How NIS 2 aligns with CyberFundamentals (CyFun), ISO 27001, and other cybersecurity standards

Written by Maiky | Jun 30, 2025 11:03:28 AM

Who falls under the scope of NIS 2?

This directive applies to a wide range of sectors categorised by their level of criticality and size. To learn more about the full scope and find out if your company falls within it, read this comprehensive article.

Although NIS 2 has been in effect since January 2023, EU member states were given until 17 October 2024 to transpose it into national law. However, as of April 2025, only 10 of the 27 EU member states have completed this process (see table below). This delay means that if your business is not operating in one of these countries (Belgium, Croatia, Finland, Greece, Hungary, Italy, Latvia, Lithuania, Romania and Slovakia), you may still lack clarity on how the directive will be applied nationally. That is because member states can impose stricter rules or broader scopes beyond the directive’s minimum requirements.

Current status across EU member states

Here is an overview of each EU country’s progress in implementing NIS 2

Country	NIS 2 stage	Standard accept
Austria	Draft law	To be determined
Belgium	Transposed	Cyber Fundamentals Framework and ISO 27001:2022 (requires full company scope). A company can also be audited directly by the Centre for CyberSecurity of Belgium
Bulgaria	Draft law	Reference to EU standards under the NIS2 Directive
Croatia	Transposed	ISO 27001:2002
Cyprus	Draft law	Framework mapping ISO 27001, NIST SP 800-53, and NIS CG
Czech Republic	Draft law	To be determined
Denmark	Draft law	To be determined
Estonia	Draft law	National Cyber Security Strategy 2023-2027.
Finland	Transposed	ISO 27001
France	Draft Law	To be determined
Germany	Draft Law	To be determined
Greece	Transposed	Reference to EU standards under the NIS2 Directive.
Hungary	Transposed	Reference to EU standards under the NIS2 Directive
Ireland	Draft law	NIST CSF 2.0
Italy	Transposed	National Framework based on NIST CSF adapted to the Italian context
Latvia	Transposed	References European and international standards without specifying frameworks
Lithuania	Transposed	National framework aligned with ISO 27001 and ENISA
Luxembourg	Draft law	To be determined
Malta	Draft law	Reference to international and European standards
Netherlands	Draft law	Reference to international and European standards
Poland	Draft law	To be determined
Portugal	Draft law	National Reference Framework for Cybersecurity; reference to European and international Standards.
Romania	Transposed	Framework based on ISO 27001 and NIST SP 800-53
Slovakia	Transposed	Reference to international standards
Slovenia	Draft law	Standard agnostic; supporting document suggests using ENISA guidelines, ISO 27001/27002, CIS Controls
Spain	Draft law	Reference to EU certification schemes and the Esquema Nacional de Seguridad (ENS)
Sweden	Draft law	Reference to European and international standards

The European Cyber Security Organisation (ECSO) regularly updates this information here.

How cybersecurity frameworks like ISO 27001 and CyFun support NIS 2 compliance

Although many countries are still in the drafting phase of their laws, there is no reason to wait. Organisations can begin preparing for compliance by aligning with widely recognised cybersecurity frameworks such as ISO 27001, NIST or Belgium’s CyberFundamentals (CyFun)

For organisations already following these frameworks, complying with NIS 2 becomes far less overwhelming. In fact, these standards can serve as useful building blocks, helping you prepare before your national laws are finalised.

ISO 27001

ISO 27001 is widely recognised as a gold standard for information security management systems (ISMS). Many countries either reference it directly or align with it in their national frameworks. It provides a structured approach that aligns well with many of the requirements outlined in NIS 2:

Risk Management: ISO 27001 and NIS 2 emphasise identifying network and information systems risks and implementing controls to mitigate them.
Incident Response: ISO 27001 includes specific controls for incident response, which directly support NIS 2’s mandates for incident reporting.
Supply Chain Security: ISO’s supplier management controls help organisations meet NIS 2’s requirements for securing third-party relationships.
Continuous Improvement: required by NIS2 and embedded in ISO27001 as a management system.
Accountability: While ISO certification is voluntary, it demonstrates a commitment to best practices that align with corporate accountability measures required by NIS 2.

CyberFundamentals (CyFun) Framework

In Belgium, the government introduced the CyberFundamentals Framework (CyFun) to guide organisations toward structured cybersecurity maturity. It’s based on internationally recognised standards like ISO 27001/27002, NIST Cybersecurity Framework, CIS Controls, and IEC 62443, but tailored to Belgian businesses.

CyFun is tiered into Basic, Important, and Essential maturity levels, making it accessible to companies of different sizes and risk profiles. Importantly, CyFun directly supports the goals of NIS 2, and Belgian companies using it are already aligned with key aspects of the directive.

Here is how CyFun maps to NIS 2 requirements:

Risk Management: both CyFun and NIS 2 require risk-based thinking and control implementation.
Governance and Responsibility: CyFun emphasises roles, responsibilities, and leadership involvement, which are key themes in NIS 2.
Technical and Organisational Measures: The frameworks align closely on controls such as access management, logging, patching, and asset inventory.
Incident Handling: Incident response planning and reporting processes are core to both.

By following CyFun, Belgian organisations align with nationally recognised best practices and lay a strong foundation for broader NIS 2 compliance, even though CyFun is not formally accepted outside Belgium.

Practical steps to start your NIS 2 compliance journey

Given the complexity of NIS 2 compliance, especially for organisations operating in multiple countries, it is crucial to start early. Whether you are working with CyFun, ISO 27001, or another framework, you can take concrete steps toward NIS 2 compliance today:

1. Assess current maturity
Conduct a maturity assessment to evaluate the current maturity level and create next steps based on priorities.

2. Map risks
Identify and document risks across operations, systems, and third-party vendors.

3. Evaluate and update controls
Close gaps by addressing deficiencies in policies, controls, and technical safeguards.

4. Establish governance
Define roles, responsibilities, and escalation paths in case of incidents.

5. Create visibility
Use dashboards and automation to gain real-time oversight of compliance and control effectiveness.

6. Manage third parties
NIS 2 requires organisations to assess and monitor risks introduced by external suppliers and partners.

7. Stay informed
Monitor the progress of NIS 2 transposition in your country and adapt as new requirements emerge. Especially if operating in multiple EU jurisdictions, staying informed about local laws is key.

How Maiky can help

Maiky can help organisations prepare for NIS 2 and maintain ongoing compliance monitoring with:

Maturity assessment: Assess your program’s maturity with visual graphs, helping identify improvement areas and guiding future program changes and budget decisions.
Gap analysis: analyse the gaps between the current policy set and the requirements specified in one of the over 150 standards supported by the Maiky platform.
NIS 2 Quick Start with pre-built policies, controls, and risks
Third-party management: Manage your third-party suppliers, and send surveys to ensure your risks are covered by the proper controls at the third party.
Trust Center: Maintain a public-facing webpage to showcase your security program to your customers and prospects.
Automation of controls: Free your teams of repetitive work and ensure accuracy by automating tasks, evidence collection, and validation.
Dashboard: Real-time monitoring using your favourite dashboard tools

Whether you are just starting or refining an existing program, we can help you move from uncertainty to confidence.

Final thoughts

The NIS 2 Directive sets a high standard for cybersecurity across Europe, but it’s not an impossible bar. Frameworks like ISO 27001 and CyberFundamentals (CyFun) offer practical, scalable roadmaps to get there. If your organisation is already working with these standards, you are not starting from scratch, you are simply adapting and improving to meet new legal expectations.

Start now, not later. NIS 2 compliance is a journey that requires time, strategy, and the right tools.

View full post