Transition CyberFundamentals 2023 to 2025

CyberFundamentals 2025 is the revised version of CyberFundamentals 2023.  This update aligns more closely with international standards, current threats, and the Belgian context surrounding NIS2.

There is no need to switch immediately, as a transition period applies. However, it is advisable to determine in good time what the changes mean for your organization.

Would you like a quick understanding of the impact on your organization? Please contact us.

Transition period CyberFundamentals 2023-2025

During the transition period, both CyberFundamentals 2023 and CyberFundamentals 2025 will remain available. Until 18 April 2027, you may choose verification or certification based on CyFun 2023 or CyFun 2025. Certificates and verification statements based on CyFun 2023 will remain valid until 18 April 2028 at the latest. After that date, only CyFun 2025 will be accepted.

Key changes in CyFun 2025

CyberFundamentals 2025 includes several substantive and editorial improvements.

• Stronger alignment with international standards and legislation:
  CyberFundamentals 2025 better aligns with European and national regulations, including the NIS2 legislation.
• Expansion and clarification of requirements:
  The controls and guidelines have been revised and more clearly formulated.
• Increased focus on supply chain and OT security:
  The new version explicitly addresses supply chain security and operational technology (OT).
• Incorporation of user feedback:
  The 2025 version was developed partly based on feedback from the field, making the framework more practical and user-friendly.
• Introduction of Governance Measures:
  New in 2025 are the “Governance Measures,” which ensure cybersecurity assurance at board level.
• More extensive explanation and interpretation:
  The explanation of the requirements has been expanded so that organizations better understand what is expected.
• Improved structure and readability:
  In addition to content changes, grammatical, editorial, and structural improvements have been made.

What does this mean for your organization?

Is your organization already working with CyFun 2023, or are you preparing for a verification or certification process? If so, it is wise to assess in good time which version best fits your planning, documentation, and cybersecurity approach. In doing so, it is important not only to consider the validity of existing processes, but also the impact of the new requirements on governance, supply chain security, and OT security. Brand Compliance will be pleased to help you gain a clear understanding of this transition.

FAQ transition CyberFundamentals 2023-2025

Do you need to switch to CyberFundamentals 2025 immediately?
No. During the transition period, you may still choose between CyFun 2023 or CyFun 2025. This transition period runs until 18 April 2027.

Until when will certificates and verification statements based on CyFun 2023 remain valid?
Certificates and verification statements based on CyFun 2023 will remain valid until 18 April 2028 at the latest.

What are the content changes in CyberFundamentals 2025?
The new version is more closely aligned with NIST CSF 2.0 and NIS2, places greater emphasis on supply chain security and OT, introduces governance measures, and provides more extensive guidance for interpretation and implementation.

Does CyFun 2025 mean that your organization is automatically NIS2 compliant?
No. In the Belgian context, CyFun is used in determining the presumption of conformity with NIS2 legislation. This therefore requires careful wording.

Questions about your situation?

Do you have questions about the impact of the changes in CyberFundamentals 2025 on your organization, verification or certification? Please contact us via +32 14 11 55 00 or info@brandcompliance.com.