentation. Write your security policy, incident response plan, and access control procedures. They don't need to be long. A security policy can be two pages. An incident response plan can be one page. What matters is that they exist and that your team knows where to find them.
This won't make you fully compliant. But it covers the most critical CyFun Basic controls and gives you something to show an auditor. More importantly, it actually makes your business safer.
If you're short on time or staff, AI agents can help automate parts of this process - asset discovery, log monitoring, even generating draft policies. We've seen small teams cut their compliance workload significantly this way.
The Bottom Line
You don't need a 6-figure budget to have decent cybersecurity. NIST CSF 2.0 gives you the framework. CyFun gives you the practical controls. Start with the 34 basics, document what you do, and build from there.
Need Help Implementing CyFun?
We help Belgian businesses implement CyberFundamentals and prepare for NIS2 compliance.
Get a Gap Analysis