Last update: 29/03/2024

The Centre for Cybersecurity Belgium (CCB) has developed a tool to conduct an easy risk assessment resulting in a well-informed selection of the appropriate CyberFundamentals Assurance Level in the context of NIS2. The tool does not impose a specific risk analysis methodology to be used by organisations in their day-to-day management.

Inspired by the EU's NIS2 directive, the CCB conducted generic risk assessments for 17 sectors, particularly taking into account the national or societal consequences of a cyber attack. The results of those risk assessments are included in the tool as default values.

In order to determine the appropriate CyberFundamentals Assurance Level for your organisation you have to go through the following 4 easy steps:
 

1. Open your Risk Assessment
 

  • Download the CyFun Selection tool (Microsoft Excel workbook).
  • Select the appropriate “sector TAB” at the bottom of the workbook.
  • If your organisation falls into multiple sectors, please perform the risk analysis for each of those sectors.
     

2. Set your organisation size

Set your organisation size by entering the correct number in the cell next to the cell "Organisation Size (L/M/S=3/2/1)".

To determine your organization size, please use the following criteria:

| Size number | Size | Size criteria * |
|---|---|---|
| 3 | Large | 250 or more employees**, OR more than EUR 50 million annual turnover, OR more than EUR 43 million annual balance sheet total. |
| 2 | Medium | In between Small and Large |
| 1 | Small | Less than 50 employees AND less than EUR 10 million annual turnover AND less than EUR 10 million annual balance sheet total |

* The average size of your organisation over the course of the last accounting year. If you are part of a larger organisation (e.g. holding) or have a partner organisation, you have to take their size also into account in your calculation, unless you can prove sufficient independence from their network and information systems.

** Full Time Equivalents of all personnel who worked in or for the organisation in the last accounting year. 

For more details on the above see Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises.
 

3. Confirm or determine the impact level per Cyber Attack Category

Using its experience, the CCB has selected the following Cyberattack Categories:

  • Sabotage/ Disruption (DDOS…)
  • Information Theft (espionage…)
  • Crime (ransom attacks)
  • Hacktivism (subversion, defacement…)
  • Disinformation (political influencing)

For each category of cyberattack, the national, societal or business impact level has been determined in the column “Impact”. You can accept the default impact level or adapt it to reflect your organisation’s specific situation.

The document "Description of impact levels High, Medium and Low" provides more information on how to determine impact.

When the default value is changed, it is important to document the reasoning behind the change.
 

4. Confirm or determine the probability per Cyber Attack Category and Threat Actor Type

Using its experience, the CCB has selected the following Threat Actor Types:

  • Competitors
  • Ideologues (Hacktivists)
  • Terrorists
  • Cyber criminals
  • Nation state actors

For each Cyber Attack Category and for each Threat Actor Type, a probability (High, Medium, Low) has been determined that this type of cyber attack will be carried out by this type of Threat Actor.

The probability criteria are explained in the tab "criteria" in the CyFun Selection Tool.

You can accept the default probability or adapt it to reflect your organization’s specific situation.

When the default value is changed, it is important to document the reasoning behind the change.

In the "Criteria" tab of the CyFun selection tool, you can find more information on the meaning of probabilities Low, Medium and High.
 

Result of your risk assessment

The tool automatically generates the appropriate CyberFundamentals Assurance Level in the "CyFun Level" cell.

If your organisation falls into multiple sectors, the highest CyFun Assurance level is applicable.

When the generated "CyFun level" differs from the default "CyFun level", it is important to document the reason why.

Feedback regarding the tool can be sent to certification@ccb.belgium.be