nis2-and-ncsc-caf-v4-0-how-they-map-for-uk-operators
  • NIS 2
  • 15th Jul 2026
  • 1 min read

NIS2 and NCSC CAF v4.0: How They Map for UK Operators

Gabriel Few-Wiegratz
  • Written by
Gabriel Few-Wiegratz
View my profile on
In Short...
  • CAF v4.0 already covers most of NIS2 Article 21, since both frameworks share the same outcome-based structure and CAF’s four objectives map directly onto Article 21’s ten measure areas.
  • Three gaps still need targeted work: incident reporting timelines, supply chain depth, and board-level personal accountability.
  • The Cyber Security and Resilience Bill is converging on NIS2 standards, with a matching 24/72-hour reporting framework and CAF moving onto a statutory footing.

CAF v4.0 already covers much of NIS2 Article 21. If you're a UK operator of essential services with a mature Cyber Assessment Framework (CAF) programme, you're likely closer to NIS2 compliance than you think. CAF's four objectives and 14 principles align closely with the ten security measures in Article 21(2). The main gaps are incident reporting timelines, supply chain risk management, and board-level accountability.

 

If your organisation has EU operations, subsidiaries, or supports EU-regulated entities, NIS2 may apply directly. Even for UK-only organisations, the proposed Cyber Security and Resilience Bill is expected to align UK requirements more closely with NIS2 and place CAF on a stronger statutory footing.

This guide focuses on the CAF-to-NIS2 mapping. If you're working with ISO 27001 instead, see our ISO 27001 framework and NIS2 control mapping guides. For a broader overview of NIS2 obligations, scope, and Article 21 requirements, see our complete NIS2 compliance guide.

Expert View

 

Matt Davies

Chief Product Officer, SureCloud

LinkedIn

 

What our experts say about closing NIS2 gaps inside CAF

 

“The gap most teams miss is board accountability. CAF asks whether the board is engaged. NIS2 attaches personal liability to directors who aren’t. That distinction changes what evidence you need to collect.”

 

 

What CAF v4.0 Is and Why It Matters Here

The NCSC Cyber Assessment Framework (CAF) v4.0 is the UK’s outcome-based cybersecurity assessment methodology for organisations responsible for essential functions. It’s structured around four objectives, 14 principles, and 41 contributing outcomes, and each outcome is rated Achieved, Partially Achieved, or Not Achieved against its Indicators of Good Practice.

 

Objective

Focus

Principles

A: Managing security risk

Governance, risk management, asset management, supply chain

A1, A2, A3, A4

B: Protecting against cyber attack

Preventive controls across identity, data, systems, networks, staff

B1, B2, B3, B4, B5, B6

C: Detecting cyber security events

Security monitoring, proactive threat hunting

C1, C2

D: Minimising the impact of incidents

Response and recovery planning, lessons learned

D1, D2

 

CAF v4.0, published by the NCSC in August 2025, added two entirely new contributing outcomes and strengthened a third, all directly relevant to NIS2 alignment. Understanding Threat sits under Objective A’s risk management principle and requires organisations to understand attacker capability and technique in depth; Secure Software Development and Support sits under Objective A’s supply chain principle and covers software provenance, testing, and patching. Objective C’s threat hunting expectation also deepened, and a new indicator under Objective B’s secure-by-design principle now requires restrictions on any automated decision-making system that could adversely affect essential functions. Those additions make v4.0 a stronger baseline for NIS2 mapping than earlier CAF versions.

 

Who Uses CAF, and Why It’s the Right Starting Point

CAF applies to UK Operators of Essential Services and Relevant Digital Service Providers under the Network and Information Systems Regulations 2018. Sector regulators, including Ofgem, the Department of Health and Social Care, the Department for Transport, and Ofcom, use CAF as their assessment tool. Cloud, managed service, and digital infrastructure providers face additional technical detail under Commission Implementing Regulation (EU) 2024/2690, which extends Article 21 into more than 150 specific controls for those provider categories.

 

CAF is outcome-based. So is NIS2 Article 21. Both frameworks ask what your organisation actually achieves, rather than which controls you’ve ticked, and that shared philosophy is exactly why the two map well at a structural level. Your existing CAF evidence base already counts as a genuine compliance asset for NIS2.

 

The government’s Policy Statement, published alongside the Cyber Security and Resilience Bill, makes this explicit: secondary legislation is expected to embed CAF principles on a statutory footing, bringing closer alignment with NIS2. In practice, operators who are strong on CAF are well-positioned for both the Bill and any NIS2 obligations they carry.

The NIS2 Article 21 to CAF v4.0 Mapping

The table below maps each of the ten NIS2 Article 21(2) measure areas to its corresponding CAF v4.0 principles, with a coverage rating for each.

 

NIS2 Requirement, Art. 21(2)

CAF v4.0 Mapping

Coverage

(a) Risk analysis and security policies

A1 Governance, A2 Risk Management

Strong

(b) Incident handling

D1 Response and Recovery Planning, D2 Lessons Learned

Strong for response; gap on NIS2 reporting timelines

(c) Business continuity, backup, DR, crisis management

D1 Response and Recovery Planning, B5 Resilient Networks and Systems

Strong for planning; restore testing evidence often partial

(d) Supply chain security

A4 Supply Chain

Partial; CAF covers supply chain risk, NIS2 requires deeper contractual obligations

(e) Secure acquisition, development, maintenance

A4 Supply Chain (v4.0 adds Secure Software Development and Support, A4.b), B4 System Security

Strong for IT; OT/ICS environments may have gaps

(f) Effectiveness testing of cybersecurity measures

A2 Risk Management (assurance), B4 System Security

Partial; CAF assurance is periodic, NIS2 expects continuous testing evidence

(g) Cyber hygiene and training

B6 Staff Awareness and Training

Strong

(h) Cryptography and encryption

B3 Data Security

Strong

(i) HR security, access control, asset management

A3 Asset Management, B2 Identity and Access Control

Strong

(j) MFA and secure communications

B2 Identity and Access Control, B5 Resilient Networks

Strong for IT; legacy OT systems may have gaps

 

Reading the Coverage Ratings

Strong means your CAF evidence, if genuinely achieved against the relevant principle, directly satisfies the NIS2 requirement. You’ll still need to document the mapping and confirm the evidence is current, building on real progress you already have in place.

 

Partial means CAF addresses the domain, but NIS2 goes further in a specific, material way. These areas need targeted remediation, a much smaller lift than rebuilding the programme.

 

A UK operator who’s achieved CAF objectives A through D against the Basic Profile has covered most of NIS2’s ten measure areas already. If your last CAF assessment returned Achieved or Partially Achieved against most contributing outcomes, your NIS2 exposure is narrower than you’d think, and the work is concentrated in the three gaps below.

The Three Gaps Between CAF and NIS2

CAF addresses cyber risk management in depth. NIS2 adds specific obligations that CAF’s outcome-based structure doesn’t reach directly, and they concentrate in exactly three places: incident reporting, supply chain depth, board accountability. Nothing more. That’s the entire remediation list UK operators consistently run into.

 

1. Incident Reporting Timelines (NIS2 Article 23)

 

CAF Principle D1 covers response and recovery planning. It requires a documented incident response plan, clear escalation paths, and a process for learning from incidents. It stops short of specific regulatory notification deadlines, and that’s the gap.

 

NIS2 Article 23 mandates a precise three-stage process for significant incidents: a 24-hour early warning to the relevant competent authority or CSIRT, a 72-hour full incident notification with impact assessment, and a final report within one month covering root cause, remediation, and cross-border impact.

 

Your CAF-based incident response plan is unlikely to have these NIS2 timelines built in as explicit triggers. The fix is targeted: add NIS2 notification triggers to your existing runbooks, map them to your CSIRT or competent authority contacts, and test them in your next tabletop exercise.

 

The Cyber Security and Resilience Bill introduces a similar two-stage notification framework (24 hours initial, 72 hours full) for UK Operators of Essential Services, Relevant Digital Service Providers, and the new category of Relevant Managed Service Providers. Close this gap now and you’ll satisfy both NIS2 and the incoming UK obligation at once.

 

2. Supply Chain Security Depth (NIS2 Article 21(2)(d) and Article 22)

 

CAF Principle A4 requires that you understand and manage supply chain cyber risk, and asks whether you’ve assessed the security of suppliers whose compromise could affect your essential function. That’s a genuine, substantive requirement already.

 

NIS2 goes further in two specific ways. Article 21(2)(d) requires assessment of the security practices of all direct suppliers, regardless of criticality tier. Article 22 requires organisations to take into account the results of coordinated EU-level supply chain risk assessments for specific product and service categories.

 

If your supplier security programme is built around a tiered criticality model where only Tier 1 suppliers receive full assessment, NIS2 requires you to broaden that scope. Contractual security clauses are now expected as evidence, going beyond questionnaires alone.

 

The Cyber Security and Resilience Bill mirrors this direction. Secondary legislation is expected to introduce supply chain security duties for Operators of Essential Services and Relevant Digital Service Providers, requiring proportionate measures to prevent supplier vulnerabilities from undermining essential services.

 

3. Board-Level Personal Accountability (NIS2 Article 20)

 

CAF Principle A1 requires board-level direction and governance of cybersecurity, and asks whether the board understands the security and resilience of the essential function well enough to translate that into effective organisational practice. CAF v4.0 strengthened this expectation, adding new indicators requiring that the board has the information it needs to discuss how network and information system security contributes to essential function delivery.

 

NIS2 Article 20 goes beyond governance posture. It requires that management bodies personally approve cybersecurity risk management measures, oversee their implementation, complete mandatory cybersecurity training, and accept personal liability for non-compliance.

 

That last point is a material shift. CAF asks whether the board is engaged. NIS2 makes directors personally liable if they aren’t. You’ll need a specific governance artefact: a board-level approval record for your cybersecurity measures, evidence of training completion, and a documented accountability structure well beyond a standard CAF A1 assessment.

The UK Context: What the CS&R Bill Changes

UK operators sometimes ask whether NIS2 applies to them at all. Post-Brexit, the EU directive has no direct legal force in Great Britain, but two reasons make the NIS2-CAF mapping matter regardless of where your operations sit.

 

First, EU operations and supply chains. If your organisation has subsidiaries, joint ventures, or significant supply chain relationships with EU-regulated entities, those counterparties are subject to NIS2, and Article 22 requires them to assess the security practices of their direct suppliers. If you’re one of those suppliers, you’ll face NIS2-derived security requirements through contractual channels whether or not you’re directly in scope.

 

Second, the CS&R Bill is converging on NIS2 standards. The Cyber Security and Resilience (Network and Information Systems) Bill, introduced to Parliament in November 2025 and expected to receive Royal Assent in 2026, is the UK’s domestic answer to NIS2. It reforms the 2018 NIS Regulations in three ways that affect CAF-aligned operators directly: expanded scope bringing managed service providers, data centres, large load controllers, and designated critical suppliers into the regime; a mandatory 24/72-hour incident notification framework mirroring NIS2 Article 23; and increased penalties of up to £17 million or 4% of worldwide turnover for the most serious breaches, which exceeds NIS2’s own penalty ceiling.

 

The Policy Statement confirmed that secondary legislation will embed CAF principles on a statutory footing. That’s the shift that matters here: CAF is moving from a best-practice assurance tool to a legally referenced compliance standard.

 

UK operators who close the three CAF-to-NIS2 gaps now are building the evidence base the CS&R Bill will require anyway. The same incident response runbooks, supply chain security programme, and board governance artefacts satisfy both.

 

For operators subject to both regimes, the principle is straightforward: adopt the higher standard as your baseline. Where NIS2 is more prescriptive than current CAF expectations, such as incident timelines and board accountability, build to NIS2. Where CAF is more granular, such as its specific indicators for OT and ICS environments, maintain that depth. The result is a single control set that satisfies both.

Running the Mapping Exercise: A Practical Approach

Turning this mapping into a working compliance document takes four steps.

 

Step 1: Take Your Last CAF Assessment as the Baseline

 

Your most recent CAF assessment, self-assessed or independently reviewed, is your starting point. For each of the ten NIS2 Article 21 areas, identify the corresponding CAF principle and note your current rating: Achieved, Partially Achieved, or Not Achieved. Where you’ve achieved the relevant CAF principle, you have a strong baseline for that NIS2 requirement; where you haven’t, you have a gap that needs addressing for both frameworks at once.

 

Step 2: Apply the NIS2-Specific Overlay

 

For each of the three gap areas, add a specific NIS2 overlay to your existing CAF documentation. On incident reporting, annotate your plan with Article 23 timelines and identify your competent authority or CSIRT contact. On supply chain, review your supplier inventory against NIS2’s broader scope and check whether contractual security clauses are in place. On board governance, create an approval record for your cybersecurity measures and document training completion.

 

Step 3: Rate Your NIS2 Coverage Honestly

 

Use the same three-tier rating that works for CAF: covered, where your evidence directly satisfies the requirement and is current; partial, where CAF covers the domain but the NIS2-specific obligation isn’t yet evidenced; and gap, where no existing CAF work addresses the requirement at all.

 

Step 4: Build the Evidence Trail

 

The output is a single compliance artefact that maps your CAF programme to NIS2 Article 21, shows your coverage rating for each area, and records what remediation is under way for any gaps. When a regulator or auditor asks how your programme addresses NIS2, this is what you hand them, and a documented coverage picture lands very differently to a verbal "we’re working on it."

 

Keeping that picture current is the harder problem. CAF assessments age, evidence lapses, the CS&R Bill will introduce new obligations on its own timeline, and your supplier landscape keeps changing. Mapping a control once so it satisfies multiple frameworks is significant overhead if you’re managing it in spreadsheets, which is exactly the kind of repeatable, multi-framework work platforms like SureCloud’s Compliance Management software are built to sustain: test a control once, and the evidence stays live for every framework that references it.

 

If you’re also managing DORA alongside NIS2 and CAF, the DORA vs NIS2 vs ISO 27001 comparison guide covers where those three overlap. If you’re evaluating tooling to operationalise this approach, the NIS2 compliance software guide covers the options in detail. Either way, the goal is the same: one evidence base that satisfies CAF, NIS2, and the CS&R Bill, instead of three parallel programmes doing the same job three times.

See Your CAF Programme Mapped to NIS2

Gracie AI Agents with Personas and Skills map each control once and keep the evidence live across CAF, NIS2, and every other framework you run, delivering a 50–65% reduction in manual evidence collection. Book a demo to see it mapped against your own CAF programme.
Related articles:
  • NIS 2

NIS2 Compliance Software: 3 Gaps Spreadsheets Miss

  • ISO 27001
  • NIS 2

NIS2 Control Mapping: Reuse ISO 27001 and CIS Work

  • Compliance Management

Compliance Management Software: Top 10 Tools for DORA, NIS2 & FCA 2026

Share this article

FAQ’s

How does NIS2 map to NCSC CAF v4.0?

NIS2 maps closely to CAF v4.0 because both are outcome-based frameworks that ask what your organisation actually achieves, rather than which controls you’ve ticked. Most Article 21 areas line up directly with CAF’s four objectives, so UK operators already have a strong evidence base. The gaps that remain sit in incident reporting timelines, supply chain depth, and board accountability.

Does CAF v4.0 cover NIS2 Article 21?

CAF v4.0 covers most of Article 21, particularly risk management, security controls, training, and incident response. Where it falls short is on NIS2-specific obligations such as the 24-hour and 72-hour reporting windows, deeper supplier oversight, and personal accountability for management bodies. Those three areas need a targeted overlay, a lighter lift than rebuilding the programme.

What are the biggest gaps between CAF and NIS2?

The three biggest gaps are incident reporting deadlines, supply chain security obligations, and board-level approval and training requirements. UK operators should prioritise these first, since they’re the most prescriptive elements of NIS2 and the incoming Cyber Security and Resilience Bill mirrors them closely.

 

Why does the UK Cyber Security and Resilience Bill matter here?

The Cyber Security and Resilience Bill is designed to bring UK cyber obligations closer to NIS2 and place CAF on a firmer statutory footing. That means CAF-aligned operators can close the NIS2 gaps now, and the same evidence will support both regimes once the Bill takes effect.

Should UK operators start from CAF or from NIS2?

Start from CAF if it’s already your main assurance framework. That gives you a working baseline, and you add the NIS2-specific overlays for reporting, supply chain, and governance rather than rebuilding the programme from scratch.