CAF 4.0: What UK Businesses Need to Know About the New Cyber Resilience Standard


The UK's National Cyber Security Centre (NCSC) has released the most significant update to its Cyber Assessment Framework since its inception: CAF 4.0, launched on August 6, 2025. The revised framework marks a step change in how UK businesses must approach cybersecurity, especially those operating essential services and critical national infrastructure. The timing matters: attackers increasingly exploit remote connections and supply chain weaknesses, so a more robust defensive posture is needed across Britain's critical sectors.

What CAF 4.0 Represents

CAF 4.0 is now the baseline for cybersecurity assessments within the UK. It keeps the four familiar objectives (A-D), but the expectations for compliance, readiness, and risk management have all levelled up. This is no longer just another checkbox compliance exercise—CAF 4.0 is a roadmap to genuine resilience.

Where CAF previously emphasised minimum technical standards, the latest version turns attention to strategic understanding, continuous threat monitoring, and future-ready controls. Organisations are now asked to think beyond technical tools and to develop in-house capabilities that understand and adapt to evolving risks, especially those linked to sophisticated threat actors and rapidly advancing tech like AI.

Since its introduction back in 2018, the framework has been widely adopted—if you’re in a regulated sector or work with critical national infrastructure, it probably already shapes your audit approach. Now, with the release of CAF 4.0, the bar’s been raised.


Key Enhancements in CAF 4.0

1. Understanding the Threat

A major change in CAF 4.0 is the new focus on "Understanding Threat." It’s not enough to tick off the usual risk boxes; now, organisations are expected to do the work of threat intelligence and modelling. This means being proactive—identifying what (and who) could be coming after you, and shaping your controls, plans, and investment to match real-world risk.

Key points include:

  • Proactively assessing and anticipating threats (not just internal, but across your supply chain)
  • Leveraging up-to-date threat intelligence to inform risk decisions
  • Building incident response plans around those real, evolving threats

2. Secure Software Development Lifecycle (SDLC)

Software is in everything, and CAF 4.0 recognises that insecure software can be a gateway for attackers. There’s now a dedicated outcome for "Secure Software Development and Support," making it crystal-clear that whether you build your own software or buy it in, you’re responsible for making sure it’s secure and well-maintained throughout its lifecycle.

Expectations under this new section:

  • Embed security into every stage of your software development or procurement
  • Regularly patch, update, and verify the security of both in-house and third-party apps
  • Take extra care with automation and interconnected systems


3. Enhanced Continuous Monitoring & AI Risk

CAF 4.0 isn’t just about defending against known attacks; it’s about spotting and stopping suspicious events in real-time. Updates to the monitoring, detection, and threat hunting requirements encourage organisations to deploy better, smarter detection solutions—across endpoints, networks, and the cloud.

Notably, the framework now also addresses AI-specific risks. With machine learning (ML) increasingly used for both attack and defence, the NCSC wants to see controls that protect against adversarial AI and maintain trust in automated decision-making.

  • Assess AI/ML systems for vulnerabilities and implement robust validation and monitoring
  • Include AI risks in your standard risk management and assurance processes

4. Strengthened Access and Supply Chain Expectations

Remote connections, remote working, and tightly-coupled supply chains might make life easier, but they’re also prime targets for cybercriminals. That’s why CAF 4.0 dials up the requirements for:

  • Identity and access management, particularly for remote and privileged access
  • Formal oversight and assurance for all supply chain partners
  • Demonstrable controls that extend across your ecosystem

It’s not just about your own defences—it’s about making sure everyone you do business with meets the same rigorous standards.

Who Needs to Comply with CAF 4.0?

Regulated Organisations

If you’re an Operator of Essential Services or Digital Service Provider under NIS, CAF 4.0 is your new playbook. Your sector’s regulator (Ofgem for energy, Ofwat for water, NHSX/NHS England for healthcare, and so on) will specify the detail and audits to expect.

Public Sector

Local authorities, NHS trusts, and central/devolved government bodies seeking to demonstrate cyber maturity must align with CAF 4.0. Participation in schemes like GovAssure now relies on CAF as a baseline.

Private Sector

If your business is in energy, transport, water, telecoms, or any area linked to critical national infrastructure, expect to see CAF 4.0 language turning up in contracts, audits, and security reviews—especially as your supply chain partners look to de-risk themselves.

Extended Coverage

The Cyber Security and Resilience Bill (expected by end of 2025) will expand requirements for cloud, managed service providers, and data centre operators. If you’re in any of these sectors, it’s smart to start aligning now, well ahead of 2026 audits.

Tip: Not sure if you’re in-scope, or how the Bill may affect your organisation? Get in touch with Cyber Vigilance for a sector-specific consultation.

Timeline and Regulatory Impact

CAF 4.0 landed in August 2025, but enforcement takes hold from 2026 onwards. Organisations should use the current year to:

  • Review and gap-assess existing policies and controls vs. the CAF 4.0 outcomes
  • Engage with internal and external audit teams to ensure preparedness for upcoming inspections
  • Address strategic risks (like remote access, supply chain, and software development) as early priorities, since these feature heavily in updated regulatory checks

Sector regulators may set interim milestones and reporting requirements, so keep a close eye on announcements from your relevant authority.

Beyond Compliance: Strategic Cyber Resilience

Following CAF 4.0 isn’t just about avoiding fines; it’s the foundation of a resilient, adaptive, and credible security posture. Businesses that go beyond mere compliance are better positioned when:

  • Facing real-world, rapidly evolving cyberattacks (especially those that target supply chains)
  • Winning contracts in sectors where resilience is a differentiator
  • Preparing for insurance renewals, M&A activity, and public sector tenders

Even if you aren’t directly regulated, adopting CAF 4.0 best practices will boost your overall security maturity and make it easier to map to standards like SOC 2, ISO 27001, and Cyber Essentials. It also signals to your clients, partners, and board that cyber risk is managed to the highest industry standards.

If you’re considering a CAF 4.0 programme:

  • Start with a thorough, independent cyber risk assessment
  • Build a roadmap to tackle high-risk controls first (especially threat intelligence, monitoring, and remote access)
  • Use CAF 4.0 as a framework for ongoing improvement, not just annual sign-off

Getting Started with CAF 4.0

Adapting to CAF 4.0 might seem daunting, but it’s absolutely achievable with a clear plan:

  1. Map your current controls and risk management practices against the new CAF contributing outcomes
  2. Identify gaps, prioritising areas such as threat intelligence, software lifecycle, access management, and supply chain oversight
  3. Engage knowledgeable partners and solution providers—these updates require collaboration, not siloed IT effort
  4. Invest in upskilling staff, especially those in risk, assurance, and DevSecOps roles

If you’d like more insights on CAF 4.0, risk assessments, or sector-specific workshops for your team, check out our cybersecurity resources and insights or connect with us at Cyber Vigilance.


Adopting CAF 4.0 is a strategic investment in your organisation’s resilience, not just another compliance checkbox. Early action means less last-minute stress, stronger cyber defences, and greater confidence across your team and stakeholders.

©2025 Cyber Vigilance
