Last update: 29/03/2024

The Centre for Cybersecurity Belgium (CCB) has developed a tool to conduct an easy risk assessment resulting in a well-informed selection of the appropriate CyberFundamentals Assurance Level in the context of NIS2. The tool does not impose a specific risk analysis methodology to be used by organisations in their day-to-day management.

Inspired by the EU's NIS2 directive, the CCB conducted generic risk assessments for 17 sectors, particularly taking into account the national or societal consequences of a cyber attack. The results of those risk assessments are included in the tool as default values.

In order to determine the appropriate CyberFundamentals Assurance Level for your organisation you have to go through the following 4 easy steps:
 

1. Open your Risk Assessment
 

  • Download the CyFun Selection tool (Microsoft Excel workbook).
  • Select the appropriate “sector TAB” at the bottom of the workbook.
  • If your organisation falls into multiple sectors, please perform the risk analysis for each of those sectors.
     

2. Set your organisation size

Set you organisation size by entering the correct number in the cell next to the cell "Organisation Size (L/M/S=3/2/1)”.

To determine your organization size, please use the following criteria:

Size 
Number		SizeSize criteria *
3Large

250 or more employees**, OR

more than EUR 50 million annual turnover, OR

more than EUR 43 million annual balance sheet total.

2MediumIn between Small and Large
1Small

Less than 50 employees AND

less than EUR 10 million annual turnover AND

less than EUR 10 million annual balance sheet total

* The average size of your organisation over the course of the last accounting year. If you are part of a larger organisation (e.g. holding) or have a partner organisation, you have to take their size also into account in your calculation, unless you can prove sufficient independence from their network and information systems.

** Full Time Equivalents of all personnel who worked in or for the organisation in the last accounting year. 

For more details on the above see Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises.
 

3. Confirm or determine the impact level per Cyber Attack Category

Using it’s experience the CCB has selected the following Cyberattack Categories:

  • Sabotage/ Disruption (DDOS…)
  • Information Theft (espionage…)
  • Crime (ransom attacks)
  • Hacktivism (subversion, defacement…)
  • Disinformation (political influencing)

For each category of cyberattack, the national, societal or business impact level has been determined in the column “Impact”. You can accept the default impact level or adapt it to reflect your organisation’s specific situation.

The document "Description of impact levels High, Medium and Low" provides more information on how to determine impact.

When the default value was changed, it is important to document the reasoning behind this.
 

4. Confirm or determine the probability per Cyber Attack Category and Threat Actor Type

Using it’s experience the CCB has selected the following Threat Actor Types:

  • Competitors
  • Ideologues (Hacktivists)
  • Terrorists
  • Cyber criminals
  • Nation state actors

For each Cyber attack category and for each type of Threat Actor, the probability (High, Medium, Low) has been determined whether this type of cyber attack will be carried out by this type of Threat Actor.

The probability criteria are explained in the tab "criteria" in the CyFun Selection Tool.

You can accept the default probability or adapt it to reflect your organization’s specific situation.

When the default value was changed, it is important to document the reasoning behind this.

In the "Criteria" tab of the CyFun selection tool, you can find more information on the meaning of probabilities Low, Medium and High.
 

Result of your risk assessment

The tool automatically generates the appropriate CyberFundamentals Assurance Level in the "CyFun Level" cell.

If your organisation falls into multiple sectors, the highest CyFun Assurance level is applicable.

When the generated "CyFun level" differs from the default "CyFun level", it is important to document the reason why.

Feedback regarding the tool can be sent to certification@ccb.belgium.be

CyFun Selection Tool CyFun Impact Levels