EMEA & Ireland — DORA — NIS2 — EU AI Act — ISO 42001
Execution Record

Regulatory Delivery & Assurance

27 years delivering regulated outcomes under scrutiny — NIS, NIS2, CAF, Ofgem, DORA. Not doctrine alone: assessed, evidence-packed, and regulator-ready.

27 Years: Securing regulated critical infrastructure
CAF A–D Assessments: Full-objective delivery end-to-end
Zero Breaches Track Record: Managing >£500B in regulated assets
4 Regulators: NIS/NCSC, Ofgem, FCA, EBA/ESMA

Regulatory Execution

30+ Frameworks Delivered

Across 5 jurisdictions, spanning cybersecurity, data protection, AI governance, digital markets, and financial resilience. Every framework aligned to delivery capability, evidence production, and regulator expectation.

30+ Regulatory Frameworks: Core & emerging requirements
5 Jurisdictions: UK, EU, Ireland + Global Impact
6 Doctrine Responses: Integrated delivery models
100% Evidence-Packed: Regulator-ready delivery

Foundation Delivery

Core Frameworks (Existing)

The regulatory foundation: NIS/NIS2, NCSC CAF, Ofgem OES. Each delivered end-to-end with evidence packs, assessment roadmaps, and regulator-ready submissions across £500B+ in managed assets.

NIS / NIS2 Regulations

Status: In Force

UK SI 2018/506 + EU 2022/2555. Delivered OES compliance programmes across energy, finance, and digital infrastructure. End-to-end gap assessments, CAF alignment, evidence production, and Board-level reporting.

Enforcer: Ofcom, Ofgem, ICO, EBA/ESMA
Doctrine: Decision Rights™, Recoverability™

NCSC Cyber Assessment Framework

Status: In Force

Full CAF A–D assessments across all four objectives. Produced IGP scoring, evidence packs, and remediation roadmaps aligned to NCSC expectations. Direct experience with regulator-ready submissions.

Enforcer: NCSC
Doctrine: Evidence Chain™

Ofgem Cyber Compliance (OES)

Status: In Force

Ofgem-specific NIS compliance for Operational Technology environments in energy. Delivered evidence packs for review cycles. Mapped ICS/SCADA controls to CAF objectives with supporting artefacts.

Enforcer: Ofgem
Doctrine: Recoverability™

ISO 27001 / NIST → CAF Mapping

Status: In Force

Cross-mapped ISO 27001 and NIST control frameworks against CAF objectives to eliminate duplicate effort. Produced control equivalence matrices used in regulator correspondence.

Enforcer: Multiple (via CAF alignment)
Doctrine: Evidence Chain™

EU Regulatory Landscape

EU Cybersecurity & AI Regulations

Comprehensive EU coverage: DORA (financial resilience, now enforced), NIS2 (critical infrastructure transition), EU AI Act (risk-based classification), CRA (supply-chain security). Personal director liability, €10M+ fines, Board oversight requirements.

DORA (EU 2022/2554)

Status: In Force since 17 Jan 2025; active enforcement

Digital Operational Resilience Act for the financial sector. 4-hour incident reporting for major incidents. Register of Information Q1 2026, on-site ICT risk inspections underway. Board-level ICT risk framework requirements.

Enforcer: EBA, EIOPA, ESMA
Doctrine: Evidence Chain™, Recoverability™

NIS2 Directive (EU 2022/2555)

Status: Transposition in progress; 13/27 MS not transposed (Apr 2026)

Expanded NIS scope to essential services and critical digital infrastructure. €10M or 2% global turnover fines. First audits 30 Jun 2026. Art. 20: personal liability for directors on cyber negligence.

Enforcer: National CAs, ENISA
Doctrine: Decision Rights™, Board Survivable™

EU AI Act (EU 2024/1689)

Status: Phased; key provisions apply 2 Aug 2026

Risk-based classification: Prohibited, High-Risk, Limited Risk, Minimal Risk. Penalties up to 7% global annual turnover. Mandatory conformity assessments, documentation, and human oversight for high-risk systems.

Enforcer: National Market Surveillance, EU AI Office
Doctrine: AI Accountability™

Cyber Resilience Act (EU 2024/2847)

Status: Phased; full application Dec 2027

Security by design for products with digital elements. Automatic security updates, vulnerability handling, and responsible disclosure. Enforcement via National Market Surveillance authorities.

Enforcer: National Market Surveillance
Doctrine: Evidence Chain™, Contract Control™

EU Cybersecurity Act (2019/881 + 2026)

Status: Legislative; COM(2026)11 published 20 Jan

Extends ENISA mandate to managed security services certification. ICT supply-chain security focus. €341M budget allocation 2028–2034. Expands security product certification schemes.

Enforcer: ENISA, National CAs
Doctrine: Evidence Chain™

Cyber Solidarity Act (EU 2025)

Status: In Force (4 Feb 2025)

€36M Cybersecurity Reserve fund. EU-wide SOC network activation. ENISA Single Reporting Platform by Sept 2026. Cross-border incident response and intelligence sharing.

Enforcer: ENISA, National SOCs
Doctrine: Recoverability™

eIDAS2 EU Digital Identity

Status: Rollout, Dec 2026 (27 MS adoption)

EU Digital Identity Wallets across all Member States. Secure trustworthy digital identity infrastructure for cross-border services. Pilot programmes expanding. Interoperability mandates.

Enforcer: National Supervisory Bodies
Doctrine: Decision Rights™

ISO 42001 AI Management

Status: Published; certification available now

International standard for AI governance systems. Establishes controls for developing, implementing, and managing AI across organizational functions. Aligned with EU AI Act risk frameworks.

Enforcer: Accredited Certification Bodies
Doctrine: AI Accountability™

Data & Platform Governance

Data Protection & Digital Markets Regulation

GDPR (enforcement exceeds €7.1B), ePrivacy, DMA/DSA for digital platforms. Data protection by design, algorithmic transparency, gatekeeper regulation, user consent frameworks. Irish DPC as EU lead authority.

GDPR (EU 2016/679)

Status: In Force (total enforcement €7.1B+)

Data protection by design and by default. 72-hour breach notification. DPIAs for high-risk processing. Fines up to 4% global turnover. Irish DPC enforcement: €4.04B. 2026 coordinated transparency focus.

Enforcer: National DPAs (CNIL, ICO, BfDI, DPC)
Doctrine: Evidence Chain™, Board Survivable™

ePrivacy Directive (2002/58/EC)

Status: In Force; awaiting replacement by a Regulation

Regulates cookies, electronic marketing, email spam, privacy of electronic communications. Consent requirements, opt-in/opt-out mechanisms. Cookie banner compliance and tracking controls.

Enforcer: National DPAs
Doctrine: Contract Control™

Digital Markets Act (DMA)

Status: In Force; gatekeepers designated

Designates digital gatekeepers (Meta, Alphabet, Apple, etc.). Mandates interoperability, prohibits self-preferencing, prevents combining user data without consent. Compliance documentation requirements.

Enforcer: European Commission (DG COMP)
Doctrine: Decision Rights™

Digital Services Act (DSA)

Status: In Force; VLOP compliance ongoing

Strict risk assessment and independent audits for VLOPs (45M+ EU users). Faster illegal content removal, algorithmic transparency, user appeals. Systemic risk mitigation requirements.

Enforcer: EC, National Digital Services Coordinators
Doctrine: AI Accountability™

UK Regulatory Framework

UK Cybersecurity & Data Protection

Post-Brexit independent regulatory framework: NIS 2018, UK GDPR, FCA Operational Resilience, Cyber Security & Resilience Bill 2025. Digital Security Act, PSTI for products, Telecoms Act. ICO enforcement authority with enhanced powers.

UK FCA Operational Resilience

Status: In Force (compliance 31 Mar 2025)

Financial firms identify important business services, set impact tolerances, test against severe-but-plausible scenarios. Board accountability for resilience. Attestations to FCA/PRA on control effectiveness.

Enforcer: FCA, PRA
Doctrine: Recoverability™, Decision Rights™

UK GDPR + Data Protection Act 2018

Status: In Force; post-Brexit independent

UK GDPR with post-Brexit modifications. DPA 2018 supplements GDPR for law enforcement processing. 72-hour breach reporting to ICO. Appropriate technical/organisational security measures.

Enforcer: ICO
Doctrine: Evidence Chain™, Board Survivable™

NIS Regulations 2018 (UK SI 506)

Status: In Force; sector CA enforcement

Operators of essential services (energy, health, transport, water) and digital service providers. Security requirements, incident reporting to sector CAs. Alignment with upcoming Cyber Security & Resilience Bill.

Enforcer: Ofcom, Ofgem, ICO, etc. (Sector CAs)
Doctrine: Recoverability™

Cyber Security & Resilience Bill 2025

Status: In Progress; expected 2026

Expands NIS scope to more digital services and supply chains. Tightens incident reporting timelines. Increases fines. Introduced 12 Nov 2025. Replaces/amends NIS 2018.

Enforcer: DSIT, Sector CAs
Doctrine: Decision Rights™, Recoverability™

Product Security Act 2022 (PSTI)

Status: In Force; implementation ongoing

Security requirements for consumer-connectable products. Bans default passwords, mandates vulnerability disclosure, minimum security update periods. Fines up to £10M or 4% global turnover.

Enforcer: OPSS
Doctrine: Contract Control™

Telecoms Security Act 2021

Status: In Force

Stricter security duties on public telecom providers. Supply chain security for network equipment and services. Critical equipment controls (vendor assessments, equipment bans, change controls).

Enforcer: Ofcom
Doctrine: Contract Control™

Computer Misuse Act 1990

Status: In Force

Criminal offences: unauthorised computer access, modification, making/supplying misuse tools. Incident response policies, forensics coordination. Board awareness of criminal liability exposure.

Enforcer: CPS, NCA
Doctrine: Board Survivable™

Data (Use and Access) Act 2025

Status: Enacted; post-Brexit international data flow reform

Reforms data protection to simplify research and AI use cases. Clarifies international data transfer mechanisms post-Brexit. Interoperability requirements for data holders.

Enforcer: ICO
Doctrine: AI Accountability™

SEC Cyber Rules (US — Global Impact)

Status: In Force; global public companies affected

Material cyber incident disclosure within 4 business days. Annual reporting on cyber risk management. Board-level oversight requirements. Affects all publicly traded companies globally.

Enforcer: SEC, DOJ
Doctrine: Board Survivable™

Irish Regulatory Authority

Ireland Digital Regulation Matrix

Ireland as EU lead authority: DPC (GDPR enforcement), NCSC (cybersecurity), AI Office of Ireland (Oifig IS), Coimisiún na Meán (online harms). Personal director liability, €35M AI fines, €20M online safety fines. Dynamic regulatory environment.

Data Protection Act 2018 (DPC)

Status: Active; EU One-Stop-Shop lead

Enhanced DPC focus on Dark Patterns in UI/UX. Mandatory Right to be Forgotten for children's data. DPC as primary EU enforcement authority under One-Stop-Shop mechanism. Coordinated EU investigations.

Enforcer: DPC (Irish Data Protection Commissioner)
Doctrine: Evidence Chain™, Board Survivable™

National Cyber Security Bill 2024/26

Status: Enforced; NCSC on statutory footing

Places NCSC Ireland on statutory basis. Personal liability for Board members re cyber negligence. NIS2 transposition. Critical infrastructure and essential services designation.

Enforcer: NCSC Ireland
Doctrine: Decision Rights™, Board Survivable™

Regulation of AI Bill 2026 (Ireland)

Status: Transitional; statutory establishment 1 Aug 2026

General Scheme published Feb 2026. AI Office of Ireland (Oifig IS) coordinating enforcement across Central Bank, DPC, etc. AI fines up to €35M or 7% global turnover. Risk-based framework mirroring EU Act.

Enforcer: Oifig IS (AI Office of Ireland)
Doctrine: AI Accountability™

Online Safety & Media Regulation Act

Status: Active; aggressive enforcement underway

Governs harmful content on social media and video platforms. Fines up to €20M or 10% turnover. Rapid removal requirements, algorithmic transparency, user redress mechanisms.

Enforcer: Coimisiún na Meán (Media Commission)
Doctrine: Decision Rights™

Digital Services Act 2024 (Ireland)

Status: Active; implementation ongoing

Regulates online marketplaces, illegal content hosting, advertising transparency. Community guidelines enforcement. Algorithmic risk assessments for VLOPs operating in Ireland.

Enforcer: Coimisiún na Meán
Doctrine: AI Accountability™

Comparative Analysis

UK vs EU Regulatory Divergence

Post-Brexit regulatory divergence across cybersecurity, data protection, and AI governance. Different implementation timelines, enforcement authorities, and fine structures. Cross-border firms require dual-compliance programmes.

Framework / Aspect: NIS / NIS2
  UK Approach: UK NIS 2018 (SI 506); Sector CAs (Ofcom, Ofgem)
  EU Approach: EU NIS2 (13/27 transposed); National Competent Authorities
  Key Divergence: NIS2 expanded scope vs UK standalone regulation

Framework / Aspect: Data Protection Fine Structure
  UK Approach: 4% global turnover (UK GDPR); no coordination mechanism
  EU Approach: 4% global turnover (GDPR); One-Stop-Shop coordination (DPC lead)
  Key Divergence: EU coordinated enforcement vs UK isolated

Framework / Aspect: AI Governance
  UK Approach: No dedicated AI regulation yet; sector-specific oversight
  EU Approach: EU AI Act (2 Aug 2026); risk-based mandatory framework; €35M fines (7% turnover)
  Key Divergence: EU AI Act binding vs UK deregulatory approach

Framework / Aspect: Product Security
  UK Approach: PSTI (2022): vulnerabilities, updates; £10M or 4% global turnover fines
  EU Approach: CRA (Dec 2027): security by design; mandatory automatic updates; phased enforcement
  Key Divergence: UK early implementation vs EU phased (2027)

Framework / Aspect: Cyber Risk for Financials
  UK Approach: FCA Operational Resilience; 31 Mar 2025 compliance
  EU Approach: DORA (17 Jan 2025 in force); 4-hour incident reporting
  Key Divergence: UK resilience focus vs EU incident reporting

Framework / Aspect: Director Liability
  UK Approach: Computer Misuse Act 1990; criminal exposure (Computer Misuse)
  EU Approach: NIS2 Art. 20 (personal liability); Ireland National Cyber Bill; statutory duty of care
  Key Divergence: EU explicit personal liability vs UK criminal law

Framework / Aspect: Incident Reporting Timelines
  UK Approach: NIS 2018: sector-specific timelines; GDPR: 72 hours to ICO
  EU Approach: DORA: 4 hours for major incidents; GDPR: 72 hours to DPA
  Key Divergence: EU tighter critical incident timelines (4h)

Framework / Aspect: Digital Markets Regulation
  UK Approach: No equivalent (proposed Online Safety Bill)
  EU Approach: DMA (in force): gatekeeper regulation; DSA (in force): content, VLOP oversight
  Key Divergence: EU hardline gatekeeper controls vs UK softer approach

Framework / Aspect: International Data Transfers
  UK Approach: Data Use & Access Act 2025; post-Brexit data flow flexibility
  EU Approach: GDPR adequacy assessments; SCCs / BCRs required
  Key Divergence: UK pragmatic post-Brexit vs EU strict adequacy

Regulatory Divergence Impact: Organisations operating cross-border (UK + EU/Ireland) require parallel compliance programmes. EU regulations often move faster (NIS2, AI Act, CRA) with stricter fines and tighter timelines. UK takes more flexible, sector-specific approach. Dual-headquarter firms and financial services with UK/EU presence should integrate evidence production across both frameworks to avoid duplication.

Hands-On Delivery

Assessment Experience

A — Governance & Risk

A1–A4 Coverage

  • Cyber risk management framework design
  • Board-level governance documentation
  • Third-party dependency mapping
  • Organisational risk appetite statements

Evidence Produced:

  • Evidence packs
  • IGP scoring matrices
  • Gap analysis reports
  • Remediation roadmaps

B — Protect

B1–B6 Coverage

  • Service protection policies
  • Identity and access management
  • Data security & media management
  • System security architecture

Evidence Produced:

  • Control assessments
  • Architecture reviews
  • Policy gap analysis
  • Uplift plans

C — Detect

C1–C2 Coverage

  • Security monitoring capabilities
  • Anomaly detection (OT/IT)
  • SOC integration assessments
  • Alert triage process design

Evidence Produced:

  • Monitoring maturity assessment
  • Capability maps
  • Detection playbooks
  • SOC roadmaps

D — Respond & Recover

D1–D3 Coverage

  • Incident response framework design
  • Tabletop exercise testing
  • Business continuity validation
  • Lessons-learned integration

Evidence Produced:

  • IR playbooks
  • Exercise reports
  • Recovery plans
  • Validation evidence

Delivery Under Scrutiny

Regulatory Deliverables Under Deadline

Fixed Submission Deadlines

Delivered regulatory artefacts — CAF self-assessments, evidence packs, remediation plans — within fixed regulatory submission windows. Coordinated multi-workstream delivery against NIS2's 24-hour and 72-hour incident reporting obligations.

Concurrent Compliance Workstreams

Managed parallel compliance programmes across NIS, DORA, and ISO 27001 in simultaneous engagement cycles. Built prioritisation frameworks to sequence deliverables without regulatory exposure. Zero missed submission deadlines across 8+ regulated programmes.

SME Evidence Coordination

Assembled and directed SME networks to produce evidence under time constraints — turning technical operations data into regulator-ready documentation. Built evidence libraries mapped to specific CAF objectives and control references.

Operational Capability

Incident Response & Crisis Uplift

  • Designed and uplifted IR frameworks aligned to CAF Objective D (D1 Response, D2 Recovery)
  • Ran tabletop exercises for senior stakeholder groups including CISO, CTO, Legal, and Board observers
  • Tested response capability against realistic OT/IT attack scenarios (ransomware, supply chain compromise, insider threat)
  • Validated detection, containment, and recovery playbooks against regulatory expectations
  • Integrated post-exercise lessons learned into updated CAF D1/D2 scoring and evidence packs
  • Built crisis communications frameworks for regulators, customers, and executive leadership

Impact Metrics

  • Tabletop Exercises: 10+
  • CAF Objective Uplift: D1/D2
  • Detection-to-Escalation: <4h
  • Reporting Process Validated: NIS2 Art.23

Lean Execution

Delivery Model: Small Team Ownership

Scoping & Mandate Setting

Defined assessment scope against regulatory boundaries. Established evidence requirements, stakeholder responsibilities, and timelines before engagement commencement.

Assessment Execution

Conducted end-to-end assessments independently — no reliance on large consultancy teams. Directly interviewed technical and operational SMEs. Produced findings without intermediary layers.

Evidence Production & Scoring

Built evidence packs from first principles. Applied IGP scoring methodology. Documented objective ratings with full supporting rationale aligned to NCSC guidance.

Reporting & Regulatory Submission

Authored final assessment reports in regulator-ready format. Structured findings for Board, CISO, and regulatory consumption simultaneously.

Remediation Roadmap Design

Developed prioritised remediation plans mapped to CAF objectives and NIS obligations. Sequenced activity by regulatory exposure, resource constraint, and delivery dependency.

Ongoing Assurance Tracking

Maintained remediation progress against regulatory milestones. Built governance cadence for Board reporting, including control status dashboards and risk register updates.

Enterprise Governance

Risk, Governance & Assurance Framework

Cyber Risk Register Management

Designed and maintained cyber risk registers aligned to enterprise risk frameworks (ISO 31000, NIST RMF). Calibrated risk ratings against regulatory impact thresholds. Produced risk reporting packs for Board and CISO consumption aligned to NIS and DORA obligations.

Governance Forum Design

Designed cyber governance forums including ISRM Committees, Cyber Risk Committees, and Executive Oversight panels. Produced governance charters, terms of reference, meeting cadence, and reporting templates. Ensured regulatory visibility at Board level.

Assurance & Control Testing

Managed second-line assurance activity across control environments. Delivered control testing schedules, findings registers, and closure evidence. Produced assurance outputs for regulatory submissions, internal audit, and third-party review.

Ready to Discuss Regulatory Delivery?

CAF assessments, NIS/NIS2 compliance programmes, Ofgem OES engagement, and incident response uplift — delivered end-to-end.