
Putting the CyFun® into fundamental cyber security practices

July 25, 2025

Ireland joins Romania and Belgium in recommending the use of the Cyber Fundamentals Framework (CyFun) to help mitigate common cyber-attack techniques

On 27 December 2022, the Directive on Measures for a High Common Level of Cybersecurity across the Union was published in the Official Journal of the European Union.

That long and complex official title has thankfully been shortened to 'NIS2' as the replacement for the original Network Information Security Directive (NIS1) that came into force in Europe in 2016 with the aim of boosting cybersecurity for critical infrastructure and essential services.

The NIS2 Directive significantly broadens the scope of the original legal framework as it's directed at a wider range of industries in 18 critical sectors to extend and strengthen cybersecurity requirements across the EU.

Helping organisations get ready for NIS2

As EU Member State Ireland prepares to implement NIS2, the National Cyber Security Centre (NCSC-IE) has published a new set of proposed Risk Management Measures (RMMs) and launched 'Cyber Fundamentals' (CyFun) to help organisations comply.

NCSC describes CyFun as a structured, tiered framework based on the NIST CSF that provides practical, actionable controls and can be used to prepare for Ireland's upcoming voluntary cyber security certification scheme.

The CyFun Framework was created and launched in Belgium and has now been formally adopted by Ireland and Romania, with other European countries exploring its introduction.

The three co-owners of the scheme manage the guidance and appoint their own National Competent Authority to establish a standardised approach to compliance assessment and eventual certification, similar to the UK's Cyber Essentials scheme.

Putting CyFun into practice

In Belgium, the Cyber Fundamentals Framework sets out four assurance levels - Small, Basic, Important and Essential - with Ireland choosing to focus on the latter three tiers.

These levels reflect the profile of the organisation itself based on revenue, number of staff and operating sector and the potential impacts and likelihoods of common cyber incidents occurring.

The Centre for Cybersecurity Belgium (CCB) worked with the nation's Federal CERT to consider attack profiles and then generate appropriate and proportionate mitigating security controls. The controls are based on the 4 most used frameworks in Belgium: ISO 27001/02, NIST CSF, CIS and IEC 62443.

The resulting CyFun control sets listed in Appendix I are designed to be manageable and are scaled from suiting micro-businesses in Small up to multinationals in Essential.

The Essential level sets out 140 controls judged to counter '100% of attacks'. Important has 117 controls and addresses 94% of attacks.

There are four simple steps in Belgium to implement CyFun:

  1. Perform a risk assessment to select your assurance level using the CyFun Selection Tool
  2. Complete your Self-Assessment in the Excel tool and implement corrective measures - ever-popular spider diagrams are included for management reporting
  3. Select an authorised Conformity Assessment Body and have them certify your self-assessment and implementation of mitigating measures
  4. Request your CyFun label on the Safeonweb@work portal

At launch, NCSC-IE estimates it will take 18 to 24 months to establish their own national certification body against the framework to match Belgium's steps three and four above.

Building a pan-European cybersecurity framework

Ireland’s participation strengthens the scheme’s credibility and reach. Given the significant presence of multinational companies in Ireland, the NCSC will be able to promote the adoption of the scheme not only within Ireland but across the EU.

What makes the Irish adoption and promotion of CyFun interesting is the potential to harmonise cybersecurity measures across 27 EU Member States.

NCSC-IE describe the framework as "reducing regulatory fragmentation and facilitating cross-border recognition of cybersecurity measures."

The agency also focusses on the application of the American NIST CSF approach to security across six core Functions, stating that "by aligning with an EU-based scheme that leverages the NIST CSF, the NCSC is supporting the creation of a harmonised approach that balances European regulatory requirements with global cybersecurity best practices."

In short, CyFun is pitched as 'global cybersecurity best practice' that will help companies comply with the rapidly advancing NIS2 requirements.

If the scheme continues to be adopted by other Member States in the future, we may yet see the emergence of a single global security framework.
