CyFun Framework Ireland: The NCSC's Cybersecurity Maturity Tool Explained

The NCSC Ireland's CyFun framework helps organisations assess cybersecurity maturity across four levels. Here's what it is, how it maps to NIS2, and how to use it.

CyFun Framework Ireland: The NCSC's Cybersecurity Maturity Tool Explained

Most cybersecurity frameworks used in Ireland originate elsewhere. NIST CSF was designed for US federal agencies and critical infrastructure. ISO 27001 was built for enterprises with dedicated compliance teams. Cyber Essentials is a UK government scheme with UK context baked in.

CyFun is different. It is the cybersecurity maturity framework published by the National Cyber Security Centre (NCSC) Ireland, adapted for the Irish context from the Belgian Centre for Cyber Security (CCB) CyFun model. The NCSC references it directly in guidance documents relating to NIS2 self-assessment, which makes it the closest thing Ireland has to an official starting point for measuring your cybersecurity posture.

Most Irish SMEs have never heard of it. This guide fixes that.

What CyFun Actually Is

CyFun is a maturity framework — a structured way to assess where your organisation stands across a range of cybersecurity practices, and to identify a progression path toward a stronger posture.

It is not a certification scheme in the same way ISO 27001 is. You do not pass or fail CyFun, and there is no independent auditor who stamps you as "CyFun compliant." What it gives you is a benchmark: a structured picture of what good looks like at each level, and an honest assessment of where you currently sit.

The framework is organised across the core security functions — Govern, Identify, Protect, Detect, Respond, Recover — and breaks each down into specific practices. For each practice, you assess which of four maturity levels your organisation has reached.

The Four CyFun Levels

Level 1 — Initial. Security measures exist but are ad hoc. Practices are reactive, undocumented, and dependent on individual knowledge rather than process. Most Irish SMEs that have not actively invested in cybersecurity will land here across most practice areas. This is not a condemnation — it is an honest starting point.

Level 2 — Managed. Core practices are in place and documented. There is a basic awareness of the organisation's assets, a documented approach to patching and access control, and some incident response capability. This is the realistic target for most Irish SMEs under NIS2 minimum measures, and it represents a meaningful improvement over Level 1.

Level 3 — Defined. Practices are standardised, systematically applied, and measured. The organisation has moved beyond "we do this most of the time" to "we have a defined process, everyone follows it, and we verify that." Security is integrated into how the business operates rather than bolted on. Appropriate for larger SMEs, those in NIS2-regulated sectors, or those with significant data-handling responsibilities.

Level 4 — Optimised. Continuous improvement is embedded. Practices are reviewed, refined, and adapted based on threat intelligence and measured outcomes. Realistic for enterprise organisations and critical infrastructure operators. Chasing it as an SME is not the right use of resources.

How CyFun Maps to NIS2

This is why CyFun matters for Irish businesses right now. NIS2 — implemented in Ireland under S.I. No. 322 of 2024 — requires in-scope entities to implement "appropriate and proportionate technical and operational measures" across ten specific security areas, including risk management, access control, incident response, supply chain security, and cryptography.

CyFun Level 2 maps closely to NIS2's minimum measure expectations for most of those areas. If you can honestly assess your organisation as having reached Level 2 across the relevant practice domains, you have a credible foundation for a NIS2 compliance argument. If you are sitting at Level 1 across critical areas — no documented asset inventory, no formal patch process, no tested incident response — you have a clear picture of your gap.

The NCSC has indicated that CyFun can serve as a self-assessment tool for NIS2 purposes. This does not mean self-assessment replaces independent audit for higher-risk entities, but it does mean that working through CyFun systematically is a legitimate and recognised way to begin your NIS2 readiness work. For more detail on what NIS2 requires, see the NIS2 compliance guidance on this site.

Using CyFun Even if You Are Not in NIS2 Scope

NIS2 applies to entities in specific sectors above defined size thresholds. Many Irish SMEs will not be formally in scope. That does not make CyFun irrelevant.

A CyFun self-assessment tells you, in structured terms, what your actual security posture looks like compared to an agreed benchmark. Useful for board conversations, procurement and tender responses, and cyber insurance applications where underwriters are asking specific questions. It is also a useful precursor to ISO 27001 — a CyFun assessment gives you a low-cost way to identify the biggest gaps before you begin a formal gap analysis against the standard.

Practical First Steps for an Irish SME

Start with asset inventory. You cannot protect what you have not identified. Produce a basic list of your critical IT assets — servers, cloud services, endpoints, applications, data stores — with ownership assigned to each.

Assess your access control practices. Are privileged accounts separated from standard user accounts? Is multi-factor authentication in place for remote access and email? Is there a documented process for removing access when someone leaves?

Document your incident response process. Even a one-page document that answers "who do we call, in what order, if we suspect a breach" moves you meaningfully from Level 1 to Level 2 in this domain.

Rate yourself honestly per domain. Use the four-level scale. Avoid the temptation to rate yourself at Level 2 because you have a vague intention to implement something. Level 2 means the practice is actually in place and documented.

Prioritise the gaps. Rank your Level 1 ratings by business impact and start there. A gap in access control for cloud email is a higher priority than a gap in physical security procedures for most Irish SMEs.

The output is a prioritised remediation plan with an honest baseline — which is exactly what the NCSC, NIS2 regulators, and your board should want to see.


If you want a facilitated CyFun assessment rather than a self-directed one, Pragmatic Security can run this as a structured engagement with an output report suitable for board review and regulator discussion. Talk to us about what that looks like for your organisation.


James McGee is a CISA, CISSP, and CISM-certified security professional and founder of Pragmatic Security, an Irish vCISO advisory firm helping SMEs navigate cybersecurity and regulatory compliance.