CYRA Framework (2025): The New Dutch Standard for Cybersecurity Maturity and Certification

Apr 15, 2025 | News and Blogs

What Is CYRA?

CYRA is a Dutch national framework and certification method that measures and enhances cybersecurity maturity. It offers a structured, step-by-step approach for organizations to evaluate, strengthen, and certify their information security.

As of January 2025, the CYRA framework is officially managed by the Centre for Crime Prevention and Safety (CCV) in the Netherlands. Its primary goal is to create a consistent and practical standard for cyber resilience across sectors.

 

Official Governance under CCV

The CCV oversees the ongoing development, validation, and quality control of CYRA. By centralizing its governance, the Netherlands aims to ensure a unified national approach to cybersecurity maturity and reduce fragmentation in assessments across industries.


Why CYRA Was Created

Many organizations struggle with inconsistent cybersecurity requirements, particularly SMEs facing multiple customer-specific questionnaires. CYRA addresses this problem by introducing a standardized national framework that helps organizations:

  • Understand their current maturity level

  • Implement targeted improvements

  • Obtain formal recognition through certification

This approach promotes transparency and trust within supply chains, aligning with broader EU cybersecurity initiatives such as NIS2.


How the CYRA Method Works

CYRA operates as a maturity model, guiding organizations from basic to advanced levels of cyber resilience.

The CYRA Levels Explained

The model starts with the Entry level and supports growth across multiple domains. Each level provides practical criteria and improvement guidance tailored to an organization’s size, complexity, and digital environment.

Domains Covered by CYRA

CYRA evaluates maturity in several key areas:

  1. Information and IT Security

  2. Privacy and Data Protection

  3. Supply Chain Responsibility

  4. (Optional) Digital Subversion — addressing risks of criminal influence through digital channels


Key Features of the CYRA Framework

Self-Assessment and Practical Guidance

Organizations can perform a self-assessment using CYRA’s standardized control set. Each result includes improvement tips, helping teams focus on practical next steps without needing deep technical expertise.

Independent Certification Process

Once an organization reaches a sufficient maturity level, certification can be completed through independent accredited assessors. This ensures credibility and uniformity, regardless of company size or sector.


CYRA and the Digital Subversion Framework (NDO)

In cooperation with the Digital Subversion Framework (NDO), CYRA now includes additional assessment criteria for organizations exposed to criminal or extremist digital influence.
This integration allows certified entities to demonstrate not only cybersecurity readiness but also resilience against digital manipulation and social engineering risks.


CYRA vs. RiskStudio Cyber Ratings

Although both use the term “cyber rating,” CYRA and RiskStudio are entirely separate systems.
CYRA is a manual certification framework based on organizational assessments, policies, and governance maturity.
RiskStudio’s Cyber Ratings, on the other hand, are automated, data-driven scores derived from continuous technical scanning and open-source intelligence.


How CYRA Complements RiskStudio

For organizations using RiskStudio, a CYRA certificate adds valuable context to supplier evaluations.
While RiskStudio provides real-time visibility into technical vulnerabilities, data breaches, and ransomware incidents, CYRA highlights organizational preparedness and structural governance.

Together, they offer a complete picture of a company’s cybersecurity posture — blending automated risk signals with evidence-based certification.
This combined view helps procurement and compliance teams make more informed, strategic decisions.


Who Should Use CYRA?

The framework is especially valuable for:

  • SMEs looking to professionalize their cybersecurity management

  • Suppliers aiming to demonstrate compliance to large clients

  • Public organizations seeking uniform security assessments

  • Consultants and auditors supporting maturity development


Benefits of CYRA Certification

  • Clear, structured improvement roadmap

  • Recognized national standard managed by CCV

  • Builds trust within digital supply chains

  • Reduces audit fatigue from overlapping requirements

  • Strengthens internal governance and accountability


Frequently Asked Questions (FAQs)

1. What does CYRA stand for?
CYRA stands for Cyber Resilience Assessment, a Dutch maturity and certification framework.

2. Who manages CYRA?
It is managed by the Centre for Crime Prevention and Safety (CCV) in the Netherlands.

3. Which organizations can use CYRA?
CYRA is designed for SMEs, larger companies, and public entities seeking structured cybersecurity improvement.

4. How does CYRA differ from RiskStudio’s cyber ratings?
CYRA involves manual assessment and certification, while RiskStudio’s ratings are automatically generated using live data.

5. Can RiskStudio integrate CYRA data?
Yes. CYRA certificates can be added as external validation points within supplier evaluations.

6. Is CYRA mandatory?
No, but it aligns with national and EU standards, including NIS2, making it highly valuable for compliance readiness.


Conclusion: A Unified Path to Cyber Resilience

The CYRA framework represents a major step forward for cybersecurity maturity in the Netherlands.
By combining CYRA’s structured certification with RiskStudio’s dynamic monitoring, organizations can build a balanced, proactive, and verifiable approach to cyber resilience.