CyberFundamentals compliance tracker for Belgian SMEs
Auto-check your Microsoft 365 tenant against Belgium's 34 CyFun Basic-level controls. Built for the NIS2 transposition deadline (April 18, 2026) to help organizations assess, track, and improve their cybersecurity posture.
CyberFundamentals (CyFun) is a cybersecurity framework published by the Centre for Cybersecurity Belgium (CCB) via SafeOnWeb. It maps to NIST CSF v1.1 and defines security controls at four assurance levels. The Basic level targets small organizations and covers 82% of historical Belgian cyber-attack types.
This tool covers all 34 Basic-level controls across five NIST CSF functions:
| Function | Controls | Key Measures |
|---|---|---|
| Identify | 9 | 0 |
| Protect | 17 | 10 |
| Detect | 4 | 2 |
| Respond | 3 | 0 |
| Recover | 1 | 0 |
| Total | 34 | 13 |
- 11 automated checks via Microsoft Graph API covering identity management, MFA enforcement, access control (4 sub-controls), patch management, audit logging, event correlation, user activity monitoring, and anti-malware
- 62% of key measures can be verified automatically
- Checks run in parallel batches to avoid API rate limits
- Guided attestation for 16 manual controls (governance, physical security, HR, incident response, recovery)
- Dual maturity scoring (documentation + implementation, 1-5 scale) matching the official CyFun methodology
- Evidence notes and attestation history
- Create and manage remediation actions from compliance findings
- Priority levels (critical/high/medium/low)
- Status workflow: Open -> In Progress -> Done
- Assignee and due date tracking
- Overview - Compliance donut chart, NIST CSF function scores, trend sparklines, key measures status, critical findings
- Controls - All 34 controls with search, filter by function/key measure/automation level, gap analysis
- Control Detail - Per-control scores, maturity levels, findings table, Graph API endpoints used, remediation guidance
- Trends - Historical score progression per function over time
- DNS Security - SPF, DKIM, DMARC record validation (free, no API key)
- SSL/TLS - SSL Labs grading via their free API
- HTTP Headers - Mozilla Observatory scoring
- All mapped to relevant CyFun controls (PR.PT-4, PR.AC-5)
- CSV export - All 34 controls with scores, maturity levels, and details
- Print-ready PDF - Full compliance table via browser print
- Statement of Applicability format (planned)
- Dark mode with system detection
- Mobile-responsive layout
- All settings configurable via GUI (no .env files needed)
- localStorage persistence (works without a database)
- Optional Neon PostgreSQL for multi-device storage
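The DNS Security scan listed above validates SPF, DKIM and DMARC records. As an added example (not code from the cyfun project), the following TypeScript shows the kind of offline validation such a scan performs on SPF and DMARC TXT strings: version tag, terminating `all` mechanism and the RFC 7208 limit of 10 DNS-lookup mechanisms for SPF; policy, `pct` and reporting address for DMARC. The record strings in `demo()` are constructed; a real scan would fetch them with a DNS resolver. DKIM is left out because its record lives under a per-sender selector that the scanner has to know first.

```typescript
// Added example, not code from the cyfun project: offline validators for the SPF and
// DMARC TXT records that an external DNS scan checks. Record strings are constructed.

export interface SpfResult {
  ok: boolean;                // true when no findings were raised
  policy: "fail" | "softfail" | "neutral" | "pass" | "none";
  lookups: number;            // mechanisms that trigger DNS lookups (RFC 7208 caps this at 10)
  issues: string[];
}

export function checkSpf(txt: string): SpfResult {
  const issues: string[] = [];
  const terms = txt.trim().split(/\s+/);
  if ((terms[0] ?? "").toLowerCase() !== "v=spf1") {
    return { ok: false, policy: "none", lookups: 0, issues: ["missing v=spf1 version tag"] };
  }
  let lookups = 0;
  let policy: SpfResult["policy"] = "none";
  for (const term of terms.slice(1)) {
    // qualifier (+ - ~ ?) followed by a mechanism or modifier and an optional argument
    const m = /^([+\-~?]?)(include|a|mx|ptr|exists|redirect|all|ip4|ip6)(?:[:=/](.*))?$/i.exec(term);
    if (!m) { issues.push(`unrecognised term: ${term}`); continue; }
    const qualifier = m[1] ?? "";
    const mechanism = (m[2] ?? "").toLowerCase();
    if (["include", "a", "mx", "ptr", "exists", "redirect"].includes(mechanism)) lookups++;
    if (mechanism === "ptr") issues.push("ptr mechanism is deprecated and slow to evaluate");
    if (mechanism === "all") {
      policy = qualifier === "-" ? "fail" : qualifier === "~" ? "softfail" : qualifier === "?" ? "neutral" : "pass";
    }
  }
  if (lookups > 10) issues.push(`${lookups} DNS-lookup mechanisms exceed the RFC 7208 limit of 10`);
  if (policy === "none") issues.push("no 'all' mechanism: unlisted senders get an implicit neutral result");
  if (policy === "pass") issues.push("'+all' authorises every host to send as this domain");
  return { ok: issues.length === 0, policy, lookups, issues };
}

export interface DmarcResult {
  ok: boolean;
  policy: "none" | "quarantine" | "reject" | "invalid";
  issues: string[];
}

export function checkDmarc(txt: string): DmarcResult {
  const issues: string[] = [];
  // DMARC records are "tag=value" pairs separated by semicolons
  const tags = new Map<string, string>();
  for (const part of txt.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    tags.set(part.slice(0, eq).trim().toLowerCase(), part.slice(eq + 1).trim());
  }
  if (tags.get("v") !== "DMARC1") issues.push("record must contain v=DMARC1");
  const p = (tags.get("p") ?? "").toLowerCase();
  let policy: DmarcResult["policy"] = "invalid";
  if (p === "none" || p === "quarantine" || p === "reject") policy = p;
  if (policy === "invalid") issues.push("p tag must be none, quarantine or reject");
  if (policy === "none") issues.push("p=none only monitors; spoofed mail is still delivered");
  const pct = tags.get("pct");
  if (pct !== undefined && Number(pct) < 100) {
    issues.push(`pct=${pct} applies the policy to only part of the mail stream`);
  }
  if (!tags.has("rua")) issues.push("no rua address: aggregate reports will not be received");
  return { ok: issues.length === 0, policy, issues };
}

// Constructed records for a Microsoft 365 tenant; the domain and mailbox are placeholders.
export function demo(): { spf: SpfResult; dmarc: DmarcResult } {
  return {
    spf: checkSpf("v=spf1 include:spf.protection.outlook.com -all"),
    dmarc: checkDmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
  };
}
```

Both functions return findings rather than a bare pass/fail so the dashboard can show why a record was flagged; a DMARC record with `p=none` is syntactically valid but is still reported, because it changes nothing about delivery.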
| Layer | Technology |
|---|---|
| Framework | Next.js 16 (App Router) |
| Language | TypeScript 5 |
| Styling | Tailwind CSS 4 + shadcn/ui |
| Charts | Recharts |
| Auth | MSAL.js (@azure/msal-browser, @azure/msal-react) |
| M365 API | @microsoft/microsoft-graph-client |
| Database | Drizzle ORM + Neon PostgreSQL (optional) |
| Hosting | Vercel (free tier) |
- Node.js 20+
- npm
```bash
git clone https://github.com/Yasuke2000/cyfun.git
cd cyfun
npm install
npm run dev
```

Open http://localhost:3000. The app loads with realistic demo data immediately - no M365 tenant needed to explore.
- Register an app in Azure Portal > Microsoft Entra ID > App registrations
- Add the required application permissions (listed in Settings page)
- Grant admin consent
- Enter your Client ID, Tenant ID, and Client Secret in the app's Settings page
Required permissions:

```text
Policy.Read.All, AuditLog.Read.All, Directory.Read.All, User.Read.All,
SecurityEvents.Read.All, SecurityAlert.Read.All, UserAuthenticationMethod.Read.All,
DeviceManagementManagedDevices.Read.All, DeviceManagementConfiguration.Read.All,
DeviceManagementApps.Read.All, RoleManagement.Read.Directory,
SharePointTenantSettings.Read.All, Domain.Read.All, IdentityRiskEvent.Read.All,
AttackSimulation.Read.All, Reports.Read.All
```
- Push to GitHub
- Import in Vercel
- Framework preset: Next.js
- Deploy - no environment variables required
The app works fully on the Vercel Hobby (free) tier with zero configuration.
If you prefer server-side configuration over the GUI:
```env
NEXT_PUBLIC_AZURE_AD_CLIENT_ID=
NEXT_PUBLIC_AZURE_AD_TENANT_ID=
AZURE_AD_CLIENT_ID=
AZURE_AD_CLIENT_SECRET=
AZURE_AD_TENANT_ID=
DATABASE_URL=
```

```text
src/
├── app/
│   ├── (dashboard)/          # Dashboard route group
│   │   ├── dashboard/        # Main dashboard pages
│   │   │   ├── attestations/ # Manual attestation workflow
│   │   │   ├── controls/     # Control browser + detail
│   │   │   ├── external/     # DNS/SSL/Observatory scans
│   │   │   ├── remediations/ # Remediation action tracking
│   │   │   ├── reports/      # CSV/PDF export
│   │   │   ├── settings/     # App configuration
│   │   │   └── trends/       # Historical trend charts
│   │   └── layout.tsx        # Sidebar + mobile nav
│   ├── api/                  # API routes
│   │   ├── compliance/       # Scan + per-control checks
│   │   └── external/         # DNS + SSL proxy endpoints
│   ├── layout.tsx            # Root layout with providers
│   └── page.tsx              # Landing page
├── components/
│   ├── auth/                 # MSAL provider + login button
│   ├── dashboard/            # Charts, cards, sidebar, nav
│   └── ui/                   # shadcn/ui components
└── lib/
    ├── auth/                 # MSAL config + Graph client
    ├── compliance/           # Check engine + 7 check modules
    ├── cyfun/                # 34 control definitions + types
    ├── db/                   # Drizzle schema + connection
    ├── external/             # DNS, SSL Labs, Observatory
    ├── demo-data.ts          # Stable demo data
    └── store.ts              # localStorage persistence
```
| Level | Controls | Coverage |
|---|---|---|
| Fully automated | 8 (24%) | PR.AC-1, PR.AC-3(b), PR.AC-4(a-d), PR.MA-1, PR.PT-1, DE.AE-3, DE.CM-3, DE.CM-4 |
| Semi-automated | 10 (29%) | ID.AM-1, ID.AM-2, ID.RA-1, PR.AC-5(a), PR.AT-1, PR.IP-4, PR.PT-4, DE.CM-1 |
| Manual | 16 (47%) | Governance, physical security, HR, incident response, recovery |
62% of the 13 key measures can be fully automated via Microsoft Graph API.
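The feature list states that the automated checks run in parallel batches to avoid Graph API rate limits, and the table above names the controls that are fully automated. As an added example (not the project's own check engine), the TypeScript below shows one way to do this: a batch runner with bounded concurrency that, when a check is throttled with `429 Too Many Requests`, waits for the server's Retry-After hint before trying again and gives up after a fixed number of retries. The control identifiers come from the table; the check functions and the throttling they simulate are constructed stand-ins, not Graph calls, and the retry limit of 3 is an assumption.

```typescript
// Added example, not code from the cyfun project: run compliance checks in bounded
// parallel batches and back off on 429 responses. Checks and throttling are simulated.

export type CheckStatus = "pass" | "fail" | "error";
export interface CheckResult { control: string; status: CheckStatus; attempts: number; detail: string }
export interface Check { control: string; run: () => Promise<{ status: CheckStatus; detail: string }> }

// Thrown by a check when the API answered 429; carries the server's Retry-After hint.
export class RateLimitError extends Error {
  readonly retryAfterMs: number;
  constructor(retryAfterMs: number) {
    super("429 Too Many Requests");
    this.retryAfterMs = retryAfterMs;
    Object.setPrototypeOf(this, RateLimitError.prototype);
  }
}

const sleep = (ms: number): Promise<void> => new Promise((resolve) => setTimeout(resolve, ms));

// Run one check; on throttling, wait the hinted time and retry at most maxRetries times.
// Any other failure, or exhausting the retries, is recorded as an "error" result so a
// single unreachable endpoint never aborts the whole scan.
export async function runWithBackoff(check: Check, maxRetries = 3): Promise<CheckResult> {
  let attempts = 0;
  for (;;) {
    attempts++;
    try {
      const { status, detail } = await check.run();
      return { control: check.control, status, attempts, detail };
    } catch (err) {
      if (err instanceof RateLimitError && attempts <= maxRetries) {
        await sleep(err.retryAfterMs);
        continue;
      }
      const detail = err instanceof Error ? err.message : String(err);
      return { control: check.control, status: "error", attempts, detail };
    }
  }
}

// Each batch of `batchSize` checks runs in parallel; batches run one after another,
// which keeps the number of in-flight API requests bounded. Result order matches input order.
export async function runInBatches(checks: Check[], batchSize = 4): Promise<CheckResult[]> {
  const results: CheckResult[] = [];
  for (let i = 0; i < checks.length; i += batchSize) {
    const batch = checks.slice(i, i + batchSize);
    results.push(...(await Promise.all(batch.map((c) => runWithBackoff(c)))));
  }
  return results;
}

// Constructed stand-in for a Graph-backed check: answers 429 for the first `throttled`
// calls (with a 5 ms Retry-After to keep the demo fast), then returns `status`.
export function simulatedCheck(control: string, throttled: number, status: CheckStatus = "pass"): Check {
  let calls = 0;
  return {
    control,
    run: async () => {
      calls++;
      if (calls <= throttled) throw new RateLimitError(5);
      return { status, detail: `${control} evaluated after ${calls} call(s)` };
    },
  };
}

export async function demo(): Promise<CheckResult[]> {
  const checks: Check[] = [
    simulatedCheck("PR.AC-1", 0),
    simulatedCheck("PR.AC-3(b)", 2, "fail"),
    simulatedCheck("PR.MA-1", 0),
    simulatedCheck("DE.CM-4", 5), // throttled more often than maxRetries allows: ends as "error"
    simulatedCheck("PR.PT-1", 1),
  ];
  return runInBatches(checks, 2);
}
```

In a real scan, `run` would wrap a Graph client call and translate a 429 response's Retry-After header into `RateLimitError`; keeping the translation at that boundary means the batch runner needs no knowledge of the HTTP client.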
- CyberFundamentals Framework - CCB official documentation
- SafeOnWeb CyFun - Framework overview
- NIS2 Directive - EU cybersecurity regulation
- Microsoft Graph API - M365 API documentation
- NIST CSF v1.1 - Framework mapping reference
MIT