Cyber Fundamentals
Important: Certification or self-assessment under Cyber Fundamentals is optional. Compliance with NIS2 will always be a matter determined by the relevant National Competent Authority (NCA) empowered by legislation. CyFun is one recognised way to organise and evidence your controls, not a statutory presumption of compliance.
Ireland has joined the Cyber Fundamentals Framework (CyFun), originally developed in Belgium, as a scheme co-owner. The CyFun framework provides a structured, risk-based approach to help essential and important entities organise and evidence their NIS2 security measures.
The NCSC recommends the CyberFundamentals (CyFun) framework (NIST CSF 2.0 version) as a well-recognised, structured, voluntary tool to assist entities in meeting their NIS2 obligations. CyberFundamentals provides a tiered, standards-based framework grounded in the NIST Cybersecurity Framework v1.1, soon to transition to v2.0 (Q3 2025). Version 1 is available for use now; however, we will be using the second version, due September 2025. Further information is available at CyberFundamentals Framework | CCB Safeonweb.
Certification through CyberFundamentals will be optional but is seen as a strong and credible route to support compliance and can also serve as a business enabler and trust-building mechanism in supply chains and regulatory contexts.
A national certification system will take 18-24 months to establish due to the need for legal agreements, resourcing, and accreditation infrastructure. In the meantime, entities are encouraged to use the framework internally and begin preparations.
How the Cyber Fundamentals Scheme Works
CyFun is a structured framework designed to provide a risk-based approach to cybersecurity, built around a model that allows organisations to be assessed at different levels of maturity. It is fundamentally based on the NIST Cybersecurity Framework (CSF), which is widely recognised internationally, and serves as the foundation for many cybersecurity assurance schemes.
At the core of the scheme is an initial selection tool that enables an organisation to determine its cybersecurity maturity level. This assessment considers factors such as the organisation's size, sector, risk exposure, and the potential impact of a security incident. Based on this assessment, the organisation is assigned one of three levels (Small, Basic, Important, Essential) of security maturity, ranging from foundational cybersecurity controls at the lower levels to more stringent requirements for high-risk entities.
For organisations classified as important or essential under NIS2, CyFun provides a pathway to certification or formal assurance. This ensures that organisations with a high degree of societal or economic importance can demonstrate compliance through a structured, externally validated process. Once the forthcoming update is released, the scheme's reliance on NIST CSF V2.0 provides a well-established framework structured around six key cybersecurity functions:
- Govern: Determining how an organisation's cybersecurity risk management strategy, risk appetite and policy are established, communicated, and monitored.
- Identify: Understanding organisational risks, assets, and vulnerabilities.
- Protect: Implementing controls to prevent cybersecurity incidents.
- Detect: Developing capabilities to recognise and respond to threats.
- Respond: Establishing incident response and mitigation procedures.
- Recover: Ensuring business continuity and resilience following incidents.

By structuring compliance around these core principles, CyFun provides a flexible but comprehensive framework that can be adapted across multiple sectors. CyFun is currently being updated to reflect the NIST CSF v2.0 changes. The NCSC is contributing to this update, which is expected to be completed by Q3 2025.
The Role of CyFun in Ireland's Compliance Framework
The development of Ireland's NIS2 compliance framework will be underpinned by the requirements set out in the National Cyber Security Act (once published), and any subsequent associated statutory instruments. The primary legislation will establish the overarching security obligations, while subsequent statutory instruments will provide more detailed requirements, including the risk management measures essential and important entities must implement. CyFun will serve as a key component of this compliance structure, both informing the statutory instrument and acting as a recognised means by which entities can clearly demonstrate compliance.
The scheme does not, however, represent the sole route to compliance, and will be optional and voluntary. The NCSC will continue to recognise other internationally accepted standards such as ISO 27001 for information security and ISO 62443 for industrial control systems. Similarly, direct assessments carried out by National Competent Authorities (NCAs), or self-assessments for lower-risk entities, may also occur where appropriate. This approach is designed to provide flexibility, ensuring that organisations can meet their obligations in a way that aligns with their existing security frameworks while maintaining consistency with the Directive's core requirements.
Cyber Fundamentals Resources
While the NCSC will develop specific resources and guides for the operation of CyFun in Ireland, there is already a significant amount of tooling and supports available from the CCB on their CyFun home page. There is also an FAQ page available here: CyFun FAQs.