
Apr 2025

Demystifying the Cyber Assessment Framework (CAF)

Let’s face it – cybersecurity frameworks can be a minefield and full of technical jargon, but the Cyber Assessment Framework (CAF) isn’t just another acronym to file away and forget about.


Information Security Consultant

For UK organisations operating in essential sectors, the CAF is a core component of regulatory compliance while also providing a framework to guide the evolving maturity of an organisation's cyber security programme. Now, as regulators are expanding the use of the CAF to new sectors, it is more important than ever that UK organisations familiarise themselves with the framework.

As a proud member of the National Cyber Security Centre (NCSC) Cyber Resilience Audit Scheme, we work closely with organisations across the UK to bring the CAF to life. We're not just ticking boxes for compliance; we're helping businesses build cyber resilience that's as strong as it is sustainable.

So, what exactly is CAF? 

The CAF was created by the NCSC in 2018 as a regulatory cyber security framework, designed to support the implementation of the NIS regulations for UK Operators of Essential Services (OES). 

The framework is structured around four key objectives: 

1. Managing Security Risk 

2. Protecting Against Cyber Attack 

3. Detecting Cyber Security Events 

4. Minimising the Impact of Cyber Security Incidents 

These cover everything from risk management and data protection to incident response and supply chain security. It’s comprehensive, but not overwhelming, especially with the right guidance. 

Organisations regulated by the CAF are assigned compliance targets known as 'Profiles', which set out whether organisations are expected to have 'Partially Achieved' or 'Achieved' each requirement. Many regulated sectors now have Basic and Enhanced profiles, with target dates by which organisations must achieve them. This means the CAF cannot be achieved and then forgotten; it must remain front and centre, guiding the evolution of the security programme.

Why the CAF matters  

While initially created as a cyber security framework for Critical National Infrastructure (CNI), the application of the CAF is quickly growing to new sectors.  

In the ‘Cyber Security Strategy 2022-2030’, the UK government set out their intention to adopt the CAF as the ‘assurance framework for government’. Since then, the CAF has been introduced to new sectors including the NHS and local councils with more sectors on the horizon. 

However, the CAF doesn't have to be just about regulatory compliance. More and more unregulated organisations are using it as a framework for good practice, to demonstrate maturity, and to build cyber security into their broader governance and risk management processes, backed by a government-endorsed framework.

In a world of increasing cyber threats, growing regulation, and ever-more complex supply chains, having a robust cyber resilience strategy is more essential than ever. 

The latest on CAF 

To keep pace with the evolving threat landscape, the UK government is looking to bring more sectors into the scope of the CAF.

In a recent policy statement, the government set out its plans for the upcoming Cyber Security and Resilience Bill, which aims to introduce the CAF to new sectors including Managed Service Providers (MSPs) and critical suppliers of Operators of Essential Services. This means that even if an organisation does not fall into a regulated sector, it may still have to comply with the CAF if it provides critical services to, or works with a large number of, regulated organisations.

While these are only proposed elements of the Bill which will go to Parliament in late 2025, they look likely to be included, and signal the government’s intention to make the CAF the de facto framework for cyber security regulation in the UK. 

So, what do you actually need to do? 

With various changes to CAF on the horizon, here are a few points on what you need to do to stay ahead of the curve: 

  1. Check if your organisation must comply with the CAF - The regulations that require CAF compliance can have complex scope requirements, with specific thresholds varying depending on the sector. It is important that organisations understand whether they are in scope of the CAF, what the compliance timelines are, and what their target CAF Profile is. Currently the following sectors have CAF compliance requirements:

     - Healthcare - The NHS Data Security Protection Toolkit (DSPT) has started to transition to the CAF-aligned DSPT from 2025. All organisations that previously had to complete the DSPT will switch to the new CAF-aligned DSPT over the next few years.

     - Local government - CAF for local government will require councils in England to comply with the CAF. The scheme is currently in beta, with full release expected in late 2025.

     - Critical National Infrastructure - While many CNI organisations have had to comply with the CAF since the 2018 NIS regulations, new organisations entering these sectors must ensure they are aware of and comply with the CAF requirements.

  2. Assess if you may be a critical supplier to regulated organisations - While your organisation may not be directly in scope, if you provide critical services to multiple regulated organisations, you may be considered a critical supplier and be directly regulated under the proposed new Cyber Security and Resilience Bill changes. More details are expected in late 2025 when the Bill goes to Parliament.

  3. Conduct a gap analysis against the CAF - If you are in scope, you should conduct a gap analysis to understand your current CAF compliance, with the aim of establishing a programme of work to develop the maturity of your cyber security programme and meet your regulatory requirements.

  4. Continue to monitor expansion of the CAF in the UK - For those currently not in scope, it is important to continue to monitor the UK government's plans to expand the CAF to more sectors over the next few years. If you think you may come into scope in the future, it may be worth getting ahead of the crowd and starting work on the CAF sooner rather than later.

Ready to tackle the CAF? 

Whether you're a first timer, a CNI operator under NIS regs, or simply want a solid benchmark to steer your cyber strategy, we’re here to help. 

We’ll translate CAF into something that makes sense, feels achievable, and improves your resilience, not just your paperwork. 

Contact our cyber team at cyber@waterstons.com to get started or take a look at our cyber security page to explore our range of services. 

Want to find out how you can save your business money through thorough cyber security practices? Head over to our events page and sign up to join our upcoming webinars:

Cyber security board briefing – Are you getting value from your cyber investments?