Three frameworks. One goal: protect your Irish business from the attacks that are happening right now. This hub organises everything you need to understand CyFUN, implement Cyber Essentials, and apply Essential 8 — in plain English, with no jargon.
Whether you are starting from zero or trying to demonstrate NIS2 compliance to a regulator or enterprise client, this is your starting point.
What is CyFUN?
CyFUN — the Cyber Fundamentals Framework — is Ireland's national cybersecurity baseline, published by the NCSC Ireland. It is built on NIST CSF 2.0 and organises cybersecurity into six functions: Govern, Identify, Protect, Detect, Respond, and Recover.
It is voluntary — but it is the NCSC's recommended path to NIS2 compliance. For Irish SMEs trying to demonstrate that they take cybersecurity seriously to regulators, insurers, or enterprise clients, CyFUN is the most credible starting point available.
The framework works alongside — not instead of — Cyber Essentials and Essential 8. Think of CyFUN as the governance structure, Cyber Essentials as the five technical controls, and Essential 8 as the eight prioritised mitigations. Together, they form a complete baseline.
| Framework | Origin | Focus | NIS2 |
|---|---|---|---|
| CyFUN | Ireland / NCSC | Governance + risk management | Directly aligned |
| Cyber Essentials | UK / NCSC UK | 5 technical controls | Complementary |
| Essential 8 | Australia / ACSC | 8 prioritised mitigations | Complementary |
The Six CyFUN Functions
CyFUN organises cybersecurity into six functions. Each function has a dedicated article and a quick-win guide. Start with Govern — everything else depends on it.
Govern
Establish cybersecurity policies, assign accountability, and ensure leadership understands the organisation's risk exposure. This is the foundation — without governance, every other control is optional.
Identify
Know what you have: hardware, software, data, and the people who access it. You cannot protect what you cannot see. Asset inventory is the single most impactful first step for any SME.
Protect
Implement the controls that reduce your attack surface: MFA, patching, access management, email security, and staff training. This is where Cyber Essentials and Essential 8 live.
Detect
Know when something is wrong. Logging, monitoring, and alerting are the difference between discovering a breach in hours and discovering it in months — after the damage is done.
Respond
Have a plan for when — not if — something goes wrong. An incident response plan does not need to be 50 pages. It needs to answer: who calls who, what do we shut down, and who do we tell?
Recover
Get back to business. Tested backups, documented recovery procedures, and a communication plan for customers and regulators. The Essential 8 backup strategy is the gold standard for SMEs.
Frequently Asked Questions
Is CyFUN mandatory for Irish businesses?
CyFUN is currently voluntary. However, it is the NCSC Ireland's recommended baseline for NIS2 compliance, and NIS2 is mandatory for businesses in scope. If your business falls under NIS2 — and many Irish SMEs do, including those in supply chains of larger organisations — using CyFUN is the most straightforward way to demonstrate compliance.
Do I need Cyber Essentials certification to use the framework?
No. Cyber Essentials certification is a UK scheme and is not required in Ireland. You can implement the five Cyber Essentials controls without pursuing formal certification. However, if you supply UK public sector contracts or work with UK enterprise clients, certification may be required by your customer.
How long does it take to implement CyFUN?
For a typical Irish SME with 10–50 employees, achieving a basic CyFUN baseline takes 3–6 months. The 7-Day Govern Quick Start gets your governance structure in place in a week. The technical controls (Protect function) take longer — patching, MFA, and access management are ongoing processes, not one-time tasks.
What is the difference between Essential 8 Maturity Level 1 and Level 2?
Maturity Level 1 means you have implemented the control in a basic way — for example, MFA is enabled on email. Maturity Level 2 means the control is implemented consistently and comprehensively — MFA is enabled on all internet-facing services, privileged accounts, and remote access. Most Irish SMEs should target Level 1 across all eight strategies as a starting point, then progress to Level 2 for the highest-risk controls.
Can a vCISO help with CyFUN implementation?
Yes — and for most Irish SMEs, a vCISO is the most cost-effective way to implement CyFUN. A vCISO provides the senior security leadership to drive the Govern function, the technical expertise to implement the Protect controls, and the ongoing oversight to maintain compliance. Pragmatic Security provides vCISO services from €1,500/month.