By Danny Zeegers – for NIS2.news – CISO of Orange Cyberdefense Belgium
Why this update saves time for internal actors
By integrating the sixth function of Governance from NIST CSF 2.0 into the Cyfun 2.0 maturity framework, internal actors such as CISOs, risk managers, and auditors gain immediate clarity on roles, responsibilities, and strategic priorities. Instead of piecing together fragmented compliance obligations, they benefit from a unified structure that aligns ISO 27001 controls, NIS2 expectations, and supply chain risk into one actionable governance model.
With AI-powered tools like CATS, routine tasks such as policy generation, risk assessments, and maturity reporting are automated and contextualized, allowing internal teams to focus on decisions, not documentation. Combined with the upcoming IAGA2026 auditor training, this dramatically reduces time spent on interpretation and rework, replacing guesswork with confidence and structure.
The result: faster audits, smarter assessments, and less operational friction.
A New Dimension: NIST CSF 2.0 as the Sixth Sense of Maturity-Driven Compliance
The release of the NIST Cybersecurity Framework 2.0 in 2024 marks a turning point in the maturity journey of cybersecurity governance. For organizations operating under the Cyfun Essentials maturity structure and aiming for a Level 3 ISO/IEC 27001:2022 profile, the latest CSF introduces more than an update — it delivers a sixth function: “Govern”, anchoring cybersecurity in strategic risk alignment and responsibility distribution.
The Sixth Function: Governance as the Organizing Spine
While CSF 1.1 was built on five core functions — Identify, Protect, Detect, Respond, Recover — CSF 2.0 introduces Govern as the sixth and foundational function.
The Govern function:
- Defines stakeholder responsibilities
- Aligns cybersecurity with risk tolerance and priorities
- Bridges legal, GRC, and operational strategy
Within the Cyfun 2.0 framework, this sixth sense amplifies existing maturity models, allowing organizations to shift from reactive control to proactive resilience — a system that senses structural weakness before technical failure.
🔄 ISO/IEC 27001:2022 Meets NIST CSF 2.0: Stronger Together
Where ISO 27001:2022 excels in control discipline and auditability, NIST CSF 2.0 strengthens the governance and maturity orchestration around it.
Key integration benefits include:
- Built-in C-SCRM (Cybersecurity Supply Chain Risk Management) mapped across all six CSF functions, with dedicated 10-point coverage in Govern
- Explicit maturity modeling for both “point-in-time” assessments and continuous risk evolution
- Powerful cross-mapping utilities for ISO 27001, NIST RMF, Privacy Framework and Secure SDLC
This makes Cyfun 2.0 a natural bridge between ISO conformity and broader GRC maturity under NIS2.
🇧🇪 Belgium as a Guide: The CCB Pathway to NIS2
Belgium’s decision to centralize national NIS2 guidance through Cyber Center Belgium (CCB) sets a clear and replicable example for other EU member states. The CCB provides:
- Defined maturity pathways for essential and important entities
- Integration of supply chain risk governance
- Alignment with frameworks such as NIST CSF 2.0, ISO 27001, and ENISA sectoral maturity models
Cyfun Essentials aligns seamlessly with this vision — offering a cross-sectoral, maturity-first framework that both entities and their digital supply chains can adopt.
The update to Cyfun 2.0 will be launched in September 2025.
🇮🇪 Ireland as a Guiding Example: The CCB Route to NIS2
Ireland has recently adopted the Cyber Center Belgium (CCB) Framework as the foundation for its NIS2 certification strategy, a visionary move already introduced by Croatia, with both countries accelerating their national readiness.
This synergy brings:
- NIS2-compliant maturity benchmarks
- Guidance for business-critical supply chains
- Alignment with global frameworks such as NIST CSF and ISO/IEC 27001
This approach aligns seamlessly with Cyfun Essentials as a sector-neutral maturity framework, fully applicable to both essential and important NIS2 entities as well as their supply chain partners.
CATS, AI & CAPA: Governance Strengthened by Machine Intelligence
The CATS engine (Compliance Audit Tracking System) completes the Cyfun maturity system by embedding CSF 2.0 logic and governance into AI-based operations.
CATS enables:
- Automated supply chain risk assessments mapped to CSF and ISO categories
- Generation of AI-driven security and GRC policies
- Intelligent CAPA tracking (Corrective and Preventive Actions) with maturity gap detection
The result: governance and risk become living systems — not just reports.
🎓 Qfirst IAGA2026: The Auditor as Governance Analyst
The Cyfun Internal Auditor & Gap Analyst (IAGA2026) course, developed by Qfirst, transforms internal audit from checklist-based control reviews into governance maturity scanning.
Auditors learn to:
- Apply all six CSF 2.0 functions
- Assess maturity in line with ISO 27001 and Cyfun levels
- Map organizational GRC posture against NIS2 expectations
Training details: https://www.qfirst.be/internal-auditor-cyfun-essential/
Conclusion: Governance, AI and Maturity — the NIS2 Trinity
With NIST CSF 2.0 as its new sixth sense, Cyfun 2.0 completes the NIS2 maturity ecosystem:
- Governance is elevated to strategic priority
- AI enables dynamic policy generation and risk analytics
- Supply chain oversight is embedded
- Internal auditors become active maturity analysts
Cyfun 2.0 makes NIS2 compliance tangible, measurable — and intuitive.
📚 Source: OneTrust — “NIST Cybersecurity Framework 2.0: Changes, Impacts, and Opportunities for Your InfoSec Program”, 2024.