NIS Cyber Assessment Framework

NIS-CAF assessments for UK operators of essential services.

We assess your CAF maturity against NCSC v3.2, score the four objectives, and deliver an uplift plan your regulator can read.

An electricity transmission tower silhouetted against the sky, illustrating critical national infrastructure

What is NIS-CAF?

The Cyber Assessment Framework (CAF) is the UK’s primary methodology for assessing the cyber resilience of organisations regulated under the Network and Information Systems Regulations 2018. It is published by the National Cyber Security Centre (NCSC) and is used by the competent authorities that enforce NIS — Ofcom, Ofgem, Ofwat, the ICO, DfT, and others depending on sector.

CAF is structured around four objectives, fourteen principles, and a set of contributing outcomes. It is outcome-based rather than control-based: the question is whether a security outcome is achieved, not whether a specific technology is in place. Each contributing outcome is assessed as Achieved, Partially Achieved or Not Achieved against the indicators of good practice (IGPs) that NCSC publishes for it. The current version is CAF v3.2, in force since April 2024.

Key facts

CAF version
3.2
Objectives
4
Principles
14
Issuing body
NCSC

What we do

Four engagement components covering the full CAF assessment cycle.

CAF gap assessment

Where you stand against the 14 principles of NCSC CAF v3.2. We test outcomes, not tick-boxes — the framework is designed that way and we assess accordingly.

Scoping for OES and RDSP

Confirm which essential services or digital services are in scope for NIS regulation. We work with your competent authority (Ofcom, Ofgem, Ofwat, the ICO, DfT, or whichever body covers your sector) on scope statements.

Principle-by-principle assessment

Every contributing outcome scored Achieved / Partially Achieved / Not Achieved against the CAF indicators of good practice, with evidence, and rolled up per principle. Findings come with the gap, the cost to close, and the regulatory significance.

Uplift plan and reassessment

Phased remediation plan that your regulator can read alongside the CAF score. Reassessment cadence built into the engagement.

How a CAF engagement runs

Five stages from scoping call to first uplift plan. Reassessment runs on the cadence your regulator sets.

  1. Scoping call (30 minutes, free)

     We confirm which services fall under NIS, as an OES (Operator of Essential Services) or an RDSP (Relevant Digital Service Provider), and which competent authority you report to.

  2. CAF assessment (4–6 weeks)

     Outcome-based assessment against all 14 principles in scope. Evidence gathering, control walkthroughs, interviews with technical and process owners.

  3. Score and gap report (1–2 weeks)

     Achieved / Partially Achieved / Not Achieved scores for each contributing outcome, rolled up per principle, with rationale and supporting evidence. Mapped against your competent authority's expectations.

  4. Uplift plan (2–3 weeks)

     Phased remediation roadmap with priorities, effort, and dependencies. Built so your regulator can review it alongside the assessment report.

  5. Reassessment cycle (annual or as required)

     Re-scoring against the CAF on an agreed cadence: typically annual, or aligned with regulator expectations and inspection cycles.

Four CAF objectives

CAF organises 14 principles into four high-level objectives: A, Managing security risk; B, Protecting against cyber attack; C, Detecting cyber security events; and D, Minimising the impact of cyber security incidents. Each principle breaks down into contributing outcomes that assessors score individually.

Why 1 Sequence Cyber

PCI SSC-listed QSAC

Listed on the PCI Security Standards Council website as a Qualified Security Assessor Company. We bring the same evidentiary rigour to CAF assessments.

CREST DPT alignment

Penetration Testing aligned to the CREST Defensible Penetration Test specification, which provides direct evidence for CAF Objective B (Protecting against cyber attack) and Objective D (Minimising the impact of cyber security incidents).

Related services: ISO 27001 · Penetration Testing · GRC.

Ready for your CAF assessment?

Tell us your sector, your competent authority, and your last assessment date. We’ll come back with a fixed-fee proposal within 48 hours.