Cybersecurity and Resilience Bill & NCSC CAF 4.0 | Vambrace
Mark Rennie
Why the UK Cybersecurity and Resilience Bill matters in 2026
Vambrace Cybersecurity
UK organisations are in a different cyber landscape than they were even two years ago. The NCSC’s Cyber Assessment Framework (CAF) reached version 4.0 in August 2025, and the Cybersecurity and Resilience (Network and Information Systems) Bill was introduced to Parliament in November 2025 as Bill 329. Together, they signal a clear direction: outcome-based cyber resilience, backed by law.
The UK Government's Cybersecurity Strategy 2022 to 2030 uses CAF as the assurance backbone for the whole public sector. The milestones are no longer theoretical:
- Critical government functions were expected to reach enhanced CAF profiles by the end of 2025.
- All central government departments are working to evidence their designated CAF profiles in 2026.
- Wider government organisations are expected to reach at least a basic CAF profile by 2030.
The Bill now moving through Parliament will extend these expectations. Data centre operators above defined thresholds, managed service providers, critical suppliers, and larger digital service providers will fall under a strengthened NIS regime whose practical benchmark is the CAF. For many organisations, 2026 is the year in which “good practice” turns into concrete regulatory obligation.
How NCSC CAF 4.0 underpins the UK Government's Strategy
The NCSC's Cyber Assessment Framework is now the reference standard for demonstrating compliance with UK government cybersecurity and resilience expectations.
The Government's Cybersecurity and Resilience Strategy recognised that, despite progress, there was still a significant gap between current and required cyber resilience. In response, it set two pillars:
- Build strong organisational cybersecurity and resilience.
- Defend as one across government and its supply chain.
CAF is the mechanism that makes these pillars real. It translates strategic ambition into 4 clear objectives, 14 principles, and detailed outcomes that can be assessed and improved over time. Version 4.0 lifts expectations in several important ways.
The four CAF objectives in practice
Managing security risk (Objective A)
This is about governance, risk management, asset visibility, supply chain security and now a more explicit requirement to understand threats. CAF 4.0 adds a dedicated outcome on threat understanding and a new outcome on secure software development and support. Organisations are expected to base decisions on a real view of adversaries, not generic risk lists, and to treat software (including supplier software) as a security-relevant asset across its lifecycle.
Protecting against cyber-attack (Objective B)
Controls around identity, access, data and systems have been tightened. Multi-factor authentication, strong privileged access management, secure configuration and “secure by design” architectures are now table stakes. CAF 4.0 expects policies that are lived and enforced, not just written, and it links protection directly to the continuity of essential functions rather than to abstract compliance.
Detecting cyber security events (Objective C)
Detection in 4.0 is not just about collecting logs. Organisations are expected to enrich and correlate data, understand normal behaviour and actively hunt for threats that slip past automated controls. The earlier “proactive security event discovery” language has matured into a clear expectation of structured threat hunting. For any organisation supporting essential activities, a passive, best-efforts approach to monitoring is no longer enough.
Minimising impact of incidents (Objective D)
Plans must work in real life. CAF 4.0 raises the bar for tested incident response, recovery, and lessons learned. Organisations should be able to restore essential functions within tolerable timeframes even after severe incidents, including destructive ransomware. The focus is on rehearsed capability rather than theoretical documentation.
For government bodies, these expectations directly underpin the 2025, 2026 and 2030 milestones. For suppliers and private-sector operators of essential services, they describe the level of resilience that the government is now starting to mandate.
Why the UK chose CAF rather than overseas frameworks
While referencing international cybersecurity and resilience standards such as NIST has become commonplace, the NCSC Cyber Assessment Framework is the UK government’s designated assurance model for essential services and public sector resilience. This is because CAF is specifically designed for UK legal, regulatory, and national security priorities. Unlike US-origin frameworks, CAF is embedded directly into UK policy, procurement, and regulation through the NIS regime and the Cybersecurity and Resilience Bill.
For UK organisations, this means alignment with CAF is alignment with government expectations, regulators, and public sector buyers.
How the Cybersecurity and Resilience Bill impacts the NIS Regulations 2018
The UK Cybersecurity and Resilience Bill amends and strengthens the NIS Regulations 2018 in three important ways:
Extends who is regulated
The Bill amends the NIS Regulations 2018 so that more types of organisation fall clearly in scope. In particular it:
- Brings data centre services into regulation where the rated IT load is at least 1 megawatt, or 10 megawatts for enterprise-only data centres.
- Defines managed service providers as those who provide ongoing management of customers’ IT by connecting to their systems, including remote support, monitoring and administration. Larger providers that are not micro or small enterprises will be regulated.
- Introduces critical suppliers. These are organisations whose goods or services, if disrupted, could significantly affect an operator of essential services, a regulated digital service provider, or a regulated managed service provider. They can be designated and brought under specific duties even though they do not operate the essential service themselves.
- Clarifies which digital services are regulated (online marketplaces, online search engines and cloud computing services) and updates definitions to reflect modern cloud models.
In practice, this means many organisations that previously viewed CAF as something for government and critical infrastructure to worry about now need to pay close attention. If they operate large data centres, deliver managed services, or are a key supplier to regulated entities, they can expect the CAF to become the reference point for what “appropriate and proportionate” security looks like.
Strengthens duties and enforcement
The Bill gives regulators and the Secretary of State more tools to make sure cybersecurity and resilience risks to essential activities are properly managed:
- Clear powers to require information, including technical evidence about systems and controls, from regulated entities and designated critical suppliers.
- A structured regime for financial penalties, with maximums up to £17 million or 4% of global turnover for serious failures.
- Powers for the Secretary of State to issue directions for national security purposes, including to regulated entities and regulators themselves.
- A duty on regulators to have regard to a Statement of Strategic Priorities for network and information system security and resilience.
Although the Bill is still going through Parliament, the enforcement model is visible now. Organisations that fall in scope can already see the type of scrutiny and consequences they should expect once the Act is commenced.
Codifies the “CAF plus” world
The Bill does not reproduce CAF in statute, but it assumes an outcome-based cybersecurity and resilience regime very much aligned with CAF. It requires operators, digital service providers, managed service providers and critical suppliers to manage cybersecurity and resilience risks, prevent and minimise impact of incidents, and follow relevant guidance and codes of practice. In effect, CAF 4.0 and the Bill point in the same direction: threat-informed, risk-based security that protects essential activities, supported by evidence and backed by enforcement.
What this means for your organisation in 2026
The practical implications depend on who you are, but a few themes apply broadly.
Government bodies
If you are in central government, 2025 was not a soft target. It was the point at which critical functions were expected to be significantly hardened to known attacks. Throughout 2026 departments are being asked to evidence that position and to close outstanding gaps against their CAF profiles. For wider public bodies, 2030 still feels distant, but achieving a basic profile from a low starting point will take years, not months. Treat 2026 as the year to move from planning into delivery.
Operators of essential services
If you are already regulated under NIS, CAF 4.0 defines the modern standard that regulators will expect. A CAF 3.2 assessment from 2023 or 2024 is no longer enough on its own. You should revisit your assessments against 4.0, paying particular attention to:
- Threat understanding
- Secure development and supplier software risk
- Identity and access management
- Security monitoring and threat hunting
- Tested incident response and recovery
Regulators now have, or soon will have, a clearer statutory basis to escalate where they find persistent weaknesses.
Data centres, managed service providers and critical suppliers
If you run a data centre above the thresholds, provide remote managed services to customers, or if you are a key supplier to essential services, the Bill places you squarely in the spotlight. Even before it is fully enacted, large customers and government buyers are beginning to ask for CAF-aligned evidence of cybersecurity and resilience posture.
For these organisations, 2026 should be used to:
- Map services and customers against the Bill’s definitions and thresholds.
- Conduct a first CAF 4.0 gap analysis focused on services that, if disrupted, would impact essential activities.
- Begin building or strengthening core capabilities around monitoring, incident response and supplier management.
What is a CAF Assessment and who needs one?
A CAF assessment is a structured evaluation of how well an organisation meets the outcomes defined in the NCSC Cyber Assessment Framework. Under CAF 4.0, this means assessing governance, risk management, identity and access control, monitoring, incident response and supply chain security against clearly defined objectives and principles. An NCSC CAF assessment is not a tick-box certification exercise. It is an evidence-based review of whether essential functions are genuinely protected against real-world threats.
For organisations regulated under the UK NIS regime, including those covered by the NIS Regulations 2018 and the forthcoming UK Cybersecurity and Resilience Bill, a CAF assessment is becoming the practical benchmark for demonstrating appropriate and proportionate security. In short, if your organisation delivers services that the UK government considers critical to national resilience, aligning with the NCSC Cyber Assessment Framework is no longer optional; it is fast becoming expected.
A practical way to get started
You do not need to implement everything at once. A pragmatic sequence for 2026 looks like this:
- Clarify scope. Identify which services, systems and customers relate to essential activities or fall directly under the Bill’s definitions. Be specific. A focused, defensible scope is more useful than a vague, organisation-wide statement.
- Conduct a structured CAF 4.0 assessment against the NCSC Cyber Assessment Framework. Use the CAF objectives and principles to assess where you are now. Concentrate first on the outcomes that matter most for your essential functions: governance, risk, identity, monitoring, and incident response. The aim at this stage is honest visibility, not perfection.
- Prioritise improvements. Rank gaps by business impact and regulatory risk. Issues that could cause long outages of essential functions, or that clearly contradict CAF 4.0 expectations, should rise to the top. Be realistic about what you can achieve in 2026, but do not postpone everything difficult into future years.
- Deliver and test. Implement improvements in manageable increments. For every significant change, ask how you will demonstrate that it works: a log, a report, an exercise, a metric. Build testing into normal operations so that evidence accumulates naturally rather than being assembled in panic before an assessment.
- Prepare your story. Regulators, customers, and audit committees will all ask some version of the same question: “How do you know you are managing cybersecurity and resilience risks to essential activities effectively?” CAF gives you a structure for answering that question. Document your rationale, your roadmap, and your progress in language that non-specialists can understand.
Done well, this turns CAF from a checklist into a narrative about how your organisation is improving its cybersecurity and resilience year on year.
Looking ahead
From a February 2026 vantage point, the direction is unmistakable. The UK is moving toward a world in which:
- Essential activities are identified and protected in a systematic, evidence-based way.
- CAF 4.0 provides the reference model for what good looks like.
- The Cybersecurity and Resilience Bill gives teeth to that model by extending NIS, clarifying who is regulated and setting out real enforcement powers.
- Government buyers expect suppliers to speak the same language and to demonstrate outcomes, not just paperwork.
Organisations that act early in 2026 gain two advantages: they reduce real cybersecurity and resilience risks, and they arrive at the new regulatory regime with a defensible story backed by evidence and a culture that already treats CAF as part of how the organisation runs. Those that wait for Royal Assent to begin will find themselves trying to build capability, close gaps and satisfy regulators at the same time.
CAF 4.0 does not demand perfection. It does demand seriousness, honesty, and progress. If your organisation can show that it understands its essential functions, knows where it is vulnerable, is investing in the right areas and is learning from incidents, you will be well placed for the world that this Bill and this framework are creating.