How NIS 2 aligns with CyberFundamentals (CyFun), ISO 27001, and other cybersecurity standards

As cyber threats continue to rise, the EU’s NIS 2 directive is raising the bar for cybersecurity across Europe. Already in effect, it requires companies to adopt structured security practices or risk penalties. But where do familiar frameworks like ISO 27001 and Belgium’s CyberFundamentals (CyFun) fit in?

Who falls under the scope of NIS 2?

This directive applies to a wide range of sectors categorised by their level of criticality and size. To learn more about the full scope and find out if your company falls within it, read this comprehensive article.

Although NIS 2 has been in effect since January 2023, EU member states were given until 17 October 2024 to transpose it into national law. However, as of April 2025, only 10 of the 27 EU member states have completed this process (see table below). This delay means that if your business is not operating in one of these countries (Belgium, Croatia, Finland, Greece, Hungary, Italy, Latvia, Lithuania, Romania and Slovakia), you may still lack clarity on how the directive will be applied nationally. That is because member states can impose stricter rules or broader scopes beyond the directive’s minimum requirements.


Current status across EU member states

Here is an overview of each EU country's progress in implementing NIS 2 and of the standards each one accepts as evidence of compliance.

| Country | NIS 2 stage | Accepted standard |
|---|---|---|
| Austria | Draft law | To be determined |
| Belgium | Transposed | CyberFundamentals Framework and ISO 27001:2022 (requires full company scope). A company can also be audited directly by the Centre for Cybersecurity Belgium |
| Bulgaria | Draft law | Reference to EU standards under the NIS 2 Directive |
| Croatia | Transposed | ISO 27001:2002 |
| Cyprus | Draft law | Framework mapping ISO 27001, NIST SP 800-53, and NIS CG |
| Czech Republic | Draft law | To be determined |
| Denmark | Draft law | To be determined |
| Estonia | Draft law | National Cyber Security Strategy 2023-2027 |
| Finland | Transposed | ISO 27001 |
| France | Draft law | To be determined |
| Germany | Draft law | To be determined |
| Greece | Transposed | Reference to EU standards under the NIS 2 Directive |
| Hungary | Transposed | Reference to EU standards under the NIS 2 Directive |
| Ireland | Draft law | NIST CSF 2.0 |
| Italy | Transposed | National framework based on NIST CSF, adapted to the Italian context |
| Latvia | Transposed | References European and international standards without specifying frameworks |
| Lithuania | Transposed | National framework aligned with ISO 27001 and ENISA |
| Luxembourg | Draft law | To be determined |
| Malta | Draft law | Reference to international and European standards |
| Netherlands | Draft law | Reference to international and European standards |
| Poland | Draft law | To be determined |
| Portugal | Draft law | National Reference Framework for Cybersecurity; reference to European and international standards |
| Romania | Transposed | Framework based on ISO 27001 and NIST SP 800-53 |
| Slovakia | Transposed | Reference to international standards |
| Slovenia | Draft law | Standard agnostic; supporting document suggests using ENISA guidelines, ISO 27001/27002, CIS Controls |
| Spain | Draft law | Reference to EU certification schemes and the Esquema Nacional de Seguridad (ENS) |
| Sweden | Draft law | Reference to European and international standards |

The European Cyber Security Organisation (ECSO) regularly updates this information here.

How cybersecurity frameworks like ISO 27001 and CyFun support NIS 2 compliance

Although many countries are still in the drafting phase of their laws, there is no reason to wait. Organisations can begin preparing for compliance by aligning with widely recognised cybersecurity frameworks such as ISO 27001, NIST or Belgium's CyberFundamentals (CyFun).

For organisations already following these frameworks, complying with NIS 2 becomes far less overwhelming. In fact, these standards can serve as useful building blocks, helping you prepare before your national laws are finalised.

ISO 27001

ISO 27001 is widely recognised as a gold standard for information security management systems (ISMS). Many countries either reference it directly or align with it in their national frameworks. It provides a structured approach that aligns well with many of the requirements outlined in NIS 2:

  • Risk Management: Both ISO 27001 and NIS 2 emphasise identifying risks to network and information systems and implementing controls to mitigate them.
  • Incident Response: ISO 27001 includes specific controls for incident response, which directly support NIS 2's mandates for incident reporting.
  • Supply Chain Security: ISO's supplier management controls help organisations meet NIS 2's requirements for securing third-party relationships.
  • Continuous Improvement: NIS 2 requires it, and ISO 27001 embeds it in the management system itself.
  • Accountability: While ISO certification is voluntary, it demonstrates a commitment to best practices that align with the corporate accountability measures required by NIS 2.
CyberFundamentals (CyFun) Framework

In Belgium, the government introduced the CyberFundamentals Framework (CyFun) to guide organisations toward structured cybersecurity maturity. It’s based on internationally recognised standards like ISO 27001/27002, NIST Cybersecurity Framework, CIS Controls, and IEC 62443, but tailored to Belgian businesses.

CyFun is tiered into Basic, Important, and Essential maturity levels, making it accessible to companies of different sizes and risk profiles. Importantly, CyFun directly supports the goals of NIS 2, and Belgian companies using it are already aligned with key aspects of the directive.

Here is how CyFun maps to NIS 2 requirements:

  • Risk Management: Both CyFun and NIS 2 require risk-based thinking and control implementation.
  • Governance and Responsibility: CyFun emphasises roles, responsibilities, and leadership involvement, which are key themes in NIS 2.
  • Technical and Organisational Measures: The frameworks align closely on controls such as access management, logging, patching, and asset inventory.
  • Incident Handling: Incident response planning and reporting processes are core to both.

By following CyFun, Belgian organisations align with nationally recognised best practices and lay a strong foundation for broader NIS 2 compliance, even though CyFun is not formally accepted outside Belgium.

Practical steps to start your NIS 2 compliance journey

Given the complexity of NIS 2 compliance, especially for organisations operating in multiple countries, it is crucial to start early. Whether you are working with CyFun, ISO 27001, or another framework, you can take concrete steps toward NIS 2 compliance today:

1. Assess current maturity
Conduct a maturity assessment to establish your current level and derive prioritised next steps from the results.

2. Map risks
Identify and document risks across operations, systems, and third-party vendors.

3. Evaluate and update controls
Close gaps by addressing deficiencies in policies, controls, and technical safeguards.

4. Establish governance
Define roles, responsibilities, and escalation paths in case of incidents.

5. Create visibility
Use dashboards and automation to gain real-time oversight of compliance and control effectiveness.

6. Manage third parties
NIS 2 requires organisations to assess and monitor risks introduced by external suppliers and partners.

7. Stay informed
Monitor the progress of NIS 2 transposition in your country and adapt as new requirements emerge. This matters most for organisations operating in several EU jurisdictions, where national rules can differ.

How Maiky can help

Maiky can help organisations prepare for NIS 2 and maintain ongoing compliance monitoring with:

  • Maturity assessment: Assess your program's maturity with visual graphs, helping identify improvement areas and guiding future program changes and budget decisions.
  • Gap analysis: Analyse the gaps between the current policy set and the requirements specified in one of the over 150 standards supported by the Maiky platform.
  • NIS 2 Quick Start: Pre-built policies, controls, and risks.
  • Third-party management: Manage your third-party suppliers, and send surveys to ensure your risks are covered by the proper controls at the third party.
  • Trust Center: Maintain a public-facing webpage to showcase your security program to your customers and prospects.
  • Automation of controls: Free your teams of repetitive work and ensure accuracy by automating tasks, evidence collection, and validation.
  • Dashboard: Real-time monitoring using your favourite dashboard tools.

Whether you are just starting or refining an existing program, we can help you move from uncertainty to confidence.

Final thoughts

The NIS 2 Directive sets a high standard for cybersecurity across Europe, but it's not an impossible bar. Frameworks like ISO 27001 and CyberFundamentals (CyFun) offer practical, scalable roadmaps to get there. If your organisation is already working with these standards, you are not starting from scratch; you are simply adapting and improving to meet new legal expectations.

Start now, not later. NIS 2 compliance is a journey that requires time, strategy, and the right tools.