Skip to main content
NIS2Certify
Back to overview

Belgium NIS2: The CyFun Framework, the April 18 Deadline, and What MSPs Need to Do Next

By NIS2Certify
nis2belgiumcyfuncyberfundamentalsccbauditmspcomplianceconformity-assessment

On April 18, 2026, Belgium became the first EU member state to enforce a hard NIS2 conformity assessment deadline. Essential entities operating under Belgian law had to submit proof of conformity to the Centre for Cybersecurity Belgium (CCB) by that date. Not a self-declaration. Not a roadmap. An actual third-party verified assessment.

If you manage NIS2 compliance for Belgian clients — or if your clients supply services into Belgium — this changes the conversation.

What the April 18 Deadline Actually Required

Belgian law gave essential entities two compliance pathways:

CyberFundamentals (CyFun) pathway: Essential entities had to obtain at minimum a CyFun Basic or CyFun Important verification statement from a BELAC-accredited Conformity Assessment Body (CAB) by April 18, 2026.

ISO/IEC 27001 pathway: Organizations already certified under ISO 27001 could submit their scope document, Statement of Applicability (SoA), and most recent internal audit results directly to the CCB via email by the same deadline.

Neither pathway allows self-attestation. Belgium explicitly requires an independent third party to verify compliance — a model more rigorous than most EU member states have implemented so far.

The next hard deadline is April 18, 2027, when full CAB certification is required for all essential entities. Important entities follow a separate, slightly later schedule.

Understanding CyFun: Belgium's National NIS2 Framework

The CyberFundamentals framework — CyFun — is the CCB's structured approach to NIS2 compliance. It is not a replacement for NIS2; it is an operationalization of it for the Belgian market.

CyFun is structured around 6 functions, 22 categories, and 106 subcategories. It maps directly to the security measures required under NIS2 Article 21, covering areas like risk management, access control, incident response, business continuity, and supply chain security.

The framework has four tiers:

  • CyFun Basic — 34 controls, the starting point for smaller organizations
  • CyFun Important — the standard for NIS2 "important entities"
  • CyFun Essential — required for NIS2 "essential entities"
  • CyFun Critical — for the highest-risk sectors

For most MSP clients in Belgium, CyFun Important or Essential is the relevant tier. CyFun Basic is a valid interim milestone but is not sufficient for full NIS2 compliance in the long run.

The CAB Bottleneck: A Practical Problem for Consultants

As of April 2026, only two BELAC-accredited bodies are authorized to perform CyFun certification audits in Belgium: Brand Compliance Belgie and What a Work SRL (Trust CHECK).

Two auditors for an entire country's essential entity population is a serious capacity constraint. This is not a theoretical concern — organizations that left audit scheduling late found themselves unable to meet the April 18 deadline through no fault of their own readiness.

For IT consultants and MSPs, this creates both a problem and an opportunity. The problem: your clients need audit slots that may not be available when they need them. The opportunity: clients who are fully prepared when a slot opens move through the audit faster, reduce CAB engagement time, and lower their total compliance cost.

Preparing clients for CyFun audits — gap analysis, documented controls, evidence vaults, policy documentation — is a concrete MSP service offering. The CCB's model is that MSPs prepare, CABs verify. That division of labor is a business model.

What Belgian NIS2 Means for Cross-Border Suppliers

Belgian NIS2 law does not only apply to Belgian companies. If your organization provides ICT services or products to Belgian essential or important entities, those Belgian clients are now required under Article 21 to manage their supply chain security — which means they will be asking you for compliance evidence.

This mirrors the pattern we covered in NIS2 supply chain security: downstream clients become a compliance forcing function for their suppliers, regardless of where those suppliers are based.

If you are an MSP based in the Netherlands, Germany, or elsewhere providing managed services to Belgian clients, expect procurement questionnaires and contractual NIS2 clauses to land in your inbox. The Belgian enforcement model makes this concrete rather than theoretical.

The Rest of the EU Is Watching

Belgium's approach is being watched closely by other member states. The CCB's model — mandatory third-party verification, an accredited CAB ecosystem, a tiered framework with clear milestones — is more structured than what most EU countries have built.

As of May 2026, 21 of 27 EU member states have transposed NIS2 into national law. The European Commission has sent reasoned opinions to 19 member states demanding full transposition. Enforcement is active, not pending.

Germany's BSI is running a parallel enforcement ramp-up under NIS2UmsuCG — we covered that in NIS2 enforcement Germany. Italy's ACN has set October 2026 as the deadline for minimum security requirements to take effect. France's ANSSI is moving toward enforcement under its own legislative timeline.

The pattern is clear: 2026 is the year NIS2 moves from transposition to active supervision across the bloc. Belgium just moved first.

What MSPs Should Do Right Now

If you have Belgian clients who are essential or important entities:

Audit the audit situation. Find out if your clients have scheduled or completed their CyFun conformity assessment. If not, get them on a CAB waitlist immediately — capacity is constrained.

Run a CyFun gap analysis. Map your clients' current security controls against the relevant CyFun tier. Gaps found now are fixable; gaps found during an audit are expensive.

Build the evidence vault. CyFun auditors want documented controls and evidence of implementation — not just policies. Policies without evidence fail verification.

Check the supply chain exposure. If your clients are essential entities, they need NIS2-compliant supplier contracts under Article 21. If you are a supplier to Belgian essential entities, you need to be ready to produce your own compliance evidence.

For clients still at the starting line, a structured NIS2 gap analysis is the fastest way to establish where they actually stand. You can run an initial assessment at NIS2Certify to generate a baseline before scheduling the formal CAB audit.

The Broader Lesson from Belgium

Belgium's NIS2 implementation demonstrates what enforcement actually looks like when a regulator builds a concrete operational framework rather than leaving compliance interpretation open-ended. The CyFun framework, the CAB accreditation model, and the hard April 18 deadline left no room for ambiguity.

For MSPs and IT consultants, that is useful — even if your clients are not Belgian. It shows the direction enforcement is heading across the EU. Regulators are building out accredited auditor ecosystems, setting hard deadlines, and moving away from self-attestation.

The organizations that are ahead of that curve — fully documented, gap-analyzed, and audit-ready — will spend less time and money on compliance than those who wait for a deadline to force the issue.

Belgium has already set that precedent. The rest of the EU is building toward the same model.

    Belgium NIS2: The CyFun Framework, the April 18 Deadline, and What MSPs Need to Do Next — NIS2Certify