Cyber Fundamentals (CyFun): A Practical Framework for IT and OT Security

Learn how the Cyber Fundamentals (CyFun) framework helps organisations improve IT and OT security, strengthen cyber resilience and prepare for NIS2 compliance.

As organisations prepare for increasing cybersecurity regulation, including the NIS2 Directive, many are looking for practical frameworks that improve cyber resilience without introducing unnecessary complexity.

Cyber Fundamentals (CyFun) is a risk-based cybersecurity framework designed to help organisations assess, improve and demonstrate their cybersecurity maturity. It aligns with recognised standards including the NIST Cybersecurity Framework (CSF) 2.0 and supports organisations preparing for legislation such as the NIS2 Directive.

At a recent cybersecurity conference, Gerard Joyce explored how CyFun is being adopted across Europe and why it is becoming an increasingly important option for organisations seeking a practical route to stronger cyber governance across both Information Technology (IT) and Operational Technology (OT).

Why Was Cyber Fundamentals Developed?

Many cybersecurity frameworks are comprehensive but can be challenging to implement consistently.

Cyber Fundamentals was developed to provide organisations with:

  • A practical, risk-based approach to cybersecurity
  • Alignment with recognised international standards
  • A structured pathway for organisations of different sizes and maturity levels
  • Support for both IT and Operational Technology (OT) environments
  • A foundation for organisations preparing for NIS2 compliance

The framework has already been formally adopted in several European countries, including Belgium, Ireland, Romania, Malta and Cyprus, with additional countries monitoring its development.

How is CyFun Structured?

One of the key principles behind Cyber Fundamentals is proportionality.

Rather than applying identical requirements to every organisation, CyFun provides three assurance levels that reflect organisational size, complexity and risk.

Basic

Designed for smaller organisations or those facing lower levels of cyber risk. The Basic level focuses on implementing fundamental cybersecurity controls to defend against common threats.

Important

Introduces stronger governance, security monitoring, logging, incident management and third-party risk management capabilities for organisations with greater operational exposure.

Essential

Designed for larger organisations and operators of critical services that require mature cybersecurity practices capable of addressing sophisticated threats.

This tiered approach allows organisations to improve cybersecurity at a pace appropriate to their risk profile while providing a clear roadmap for continual improvement.

The Six Core Functions of Cyber Fundamentals

Cyber Fundamentals follows the same six core functions that underpin the NIST Cybersecurity Framework 2.0.

These are:

  • Govern
  • Identify
  • Protect
  • Detect
  • Respond
  • Recover

Together these functions are supported by:

  • 22 security categories
  • 106 sub-categories
  • 220 cybersecurity controls

Importantly, the framework extends beyond traditional IT environments to include Operational Technology (OT), making it suitable for organisations managing industrial systems, manufacturing environments, utilities and other forms of critical infrastructure.

How Does CyFun Compare with Other Cybersecurity Frameworks?

Cyber Fundamentals is designed to complement, rather than replace, established cybersecurity standards.

Organisations already working with frameworks such as the ones below will recognise many of the same governance, risk management and security principles.

CyFun's strength lies in providing a practical implementation pathway that helps organisations improve cyber resilience while supporting regulatory compliance.

Is CyFun Aligned with NIS2?

Yes.

Although the NIS2 Directive does not require organisations to adopt a single cybersecurity framework, it does require organisations to implement appropriate cybersecurity risk management measures, governance arrangements, incident reporting processes and supply chain security controls.

Cyber Fundamentals provides a structured approach that supports these objectives and offers organisations a practical route towards improving cyber maturity while preparing for NIS2 obligations.

How to Get Started with Cyber Fundamentals

Organisations considering Cyber Fundamentals should begin with governance before focusing on technical controls.

Recommended first steps include:

  1. Secure board or senior management commitment.
  2. Appoint an executive sponsor or senior cybersecurity champion.
  3. Carry out a cybersecurity maturity assessment.
  4. Complete a gap analysis against the framework.
  5. Work towards achieving the Basic assurance level before progressing further.

Organisations already using NIST CSF may also find the official implementation guidance and profiles useful when assessing their current and target cybersecurity posture.

Certification for Cyber Fundamentals is expected to become available in 2027. However, organisations do not need to wait for certification and can begin implementing the framework immediately through self-assessment and continuous improvement.

Final Thoughts

Cyber Fundamentals provides organisations with a practical, scalable approach to improving cybersecurity maturity while aligning with recognised international standards and emerging regulatory expectations.

By combining governance, risk management and technical controls into a structured framework covering both IT and Operational Technology environments, CyFun offers organisations a clear pathway towards stronger cyber resilience and future certification readiness.

Whether organisations are just beginning their cybersecurity journey or looking to strengthen existing programmes, Cyber Fundamentals provides a structured and proportionate approach that can evolve alongside business needs and the changing threat landscape.

Frequently Asked Questions

What is Cyber Fundamentals (CyFun)?

Cyber Fundamentals (CyFun) is a risk-based cybersecurity framework that helps organisations improve cyber resilience through a structured set of governance, technical and operational controls. It is aligned with recognised standards, including NIST Cybersecurity Framework 2.0, and supports organisations preparing for regulatory requirements such as NIS2.

Is Cyber Fundamentals the same as NIST CSF?

No. Cyber Fundamentals is a separate cybersecurity framework, but it is closely aligned with NIST Cybersecurity Framework 2.0. It adopts similar core functions while providing a practical implementation framework with defined assurance levels and detailed security controls.

Is CyFun suitable for small organisations?

Yes. Cyber Fundamentals has been designed to be proportionate to organisational size and risk. The Basic assurance level focuses on fundamental cybersecurity controls appropriate for smaller organisations or those with lower cyber risk, while larger organisations can progress to the Important and Essential assurance levels.

Does Cyber Fundamentals cover Operational Technology (OT)?

Yes. Unlike some cybersecurity frameworks that primarily focus on Information Technology, Cyber Fundamentals also includes Operational Technology. This makes it suitable for organisations that manage industrial systems, manufacturing environments or critical infrastructure.

How does Cyber Fundamentals support NIS2 compliance?

While NIS2 does not mandate a specific cybersecurity framework, Cyber Fundamentals provides a structured approach to governance, risk management and security controls that can help organisations demonstrate good cybersecurity practices and prepare for NIS2 obligations.

How many controls are included in Cyber Fundamentals?

The framework is built around six core functions, 22 categories, 106 sub-categories and 220 cybersecurity controls. These controls provide organisations with a comprehensive roadmap for improving cybersecurity maturity.

Is Cyber Fundamentals certification available?

Certification is expected to become available in 2027. Organisations do not need to wait until certification is introduced and can begin by completing a self-assessment, identifying gaps and implementing improvements against the framework.

Where should organisations start with Cyber Fundamentals?

A good starting point is securing board or senior management commitment, appointing an executive sponsor, carrying out a maturity assessment and gap analysis, and working towards the Basic assurance level before progressing to more advanced levels.

Further Reading

For readers wishing to explore the standards and legislation referenced in this article:

About the Author

Gerard Joyce is CTO at calQrisk and has more than 30 years' experience delivering governance, risk and compliance solutions. He works with organisations across financial services and other regulated industries to strengthen operational resilience, cybersecurity and regulatory compliance. Gerard regularly presents on topics including NIS2, DORA, cyber resilience and governance frameworks.
