CyberFundamentals 2025: transition from CyFun 2023 to 2025
CyberFundamentals 2025 is the revised version of CyberFundamentals 2023. This update aligns more closely with international standards, current cyber threats and the Belgian context surrounding NIS2.
There is no need to switch immediately. A transition period applies during which CyFun 2023 and CyFun 2025 remain available in parallel. However, it is advisable to assess in good time what the changes mean for your organisation, documentation, planning and any verification or certification process.
Transition period from CyberFundamentals 2023 to 2025 #
During the transition period, both CyberFundamentals 2023 and CyberFundamentals 2025 can be used. Until 18 April 2027, you may choose verification or certification based on CyFun 2023 or CyFun 2025.
Certificates and verification statements based on CyFun 2023 remain valid until 18 April 2028 at the latest. After that date, only CyFun 2025 will be accepted.
Key changes in CyFun 2025 #
CyberFundamentals 2025 includes substantive and editorial improvements. The main changes are:
- Stronger alignment with international standards and legislation: CyFun 2025 aligns more closely with NIST Cybersecurity Framework 2.0 and the European NIS2 Directive.
- Expansion and clarification of controls: the controls and guidance have been revised and formulated more clearly.
- More focus on supply chain security and OT security: the new version explicitly addresses the security of the supply chain and operational technology.
- Incorporation of user feedback: feedback from practice has been used to make the framework clearer and more practical.
- Introduction of Governance Measures: new in CyFun 2025 are Governance Measures, aimed at strengthening cybersecurity governance at board level.
- More extensive guidance and interpretation: the guidance has been expanded so that organisations can better determine what is expected of them.
- Improved structure and readability: editorial, grammatical and structural improvements have also been made.
What does this mean for your organisation? #
Is your organisation already working with CyFun 2023, or are you preparing for a verification or certification process? Then it is advisable to assess in good time which version best fits your planning, documentation and cybersecurity approach.
It is important not only to consider the validity of existing processes, but also the impact of the new requirements. This includes governance, supply chain security, OT security and the way controls are documented.
Would you like to understand how CyFun is used in the Belgian NIS2 context? Read the article about the CyberFundamentals Framework in Belgium.
CyFun 2025 and NIS2 #
In Belgium, CyFun can play a role in demonstrating a presumption of conformity with NIS2 legislation. This does not mean that an organisation automatically demonstrates such a presumption. The correct wording, interpretation and assessment remain important.
Organisations preparing for CyFun can also use a CyFun verification. This provides insight into the extent to which your organisation aligns with the relevant requirements within the CyberFundamentals Framework.
Does your organisation already have ISO 27001 certification, or are you considering this route? Read the article about ISO 27001 in a NIS2 context in Belgium.
Preparing for CyFun verification #
The transition to CyFun 2025 requires a timely assessment of the differences between the old and new version. Consider, among other things:
- the version your organisation is currently preparing for;
- the desired date for verification or certification;
- the impact of new or changed controls;
- the documentation that may need to be updated;
- the extent to which governance, supply chain security and OT security have already been implemented.
Would you like to know what CyFun verification involves? View the page about CyFun verification.
FAQ about the transition from CyFun 2023 to 2025 #
Do you need to switch to CyberFundamentals 2025 immediately? #
No. During the transition period, you may still choose between CyFun 2023 and CyFun 2025. This transition period runs until 18 April 2027.
Until when will certificates and verification statements based on CyFun 2023 remain valid? #
Certificates and verification statements based on CyFun 2023 remain valid until 18 April 2028 at the latest.
What changes in CyberFundamentals 2025? #
CyberFundamentals 2025 aligns more closely with NIST Cybersecurity Framework 2.0 and NIS2, places more emphasis on supply chain security and OT security, introduces Governance Measures and provides more extensive guidance for interpretation and implementation.
Does CyFun 2025 automatically provide a presumption of conformity with NIS2 legislation? #
No. In the Belgian context, CyFun can play a role in determining a presumption of conformity with NIS2 legislation. This requires careful assessment and wording.
Which version is the best fit for your organisation? #
This depends on your planning, the status of your documentation, the desired timing of verification or certification and the impact of the changes in CyFun 2025.
Questions about your situation? #
Do you have questions about the impact of CyberFundamentals 2025 on your organisation, verification or certification? Request a CyFun verification or contact us via +32 14 48 0730 or info@brandcompliance.com.
