
Apr 2025

Demystifying the Cyber Assessment Framework (CAF)

Let’s face it – cybersecurity frameworks can be a minefield and full of technical jargon, but the Cyber Assessment Framework (CAF) isn’t just another acronym to file away and forget about.

Categories: Cyber Resilience

Information Security Consultant

For organisations operating in essential sectors, it is a bit like a sat-nav for cyber resilience: it tells you where you are, where you should be, and helps guide your business along the way. 

As a proud National Cyber Security Centre (NCSC) Assured Service Provider, we work closely with organisations across the UK to bring the CAF to life. We are not just ticking boxes; we are helping businesses build cyber resilience that is as strong as it is sustainable. 

So, what exactly is CAF? 

The CAF is now the de facto framework for cyber security regulation in the UK.  

It was created by the NCSC to give operators of essential services in scope of the NIS Regulations a common way to assess their cyber security. In recent years its use has been expanded to other sectors, including the NHS and local government. 

CAF is structured around four key objectives: 

1. Managing Security Risk 

2. Protecting Against Cyber Attack 

3. Detecting Cyber Security Events 

4. Minimising the Impact of Cyber Security Incidents 

These cover everything from risk management and data protection to incident response and supply chain security. It’s comprehensive, but not overwhelming, especially with the right guidance. 

Why CAF matters  

You do not have to be a nuclear power station or water supplier for the CAF to matter. More and more organisations are using it as a framework for good practice: a way to raise the bar, demonstrate maturity, and build cyber security into their broader governance and risk management. 

And in a world of increasing cyber threats, growing regulation, and ever-more complex supply chains, having a robust cyber resilience strategy is more essential than ever. 

The latest on CAF 

The CAF is evolving to keep pace with changing cyber threats and regulatory requirements. 

Recent updates proposed by the government include tailored guidance for Managed Service Providers to address growing supply chain risks. They also aim to place requirements on critical suppliers to operators of essential services. This means that even if you are not currently classed as a critical supplier, you may fall into that category if you serve a large number of organisations within a regulated sector, such as healthcare or energy. 

These updates were set out in the government’s recent policy statement for the Cyber Security and Resilience Bill. Although they remain proposals until the Bill is passed, they are very likely to be included. 

Regulators are also extending the use of the CAF beyond the operators of essential services originally covered by NIS (energy, transport, health and other Critical National Infrastructure sectors) to the wider NHS and to local government, increasing the pressure on organisations to comply.  

So, what do you actually need to do? 

With various changes to CAF on the horizon, here are a few points on what you need to do to stay ahead of the curve: 

1. Check if your organisation must comply with the CAF 

The regulations that require CAF compliance can have complex scope rules, with thresholds that vary by sector. It is important that organisations understand whether they are in scope, the compliance timelines, and the target CAF profile they must meet. Currently the following sectors have CAF compliance requirements: 

- Healthcare. The NHS Data Security and Protection Toolkit (DSPT) began its transition to a CAF-aligned DSPT in 2025. All organisations that previously had to complete the DSPT will move to the CAF-aligned version over the next few years.  

- Local government. The CAF for local government scheme will require councils in England to comply with the CAF. It is currently in beta, with full release expected in spring 2025.  

- Critical National Infrastructure. Many CNI organisations have had to comply with the CAF since the NIS Regulations came into force in 2018; new organisations entering these sectors must make sure they are aware of, and comply with, the CAF.  

2. Assess if you may be a critical supplier to regulated organisations 

Even if your organisation is not directly in scope, if you provide critical services to multiple regulated organisations you may be considered a critical supplier and be directly regulated under the proposed Cyber Security and Resilience Bill, expected in late 2025. 

3. Conduct a gap analysis against the CAF 

If you are in scope, conduct a gap analysis to understand your current position against the CAF and your target profile, with the aim of establishing a programme of work to meet your regulatory requirements.  

4. Continue to monitor expansion of the CAF in the UK 

If you are not currently in scope, keep monitoring the UK government’s plans to expand the CAF to more sectors over the next few years. If you think you may come into scope in the future, it may be worth getting ahead of the crowd and starting work on the CAF sooner rather than later. 


Ready to tackle the CAF? 

Whether you are a first-timer, a CNI operator under the NIS Regulations, or simply want a solid benchmark to steer your cyber strategy, we are here to help. 

We will translate the CAF into something that makes sense, feels achievable, and improves your resilience, not just your paperwork. 

Contact our cyber team at cyber@waterstons.com to get started or take a look at our cyber security page to explore our range of services. 

Want to find out how thorough cyber security practices can save your business money? Head over to our events page and sign up to join one of our upcoming webinars:

Streamline your security – Developing robust cyber strategies that don’t cost the earth

Cyber security board briefing – Are you getting value from your cyber investments?