CYRA is a Dutch national framework and certification method for cybersecurity maturity and information security. It provides organizations with a clear, step-by-step approach to assess, improve, and certify their cyber resilience. As of January 2025, CYRA is officially managed by the Centre for Crime Prevention and Safety (CCV) in the Netherlands.
The method is designed especially for SMEs and growing companies seeking a structured way to strengthen digital security.
Structure of the CYRA method
CYRA uses a maturity model that starts with an “Entry” level and supports growth across areas like IT security, privacy, supply chain responsibility, and – optionally – digital subversion.
Key features of CYRA:
- Self-assessment with a standardized set of controls
- Practical improvement tips tailored to each level
- Certification available via independent third parties
- Accessible to SMEs and larger companies alike
- Alternative to inconsistent customer-specific questionnaires
With the integration of the Digital Subversion Framework (NDO), CYRA also supports certification for organizations working to counter digital criminal influence.
Not to be confused with RiskStudio’s Cyber Ratings
While the name is the same, CYRA is completely separate from the cyber ratings generated by RiskStudio. RiskStudio’s ratings are based on technical scanning, public data, and its own scoring model. CYRA, in contrast, is a manually assessed certification system that evaluates organizational maturity and preparedness.
CYRA and RiskStudio
For RiskStudio users, CYRA certificates can serve as an additional data point in evaluating suppliers. While RiskStudio provides dynamic and automated cyber ratings, CYRA offers insight into the structural and organizational cybersecurity readiness of a party.
RiskStudio helps you combine technical risk indicators with structural certification insights like CYRA, enabling more strategic decisions and targeted follow-up actions.