ISMS Compliance

ID.GV-3: Legal and regulatory requirements

Legal and regulatory requirements regarding cybersecurity are understood and managed


Requirement

Legal and regulatory requirements regarding information/cybersecurity, including privacy obligations, shall be understood and implemented.

Our Implementation

Legal and regulatory requirements are identified and addressed across the following frameworks:

  • GDPR: As a Belgian company processing EU customer data, GDPR compliance is a core requirement. Critical data stores (Supabase) are hosted in EU regions (AWS eu-central-1). Data processing provisions include breach notification within 72 hours, data subject rights (access, deletion, portability), and lawful processing bases
  • Belgian regulatory framework: CERT.be notification requirements are incorporated into the Incident Response Plan for security incident reporting
  • CyFun framework: This ISMS documentation implements the Belgian Cybersecurity Framework (CyFun) at the Basic assurance level
  • No high-risk processing: The organisation does not process special categories of personal data under GDPR Article 9

Gaps / Planned improvements:

  • Formal documentation of data residency per provider not yet compiled (NEX-374)
  • Formal Data Protection Impact Assessment (DPIA) not yet conducted (NEX-362)
  • DPA agreements pending with several cloud providers (NEX-348)

Evidence

Status: Implemented (L2 — Repeatable)
