NIS2 is in force. The scope question is harder than it looks.
Scope determination, gap analysis, and implementation for essential and important entities. CyFun-aligned for Belgian organisations. Governance that holds under audit, not just on paper.
WHO NEEDS TO COMPLY
Sixteen sectors. Two categories.
NIS2 applies to organisations in sixteen sectors across the EU, split into two categories.
- Essential entities
Energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space. Subject to the strictest obligations and the most comprehensive audit requirements.
- Important entities
Postal and courier services, waste management, manufacture of critical products, food, chemicals, digital providers, research. Subject to significant obligations, with a lighter audit regime than essential entities.
Size matters too. NIS2 generally applies to medium and large organisations: more than 50 employees or more than €10 million in turnover. Smaller organisations in critical sectors may still fall within scope. The scope determination engagement answers that question precisely for your organisation.
WHERE ORGANISATIONS GET STUCK
Three patterns we see again and again.
- 01 · Scope that is wrong in both directions
Most organisations get the scope question wrong on the first pass. Either they over-scope, treating systems that fall outside NIS2 as if they were essential, or they under-scope, missing the third-party dependencies that pull them into the directive's reach. Both create problems. Only one shows up in an audit.
- 02 · Governance that lives in documents, not systems
The paperwork exists. The controls are listed. But when an auditor asks how a control is enforced, the answer is a policy document, not a system. Governance that is not embedded in how the organisation actually operates does not hold.
- 03 · No clear owner
NIS2 imposes obligations on management, not just IT. When nobody in the organisation has clear accountability for the programme, the gap between what is required and what is in place grows quietly until it becomes urgent.
HOW THE ENGAGEMENT RUNS
NIS2 readiness is a phased engagement. Scope always comes first.
FIG · 01 · NIS2 READINESS PHASES
- 01 · Scope determination
The asset inventory is walked, not assumed. Third-party dependencies are mapped. Which systems and entities fall under NIS2 is determined with precision, and a signed scope brief is produced, ready to present to the supervisory body. Delivered in two weeks.
- 02 · Gap analysis
The current security posture is assessed against what NIS2 requires. Every gap is documented with the operational reasoning behind it. The output is not a checklist. It is a finding set the organisation can act on and defend.
- 03 · Remediation
The gaps are closed in order of risk and regulatory priority. Where a Forward Deployed Engineering mission is the right way to close a gap, the two engagements run together. Where policy or process changes are sufficient, those are designed and implemented.
- 04 · Audit brief
A regulator-ready brief documenting what was done, why, and what the organisation's compliance position is. Written to be shown, not filed.
CYFUN · THE BELGIAN CONTEXT
NIS2 in Belgium runs through CyFun. Four levels, four obligations.
In Belgium, NIS2 is interpreted through CyFun, the control framework developed and audited by the Centre for Cybersecurity Belgium. CyFun defines four levels. Which level applies depends on your organisation's size, sector, and classification under NIS2.
- Small · Self-assessment
For micro-enterprises and low-risk entities. Verified through an internal self-assessment checklist. Covers basic digital hygiene and fundamental security measures. The starting point for organisations just beginning their cybersecurity programme.
- Basic · External audit
For SMEs with low to medium risk. Requires an external audit by a CCB-approved conformity body. Approximately 34 core security controls. Establishes a structured baseline against common, automated threats.
- Important · Third-party certification
For entities classified as Important under NIS2. Requires mandatory, regular third-party certification audits by the CCB. Expands significantly to cover operational continuity and data protection. Aligns closely with standard NIS2 risk management requirements.
- Essential · Strict third-party certification
For critical infrastructure and entities classified as Essential under NIS2. The most demanding level. Up to 140 advanced controls, mirroring ISO 27001 and NIST standards. Requires strict, comprehensive third-party certification audits by the CCB.
Not sure which level applies to your organisation? The scope determination engagement answers that question and produces a signed brief you can take to your supervisory body.
BEYOND NIS2
Other directives, addressed coherently.
The regulatory landscape does not stop at NIS2. For financial entities and their critical ICT providers, DORA adds a parallel layer of operational resilience obligations that intersects with NIS2 in places. The EU AI Act imposes governance obligations on AI systems across all sectors. Where more than one directive applies, we work alongside the right specialists to make sure the engagements produce coherent documentation, not contradictory parallel tracks.
Tell us where your NIS2 programme stands today.
We will tell you what the right starting point is and what it would produce.
COMMON QUESTIONS
Asked before starting.
- How do we know if NIS2 applies to us?
NIS2 applies to essential and important entities across a broad range of sectors. The scope question is not always obvious. It depends on your sector, size, and the systems you operate. Scope determination is the first engagement, and it answers that question with a signed brief you can present to your supervisory body.
- What is CyFun?
CyFun is the Belgian interpretation of NIS2, developed by the Centre for Cybersecurity Belgium. It defines four levels: Small, Basic, Important, and Essential. Each carries different control requirements and audit obligations. All Imageplus NIS2 engagements are aligned to CyFun.
- Which CyFun level applies to us?
It depends on your organisation's size, sector, and classification under NIS2. The scope determination engagement answers that question precisely and produces a signed brief you can take to your supervisory body.
- What does the scope determination produce?
A signed scope brief that identifies which systems and entities fall under NIS2, maps third-party dependencies, and produces a supervisory-body draft. Delivered in two weeks.
- Do we need a CISO to run a NIS2 programme?
Not necessarily a full-time one. A fractional CISO can own the NIS2 programme, covering preparation, implementation, and the yearly review cycle, without the full-time hire. That engagement is available directly through the fractional and interim offer.
- What happens after the initial implementation?
NIS2 is not a one-time exercise. The yearly review cycle is a real obligation. A fractional CISO engagement covers ongoing compliance, so the organisation is never caught unprepared at the next cycle.
- Does this cover DORA and the EU AI Act as well?
The EU AI Act, yes, directly. DORA applies specifically to financial entities and their critical ICT providers. Where a client operates in that space, we work alongside specialists to make sure the NIS2 and DORA obligations are addressed coherently. The two directives overlap in places, and the documentation needs to reflect that.