
The New Framework CyFun Essential 2025 – Evolution or Revolution?

Overview of the (R)evolution

CyFun 2025 Essential is a significant upgrade from the 2023 edition. Where CyFun 2023 was mainly based on NIST CSF 1.1 in combination with ISO/IEC 27001:2022, the new version is fully aligned with NIST Cybersecurity Framework 2.0, including the new “Govern” function and revision of the original five functions (Identify, Protect, Detect, Respond, Recover). See CyFun2025_Booklet-ESSENTIAL.

Belgium learns from the storm: 272 incidents and the rebirth of cyber resilience

Something remarkable is happening in Belgium. While other countries are still struggling with reactive compliance and paper security, Belgian companies seem to be gradually writing a new chapter in digital resilience. The figures speak for themselves: 272 reported cyber incidents in one year — each with its own story of panic, confusion and, ultimately, transformation.

What began as a grim tally of data breaches, disruptions, and phishing attacks grew into a national wake-up call. Companies from Antwerp to Arlon learned that security is no longer a matter for IT, but for leadership. Behind every report lies a decision to work differently: to no longer ignore risks, to screen suppliers as if they were life partners, and to treat incidents as opportunities to become stronger.

“It was touch and go,” says a CISO at a medium-sized technology company, “but that one incident saved us from something much worse.” Such statements illustrate a striking trend: where the blow fell hard, innovation came back even harder. By acting quickly, reporting transparently, and learning from their mistakes, dozens of organisations not only avoided fines but also strengthened their reputations.

And now, with the launch of the CyFun Essential Framework 2025, Belgium is turning the page with remarkable confidence. The new version — based on the international NIST CSF 2.0 — is no longer a theoretical manual, but a reflection of what has been learned in practice from those 272 incidents. Incident management and supplier trust are at the heart of this evolution. Companies that were once victims are now guides for others.

Belgium is back on the radar — not because it is invulnerable, but because it dares to learn. The lesson is clear: cyber security is not a fortress, it is an ecosystem. And from every fault line, a stronger structure is now growing.

The 2025 edition has a modular structure with six functions, and the controls are directly labelled according to the NIST CSF 2.0 code (such as GV.OC, ID.IM, RS.MI, RC.CO). This ensures better traceability and alignment with ISO 27001:2022 Annex A.

Core comparison: number and nature of measures

| Element | CyFun 2023 | CyFun 2025 | Evolution |
|---|---|---|---|
| Total core functions | 5 (Identify, Protect, Detect, Respond, Recover) | 6 (Govern added) | +1 function |
| Number of key measures (Essential level) | ±155 | ±190 | +23 |
| Governance controls | 8 (in “Management & Policy”) | 20+ (GV.* section) | +150 |
| Incident management controls | 6 | 12 | doubling |
| Supplier management controls | 5 | 10 | doubling |
| Overlap with 2023 | ~70% of original measures retained | 30% revised/refined | expanded in terms of content |

Key content improvements

1. Integration of NIST CSF 2.0

The framework structure and coding are now fully aligned with CSF 2.0, with the new ‘Govern’ function bringing together strategic policy, risk management, allocation of responsibilities and supplier management. See CyFun2025_Booklet-ESSENTIAL.
Examples:

  • GV.RR-01 – GV.RR-03: emphasise top management responsibility and resource allocation.
  • GV.OC-02 and GV.OC-04: require formal stakeholder analysis and operational continuity objectives.

These additions strengthen the alignment with ISO/IEC 27001:2022 (clauses 5–8) and with NIS2 governance requirements.


2. Strengthened incident management

The 2025 edition significantly expands the Respond and Recover domains.
New controls such as:

  • RS.MA-01 to RS.MA-05: refine incident triage, categorisation and escalation processes (CyFun2025_Booklet-ESSENTIAL).
  • RS.CO-02.2: requires formal reporting of significant incidents to competent authorities, in accordance with NIS2 (CyFun2025_Booklet-ESSENTIAL).
  • ID.IM-03 & ID.IM-04: introduce mandatory post-incident evaluations and periodic testing of IR and BCP plans, including collaboration with external stakeholders (CyFun2025_Booklet-ESSENTIAL).

Impact: The incident cycle is now viewed holistically — from prevention to recovery — with measurable maturity goals and integration into risk assessments.


3. Strengthened supplier management (Supplier & Supply Chain Security)

The 2025 version doubles the number of measures relating to supplier risks:

  • GV.SC-05 – GV.SC-10: introduce full lifecycle integration of supplier management (CyFun2025_Booklet-ESSENTIAL).
  • GV.SC-07 & GV.SC-03: emphasise annual evaluations, contractual cyber clauses and continuous monitoring of supplier performance (CyFun2025_Booklet-ESSENTIAL).
  • GV.SC-10.1: requires formal offboarding procedures to minimise residual risks after termination of cooperation.

Impact: supplier management is evolving from reactive compliance to continuous risk-based oversight, similar to DORA and ENISA CVD expectations.


4. Operational improvements

  • Automation: New controls such as ID.RA-08.2 introduce automatic vulnerability distribution and tracking of measures.
  • OT coverage: Each domain now includes OT-specific guidelines, including segmentation (PR.IR-01.4), physical security and supplier coordination.
  • Evaluation & maturity tracking: The Framework Improvement [ID.IM] section links testing, lessons learned and maturity assessments to continuous improvement.

In summary: maintenance and improvement

| Category | Retained from 2023 | Improved in 2025 |
|---|---|---|
| Basic protection & awareness | Unchanged, restructured | Clearer link with CSF 2.0 and ISO 27002 |
| Risk management & governance | Fundamentally renewed | Extensive “Govern” function with top management responsibility |
| Incident management | Doubled number of measures | Integrated with recovery and external reporting obligations |
| Supplier management | Significantly expanded | Full lifecycle + contractual integration |
| Detection & monitoring | Same content | Greater emphasis on correlation and automation |
| Continuous improvement | New framework for evaluation | Maturity-oriented, in line with CyFun Maturity Model |

Conclusion

CyFun Essential 2025 marks a clear transition from a technical baseline to a governance-driven framework.
The most important innovations are:

  • Full adoption of NIST CSF 2.0 (with ‘Govern’ as the sixth function);
  • Double the emphasis on incident and supplier management, including external reporting and OT coverage;
  • A more demonstrable maturity and risk-based character with continuous improvement cycles.

In summary: approximately 70% of the original 2023 measures have been retained, while 30% have been updated or replaced by deeper, governance- and response-oriented controls.
