Skip to main content
GenioCT

CyFun on Azure

CyberFundamentals on Azure, with 748 control-evidence links audit-ready

The CCB CyberFundamentals framework is the CCB's preferred path to demonstrating NIS2 compliance in Belgium. Governator handles the Azure side: control mapping, evidence collection, gap narratives, and assurance-level exports.

What CyberFundamentals is, and why it matters on Azure

CyberFundamentals (CyFun) is the cybersecurity assurance framework published by Belgium's Centre for Cybersecurity (CCB). It bundles ISO/IEC 27001, NIST CSF, and CIS Controls into four assurance levels and is the framework the CCB has aligned with NIS2 enforcement: an organisation that reaches the appropriate CyFun level is considered to have met the matching subset of NIS2 Article 21 measures.

For Azure environments, that means CyFun is no longer an academic exercise. The April 2026 self-assessment deadline turns it into a concrete deliverable with 748 control-evidence links to demonstrate. The reconciliation work between Azure technical state and the CyFun control set is exactly the operational layer Governator was built to automate.

The framework is also recognised across the EU through bilateral arrangements with other national authorities, so a CyFun assurance pack travels well beyond Belgium for organisations that operate cross-border.

The three assurance levels Governator covers

Each CyFun level expects a deeper Azure evidence model. Governator's collection scope and AI-assisted narrative generation scale with the level you target.

Basic Small organisations or low-risk entities

Azure focus areas

Identity hygiene (MFA, no shared admin), Defender free tier on every subscription, basic backup, encryption at rest, public-exposure inventory.

What Governator collects and produces

Light-touch collection: RBAC inventory, MFA coverage, public IP and storage exposure, backup policy assignments. Single-page assurance pack.

Important NIS2 important entities and most regulated organisations

Azure focus areas

Defender Plan 2 on production workloads, structured exemption process, RBAC drift alerting, Conditional Access posture, Key Vault inventory, Sentinel onboarding for critical resources.

What Governator collects and produces

Continuous collection across Resource Graph, Defender, Policy, RBAC, Activity Log, WAF, Storage, and Cost Management. Full evidence vault, remediation factory, and management dashboard.

Essential NIS2 essential entities and high-risk regulated environments

Azure focus areas

Multi-region BCDR with tested runbooks, customer-managed keys, full Defender plan coverage, network segmentation evidence, dedicated incident-response artefacts, supply-chain attestations.

What Governator collects and produces

Everything in Important, plus AI-assisted gap narratives, deep storage inspection with PII detection, criticality classification, supply-chain mapping, and pre-audit export at Essential level.

How Governator handles CyFun on Azure

748 pre-built control-evidence links

Each CyFun control has a defined Azure evidence model (Resource Graph queries, Defender assessments, Policy compliance, RBAC scope, log queries). Governator runs the collectors and populates the evidence vault per control.

Per-control gap narrative

Where evidence is missing, Governator generates a narrative explaining what is needed, what state was found, and what remediation or attestation closes the gap. The narrative is auditor-ready and tied to your specific Azure inventory.

Attestations, exemptions, and review dates

Some controls cannot be evidenced from Azure data alone. Governator ships an attestation flow for the manual ones (e.g., training records, BCDR runbook tests) and a structured exemption flow with business justification and mandatory review dates.

Pre-audit export at your target level

Color-coded XLSX with executive summary, control evidence matrix, gap analysis, attestations, and exemption register. The format the CCB and external auditors expect, generated on demand.

Continuous drift detection

Once you reach a target level, Governator runs collection on a schedule and alerts on drift. The assurance percentage on your dashboard reflects current state, not last quarter's snapshot.

Assessment, or continuous assurance?

CyFun Readiness Assessment

A one-time engagement that uses Governator to produce a point-in-time compliance picture with expert interpretation. Output: a roadmap to your target assurance level with prioritised remediation, attestations, and a CCB-ready evidence pack.

Typical timeline: 3-5 weeks.

Continuous CyFun Assurance

Governator as a managed service: scheduled collection, drift alerting, board reporting, and on-demand assurance-pack regeneration. Designed for organisations that need to maintain a target level rather than reach it once.

Engagement: ongoing.

Discuss a CyFun readiness assessment See the full Governator platform

Related

→ Azure NIS2 compliance: Article 21 mapping and audit evidence → Defender for Cloud vs Governator: where Microsoft stops on compliance → Your Board Is Asking About NIS2. Here Is What You Actually Need to Do → Defender for Cloud in 2026 and What to Enable, Tune, and Skip → Why Every Azure Enterprise Needs a WAF Analysis Methodology

Start with a Governator-powered Azure Health Check

Not sure where to begin? A quick architecture review gives you a clear picture. No obligation.

  • Risk scorecard across identity, network, governance, and security
  • Top 10 issues ranked by impact and effort
  • 30-60-90 day roadmap with quick wins
Book a Conversation