CyberFundamentals Levels: Small vs Basic vs Important vs Essential
CyberFundamentals offers four security levels, each building on the previous one. Choosing the right tier depends on your company size, regulatory requirements, and how much risk you can afford to carry. Here's how to decide.
Understanding the Tiers
The CCB designed CyberFundamentals with a progressive approach. You start where you are and grow as needed. Each tier is a complete level - not a partial implementation of a higher tier.
Tier-by-Tier Comparison
| Tier | Controls | Coverage | Best For | NIS2 Status |
|---|---|---|---|---|
| Small | 7 | Foundation | Getting started, micro-businesses | Not sufficient |
| Basic | 34 | 82% | SMEs < 25 employees | Not sufficient |
| Important | 117 | 94% | Medium businesses, supply chains | Required for Important Entities |
| Essential | 140 | 100% | Critical infrastructure | Required for Essential Entities |
Coverage = percentage of common attack types defended against
Small Tier: The Starting Point
The Small tier covers the absolute basics that every organization should have in place. It's not about compliance - it's about having doors with locks.
Ideal for:
- Organizations just starting with cybersecurity
- Micro-businesses (< 10 employees)
- Anyone who wants a quick security baseline
The 7 controls:
1. Multi-Factor Authentication (MFA)
2. Regular security updates
3. Antivirus software
4. Network security (firewall)
5. Regular backups
6. Limited admin rights
7. Physical security measures
Basic Tier: Solid Protection
Basic tier provides real protection against the majority of threats. For many small businesses, this is the sweet spot - good security without overwhelming complexity.
Ideal for:
- SMEs with fewer than 25 employees
- Businesses not in NIS2 scope
- Companies with limited IT resources
- Organizations wanting insurance benefits
Additions from Small:
- Asset inventory and management
- Security awareness training
- Incident response procedures
- Secure configuration standards
- Email security controls
- Mobile device management basics
Important Tier: NIS2 Ready
The Important tier is designed for organizations that need comprehensive protection - either because of NIS2 requirements or because they handle sensitive data and can't afford significant security gaps.
Ideal for:
- NIS2 "Important Entities"
- Companies in supply chains of critical infrastructure
- Organizations handling sensitive customer data
- Businesses where a breach would be very costly
Additions from Basic:
- Risk management framework
- Third-party/vendor security
- Advanced access controls
- Security monitoring and logging
- Business continuity planning
- Vulnerability management program
Essential Tier: Maximum Protection
Essential tier provides the highest level of protection in the CyberFundamentals framework. It's designed for organizations where security failures could have widespread societal impact.
Ideal for:
- NIS2 "Essential Entities"
- Critical infrastructure operators
- Large organizations with complex environments
- Companies with the strictest risk-tolerance requirements
Additions from Important:
- Advanced threat detection
- Security Operations Center (SOC) capabilities
- Comprehensive supply chain security
- Detailed incident forensics
- Regulatory compliance documentation
How to Choose Your Tier
The right tier depends on three factors:
NIS2 Classification
If you're an Essential Entity, you need Essential tier. If you're an Important Entity, you need Important tier. No negotiation.
Business Risk
What would a security incident cost you? Not just direct costs - think reputation, customer trust, legal liability. Higher risk = higher tier.
Resources
Can you implement and maintain the controls? Higher tiers require more ongoing effort. Be realistic about what your team can sustain.
Quick Decision Guide
Use this simple decision tree:
- Are you a NIS2 Essential Entity?
  → Essential tier (mandatory)
- Are you a NIS2 Important Entity?
  → Important tier (mandatory)
- Do you have 25+ employees or handle sensitive data?
  → Consider Important tier
- Are you a small business just starting?
  → Start with Basic, upgrade as needed
- New to cybersecurity entirely?
  → Start with Small tier today
Can You Upgrade Later?
Yes, absolutely. CyberFundamentals is designed for progression:
- Each tier builds on the previous one - your work isn't wasted
- You can upgrade at your own pace as your needs or resources change
- Many organizations start with Basic and move to Important within 12-18 months
- Evidence and documentation from lower tiers carries forward
Get Started with Easy Cyber Protection
We guide you through whichever tier is right for you.
Frequently Asked Questions
Can I get certified at any tier?
Yes. The CCB offers certification for all four tiers. Certification provides external validation that you've implemented the controls correctly. It's optional but valuable for demonstrating compliance to customers and regulators.
What if I'm not sure about my NIS2 status?
Check our "Who Must Comply" article for detailed criteria. Generally, if you're in one of the 18 critical sectors and have 50+ employees or €10M+ turnover, you're likely in scope. When in doubt, consult with the CCB or a compliance expert.
Is Basic tier enough if I'm not in NIS2 scope?
For most small businesses, Basic tier provides excellent protection (82% of attack types). It's a great choice if you want solid security without the overhead of higher tiers. You can always upgrade if your situation changes.
How long does each tier take to implement?
Small tier: days to weeks. Basic tier: 1-3 months. Important tier: 3-6 months. Essential tier: 6-12 months. These are typical ranges - your timeline depends on your current security posture and available resources.
What's the cost difference between tiers?
Small tier is free. Cost increases with each tier due to more controls, tools, and documentation requirements. However, the cost of a breach typically far exceeds the cost of implementation at any tier.
Sources
- CCB CyberFundamentals Framework — Official tier documentation
- Centre for Cybersecurity Belgium (CCB) — Belgian authority
- NIS2 Directive (EU) 2022/2555 — NIS2 tier requirements