Easy Cyber Protection

ENGAGEMENT BRIEF

ECP-EB-001

Achieve audit-readiness for CyFun/NIS2

Q: Do I need compliance expertise?

The platform doesn't replace your judgment — it removes the busywork around it. Control mapping, evidence intake, gap detection, and audit packs are automated. You apply judgment to scope, risk acceptance, and evidence quality. Solo CyFun consultants tell us this cuts roughly 40–50% of their per-client hours.

Q: What do my clients see?

Your branding. Your logo on every report, every email, every page. They see you as the compliance expert.

Q: Can I set my own price?

Yes. We charge you per client. What you charge your client is entirely up to you.

Q: How do we get started?

Schedule a 20-minute call with Tom. He walks you through the platform, configures your first client together, and you go live the same week. No contract, no commitment.

Q: What does "audit-ready" mean?

It means your client has documented evidence of security controls aligned with the CyFun framework. The actual audit is done by certified CAB auditors, not by us or you.

Q: How does pricing work?

One fee: per client by client size, quoted per month and billed annually. A client is one site — a company or group spanning several sites is several clients. Brackets by the site's entity count: XS (<100) €25, S (100–999) €75, M (1k–9,999) €250, L (10k–99,999) €825, XL (100k–999,999) €2,750, XXL (1M+) €9,075. No setup fee and no monthly base — start with a free 14-day trial. Every client gets full features (AI + integrations) and AI email support, included in the license. Optional human help: human-in-the-loop support €1,500/mo, or an online NIS2 consultant one day a week €7,000/mo. You charge your client whatever you want — most MSPs charge €50–€300/month by client size. See §6 for the full schedule.

Q: Are there subsidies available?

Yes — each Belgian region runs its own programme, scoped to where the end-client is established. Flanders: VLAIO kmo-portefeuille (cybersecurity-only since Feb 2026) covers up to 45% of advisory costs (45% small / 35% medium, cap €7,500/year). Wallonia: Chèque cybersécurité via Wallonie Entreprendre covers up to 75% ex-VAT (approved provider, 12-month window). Brussels-Capital: hub.brussels consultancy grant covers IT-security advice up to €10,000/year. Your client applies in their region; we provide pre-filled templates.

≈40–50% of CISO time saved^¹

§1 Engagement summary

Issued to: Belgian CyFun practitioners.
Subject: A CyFun-native compliance platform.
Position: Built from the official CCB CyberFundamentals spec. Score, evidence, and files always match.
Scope: Survey current IT landscape (integrations, Excels) → assess risk → map controls → draft policies → verify evidence → detect gaps.
Deliverable: CAB-ready audit pack — official CCB Excel, all evidence checked, in a signed .zip.
Add-on: Senior CyFun consultants available on request.
Recommendation: 20-minute walkthrough with the founder.

^¹ Estimate by a senior CyFun consultant after a demo. See §4.

See the demo Book a 20-min call

Scan to book

Book a 20-min call

cal.com/tojans/apply-4-ecp

Framework: Belgian CyberFundamentals (CCB) — Small to Essential
Prepared by: Tom Janssens · Founder, ECP
Languages: NL · FR · EN

§2 Risk register — key risks for CyFun practitioners

§2 Risk register — key risks for CyFun practitioners
ID	Risk	Mitigation in ECP
RR-01	No CyFun toolset → client moves to a consultant	Native CyFun platform → controls mapped per tier
RR-02	Can't demonstrate CyFun Basic → dropped by NIS2 customer	Per-client supply-chain readiness → mapped to expected evidence
RR-03	Ad-hoc evidence (PDFs, emails) → CAB auditor rejects	One-click export → official CCB Excel in a signed .zip
RR-04	Excel-based compliance → scale ceiling	Wiki, per-control structure → same workflow at 5 or 500 clients
RR-05	Retail pricing → margin compressed	Wholesale per-client (€75–€750) → 70%+ margins typical
RR-06	MSP delivers solo without CyFun expertise → first audit fails → client churns	Co-delivery (§2.5, DM-01) → senior consultant carries the first 1–3 clients

RR-01

No CyFun toolset → client moves to a consultant

Native CyFun platform → controls mapped per tier

RR-02

Can't demonstrate CyFun Basic → dropped by NIS2 customer

Per-client supply-chain readiness → mapped to expected evidence

RR-03

Ad-hoc evidence (PDFs, emails) → CAB auditor rejects

One-click export → official CCB Excel in a signed .zip

RR-04

Excel-based compliance → scale ceiling

Wiki, per-control structure → same workflow at 5 or 500 clients

RR-05

Retail pricing → margin compressed

Wholesale per-client (€75–€750) → 70%+ margins typical

RR-06

MSP delivers solo without CyFun expertise → first audit fails → client churns

Co-delivery (§2.5, DM-01) → senior consultant carries the first 1–3 clients

Risk owner remains the MSP. ECP encodes the framework and produces the artifacts the CAB auditor reviews; certification is the CAB's call. ECP is not the auditor, and frankly prefers not to be.

§2.5 Delivery model — who does what, at what cost

ECP automates the artifacts. CyFun expertise — scope, risk acceptance, evidence quality, CAB remediation — is human work. Three delivery models support different MSP starting points.

§2.5 Delivery model — who does what, at what cost
ID	Model	Expertise source	Typical MSP margin
DM-01	Co-delivered	ECP senior consultant	Lower, predictable
DM-02	MSP-led	MSP's own CyFun lead	Highest, after ramp
DM-03	Channel	Independent consultant	Revenue share

DM-01 · Co-delivered

ECP senior consultant

Lower, predictable

DM-02 · MSP-led

MSP's own CyFun lead

Highest, after ramp

DM-03 · Channel

Independent consultant

Revenue share

DM-01 is the default starting point. The senior CyFun consultant (€1,500/day, §6) typically carries scope, risk acceptance, and CAB remediation on the first 1–3 clients while the MSP learns the framework. Most MSPs migrate to DM-02 within 6–12 months.

Pricing the client: retail anchors against one-off consultancy gap analysis (€5,000–€15,000). Recurring delivery prices above that floor. Specific retail levels depend on delivery model and client complexity — discuss in the 20-minute call.

ECP-EB-001 · §2.5 · the platform compresses busywork, not expertise

§3 Engagement — client compliance journey, onboard to audit

Phase 1 · Onboard & assess
- Add the client. Set scope, entities, language, CyFun tier (Basic / Important / Essential).
- Per-client risk register, mapped to CyFun controls.
- Live gap report, scored per required control.
Phase 2 · Build & evidence
- AI-drafted policies in NL / FR / EN, per client context.
- Structured evidence vault per control — reusable across clients.
- Score, evidence, and files always match: one fact change propagates everywhere.
Phase 3 · Audit & sustain
- One-click signed .zip — official CCB Excel filled with linked evidence.
- CAB submission, finding-by-finding remediation tracking.
- Annual reassessment + tier progression (Basic → Important → Essential).

§4 Division of work — automation vs judgment

§4 Division of work — automation vs judgment
Automated by ECP	Stays with the consultant
Risk assessment data + control mapping per CyFun tier	Scope decisions (in/out of NIS2 perimeter, entity types)
AI-drafted policies in NL / FR / EN, per client context	Risk acceptance — which risks to mitigate vs. accept
Structured evidence vault per control + cross-doc consistency	Evidence-quality judgment ("is this enough for a CAB auditor?")
Live gap detection, scored per required control	Client interviews — surfacing hidden processes
One-click audit pack — signed .zip with CCB Excel	CAB remediation rounds — interpreting and pushing back on findings (delivery model: §2.5)

Automated by ECP

Risk assessment data + control mapping per CyFun tier

Stays with the consultant

Scope decisions (in/out of NIS2 perimeter, entity types)

Automated by ECP

AI-drafted policies in NL / FR / EN, per client context

Stays with the consultant

Risk acceptance — which risks to mitigate vs. accept

Automated by ECP

Structured evidence vault per control + cross-doc consistency

Stays with the consultant

Evidence-quality judgment ("is this enough for a CAB auditor?")

Automated by ECP

Live gap detection, scored per required control

Stays with the consultant

Client interviews — surfacing hidden processes

Automated by ECP

One-click audit pack — signed .zip with CCB Excel

Stays with the consultant

CAB remediation rounds — interpreting and pushing back on findings (delivery model: §2.5)

§5 Deliverables

5.1 To the partner (MSP)

Portfolio dashboard — every client's compliance status at a glance
Ready-to-use policy templates, SOPs, and compliance documents
Step-by-step CyFun guidance — the platform maps the controls, you deliver the results

5.2 To the end client

Guided audit preparation — every CyFun control explained in plain language
Evidence collection & progress tracking — always know where they stand
Weekly micro-learnings via branded email — 5 minutes, no jargon

§6 Fee schedule

How to read this

Client: one site (establishment) you onboard. A company or group spanning several sites counts as one client per site.
Entity: a device, user, application, supplier or location inside that client's compliance scope.

Your monthly cost = one fee per client (= per site), by size. No base fee, no setup fee.

The fee — per client, by size

The fee — per client, by size
Size	Entity count	Rate
XS	< 100 entities	€25 /client/mo
S	100 – 999	€75 /client/mo
M	1,000 – 9,999	€250 /client/mo
L	10,000 – 99,999	€825 /client/mo
XL	100,000 – 999,999	€2,750 /client/mo
XXL	1,000,000+	€9,075 /client/mo

Entity = device, user account, application, supplier or location tracked in that site's compliance scope. Counted as distinct entities uploaded per quarter.

Worked example

12 clients (sites), each a small site in bracket S (100–999 entities): 12 × €75 = €900/month — that's the whole platform bill. Start with a free 14-day trial, no setup fee. You bill each client at your own rate — most MSPs charge €50–€300 per client per month.

No setup fee, no monthly base — per-client rates are per month, billed annually. Request a 14-day trial .

Support & advisory

Optional support plans
Plan	Rate
AI email support AI-powered email support, included in your license.	Included
Human-in-the-loop support A human in the loop on top of the AI — reviews and answers.	€1,500 /mo
NIS2 consultant An online NIS2 consultant, 1 day per week.	€7,000 /mo

Very large estates or a direct enterprise engagement? Talk to us .

§7 Architectural assurances — secure by design

§7 Architectural assurances — secure by design
#	Principle	What it means
7.1	Local-first by default	Each client's compliance data lives in a portable, digitally-signed bundle on their own infrastructure — not in our cloud.
7.2	Cloud only when working	The bundle is hosted server-side only during active edits, then returned to the client as a snapshot when work pauses.
7.3	Tamper-evident audit trail	Every change is a digitally-signed event. A CAB auditor can replay and verify the full history independently — no trust in ECP required.

7.1

Local-first by default

Each client's compliance data lives in a portable, digitally-signed bundle on their own infrastructure — not in our cloud.

7.2

Cloud only when working

The bundle is hosted server-side only during active edits, then returned to the client as a snapshot when work pauses.

7.3

Tamper-evident audit trail

Every change is a digitally-signed event. A CAB auditor can replay and verify the full history independently — no trust in ECP required.

§8 Clarifications

Q1. Do I need compliance expertise?

The platform doesn't replace your judgment — it removes the busywork around it. Control mapping, evidence intake, gap detection, and audit packs are automated. You apply judgment to scope, risk acceptance, and evidence quality. Solo CyFun consultants tell us this cuts roughly 40–50% of their per-client hours.

Q2. What do my clients see?

Your branding. Your logo on every report, every email, every page. They see you as the compliance expert.

Q3. Can I set my own price?

Yes. We charge you per client. What you charge your client is entirely up to you.

Q4. How do we get started?

Schedule a 20-minute call with Tom. He walks you through the platform, configures your first client together, and you go live the same week. No contract, no commitment.

Q5. What does "audit-ready" mean?

It means your client has documented evidence of security controls aligned with the CyFun framework. The actual audit is done by certified CAB auditors, not by us or you.

Q6. How does pricing work?

One fee: per client by client size, quoted per month and billed annually. A client is one site — a company or group spanning several sites is several clients. Brackets by the site's entity count: XS (<100) €25, S (100–999) €75, M (1k–9,999) €250, L (10k–99,999) €825, XL (100k–999,999) €2,750, XXL (1M+) €9,075. No setup fee and no monthly base — start with a free 14-day trial. Every client gets full features (AI + integrations) and AI email support, included in the license. Optional human help: human-in-the-loop support €1,500/mo, or an online NIS2 consultant one day a week €7,000/mo. You charge your client whatever you want — most MSPs charge €50–€300/month by client size. See §6 for the full schedule.

Q7. Are there subsidies available?

Yes — each Belgian region runs its own programme, scoped to where the end-client is established. Flanders: VLAIO kmo-portefeuille (cybersecurity-only since Feb 2026) covers up to 45% of advisory costs (45% small / 35% medium, cap €7,500/year). Wallonia: Chèque cybersécurité via Wallonie Entreprendre covers up to 75% ex-VAT (approved provider, 12-month window). Brussels-Capital: hub.brussels consultancy grant covers IT-security advice up to €10,000/year. Your client applies in their region; we provide pre-filled templates.

Achieve audit-readiness for CyFun/NIS2

§1 Engagement summary

§2 Risk register — key risks for CyFun practitioners

§2.5 Delivery model — who does what, at what cost

§3 Engagement — client compliance journey, onboard to audit

Phase 1 · Onboard & assess

Phase 2 · Build & evidence

Phase 3 · Audit & sustain

§4 Division of work — automation vs judgment

§5 Deliverables

5.1 To the partner (MSP)

5.2 To the end client

§6 Fee schedule

How to read this

The fee — per client, by size

Worked example

Support & advisory

§7 Architectural assurances — secure by design

§8 Clarifications

Walk through it with us.