What is the CAF?
Since its introduction in April 2018, the NCSC's Cyber Assessment Framework (CAF) has become an essential tool for cyber resilience and compliance with the UK NIS regulations for Operators of Essential Services (OES), Digital Service Providers (DSP), and other organisations supporting UK Critical National Infrastructure. The CAF is a structured set of cyber security measures and guidance designed to help organisations demonstrate cyber resilience, support regulators in evaluating cyber security, and ensure consistent risk management across those critical sectors.
With the release of CAF 4.0, organisations face the most significant update to the framework since its inception. This latest version, released on 6 August 2025, reflects a maturing threat landscape, the increased use of automation and machine learning in defence and attack, and a shift towards outcome-driven, threat-informed assurance.
Whilst the core structure of four objectives (A-D) remains, the underlying expectations have changed. Organisations must now consider a broader spectrum of risks, ranging from nation-state surveillance to the exploitation of AI-powered decision-making systems.

The next iteration of the CAF
CAF 4.0 is not merely an incremental update to version 3.2. While many of the previous Contributing Outcomes (COs) and Indicators of Good Practice (IGPs) remain familiar, their wording and focus have evolved to reflect the complexity of today's threat environment.
The most notable shift in CAF 4.0 is its enhanced threat model. The framework now places greater emphasis on adversaries with advanced capabilities, persistence, and intent. This means that organisations will need to demonstrate not only that they have protective controls in place but also that those controls are effective against sophisticated threat actors.
This increase in threat level is particularly visible in the treatment of monitoring and detection. New requirements have been introduced around triage processes, threat intelligence, and behavioural analysis. For example, organisations are now expected to understand and utilise user and system behaviour patterns to identify abnormal activity and detect incidents early.
This raises the bar for those working within essential services. Preparing only for common threats is no longer sufficient. CAF 4.0 makes clear that organisations must be capable of defending against adversaries who may possess extensive resources, long-term strategic objectives, and deep technical capability.
A threat-informed, risk-based approach
The new version of the CAF places far greater emphasis on threat intelligence, contextual awareness, and the need for proactive monitoring. Most of the changes introduced in CAF 4.0 have been implemented as refinements to existing IGPs. These include clarified language, more specific examples, and greater emphasis on testing, documentation, and validation.
Some entirely new Contributing Outcomes have also been added. For instance, C1.f introduces a new CO focused on understanding user and system behaviour and integrating threat intelligence into monitoring practices. This goes beyond traditional log analysis and calls for a more analytical, threat-hunting mindset, supported by both skilled personnel and appropriate automated tooling (where possible). Meanwhile, the previous 'System Abnormalities for Attack Detection' has been reshaped into a more structured and repeatable threat-hunting capability under Objective C.
Other additions include new COs dedicated to understanding threats to the essential function (A2.b) and to secure software development and support, focusing on assurance of software suppliers and of the software development environments and lifecycles they use (A4.b).
AI, machine learning & automation
CAF 4.0 introduces more explicit references to the role of machine learning and automated decision-making within network and information systems. These are not treated as security risks per se, but their inclusion suggests that such technologies must be considered in risk assessments and secured appropriately. Where AI or automated decision-making supports the delivery of essential functions, the framework expects visibility into how these systems behave, make decisions, and could be influenced.
Whilst CAF 4.0 is not designed to be a compliance checklist for artificial intelligence, it does set clear expectations for assurance where automation plays a significant role.
These updates align closely with wider government initiatives, including the UK's Software Security Code of Practice, released on 7 May 2025, which promotes Secure by Design principles and responsible software deployment. CAF 4.0 doesn't map directly to the Code of Practice; however, it does support organisations in meeting many of its underlying goals, especially around transparency, testing, and accountability.
Going beyond checklist compliance
It's worth noting that CAF 4.0 maintains its flexible, sector-agnostic, outcome-driven structure. The framework does not dictate specific technologies or configurations. Instead, it asks organisations to demonstrate that they can achieve a defined set of outcomes appropriate to the risks they face and the essential functions they support within their sector.
This ensures the framework remains adaptable to a variety of sectors and system architectures. However, it also requires each organisation to understand its own risk profile and to select controls that are proportionate and effective in its operational context.
Transition timelines
A key consideration for any organisation currently working to CAF 3.2 (or prior) is the question of transition. Whilst CAF 4.0 is now live and recommended for use by the NCSC, timelines for moving from version 3.2 to 4.0 are not mandated centrally. Instead, each Competent Authority will set its own transition period and expectations for adoption.
That means organisations must engage with their regulator to understand specific timelines, reporting requirements, and any sector-specific guidance. Early engagement is advised, especially where investment or capability uplift may be required to meet the new requirements.
It's also worth noting that the forthcoming Cyber Security and Resilience Bill will bring new sectors into the scope of the UK NIS regulations. As a result, managed service providers, data centre operators, and others will likely have to gear up to adhere to CAF 4.0 in future.
What should Operators of Essential Services (OES) do now?
For most OES, demonstrating compliance with CAF 4.0 will not be a case of starting from scratch. However, the enhanced expectations mean that existing controls and supporting evidence/documentation may need to be updated. Specifically, we recommend prioritising the following steps:
Engage with your competent authority
Timelines for CAF 4.0 adoption will vary. Early engagement will help define expectations and avoid surprises or penalties for non-compliance.
Map existing controls to the new framework
Perform a gap analysis to identify where current policies, processes or technologies align with the new or revised IGPs. It's worth paying special attention to areas such as threat detection, automation and incident response.
Review monitoring and detection capabilities
Consider whether your current tooling and processes can support behavioural analysis, threat hunting and effective triage.
Revisit risk assessments
Ensure that emerging threats, including those posed by automation, AI, and ransomware, are reflected in your understanding of risk. New expectations around context-aware detection, threat-informed hunting, and the use of Indicators of Compromise (IoCs) mean that simply relying on feeds isn't enough. Interpretation and action are key.
Update and test response plans
Testing should be scenario-based and reflect realistic threats. Organisations must ensure exercises involve key stakeholders and incorporate key findings into improvement plans.
Prepare your workforce
Many changes require deeper technical expertise, not just from SOC analysts but also from governance, risk, and senior leadership. Training and clear documentation will be vital to achieving (and maintaining) compliance.
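To make the monitoring expectations above more concrete (the behavioural-analysis requirement discussed under the threat model, and the point under "Revisit risk assessments" that an IoC feed match on its own is not enough), the following is an added example of how a triage step can combine a per-user behavioural baseline with IoC and asset context. It is illustrative code written for this article, not NCC Group's, the NCSC's or CAF tooling; the log format, the IoC feed (a documentation-range address), the asset list and the scoring weights and thresholds are all constructed assumptions.

```python
"""Behaviour-baselined triage of authentication events with IoC context.

Added example, not NCC Group's, the NCSC's or CAF code. The log format,
IoC feed, asset list, weights and thresholds are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline window: activity already reviewed and known to be normal.
BASELINE_LOG = [
    "2025-07-01T09:02:11Z user=alice src=10.0.0.5 host=hist-01 result=success",
    "2025-07-01T09:40:52Z user=alice src=10.0.0.5 host=hist-01 result=success",
    "2025-07-02T10:15:03Z user=alice src=10.0.0.5 host=hist-01 result=success",
    "2025-07-01T08:55:40Z user=bob src=10.0.0.9 host=eng-ws-07 result=success",
    "2025-07-02T14:20:17Z user=bob src=10.0.0.9 host=hmi-01 result=success",
]

# Constructed events from a later window that need triage.
NEW_LOG = [
    "2025-08-06T10:05:30Z user=alice src=10.0.0.5 host=hist-01 result=success",
    "2025-08-06T02:14:07Z user=alice src=198.51.100.23 host=hmi-01 result=success",
    "2025-08-06T11:30:00Z user=bob src=10.0.0.9 host=hmi-01 result=success",
    "2025-08-06T11:31:00Z user=bob src=198.51.100.23 host=eng-ws-07 result=failure",
]

# Placeholder IoC feed (documentation-range address) and critical assets.
IOC_IPS = {"198.51.100.23"}
CRITICAL_HOSTS = {"hmi-01"}

# Illustrative weights; none of these values are prescribed by the CAF.
WEIGHT_DEVIATION = 1   # each departure from the user's own baseline
WEIGHT_IOC = 2         # source address appears in the IoC feed
WEIGHT_FAILURE = 1     # authentication failed
WEIGHT_CRITICAL = 1    # touches a critical asset (only if already suspicious)


def parse_line(line):
    """Parse 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts_text, *fields = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def build_baseline(lines):
    """Per-user usual source addresses, usual hosts and (min, max) login hour."""
    baseline = defaultdict(lambda: {"src": set(), "host": set(), "hours": []})
    for ev in map(parse_line, lines):
        profile = baseline[ev["user"]]
        profile["src"].add(ev["src"])
        profile["host"].add(ev["host"])
        profile["hours"].append(ev["ts"].hour)
    for profile in baseline.values():
        profile["hours"] = (min(profile["hours"]), max(profile["hours"]))
    return dict(baseline)


def score_event(ev, baseline, ioc_ips=IOC_IPS, critical_hosts=CRITICAL_HOSTS):
    """Return (score, reasons): behavioural deviations plus IoC and asset context."""
    reasons = []
    profile = baseline.get(ev["user"])
    if profile is None:
        reasons.append("user has no baseline")
    else:
        if ev["src"] not in profile["src"]:
            reasons.append("source not in user's baseline")
        if ev["host"] not in profile["host"]:
            reasons.append("host not in user's baseline")
        low, high = profile["hours"]
        if not low <= ev["ts"].hour <= high:
            reasons.append("outside user's usual hours")
    score = WEIGHT_DEVIATION * len(reasons)
    if ev["src"] in ioc_ips:
        reasons.append("source matches IoC feed")
        score += WEIGHT_IOC
    if ev.get("result") == "failure":
        reasons.append("authentication failed")
        score += WEIGHT_FAILURE
    # Criticality amplifies an already-suspicious event; it is never an alert on its own.
    if score and ev["host"] in critical_hosts:
        reasons.append("critical asset")
        score += WEIGHT_CRITICAL
    return score, reasons


def priority(score):
    """Map a score onto a triage band (thresholds are illustrative)."""
    if score >= 5:
        return "high"
    if score >= 2:
        return "medium"
    if score >= 1:
        return "low"
    return "none"


def triage(lines, baseline):
    """Score each new event and return the results highest priority first."""
    results = []
    for ev in map(parse_line, lines):
        score, reasons = score_event(ev, baseline)
        results.append({"user": ev["user"], "src": ev["src"], "host": ev["host"],
                        "score": score, "priority": priority(score), "reasons": reasons})
    return sorted(results, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in triage(NEW_LOG, build_baseline(BASELINE_LOG)):
        why = ", ".join(r["reasons"]) or "baseline behaviour"
        print(f"{r['priority']:6} {r['score']}  {r['user']}@{r['host']} from {r['src']}: {why}")
```

With the constructed data, the same IoC address produces two different outcomes: a successful login from it on a critical host, outside the user's usual hours and from an unknown source, scores high, while a failed login from it on the user's own workstation scores medium. That difference is the point the article makes about interpretation: the feed match is context, and the behavioural baseline and asset criticality are what turn it into a prioritised action for the analyst.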
As you navigate the transition to CAF 4.0, we'd be happy to support your journey.
At NCC Group, we work closely with regulators and OES across various industries to assess CAF maturity, identify gaps, and support compliance with the NIS Regulations. Reach out today to see how our experts can help.