How far does CyFUN Basic get you? A straight look at the baseline
34 controls for the typical Belgian SME. What Basic covers, what it deliberately leaves out, and when Important is actually worth the step up.

Brian
Co-Founder & CEO
The CCB's CyFUN framework is one of the most pragmatic cybersecurity frameworks built for Belgian SMEs. No 400-page ISO standard, no consultant jargon, just a tiered list of practical measures that scales with your maturity and risk profile.
A question that comes up regularly: is Basic enough, or should I jump straight to Important? Below, a straight read on what Basic covers, what it deliberately leaves out, when Important is actually worth the step up, and the kind of effort to plan for.
What Basic covers and what it does not
CyFUN Basic is built around 34 essential controls. Many are things you should already be doing:
- Antivirus on every endpoint
- Multi-factor authentication on critical accounts
- Backups that are actually tested
- An up-to-date incident response plan
- Central management of access rights and software installations
A Basic trajectory for a typical SME of 10 to 30 staff usually takes about three months from first assessment to being able to demonstrate compliance. Not because the measures are technically complex, but because anchoring them organisationally takes real effort. Example: writing down "password manager required" as a policy costs nothing. Teaching the entire team to use Vaultwarden or an equivalent, importing the passwords they already have, and weaning them off spreadsheets and chat messages as the place where credentials get shared costs something else.
What Basic does not do
Basic gives you a good baseline. It does not give you:
- Continuous detection of advanced threats (that is what Important and Essential add)
- Penetration testing or red teaming
- Compliance with regulatory frameworks such as DORA or, if you are an entity in scope, NIS2
For most SMEs with a limited risk profile, where the realistic exposure is commodity attacks aimed at staff and their accounts (phishing, ransomware, business email compromise, credential stuffing and reuse), that is enough. Basic covers that exposure adequately without requiring a 24/7 SOC.
When to move to Important anyway
Three reasons that are decisive in practice:
- A client asks for it. At contract renewal with bigger accounts, CyFUN Important comes up more and more often. Especially if that client is itself in NIS2 scope.
- Your cyber insurer asks for it. Some carriers offer a 15 to 20 percent premium discount at Important level. That adds up year on year.
- You are yourself an 'important entity' under NIS2. Then Important is the lowest level you can credibly defend as 'appropriate measures' to a regulator.
If none of those apply, Basic is a perfectly fine endpoint. Not every organisation needs maximum security; every organisation needs appropriate security.
What to plan for
Indicative numbers for an SME of about 10 to 20 staff, based on what is common in the market:
- Assessment and gap analysis: about 12 hours of consultancy
- Remediation work: about 50 hours over three months
- Tools (password manager, paid MFA app, possibly one extra backup licence): around 80 euros a month on top of existing tooling
- Awareness session for the whole team: two hours
Not complicated numbers. Real work though. One important nuance: this moves much faster when the owner-manager attends the awareness session and visibly carries the project. Without that buy-in from the top, the same trajectory takes at least twice as long, mostly because behaviour change does not stick.
CyFUN works best when you treat it as an organisational programme, not an IT programme. The technical measures are rarely the bottleneck; behaviour change is.